[Contents] [Index]

About This Document >>     Installing SSH Tectia Server (M) >>     Using SSH Tectia Server (M) >>     Troubleshooting SSH Tectia Server (M) >>     Configuration >>     Authentication >>         Server Authentication with Public Keys >>         Server Authentication with Certificates >>         User Authentication with Passwords         User Authentication with Public Keys >>         User Authentication with Certificates >>         Host-Based User Authentication >>         User Authentication with Keyboard-Interactive >>             Client Configuration             Server Configuration             Pluggable Authentication Module (PAM) Submethod             RSA SecurID Submethod             RADIUS Submethod         User Authentication with GSSAPI >>     Application Tunneling >>     Sample Files >>     Man Pages     Log Messages >>

RADIUS Submethod

RADIUS (Remote Authentication Dial-In User Service) is a protocol for checking a user's authentication and authorization information from a remote server. It is originally intended for authenticating dial-in users, but is also suitable for use with Secure Shell. In SSH Tectia, RADIUS is implemented as a submethod of Keyboard-Interactive authentication.

The radius Keyboard-Interactive submethod requires one or more RADIUS servers to be configured in the sshd2_config file:

AllowedAuthentications keyboard-interactive ... AuthKbdInt.Optional radius ... AuthKbdInt.RADIUS.NASIdentifier identifier AuthKbdInt.RADIUS.Server serveraddress=address,\ nasidentifier=client_identifier,secretfile=filename,timeout=120

The AuthKbdInt.RADIUS.NASIdentifier keyword defines the default NAS identifier to be used when talking to the RADIUS server.

The AuthKbdInt.RADIUS.Server keyword defines one RADIUS server. The server address field is mandatory, other fields are optional. The address can be an IP address or a DNS name.

The nasidentifier field overrides the default for this server, if specified.

The default file for the shared secret is /etc/ssh2/ssh_radius_nas_secret.dat.

The default timeout is 23 seconds. This should be usually sufficient, but if the RADIUS server is expected to take a long time to process the authentication request, it can be lengthened. The servers are queried in the order they have been specified, and only one at a time. The minimum timeout is 7 seconds, and the timeout has a granularity of 8 seconds. The RADIUS server will always be queried for at least the number of seconds specified in the timeout parameter.

The supported RADIUS servers are the FreeRADIUS server and Microsoft IAS (Internet Authentication Service) server. The following sections contain advice on configuring them to interoperate with SSH Tectia Server (M).

FreeRADIUS Server Configuration

Configure the client (SSH Tectia Server) in /etc/freeradius/clients.conf with the proper IP address and nastype = other. The FreeRADIUS server can be instructed to check the users agains the system's main passwd file with the following in /etc/freeradius/users:

DEFAULT Auth-Type = System, Fall-Through = 1

In /etc/freeradius/radiusd.conf, PAP must be configured to be available for authentication. See the FreeRADIUS documentation for further details.

IAS Server Configuration

For SSH Tectia Server to interoperate with Microsoft IAS, following must be done:

1. Requiring Signature Attribute must be switched off in IAS.
2. Dial-In must be allowed in the user's properties.
3. PAP authentication must be allowed in IAS.

Note: SSH Communications Security does not provide technical support on how to configure RADIUS. Our support only covers SSH Tectia applications.