Chapter 9: Configuring the Server
Perle 833IS User Guide
ARA clients are not supported in this mode.
RADIUS
RADIUS (Remote Authentication Dial-In User Service) is an open standard
network security protocol. It can be used to centralize the authentication and
accounting functions for any number of RAS (Remote Access Server) units. A
RADIUS server authenticates users by matching the user name and password with a
user record in its internal database.
When the remote client connects, it will communicate with the 833IS using the
CHAP or PAP protocol. Regardless of the protocol used to exchange the password
information with the client, the 833IS will always ensure that the password is
encrypted before it is sent to the RADIUS server. If the user ID and password
provided by the client match the user ID and password within the RADIUS server,
the user will be granted access to the 833IS. If any additional parameters were
specified for the user on the RADIUS server, they will be forwarded to the 833IS at
this time.
If RADIUS authentication has been configured on the 833IS, all users who attempt
to gain access to the 833IS will have to have records on the RADIUS server. The
local user database will not be used to authenticate users. This includes users who
have administrator privileges. You can add a user record to the internal 833IS user
database to define attributes not supported within RADIUS. The user ID field must
match the user ID stored in RADIUS; the password in the internal user database will
not be used. If a local user database entry exists for a user, it will only be used after
the user has been successfully authenticated by the RADIUS server.
Sequence of events for RADIUS authentication:
1. PC dials in and is prompted for a user name and password. User enters the
information which is then forwarded to the 833IS.
2. The 833IS will forward the user name and password to the RADIUS
authentication server. If necessary, the password is first encrypted by the 833IS.
3. The RADIUS authentication server indicates to the 833IS if the user is
authenticated. If authentication is rejected, the 833IS will notify the user.
4. If the user is authenticated, the 833IS looks for a local user record for the user.
If one is found, it is loaded into the working user record. If no local user is found,
the standard user record will be used.
5. The RADIUS server may return some configured parameters for the user. If it
does, these parameters will take precedence over existing parameters in the
working user record.