RADIUS Configurations
If configured, CA Strong Authentication can serve as a RADIUS Server to the configured Network Access Server (NAS) or the RADIUS clients.
This section walks you through preparing request messages for the following:
- RADIUS Client
- RADIUS Server
RADIUS Client
The radiusClientConfigs element of the createRequest message is used to configure a RADIUS client. The following table lists the elements of this message:
| Element | Mandatory | Description |
| --- | --- | --- |
| name | No | Name for the configuration. |
| status | No | Status of the configuration. |
| radiusClient | No | Container for the client settings listed in the next table. |
| eapAuthTypeData | No | Certificate material that CA Strong Authentication Server presents when authType is EAP. Set one of the following: serverCertKeyPair/KeyPairInHSM, where serverCertKeyPair holds the CA Strong Authentication Server certificate chain in PEM format (the key pair is held in the HSM); or serverCertKeyPair/KeyPairInP12, where certKeyP12 holds the base64-encoded PKCS#12 file containing the CA Strong Authentication Server certificate and certKeyP12Password holds the password of that PKCS#12 file. |

The radiusClient element contains the following sub-elements:

| Sub-element | Description |
| --- | --- |
| authType | The authentication mechanism used for VPN authentication. Supported values: RADIUS OTP; In-Band Password (to use this method, configure credential type resolution); EAP. |
| description | A string that describes the RADIUS client and helps to identify it when multiple clients are configured. |
| maxPacketSize | The packet size for RADIUS messages exchanged with this client. |
| protocolVersion | The RADIUS version supported for the client being added. Supported values: 1.0, 2.0. |
| sharedSecret | The secret shared between the RADIUS client and CA Strong Authentication Server. In RADIUS this secret is the only key protecting request authentication and User-Password hiding, so use a long, random value per client and handle it as a credential. |
| additionalRADIUSAttributes | Attributes, as name-value pairs, that CA Strong Authentication Server returns in the response sent to the RADIUS client after successful authentication. |
| defaultOrg | Name of the default organization supported by the RADIUS client. Used in In-Band authentication to resolve the organization name during authentication. |
| orgsSupported | List of organizations supported by the RADIUS client; these organizations are configured at the global level. Used in In-Band authentication to resolve the organization name during authentication. |
| packetDropConditions | Conditions under which CA Strong Authentication Server does not process the RADIUS request. Possible values: 1102 (user not found); 5800 (credential not found); 1000 (internal error); 1051 (invalid request). |
| enableRetry | Whether the RADIUS client should resend the request to CA Strong Authentication Server if it receives no response. |
| retryWindow | When enableRetry is true, the number of seconds the client waits for a response. A retry arriving after this window is treated as invalid. |
RADIUS Server
CA Strong Authentication can also act as a RADIUS proxy: it forwards password-based authentication requests to other servers that speak the RADIUS protocol.
The radiusServerConfigs element of the createRequest message is used to configure the RADIUS servers that requests are proxied to. The following table lists the elements of this message:
| Element | Mandatory | Description |
| --- | --- | --- |
| name | No | Name for the configuration. |
| status | No | Status of the configuration. |
| isEnabled | No | Enables CA Strong Authentication Server to pass RADIUS requests to the configured RADIUS servers. |
| useSystemConfig | No | Whether to use the system-level configuration or the organization-level configuration. |
| radiusServers | No | One entry per backing RADIUS server, with the sub-elements listed in the next table. |

Each entry in radiusServers contains the following sub-elements:

| Sub-element | Description |
| --- | --- |
| authType | The authentication mechanism used for VPN authentication. Supported values: RADIUS OTP; In-Band Password. |
| description | A string that describes the RADIUS server and helps to identify it when multiple servers are configured. |
| maxPacketSize | The packet size for RADIUS messages exchanged with this server. |
| protocolVersion | The RADIUS version supported for the server being added. Supported values: 1.0, 2.0. |
| sharedSecret | The symmetric secret shared between the RADIUS server and CA Strong Authentication Server. Use a distinct, long, random value for each server. |
| additionalRADIUSAttributes | Attributes, as name-value pairs, that CA Strong Authentication Server forwards to the RADIUS server. |
| ipAddress | The IP address of the RADIUS server. RADIUS carries everything except the User-Password field in the clear, so the path to this address should be a trusted network or an encrypted tunnel. |
| port | The port on which the RADIUS server listens. |
| readTimeout | The maximum time to wait for a response from the RADIUS server. |
| retryCount | The number of times CA Strong Authentication Server retries the RADIUS server when it receives no response from that server. |
| failoverOrder | When multiple servers are configured, the priority of this server. On failover, requests are sent to the next server in this order. |
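Both tables above describe element names but not an assembled request. The following added example, which is not CA Strong Authentication's own code, builds radiusClientConfigs and radiusServerConfigs fragments from plain dicts, checks the points a practitioner trips over (weak sharedSecret, unknown packetDropConditions codes, a defaultOrg missing from orgsSupported, enableRetry without retryWindow, duplicate failoverOrder values) and emits the servers in failover order. Only the element names come from this page; the SOAP envelope and namespace, the child element names used for list-valued elements (attribute, org, condition, radiusServer), the status value "ACTIVE" and the 22-character secret minimum are assumptions, as are the sample addresses and organizations.

```python
"""Build radiusClientConfigs and radiusServerConfigs fragments for a createRequest.
Added example, not CA Strong Authentication's own code. Element names come from the
tables on this page; the SOAP envelope and namespace are omitted, and the child names
for list-valued elements (attribute, org, condition, radiusServer), the status value
"ACTIVE" and MIN_SECRET_LEN are assumptions."""
import secrets
import xml.etree.ElementTree as ET

# packetDropConditions codes documented on this page (code -> meaning).
PACKET_DROP_CODES = {1102: "user not found", 5800: "credential not found",
                     1000: "internal error", 1051: "invalid request"}
CLIENT_AUTH_TYPES = {"RADIUS OTP", "In-Band Password", "EAP"}
MIN_SECRET_LEN = 22  # assumption: the page sets no minimum; ~128 bits of url-safe base64

def new_shared_secret(nbytes: int = 32) -> str:
    """RADIUS secret: keys the MD5 authenticator and password hiding, so random and long."""
    return secrets.token_urlsafe(nbytes)

def _add(parent, tag, text=None):
    el = ET.SubElement(parent, tag)
    if text is not None:
        el.text = str(text)
    return el

def validate_client(cfg: dict) -> list:
    """Return the problems found in a radiusClient config; [] means acceptable."""
    problems = []
    if cfg.get("authType") not in CLIENT_AUTH_TYPES:
        problems.append("authType must be one of %s" % sorted(CLIENT_AUTH_TYPES))
    if len(cfg.get("sharedSecret", "")) < MIN_SECRET_LEN:
        problems.append("sharedSecret shorter than %d characters" % MIN_SECRET_LEN)
    bad = [c for c in cfg.get("packetDropConditions", []) if c not in PACKET_DROP_CODES]
    if bad:
        problems.append("unknown packetDropConditions codes %s" % bad)
    # In-Band Password resolves the organization from defaultOrg and orgsSupported.
    if (cfg.get("authType") == "In-Band Password"
            and cfg.get("defaultOrg") not in cfg.get("orgsSupported", [])):
        problems.append("defaultOrg must be listed in orgsSupported")
    if cfg.get("enableRetry") and not cfg.get("retryWindow"):
        problems.append("enableRetry=true needs a retryWindow in seconds")
    return problems

def build_radius_client_configs(cfg: dict) -> ET.Element:
    """radiusClientConfigs fragment; the caller wraps it in the createRequest."""
    root = ET.Element("radiusClientConfigs")
    _add(root, "name", cfg["name"])
    _add(root, "status", cfg.get("status", "ACTIVE"))  # assumption: status value
    rc = _add(root, "radiusClient")
    for tag in ("authType", "description", "maxPacketSize", "protocolVersion",
                "sharedSecret", "defaultOrg"):
        if tag in cfg:
            _add(rc, tag, cfg[tag])
    attrs = _add(rc, "additionalRADIUSAttributes")
    for n, v in cfg.get("additionalRADIUSAttributes", {}).items():
        pair = _add(attrs, "attribute")  # assumption: name of the pair element
        _add(pair, "name", n)
        _add(pair, "value", v)
    orgs = _add(rc, "orgsSupported")
    for org in cfg.get("orgsSupported", []):
        _add(orgs, "org", org)  # assumption
    drops = _add(rc, "packetDropConditions")
    for code in cfg.get("packetDropConditions", []):
        _add(drops, "condition", code)  # assumption
    _add(rc, "enableRetry", str(bool(cfg.get("enableRetry"))).lower())
    if cfg.get("enableRetry"):
        _add(rc, "retryWindow", cfg["retryWindow"])
    return root

def build_radius_server_configs(name: str, servers: list) -> ET.Element:
    """radiusServerConfigs fragment; servers emitted by failoverOrder, which must be unique."""
    orders = [s["failoverOrder"] for s in servers]
    if len(orders) != len(set(orders)):
        raise ValueError("failoverOrder values must be unique")
    root = ET.Element("radiusServerConfigs")
    _add(root, "name", name)
    _add(root, "isEnabled", "true")
    _add(root, "useSystemConfig", "false")
    group = _add(root, "radiusServers")
    for s in sorted(servers, key=lambda s: s["failoverOrder"]):
        srv = _add(group, "radiusServer")  # assumption
        for tag in ("authType", "ipAddress", "port", "sharedSecret", "maxPacketSize",
                    "protocolVersion", "readTimeout", "retryCount", "failoverOrder"):
            if tag in s:
                _add(srv, tag, s[tag])
    return root

# Constructed sample input; not a real deployment.
SAMPLE_CLIENT = {
    "name": "vpn-nas-1", "authType": "In-Band Password", "description": "Edge VPN NAS",
    "maxPacketSize": 4096, "protocolVersion": "2.0", "sharedSecret": new_shared_secret(),
    "defaultOrg": "corp", "orgsSupported": ["corp", "contractors"],
    "packetDropConditions": [1102, 5800], "enableRetry": True, "retryWindow": 30,
    "additionalRADIUSAttributes": {"Class": "vpn-users"}}
SAMPLE_SERVERS = [
    {"authType": "RADIUS OTP", "ipAddress": "10.0.0.12", "port": 1812, "failoverOrder": 2,
     "sharedSecret": new_shared_secret(), "readTimeout": 5, "retryCount": 2},
    {"authType": "RADIUS OTP", "ipAddress": "10.0.0.11", "port": 1812, "failoverOrder": 1,
     "sharedSecret": new_shared_secret(), "readTimeout": 5, "retryCount": 2}]

if __name__ == "__main__":
    print(ET.tostring(build_radius_client_configs(SAMPLE_CLIENT), encoding="unicode"))
    print(ET.tostring(build_radius_server_configs("otp-proxy", SAMPLE_SERVERS), encoding="unicode"))
```

Run validate_client before building and reject the request if it returns anything; the server refuses badly formed requests, but a weak sharedSecret or an unreachable defaultOrg is accepted silently and only shows up as failed VPN logins later. Generate each sharedSecret with new_shared_secret and never reuse one across clients or proxy targets, since a NAS that leaks its secret would otherwise be able to forge responses for every other client.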