RADIUS Authentication and Authorization

1 Introduction

The Remote Authentication Dial In User Service (RADIUS) server can be used to authenticate users who log in to the KEMP LoadMaster. The LoadMaster passes the user’s details to the RADIUS server and the RADIUS server informs the LoadMaster whether the user is authenticated or not.

In Windows Server 2008 R2, RADIUS is provided by the Network Policy and Access Services role (Network Policy Server, NPS).

The steps in this document have been tested and validated on Windows Server 2008 R2.

1.1 Document Purpose

The purpose of this document is to provide further information and steps on configuring RADIUS authentication and authorization.

1.2 Intended Audience

This document is intended to be used by anyone who is interested in learning more about using RADIUS authentication and authorization in the LoadMaster.

2 Prerequisites for Authentication and Authorization

Before performing these steps, ensure there is an Active Directory group to add to the network policy. This needs to be done on the domain controller.

The steps in this document outline how to give the users/groups certain permissions to the KEMP LoadMaster.

It is not possible to use RADIUS authentication and authorization if you are using a FIPS LoadMaster.

2.1 Add a RADIUS Client

A RADIUS client entry for the LoadMaster must be created on the NPS server so that it accepts authentication requests from the LoadMaster. Create a RADIUS client by following the steps below:

1. Open the Server Manager application.

2. Navigate to the following option: Roles > Network Policy and Access Services > NPS (Local) > RADIUS Clients and Servers > RADIUS Clients.

3. Click New in the panel on the right.

4. Enter a Friendly name.

5. Enter the IP Address of the LoadMaster.

6. Enter a Shared secret.

7. Enter the same shared secret in the Confirm shared secret text box and click OK.

3 Configure Authentication and Authorization

The LoadMaster allows users to be authorized by either RADIUS or Local User authorization. The user’s authorization determines what level of permissions the user has and which functions on the LoadMaster they are allowed to perform.

When both authorization methods are selected, the LoadMaster initially attempts to authorize the user using RADIUS. If this authorization method is not available, the LoadMaster attempts to authorize the user using the Local User authorization.

In addition to configuring RADIUS authentication in the Server Manager, the LoadMaster also needs to be configured to use it. Configuration of RADIUS authentication in the LoadMaster varies depending on what method you want to use:

Local Authentication and Authorization means that the LoadMaster contacts the RADIUS server for authentication and will use local authorization.

RADIUS Authentication and Authorization means that the LoadMaster contacts the RADIUS server for authentication and will use reply messages sent back from the RADIUS server to authorize.

The maximum character length for RADIUS authentication passwords that are used to log in to the Edge Security Pack (ESP) form is 128 alphanumeric characters. If non-alphanumeric or other characters are used that require multi-byte encoding, the maximum number of characters that can be used reduces.

Follow the steps in the relevant section below, depending on the chosen method.

For further details on what each of the LoadMaster fields means, refer to the Web User Interface, Configuration Guide.

3.1 Local Authentication and Authorization

Follow the steps below to configure the local authentication and authorization settings in the LoadMaster.

Session Management must be disabled in order to use this method. If Session Management is enabled, the RADIUS server options mentioned in this section will not be available.

3.1.1 Specify the RADIUS Server Details

To enter the details of the RADIUS server, follow the steps below:

1. In the main menu of the LoadMaster WUI, navigate to Certificates & Security > Remote Access.

2. Enter the IP address of the Radius Server and click the Radius Server button.

If you do not see this option, ensure that Session Management is disabled in Certificates & Security > Admin WUI Access.

3. Enter the Shared Secret and click the Set Secret button.

The Shared Secret should be the same as the one entered in the Add a RADIUS Client section.

4. Enter the Revalidation Interval and click Set Interval.

3.1.2 Specifying RADIUS Authentication for an Individual User

When adding a new user in the System Configuration > System Administration > User Management screen, the Use RADIUS Server check box can be selected.

Selecting this check box will mean that RADIUS authentication is used when that user logs in to the LoadMaster. The RADIUS server details must be set up before this option can be used.

3.1.3 Specifying Local Authorization for an Individual User

After a user has been added, you can specify what permissions they have by clicking the Modify button in the Action column.

The level of user permissions can be set in this screen. This determines what configuration changes the user is allowed to perform. The primary user, bal, always has full permissions. Secondary users may be restricted to certain functions.

3.2 RADIUS Authentication and Authorization

This is an alternative option to using local authentication and authorization. In order to use this method, session management must be enabled. Session management settings are configurable in Certificates & Security > Admin WUI Access. If session management is disabled, the RADIUS options mentioned in this section will not be available.

3.2.1 Specify the RADIUS Server Details

To use the RADIUS Authentication and Authorization method, Session Management must be enabled. To enable Session Management, follow the steps below:

1. In the main menu of the LoadMaster WUI, select Certificates & Security.

2. Select the Enable Session Management check box.

3. Enter User and Password details and click the Login button.

4. In the main menu of the LoadMaster WUI, select Certificates & Security > Admin WUI Access.

When Session Management is enabled on the LoadMaster, follow the steps below to configure RADIUS authentication:

5. In the main menu of the LoadMaster WUI, navigate to Certificates & Security > Remote Access.

6. Click the WUI Authorization Options button.

7. Enter the Radius Server IP address and Port.

8. Select the Radius Authentication check box.

9. Select the Radius Authorization check box.

10. Click the Radius Server button.

11. Enter the Shared Secret.

The Shared Secret should be the same as the one entered in the Add a RADIUS Client section.

12. Click the Set Secret button.

13. If necessary, fill out details for a Backup Radius Server.

14. Enter the Revalidation Interval.

15. Click the Set Interval button.

The RADIUS authorization method can only be used if the RADIUS authentication method is selected.

There is a Test AAA for User section at the bottom of this screen. When session management is enabled, you can enter a valid Username and Password to test.

3.2.2 Specifying RADIUS permissions for Groups and All Users

Permissions can be set up to apply to all users, or to groups:

Connection request policies: Sets of conditions and settings that allow network administrators to designate which RADIUS servers perform the authentication and authorization of connection requests that the Network Policy Server (NPS) receives from RADIUS clients. Connection request policies can also be configured to designate which RADIUS servers are used for RADIUS accounting.

Network policies: Sets of conditions, constraints and settings that allow you to designate who is authorized to connect to the network and the circumstances under which they can or cannot connect. When you deploy Network Access Protection (NAP), health policy is added to the network policy configuration so that NPS performs client health checks during the authorization process.

Connection request policies apply to all users. Network policies apply to groups.

Refer to the relevant section below, depending on the level of permissions needed.

3.2.2.1 Specifying RADIUS Authentication and Authorization for a Group (Network Request Policy)

3.2.2.1.1 Specifying RADIUS Authentication for a Group

To set up a network policy, follow the steps below in the Server Manager.

1. In the panel on the left, go to Policies > Network Policies.

2. Click New in the panel on the right.

3. Enter a Policy name.

4. Click Next.

5. Click the Add… button.

6. Select the relevant group type.

7. Click the Add… button.

8. Click the Add Groups… button.

9. Enter the group name in the text area provided.

10. Click Check Names.

11. If the name resolves correctly, click OK.

12. Click OK.

13. Click Next.

14. Select the relevant Access Permission option.

15. Click Next.

16. Remove the tick from the Microsoft Encrypted Authentication version 2 (MS-CHAP-v2) check box.

17. Ensure that Microsoft Encrypted Authentication (MS-CHAP) is selected.

18. Ensure that User can change password after it has expired is selected.

19. Select the Unencrypted authentication (PAP, SPAP) check box.

20. Click Next.

If idle timeout is used on the server it should match the idle timeout settings in the LoadMaster. Generally, KEMP recommends not setting this on the server.

21. Click Next.

The KEMP RADIUS policies should be moved to the top of the policy list on the Windows RADIUS server. The policies are executed in the order they are displayed.

3.2.2.1.2 Specify RADIUS Authorization for a Group

The Attributes on this screen need to be in a certain order for the settings to work correctly. The order is as follows:
1. Reply-Message
2. Framed-Protocol
3. Service-Type

These attributes cannot be reordered in place, so to get them into the correct order you must remove them and then add them again in the order above.

1. Select Framed-Protocol and click Remove.

2. Select Service-Type and click Remove.

3. Click the Add… button.

4. Select Reply-Message.

5. Click the Add… button.

6. Click the Add… button.

7. Enter the relevant permission option(s) and click OK.

The available permission options are as follows:
real,vs,rules,backup,certs,cert3,certbackup,users,root
These correspond to the permission options in the LoadMaster Web User Interface (WUI).
The root permission grants all permissions.
Multiple permissions can be specified in the one attribute value, separated by commas with no spaces.

8. Click OK again.

9. Select Framed-Protocol.

10. Click the Add… button.

11. Select PPP from the Commonly used for Dial-Up or VPN drop-down list.

12. Click OK.

13. Select Service-Type.

14. Click the Add… button.

15. Select Framed from the Commonly used for Dial-Up or VPN drop-down list.

16. Click OK.

17. Click Close.

18. Click Next.

19. Click Finish.

20. Repeat this process as needed to set permissions for other groups.

3.2.2.2 Specify RADIUS Authentication and Authorization for All Users

3.2.2.2.1 Specify RADIUS Authentication for All Users (Connection Request Policy)

Permissions set in the connection request policy apply to all users.

To set up a connection request policy, follow the steps below.

1. Navigate to Roles > Network Policy and Access Services > Policies > Connection Request Policies.

2. Click New in the panel on the right.

3. Enter a Policy name.

4. Click Next.

5. Click the Add… button.

6. Select the Location Groups option.

7. Click the Add… button.

8. Type Domain users and click OK.

9. Click Next.

10. Click Next.

11. Select the Override network policy authentication settings check box.

12. Select the Microsoft Encrypted Authentication version 2 (MS-CHAP-v2) check box.

13. Select the User can change password after it has expired check box.

14. Select the Unencrypted authentication (PAP, SPAP) check box.

3.2.2.2.2 Specifying RADIUS Authorization for All Users

1. Select Standard in the panel on the left.

2. Click the Add… button.

3. Select Reply-Message.

4. Click the Add… button.

5. Click the Add… button.

6. Enter the relevant permission(s) and click OK.

The available permission options are as follows:
real,vs,rules,backup,certs,cert3,certbackup,users,root
These correspond to the permission options in the LoadMaster Web User Interface (WUI).
The root permission grants all permissions.
Multiple permissions can be specified in the one attribute value, separated by commas with no spaces.

7. Select the attribute and click OK.

8. Click OK again.

9. Click Close.

10. Click Next.

11. Click Finish.
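
To show what the NPS reply configured in sections 3.2.2.1.2 and 3.2.2.2.2 looks like on the wire, and how the receiving side can check it, the following is an added Python model that is not KEMP's code. It assumes the standard RFC 2865 encodings (Reply-Message is attribute 18, Framed-Protocol 7 with PPP = 1, Service-Type 6 with Framed = 2) and uses a constructed shared secret and request authenticator.

```python
import hashlib
import hmac
import struct

# RFC 2865 attribute types and values; ACCESS_ACCEPT is the packet code.
SERVICE_TYPE, FRAMED_PROTOCOL, REPLY_MESSAGE, ACCESS_ACCEPT = 6, 7, 18, 2
FRAMED_PROTOCOL_PPP, SERVICE_TYPE_FRAMED = 1, 2
# Order the LoadMaster expects the attributes in (section 3.2.2.1.2).
REQUIRED_ORDER = [REPLY_MESSAGE, FRAMED_PROTOCOL, SERVICE_TYPE]
# Permission tokens listed on this page; root grants all of them.
KNOWN_PERMS = {"real", "vs", "rules", "backup", "certs", "cert3", "certbackup", "users", "root"}

def build_access_accept(ident, request_auth, secret, perms):
    """Constructed NPS-style Access-Accept carrying the three attributes in the required order."""
    values = [(REPLY_MESSAGE, ",".join(perms).encode()),
              (FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PROTOCOL_PPP)),
              (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED))]
    attrs = b"".join(bytes([t, 2 + len(v)]) + v for t, v in values)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_attributes(packet):
    """Return [(type, value)] in wire order; a malformed TLV is rejected rather than guessed at."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        t, l = packet[pos], packet[pos + 1]
        out.append((t, packet[pos + 2:pos + l]))
        pos += l
    return out

def loadmaster_permissions(packet, request_auth, secret):
    """Client-side checks: authenticator, attribute order, comma-without-space list, root."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    attrs = parse_attributes(packet)
    if [t for t, _ in attrs if t in REQUIRED_ORDER] != REQUIRED_ORDER:
        raise ValueError("attributes must be ordered Reply-Message, Framed-Protocol, Service-Type")
    reply = next(v for t, v in attrs if t == REPLY_MESSAGE).decode()
    tokens = reply.split(",")
    unknown = [t for t in tokens if t not in KNOWN_PERMS]  # catches "vs, rules" (space) and typos
    if unknown:
        raise ValueError(f"unknown permission token(s): {unknown}")
    return set(KNOWN_PERMS) if "root" in tokens else set(tokens)
```

A reply whose authenticator does not verify against the shared secret from the Add a RADIUS Client section is rejected before any permission is read, which is why the secret on both sides must match exactly.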

References

Unless otherwise specified, the following documents can be found at http://kemptechnologies.com/documentation.

Web User Interface, Configuration Guide

Document History

Date       Change              Reason for Change          Version  Resp.
Apr 2014   Initial draft       Initial draft of document  1.0      LB
May 2014   Minor change        General improvements       1.1      LB
May 2015   Minor changes       Enhancements made          1.2      LB
June 2015  Minor changes       Enhancements made          1.3      KG
Sep 2015   Screenshot updates  LoadMaster WUI reskin      2.0      KG
Dec 2015   Release updates     Updates for 7.1-32         3.0      LB
Jan 2016   Minor updates       Updated Copyright Notices  4.0      LB
Mar 2016   Release updates     Updates for 7.1-34         5.0      LB
July 2016  Minor updates       Enhancements made          6.0      LB
Oct 2016   Release updates     Updates for 7.2.36         7.0      LB
Jan 2017   Release updates     Updates for 7.2.37         8.0      LB

Comments

order:

3.2.2.2.1 Specify RADIUS Authentication for All Users (Connection Request Policy)
Step 4 condition is missing

James Rago, Global Support Manager:

The condition is added in the next step; you do not see any conditions since it is not created yet.

Edited by James Rago, Global Support Manager