0 Replies Latest reply on Oct 19, 2012 12:13 PM by jaimen

    Using RADIUS Authentication for NitroView Access

      Administrators have the option of configuring the ESM to authenticate users against a RADIUS server.  To use RADIUS authentication, you must configure the RADIUS server to correctly respond to NitroView RADIUS requests and configure the NitroView RADIUS settings.  Only the system administrator is able to configure RADIUS settings in NitroView.  Note that the system administrator will always authenticate against the ESM database and not the RADIUS server.

      Access groups must be set up on the ESM before using RADIUS authentication.  These access group names will be used when configuring the RADIUS server.  When a user is authenticated, the RADIUS server returns a list of the user’s allowed access groups, so the access group names on the ESM and the RADIUS server must match in order for a user to have privileges on the ESM.

      User accounts do not need to be created on the ESM.  When a user is authenticated for the first time using RADIUS, the user account is automatically created.  This account will be used to store user-specific settings, such as time zone and color options.

      NOTE:  If you are running a firewall between the ESM and the RADIUS server (including a firewall running on the RADIUS server, such as Windows Firewall), you must allow RADIUS traffic from the ESM to pass through the firewall.

      Configuring a Windows RADIUS Server

      Before you can configure a Windows Server as a RADIUS server, you must install the Internet Authentication Service component.  This can be found in the Networking Services Windows components group.

      Configure Windows Users and Groups:

      • The usernames and passwords used when setting up user accounts will be used to log into NitroView.
      • User accounts that will be used for RADIUS authentication must be allowed remote access permissions.  This setting is found on the Dial-in tab in the user properties dialog.
      • Each user group will be associated with a list of NitroView access groups.
      • The users in each user group will have NitroView privileges specified by the user group’s list of NitroView access groups.

      Configure the Internet Authentication Service (Windows 2000):

      1. Click Start > Programs > Administrative Tools > Internet Authentication Service.
      2. Determine the RADIUS server’s RADIUS port:
        1. Right-click on Internet Authentication Service in the tree menu, select Properties.
        2. Click the RADIUS tab. Write down the port numbers that are in use for authentication (this port will be used when configuring the NitroView RADIUS settings).
        3. Click the Cancel button to close the window.
      3. Configure a new remote access policy.  This policy will associate the user groups with the NitroView access groups, so you will need a separate policy for each set of privileges you would like to assign to users.
        1. Right-click on Remote Access Policies from the tree menu, and select New Remote Access Policy.
        2. Type a name for the Policy friendly name, such as “NitroSecurity All Rights Users”.
        3. Click Next.
        4. Click the Add... button to add a condition.
        5. Select Windows-Groups from the list and click Add.
        6. Click the Add... button in the Groups dialog.
        7. Select the desired user group from the list and click Add.
        8. Click OK.
        9. Click OK in the Groups dialog.
        10. Click Next.
        11. Select the Grant Remote Access permission radio button and click Next.
        12. Click Edit Profile....
        13. Click on the Advanced tab.
        14. Remove all entries in the Parameters section.
        15. Click Add....
        16. Select Filter-Id from the list, and click Add.
        17. Click the Add… button.
        18. In the Enter attribute value in: section, make sure the radio button for String is selected.
        19. Type the following in the text box: NitroSecurity:version=1:groups=ACCESS_GROUPS
            ACCESS_GROUPS should be replaced with a comma-separated list of NitroView access groups.  For example, if I had a NitroView access group called “AllRights”, I would type:
                NitroSecurity:version=1:groups=AllRights
            If I had two access groups that I wanted to assign to this policy, “Policy” and “Reporting”, I would type:
                NitroSecurity:version=1:groups=Policy,Reporting
        20. Click OK.
        21. Click OK to close the Multivalued Attribute Information dialog.
        22. Click Close to close the Add Attributes dialog.
        23. Click the Authentication tab.
        24. Check the Unencrypted Authentication (PAP, SPAP) checkbox.
        25. Click OK to close the Edit Dial-In Profile dialog.
        26. Click Finish to close the Add Remote Access Policy wizard.
      4. If necessary, reorder the list of remote access policies to avoid having another policy reject the authentication request.
      5. Configure the ESM as an authorized client of this RADIUS server.  You will need to configure each ESM that will authenticate with this server as a client of the RADIUS server.
        1. Right-click on the Clients folder in the tree menu, and select New Client.
        2. For the Friendly name, type a name for the ESM. Click Next.
        3. Type the IP address of the ESM for the Client address.
        4. The checkbox for Client must always send the signature attribute in the request is optional. If your organization’s security policy requires it, check the checkbox.
        5. Type in a shared secret (password) in the text box labeled Shared secret. Type the same shared secret again in the Confirm shared secret box (this shared secret will be used when configuring the NitroView RADIUS settings).
        6. Click Finish.
      6. Restart the Internet Authentication Service:
        1. Right-click Internet Authentication Service and select Stop Service.
        2. Right-click Internet Authentication Service and select Start Service.

      NOTE:  The service has been seen to stop by itself after starting.  If this happens, start the service again or the RADIUS authentications will time out.

      Configure the Internet Authentication Service (Windows 2003):

      1. Click Start > Programs > Administrative Tools > Internet Authentication Service.
      2. Determine the RADIUS server’s RADIUS port:
        1. Right-click on Internet Authentication Service in the tree menu, select Properties.
        2. Click the Ports tab. Write down the port numbers that are in use for authentication (this port will be used when configuring the NitroView RADIUS settings).
        3. Click the Cancel button to close the window.
      3. Configure a new remote access policy.  This policy will associate the user groups with the NitroView access groups, so you will need a separate policy for each set of privileges you would like to assign to users.
        1. Right-click on Remote Access Policies from the tree menu, and select New Remote Access Policy.
        2. Click Next.
        3. Select the Set up a custom policy option.
        4. Type a name for the Policy name, such as “NitroSecurity All Rights Users”.
        5. Click Next.
        6. Click the Add... button to add a condition.
        7. Select Windows-Groups from the list and click Add.
        8. Click the Add... button in the Groups dialog.
        9. Select or enter the desired user group and click OK.
        10. Click OK in the Groups dialog.
        11. Click Next.
        12. Select the Grant Remote Access permission radio button and click Next.
        13. Click Edit Profile....
        14. Click on the Advanced tab.
        15. Remove all entries in the Attributes section.
        16. Click Add....
        17. Select Filter-Id from the list, and click Add.
        18. Click the Add… button.
        19. In the Enter attribute value in: section, make sure the radio button for String is selected.
        20. Type the following in the text box: NitroSecurity:version=1:groups=ACCESS_GROUPS
            ACCESS_GROUPS should be replaced with a comma-separated list of NitroView access groups.  For example, if I had a NitroView access group called “AllRights”, I would type:
                NitroSecurity:version=1:groups=AllRights
            If I had two access groups that I wanted to assign to this policy, “Policy” and “Reporting”, I would type:
                NitroSecurity:version=1:groups=Policy,Reporting
        21. Click OK.
        22. Click OK to close the Multivalued Attribute Information dialog.
        23. Click Close to close the Add Attributes dialog.
        24. Click the Authentication tab.
        25. Check the Unencrypted Authentication (PAP, SPAP) checkbox.
        26. Click OK to close the Edit Dial-In Profile dialog.
        27. If prompted to view help topics, click No.
        28. Click Next.
        29. Click Finish to close the Add Remote Access Policy wizard.
      4. If necessary, reorder the list of remote access policies to avoid having another policy reject the authentication request.
      5. Configure the ESM as an authorized client of this RADIUS server.  You will need to configure each ESM that will authenticate with this server as a client of the RADIUS server.
        1. Right-click on the RADIUS Clients folder in the tree menu, and select New RADIUS Client.
        2. For the Friendly name, type a name for the ESM.
        3. Type the IP address of the ESM for the Client address.
        4. Click Next.
        5. Use RADIUS Standard for the Client-Vendor setting.
        6. The checkbox for Request must contain the Message Authenticator attribute is optional. If your organization’s security policy requires it, check the checkbox.
        7. Type in a shared secret (password) in the text box labeled Shared secret. Type the same shared secret again in the Confirm shared secret box (this shared secret will be used when configuring the NitroView RADIUS settings).
        8. Click Finish.
      6. Restart the Internet Authentication Service:
        1. Right-click Internet Authentication Service and select Stop Service.
        2. Right-click Internet Authentication Service and select Start Service.

      Configuring a Linux FreeRADIUS Server

      Before you can configure a Linux FreeRADIUS server, you must install FreeRADIUS.  There are multiple ways that FreeRADIUS users can be configured.  These instructions are for a basic setup where usernames and passwords are stored in plain text in the RADIUS server’s configuration file.

      Configure FreeRADIUS:

      1. Navigate to the FreeRADIUS configuration directory (probably /etc/raddb).
      2. Configure the ESM as an authorized client of this RADIUS server.  You will need to configure each ESM that will authenticate with this server as a client of the RADIUS server.
           a. Open “clients.conf” for editing.
           b. Add an entry for the ESM:

                client ESM_IP {
                        secret    = SHARED_SECRET
                        shortname = ESM_ALIAS
                }

           Where ESM_IP is the IP address of the ESM, SHARED_SECRET is the password for connecting to the RADIUS server (this shared secret will be used when configuring the NitroView RADIUS settings), and ESM_ALIAS is an alias for the ESM used for logging purposes.
      3. Configure user accounts to be authenticated.
           a. Open “users” for editing.
           b. Add an entry for each user allowed to log into the ESM:

                USER    Auth-Type := Local, User-Password == "PASSWORD"
                        Framed-Filter-Id = "NitroSecurity:version=1:groups=GROUPS"

           Where USER is the username of the user account, PASSWORD is the password for logging in, and GROUPS is a comma-separated list of NitroView access groups.  For example, if I had a NitroView access group called “AllRights”, I would type:

                NitroSecurity:version=1:groups=AllRights

           If I had two access groups that I wanted to assign to this user, “Policy” and “Reporting”, I would type:

                NitroSecurity:version=1:groups=Policy,Reporting

      4. Restart the radiusd service.
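      The Filter-Id value that the Windows and FreeRADIUS procedures above both return has one fixed shape, and a group name that does not exist on the ESM grants nothing, so a typo in a policy is easy to miss.  The following is an added example, not code from the original post or from NitroView: it builds and parses that value and checks the names against a constructed list of ESM access groups.  The function names, the exact (case-sensitive) match rule and the sample group list are assumptions.

```python
import re

# Attribute format described in the post: NitroSecurity:version=1:groups=<comma list>
FILTER_ID_RE = re.compile(r"^NitroSecurity:version=(\d+):groups=(.*)$")
SUPPORTED_VERSION = 1

def build_filter_id(groups):
    """Return the Filter-Id value for a list of NitroView access group names."""
    cleaned = [g.strip() for g in groups if g.strip()]
    if not cleaned:
        raise ValueError("at least one access group is required")
    for g in cleaned:
        # ',' separates groups and ':' separates fields, so neither may appear in a name
        if "," in g or ":" in g:
            raise ValueError(f"group name {g!r} contains a reserved character")
    return f"NitroSecurity:version={SUPPORTED_VERSION}:groups={','.join(cleaned)}"

def parse_filter_id(value):
    """Return the group names carried by a Filter-Id value.

    Raises ValueError for a wrong prefix or version, which is what a policy
    typo (or a Filter-Id left over from another vendor) looks like.
    """
    m = FILTER_ID_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a NitroSecurity Filter-Id: {value!r}")
    if int(m.group(1)) != SUPPORTED_VERSION:
        raise ValueError(f"unsupported version {m.group(1)}")
    return [g.strip() for g in m.group(2).split(",") if g.strip()]

def effective_groups(value, esm_groups):
    """Split the groups in a Filter-Id into (granted, unknown) for one ESM.

    Only names that also exist on the ESM grant privileges; the post says the
    names must match, and this check assumes an exact, case-sensitive match.
    """
    known = set(esm_groups)
    requested = parse_filter_id(value)
    granted = [g for g in requested if g in known]
    unknown = [g for g in requested if g not in known]
    return granted, unknown

if __name__ == "__main__":
    esm_groups = ["AllRights", "Policy", "Reporting"]   # constructed sample ESM groups
    attr = build_filter_id(["Policy", "Reporting"])
    print(attr)                                          # NitroSecurity:version=1:groups=Policy,Reporting
    print(effective_groups(attr, esm_groups))            # (['Policy', 'Reporting'], [])
    # A misspelled group in the RADIUS policy grants nothing for that name:
    print(effective_groups("NitroSecurity:version=1:groups=Policy,Reporter", esm_groups))
```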

      Configuring the NitroView RADIUS Settings

      1. Select System in the System Navigation Tree.
      2. Click Properties in the Actions Pane.
      3. Click the Login Security tab.
      4. Use the following settings in the RADIUS Authentication Settings section:
           a. Enabled – enables/disables RADIUS authentication.
           b. Primary/Secondary Server IP Address – IP address of the RADIUS server(s).
           c. Primary/Secondary Server Port – RADIUS port of the RADIUS server(s).
           d. Primary/Secondary Shared Secret – shared secret used when configuring the RADIUS server(s).
      5. Click the OK button.