In the RADIUS authentication section you configure the settings for the RADIUS server used for VPN client authentication.
In the Password field you set the password that the RADIUS server receives as the user password attribute in the Access-Request.
The RADIUS server usually associates this password directly with a VPN peer for network access authorization. With IKEv2, however, the requesting VPN peer is not authorized by the RADIUS server; instead the LANCOM gateway authorizes it once the gateway has received the corresponding authorization in the Access-Accept message from the RADIUS server.
Accordingly, you enter a dummy password at this point.
Just click on RADIUS server to open the configuration dialog of the RADIUS server.
- Name: Specify an identifier for this entry.
- Server address: Specify the host name for the RADIUS server (IPv4, IPv6 or DNS address).
- Port: Specify the UDP port of the RADIUS server. The value "1812" is preset as the default value.
- Secret: This entry contains the shared secret used to authorize the LANCOM gateway at the RADIUS server. Note: Confirm the secret by entering it again into the field that follows.
- Protocols: From the drop-down menu, choose between the standard RADIUS protocol and the secure RADSEC protocol for RADIUS requests.
- Source address (optional): Enter the loopback address of the device, where applicable.
- Attribute values: LCOS facilitates the configuration of the RADIUS attributes used to communicate with a RADIUS server (for authentication and accounting). The attributes are specified as a semicolon-separated list of attribute numbers or names, each with a corresponding value, in the following form:
  <Attribute_1>=<Value_1>;<Attribute_2>=<Value_2>
  Because the number of characters is limited, the attribute name can be abbreviated; the abbreviation must be unique, however. Examples:
  - NAS-Port=1234 is not allowed, because the abbreviation is not unique (it matches NAS-Port, NAS-Port-Id and NAS-Port-Type).
  - NAS-Id=ABCD is allowed, because the abbreviation is unique (NAS-Identifier).
  The following placeholders can be used in the values:
  - %n: Device name
  - %e: Serial number of the device
  - %%: Percent sign
  - %{name}: Value of the original attribute as transferred by the RADIUS application. This allows attributes to be set from the original RADIUS attributes, for example: Called-Station-Id=%{NAS-Identifier} sets the attribute Called-Station-Id to the value of the attribute NAS-Identifier.
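To make the attribute-value syntax concrete, the following Python snippet is an added example (not LCOS code) that parses such a list, resolves abbreviated names against a small constructed subset of the RADIUS attribute dictionary, and expands the %n, %e, %% and %{name} placeholders. It assumes that a name is resolved by a unique, case-insensitive prefix match, which is how the page's NAS-Port and NAS-Id examples behave; the device name, serial number and original request attributes are constructed inputs.

```python
import re

# Constructed subset of standard RADIUS attribute names for the example.
# The real dictionary is much larger; the resolution rule is the same.
KNOWN_ATTRIBUTES = [
    "User-Name", "NAS-IP-Address", "NAS-Port", "NAS-Identifier",
    "NAS-Port-Id", "NAS-Port-Type", "Called-Station-Id",
    "Calling-Station-Id", "Framed-IP-Address",
]


class AttributeSpecError(ValueError):
    """Raised for an unknown or ambiguous attribute name or placeholder."""


def resolve_attribute(token, known=KNOWN_ATTRIBUTES):
    """Map a (possibly abbreviated) attribute name or number to its full name.

    Assumption: an abbreviation must be the prefix of exactly one known
    name (case-insensitive). 'NAS-Port' is therefore rejected, because
    NAS-Port, NAS-Port-Id and NAS-Port-Type all start with it, exactly as
    the page's example states.
    """
    if token.isdigit():
        return token  # numeric attribute id, passed through unchanged
    matches = [n for n in known if n.lower().startswith(token.lower())]
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise AttributeSpecError(f"unknown attribute {token!r}")
    raise AttributeSpecError(
        f"ambiguous abbreviation {token!r}: {', '.join(sorted(matches))}")


# %{name} -> group 1, any single-character placeholder (%n, %e, %%) -> group 2
_PLACEHOLDER_RE = re.compile(r"%(?:\{([^}]+)\}|(.))")


def expand_value(value, device_name, serial, original):
    """Expand the documented placeholders inside one attribute value."""
    def substitute(match):
        name = match.group(1)
        if name is not None:
            # %{name}: value of that attribute from the original request
            if name not in original:
                raise AttributeSpecError(f"no original attribute {name!r}")
            return original[name]
        code = match.group(2)
        if code == "n":
            return device_name
        if code == "e":
            return serial
        if code == "%":
            return "%"
        raise AttributeSpecError(f"unknown placeholder %{code}")
    return _PLACEHOLDER_RE.sub(substitute, value)


def parse_attribute_values(spec, device_name, serial, original=None,
                           known=KNOWN_ATTRIBUTES):
    """Parse '<Attr>=<Value>;<Attr>=<Value>' into {full_name: expanded_value}."""
    original = original or {}
    result = {}
    for item in spec.split(";"):
        item = item.strip()
        if not item:
            continue  # tolerate a trailing semicolon
        if "=" not in item:
            raise AttributeSpecError(f"missing '=' in {item!r}")
        name, _, value = item.partition("=")
        full_name = resolve_attribute(name.strip(), known)
        result[full_name] = expand_value(value.strip(), device_name, serial, original)
    return result


def validate_spec(spec, known=KNOWN_ATTRIBUTES):
    """Return None if the list is acceptable, otherwise the error message."""
    try:
        parse_attribute_values(spec, "device", "0", {}, known)
    except AttributeSpecError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed request: the RADIUS application delivered NAS-Identifier=vpn-gw
    original_request = {"NAS-Identifier": "vpn-gw"}
    print(parse_attribute_values(
        "Called-Station-Id=%{NAS-Identifier};Calling-S=%n-%e;User-N=100%%",
        "gw1", "4001234", original_request))
    print(validate_spec("NAS-Port=1234"))   # ambiguous, as the page says
    print(validate_spec("NAS-Id=ABCD"))     # None: unique prefix of NAS-Identifier
```

The validation runs with constructed placeholder inputs, so it checks only the syntax and the uniqueness rule, not what the RADIUS server will do with the values.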
- Backup profile: From the list of RADIUS server profiles, select a profile as the backup server.
- CoA active: Here you enable/disable CoA. The disconnect message is supported as a CoA message in order to disconnect a connected VPN user or a VPN peer. The CoA disconnect message must include the username in the RADIUS attribute "User-Name" as well as the attribute "NAS-IP-Address". Activating the function also requires Dynamic Authorization to be activated globally, and access for CoA clients must be configured.