Overview
Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect to and use a network service.
NSC has a built-in RADIUS client, so you can easily connect it to your existing RADIUS services. (NSC does not provide a RADIUS server function.)
RADIUS Authentication and Authorization Flow:
RADIUS Accounting Flow:
Configuration
- Configure the following items:
  - "Radius Server Address": FQDN or IP address of the RADIUS service (Note: only one RADIUS profile is supported for now, so only one address can be configured);
  - "Authentication Port" and "Radius Accounting Port": Authentication and Authorization usually work on port 1812, and Accounting on port 1813;
  - "Radius Shared Secret": The secret that protects the connection itself; get it from your RADIUS administrator;
  - "Bind Local IP Address": The local NIC from which RADIUS requests are sent;
- When the Authentication/Authorization service is needed:
  - Make sure "Radius Server Address":"Authentication Port" is reachable;
  - Add the corresponding routing plan rules; Authentication/Authorization can only be used from within a routing plan (see next chapter);
- When the Accounting service is needed:
  - Set "Radius Server Accounting" to "Enable";
  - Make sure "Radius Server Address":"Radius Accounting Port" is reachable, or the call will be blocked; if your RADIUS Accounting Server is not ready yet, set "Radius Server Accounting" to "Disable";
  - An Accounting Start RADIUS message is sent to the RADIUS server when the call is connected, and an Accounting Stop RADIUS message is sent when the call is disconnected.
Below is an example of how to do Authentication/Authorization from within a Routing Plan:
<extension name="unitest_rad-ANI-auth"> |
The output channel variable "AUTH_RESULT" has two possible values:
a. "OK": received Access Accept
b. "NOK": received Access Reject
Adding VSAs for Authentication/Authorization
- Go to "Configuration -> Signalling -> RADIUS" and add a "RADIUS VSAs" entry named "Calling-Station_Id":
  - VSA Vender ID : 35987
  - VSA ID : 41
  - VSA Value Type : keep it untouched, which is "Direct String Input"
  - VSA Value : preferred_lang
  - VSA in Radius Message : "Response"
- Below is an example of how to use it in a routing plan:
<extension name="unitest_rad-ANI-auth"> |
Troubleshooting
- You can easily troubleshoot the RADIUS message flow by applying the display filter "radius" to a Wireshark pcap trace.
- NSC only has a RADIUS client function; for the RADIUS server, you can either use your existing RADIUS server, or download and install the great open source FreeRADIUS from www.freeradius.org
- VSAs for NetBorder (Vendor ID: 35987) can be found in file dictionary.sangoma
- If VSAs in a RADIUS message cannot be decoded correctly, your Wireshark may not have the correct RADIUS dictionary. In that case, do the following:
  - Open Wireshark, go to "Help -> About Wireshark -> Folders", and locate where dictionary.sangoma should be copied to (there is a radius sub-folder which contains a number of dictionary.* files);
  - Download the above dictionary.sangoma file, make sure the file name is dictionary.sangoma, and then copy it into the radius sub-folder;
  - Edit the radius/dictionary file and add one line: "$INCLUDE dictionary.sangoma"
- If your customized VSA cannot be recognized by Wireshark, edit dictionary.sangoma to add the attribute
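When Wireshark has no dictionary for the VSAs, a raw reply can also be decoded by hand. The sketch below walks the attributes of a RADIUS packet, extracts Vendor-Specific (type 26) sub-attributes such as Vendor ID 35987 / VSA ID 41, and checks the Response Authenticator against the shared secret as defined in RFC 2865. It is an added example, not NSC or Sangoma code; the secret, request authenticator, and packet bytes are constructed for illustration.

```python
import hashlib
import hmac
import struct

VENDOR_SPECIFIC = 26       # RFC 2865 attribute type that carries VSAs
SANGOMA_VENDOR_ID = 35987  # vendor ID from this page

def response_auth_ok(packet, request_auth, secret):
    """RFC 2865: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_vsas(packet):
    """Return (vendor_id, vendor_type, value) for each VSA sub-attribute."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    found, pos = [], 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", packet[pos + 2:pos + 6])[0]
            sub, end = pos + 6, pos + alen
            while sub + 2 <= end:
                vtype, vlen = packet[sub], packet[sub + 1]
                if vlen < 2 or sub + vlen > end:
                    raise ValueError("malformed vendor sub-attribute")
                found.append((vendor_id, vtype, packet[sub + 2:sub + vlen]))
                sub += vlen
        pos += alen  # skip to the next top-level attribute
    return found

# Constructed sample: an Access-Accept (code 2) with Reply-Message and one VSA.
SECRET = b"constructed-secret"   # placeholder, not a real shared secret
REQUEST_AUTH = bytes(range(16))  # authenticator of the matching Access-Request
_sub = bytes([41, 4]) + b"fr"    # VSA ID 41, constructed string value "fr"
_vsa = bytes([VENDOR_SPECIFIC, 6 + len(_sub)]) + struct.pack("!I", SANGOMA_VENDOR_ID) + _sub
_attrs = bytes([18, 4]) + b"ok" + _vsa  # 18 = Reply-Message
_hdr = struct.pack("!BBH", 2, 7, 20 + len(_attrs))
SAMPLE = _hdr + hashlib.md5(_hdr + REQUEST_AUTH + _attrs + SECRET).digest() + _attrs

if __name__ == "__main__":
    print("authenticator valid:", response_auth_ok(SAMPLE, REQUEST_AUTH, SECRET))
    for vendor, vtype, value in parse_vsas(SAMPLE):
        print(f"vendor={vendor} vsa_id={vtype} value={value!r}")
```

A failed authenticator check on a captured reply points to a mismatched "Radius Shared Secret" or a modified packet, which is worth ruling out before debugging the VSA contents.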