RADIUS/ACE Services
Issue 4 May 2005 125
Settings
RADIUS attempts before assuming failure - Integer from 1 to 10 indicating the number of attempts the security gateway makes before timing out with a failure. The default is 3.
RADIUS time-out before assuming failure - Time in seconds from 10 to 500. This value is the total number of seconds that the security gateway waits for a response from any specified RADIUS server before timing out with a failure. The default is 6 seconds.
RADIUS concepts
For additional user authentication, the VSUs support the Remote Authentication Dial-In User Service (RADIUS) protocol, thus providing stronger Client authentication and accounting mechanisms via third-party products such as Ascend Access Control™ and RSA Security ACE/Server™ AccessManager.
Using RADIUS, remote users must pass the RADIUS server’s authentication mechanism in order to connect to a corporate network. This authentication process is summarized as follows:
1. The user initiates communication with a VPN member.
2. The VPN traffic is processed by VPNremote and then sent to the target security gateway.
3. The security gateway identifies the incoming traffic as new VPN traffic and initiates a request to the RADIUS server for user authentication requirements.
4. The RADIUS server responds to the security gateway indicating that authentication is required.
5. The security gateway challenges the user to provide the required authentication information.
6. The user enters the required authentication information via a prompt displayed by VPNremote. This challenge response is sent back to the security gateway.
7. The security gateway forwards the challenge response to the RADIUS server.
8. The RADIUS server decides if the user has met the challenge, and if so, informs the security gateway that the user is authorized. The RADIUS server also forwards the user configuration details, known as user attributes, to the security gateway. These attributes specify VPN-specific information, including the cryptographic keys used for encryption.
9. The security gateway then allows VPN traffic to flow between the VPNremote Client and the VPN members.
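The gateway-to-RADIUS-server exchange described above, as an added Python example that is not code from this manual or from the VSU product. It models the RFC 2865 wire format: the gateway's Access-Request with the User-Password hidden under the Request Authenticator, the server's Access-Challenge carrying a State attribute that the second request echoes, and the Response Authenticator check that lets the gateway reject a reply not bound to its own request and shared secret. The shared secret, user names and State value are constructed sample values.

```python
import hashlib
import hmac
import os
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # RFC 2865 codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24  # attribute types

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)  # Type, Length, Value

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return dict(attrs)

def hide_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block);
    # this is obfuscation keyed by the shared secret, not strong encryption
    pw = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_request(ident, secret, username, password, state=None):
    # Gateway side: fresh 16-byte Request Authenticator, password hidden under it
    auth = os.urandom(16)
    attrs = [(USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, auth))]
    if state is not None:
        attrs.append((STATE, state))  # echoes the State from the server's Access-Challenge
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body

def password_matches(request, secret, expected):
    # Server side: re-hide the expected password under this request's authenticator and compare
    attrs = decode_attrs(request[20:])
    hidden = hide_password(expected, secret, request[4:20])
    return hmac.compare_digest(attrs.get(USER_PASSWORD, b""), hidden)

def build_response(code, request, secret, attrs):
    # Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def verify_response(response, request, secret):
    # Gateway side: accept only a reply bound to our request authenticator and the shared secret
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)
```

The retry and time-out settings listed under Settings bound how long the gateway waits for one of these responses before it reports a failure; a reply that fails `verify_response` should be dropped rather than counted as an answer.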
Two methods of user authentication—simple passwords and “one-time” passwords based on
two-factor authentication mechanisms—can be used to meet a variety of security, cost, and
convenience requirements. All RADIUS implementations support standard password
authentication, and many can be used in conjunction with RSA Security ACE/Server for
SecurID™ Token requirements.