Configuring RADIUS authentication in IAG

Applies To: Intelligent Application Gateway (IAG)

The RADIUS scheme uses the Remote Authentication Dial-In User Service (RADIUS) protocol to manage the exchange of authentication information in the internal network. When you use a RADIUS server for authentication in Whale Communications Intelligent Application Gateway (IAG) 2007, IAG and the RADIUS authentication server operate in client-server mode, in which IAG must be configured as a client of the RADIUS server.

Secret key

The RADIUS protocol uses a secret key, shared between IAG and the RADIUS server, to encrypt the credentials that the user enters in the login script. The authentication server then decrypts the data and compares it to its database.

Challenge-response modes

The RADIUS authentication scheme supports all the challenge-response authentication modes available on the RADIUS server.

Examples include allowing the user to create a new personal identification number (PIN), requiring the user to create a new PIN, requiring the user to enter the token that is displayed on the authenticator, and more.

RADIUS groups

You can configure the RADIUS authentication scheme to extract users' group membership from a RADIUS attribute.

RADIUS authentication flow

The following figure illustrates a sample authentication process that users go through when the RADIUS authentication scheme is implemented in a challenge-response mode. In this mode, the user can be challenged a number of times before the request is accepted, depending on the configuration of the RADIUS server.

Note

The flow allows for three login attempts, after which login failure is final. The actual number of login attempts users are allowed is determined in the Authentication tab, in Permitted Authentication Attempts.

RADIUS Authentication Scheme--Sample Flow


Configuring the RADIUS authentication server

It is the responsibility of the system administrator to configure the RADIUS server to operate in conjunction with the IAG client. In order to do so, take the following steps:

  1. Add IAG to the client list of the RADIUS server.

  2. Define the users that will be connecting through this client, to authenticate in a User-Login mode.

  3. Configure the challenge-response modes that will be used in the authentication process.

  4. Define the secret key that will be used to encrypt and decrypt the user password. This key must be identical to the secret key assigned to the authentication scheme when you define the RADIUS server in the IAG Configuration program, as described in Authenticating IAG sessions.

Note

In IAG Service Pack 2, the character limit for the user name field and for the password field is increased from 20 characters to 255 characters. This change was first introduced in IAG Service Pack 1, Update 2.