Configuring RADIUS authentication in IAG
Applies To: Intelligent Application Gateway (IAG)
The RADIUS scheme uses the Remote Authentication Dial-In User Service (RADIUS) protocol to manage the exchange of authentication information in the internal network. When you use a RADIUS server for authentication in Whale Communications Intelligent Application Gateway (IAG) 2007, IAG and the RADIUS authentication server operate in client-server mode, and IAG must be configured as a client of the RADIUS server.
Secret key
The RADIUS protocol utilizes a secret key to encrypt the credentials that the user enters in the login script. The authentication server then decrypts the data and compares it to its database.
Challenge-response modes
The RADIUS authentication scheme supports all the challenge-response authentication modes available on the RADIUS server.
Examples include allowing the user to create a new personal identification number (PIN), requiring the user to create a new PIN, requiring the user to enter the token that is displayed on the authenticator, and more.
RADIUS groups
You can configure the RADIUS authentication scheme to extract users' group membership from a RADIUS attribute.
RADIUS authentication flow
The following figure illustrates a sample authentication process that users go through when the RADIUS authentication scheme is implemented in a challenge-response mode. In this mode, the user can be challenged a number of times before the request is accepted, depending on the configuration of the RADIUS server.
Note
The flow allows for three login attempts, after which login failure is final. The actual number of login attempts users are allowed is determined in the Authentication tab, in Permitted Authentication Attempts.
RADIUS Authentication Scheme--Sample Flow
Configuring the RADIUS authentication server
It is the responsibility of the system administrator to configure the RADIUS server to operate in conjunction with the IAG client. To do so, take the following steps:
Add IAG to the client list of the RADIUS server.
Define the users who will connect through this client, so that they authenticate in User-Login mode.
Configure the challenge-response modes that will be used in the authentication process.
Define the secret key that will be used to encrypt and decrypt the user password. This key must be identical to the secret key assigned to the authentication scheme when you define the RADIUS server in the IAG Configuration program, as described in Authenticating IAG sessions.
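The role of the secret key described under Secret key and in the last step above, as an added example (not code from IAG or from this page): a Python sketch of the User-Password hiding defined in RFC 2865, section 5.2, showing that the server recovers the password only when its secret is identical to the client's. The function names are hypothetical, and the secrets, password and Request Authenticator are constructed sample values.

```python
import hashlib

BLOCK = 16  # MD5 digest size; the password is masked in 16-octet blocks


def _mask(secret: bytes, prev: bytes) -> bytes:
    return hashlib.md5(secret + prev).digest()


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS client side (IAG's role): mask the password with the shared secret."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    # Pad with NUL octets to a multiple of 16 (at least one block).
    size = max(BLOCK, -(-len(password) // BLOCK) * BLOCK)
    padded = password.ljust(size, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, size, BLOCK):
        # Each block is XORed with MD5(secret + previous ciphertext block).
        prev = bytes(p ^ m for p, m in zip(padded[i:i + BLOCK], _mask(secret, prev)))
        hidden += prev
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS server side: undo the masking with the server's copy of the secret."""
    if not hidden or len(hidden) % BLOCK or len(authenticator) != BLOCK:
        raise ValueError("malformed User-Password or authenticator")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        plain += bytes(c ^ m for c, m in zip(block, _mask(secret, prev)))
        prev = block
    return plain.rstrip(b"\x00")


# Constructed sample values (not from the page).
AUTHENTICATOR = bytes(range(16))       # normally 16 random octets per request
IAG_SECRET = b"sample-shared-secret"   # secret assigned to the IAG scheme
PASSWORD = b"correct horse battery"    # 21 octets, so two blocks


def server_accepts(server_secret: bytes) -> bool:
    """True when the server recovers the password that the client sent."""
    hidden = hide_password(PASSWORD, IAG_SECRET, AUTHENTICATOR)
    return reveal_password(hidden, server_secret, AUTHENTICATOR) == PASSWORD


if __name__ == "__main__":
    print("identical secrets :", server_accepts(IAG_SECRET))
    print("mismatched secrets:", server_accepts(b"sample-shared-secreT"))
```

A single differing character in the server's secret produces a different mask, so the recovered value does not match the stored password and the login fails even though the user typed it correctly.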
Note
In IAG Service Pack 2, the character limit for the user name field and for the password field is increased from 20 characters to 255 characters. This change was first introduced in IAG Service Pack 1, Update 2.