Integrating With Radius

From iDENprotect Knowledge Base


Introduction

Radius is a very widely supported protocol for integrating services such as VPNs. This guide describes how to integrate such services with idenprotect.

In this guide, a service that makes Radius Authentication Requests is referred to as a NAS (Network Access Server).

Prerequisites

The following servers need to be installed and running:

idenprotect Core Platform

idenprotect Authentication Portal

idenprotect User Portal

idenprotect Radius Server


Configuring the NAS

The NAS will need to be configured to make Radius Requests to the idenprotect Radius Server. For this, the IP address of the Radius Server and the shared secret will be required.

The IP address will be the IP address of the server on which the idenprotect Radius Server was installed. This will normally be the internal IP address of the server.

The shared secret will need to match the shared secret set in the service provider configuration on the Authentication Portal; see the next section and Authentication Portal Service Provider Configuration.
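As an added illustration of why the shared secret must be identical on both sides (this is example code, not code from the idenprotect Radius Server or this wiki): a Python sketch of the RFC 2865 Response Authenticator check a NAS performs on every reply from the Radius Server. The secret values and the username are constructed placeholders.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and the User-Name attribute type, per RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME = 1

def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS attributes: 1-byte type, 1-byte length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_request(identifier, attrs, request_auth):
    """Build an Access-Request as the NAS would; request_auth is the 16 random bytes it chose."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth + body

def build_response(code, identifier, request_auth, attrs, secret):
    """Server reply: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def verify_response(packet, request_identifier, request_auth, secret):
    """NAS-side check of a reply using the NAS's own copy of the shared secret.
    Returns (accepted, authenticator_valid); a reply that fails the check is never accepted."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False, False
    code, identifier = packet[0], packet[1]
    if identifier != request_identifier:  # reply must answer the request we actually sent
        return False, False
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    valid = hmac.compare_digest(expected, resp_auth)
    return (valid and code == ACCESS_ACCEPT), valid

def demo():
    """Constructed exchange: one Access-Accept checked with a matching and a mismatched secret."""
    shared_secret = b"constructed-secret"       # placeholder value configured on both NAS and portal
    mismatched = b"constructed-secret-typo"     # what a mis-typed secret on one side looks like
    request_auth = os.urandom(16)
    build_request(7, [(USER_NAME, b"jdoe")], request_auth)  # constructed username sent by the NAS
    accept = build_response(ACCESS_ACCEPT, 7, request_auth, [], shared_secret)
    return (verify_response(accept, 7, request_auth, shared_secret),
            verify_response(accept, 7, request_auth, mismatched))
```

A reply whose authenticator does not verify is silently discarded by the NAS, so a shared secret that differs between the NAS and the portal typically shows up as request timeouts on the NAS rather than as an explicit rejection.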


Configuring Authentication Portal

Authentication Portal Service Provider Configuration provides general instructions for adding a service provider to the Authentication Portal.

Specifically for a Radius Service Provider:

  • The shared secret must match the shared secret set on the NAS
  • The SSO URL must match the URL to which the login form is submitted when the user authenticates to the NAS

Attributes

It may be that the NAS expects a username other than the user's idenprotect username (usually the email address).

For example, if the NAS expects the user's sAMAccountName, the following configuration steps are required:

  • Create a mapping for an extra LDAP attribute that maps sAMAccountName to a new attribute, e.g. radiusUserName
  • On the SAML Attribute setting for the NAS, create a mapping from username to radiusUserName

This means that when the user authenticates to the NAS, their sAMAccountName will be used as the username.

If the login form requires additional attributes, they can be mapped in the same way, as described in Authentication Portal Service Provider Configuration.