Scenario: Authenticating dial-up connections with RADIUS NAS

A Network Access Server (NAS) running on the system can route authentication requests from dial-in clients to a separate Remote Authentication Dial In User Service (RADIUS) server. If the user is authenticated, the RADIUS server can also control the IP addresses assigned to the user.

Situation

Your corporate network has remote users dialing into two systems from a distributed dial-up network. You need to centralize authentication, service, and accounting, allowing one system to handle requests for validating user IDs and passwords and for determining which IP addresses are assigned to them.

Figure 1. Authenticating dial up connections with a RADIUS server

Solution

When users attempt to connect, the NAS running on the systems forwards the authentication information to a RADIUS server on the network. The RADIUS server, which maintains all authentication information for your network, processes the authentication request and responds. If the user is validated, the RADIUS server can also be configured to assign the peer's IP address, and can activate accounting to track user activity and usage. To support RADIUS, you must define the RADIUS NAS server on the system.

Sample configuration

To set up a sample configuration from IBM® Navigator for i, follow these steps:

  1. In IBM Navigator for i, expand IBM i Management > Network > All Tasks > Remote Access Services and select Services.
  2. On the RADIUS tab, select Enable RADIUS Network Access Server connection, and Enable RADIUS for authentication. Depending on your RADIUS solution, you can also choose to have RADIUS handle connection accounting and TCP/IP address configuration.
  3. Click the RADIUS NAS settings button.
  4. On the General page, enter a description for this server.
  5. On the Authentication Server (and optionally Accounting Server) pages, click Add and enter the following information:
    1. In the Local IP address box, enter the IP address for the interface that is used to connect to the RADIUS server.
    2. In the Server IP address box, enter the IP address for the RADIUS server.
    3. In the Password box, enter the password that is used to identify the system to the RADIUS server.
    4. In the Port box, enter the port on the system that is used to communicate with the RADIUS server. The defaults are port 1812 for the authentication server and port 1813 for the accounting server.
  6. Click OK.
  7. In IBM Navigator for i, expand IBM i Management > Network > Remote Access Services and select Receiver Connection Profiles.
  8. Select the Connection profile that will use the RADIUS server for authentication. RADIUS services are only applicable for receiver connection profiles.
  9. On the Authentication page, select Require this system to verify the identity of the remote system.
  10. Select Authenticate remotely using a RADIUS server.
  11. Select the authentication protocol (PAP or CHAP-MD5). The same protocol must also be configured on the RADIUS server.
  12. Select Use RADIUS for connection editing and accounting.
  13. Click OK to save the change to the connection profile.

You must also set up the RADIUS server, including support for the authentication protocol, user data, passwords, and accounting information. Refer to your RADIUS vendor for more information.

When users dial in using this connection profile, the system forwards the authentication information to the specified RADIUS server. If the user is validated, the connection is allowed, and it uses any connection restrictions specified in the user's entry on the RADIUS server.
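The exchange described above, as an added example that is not part of the original IBM page: a minimal RADIUS/PAP Access-Request and Access-Accept per RFC 2865, in which the NAS hides the user's PAP password under the shared secret (the Password from step 5), the server answers with the assigned address as Framed-IP-Address, and the NAS verifies the Response Authenticator before trusting the reply. The secret, user record and addresses are constructed values, and the function names are this example's own.

```python
import hashlib, ipaddress, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3                    # RADIUS codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 2, 4, 8  # attribute types

def pap_xor(data, secret, authenticator, hide):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block); hide=False undoes it."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        blk = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + blk, (blk if hide else data[i:i + 16])   # chain on the hidden block
    return out

def encode(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)  # TLV attributes
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode(packet):
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        t, l = packet[pos], packet[pos + 1]
        attrs[t], pos = packet[pos + 2:pos + l], pos + max(l, 2)   # bad length cannot stall loop
    return packet[0], packet[1], packet[4:20], attrs              # code, id, authenticator, attrs

def nas_access_request(user, password, secret, nas_ip, ident=7):
    """NAS side: fresh random Request Authenticator, PAP password hidden under the shared secret."""
    ra = os.urandom(16)
    return encode(ACCESS_REQUEST, ident, ra, [(USER_NAME, user.encode()),
        (USER_PASSWORD, pap_xor(password.encode(), secret, ra, hide=True)),
        (NAS_IP_ADDRESS, ipaddress.ip_address(nas_ip).packed)])

def server_reply(request, secret, users):
    """Server side: check the PAP password; an Accept carries the Framed-IP-Address to assign."""
    _, ident, ra, a = decode(request)
    user = a.get(USER_NAME, b"").decode(errors="replace")
    pw = pap_xor(a.get(USER_PASSWORD, b""), secret, ra, hide=False).rstrip(b"\x00")
    ok = user in users and pw == users[user][0].encode()
    pkt = encode(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, ra,
                 [(FRAMED_IP_ADDRESS, ipaddress.ip_address(users[user][1]).packed)] if ok else [])
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return pkt[:4] + hashlib.md5(pkt[:4] + ra + pkt[20:] + secret).digest() + pkt[20:]

def nas_check_reply(request, reply, secret):
    """NAS side: honour a reply only if its Response Authenticator binds it to our request and secret."""
    _, ident, ra, _ = decode(request)
    code, rident, resp_auth, a = decode(reply)
    if rident != ident or resp_auth != hashlib.md5(reply[:4] + ra + reply[20:] + secret).digest():
        return None                                   # forged, replayed or mismatched reply: drop it
    return str(ipaddress.ip_address(a[FRAMED_IP_ADDRESS])) if code == ACCESS_ACCEPT and FRAMED_IP_ADDRESS in a else None
```

Running `nas_check_reply(req, server_reply(req, secret, users), secret)` on a request for a known user returns the assigned address as a string; a reply built with a different secret, a tampered attribute, or a wrong password yields None.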