Steel-Belted RADIUS (10.x)

Post by jono » 13 May 2008, 14:59

This How-to applies to:
  • Clavister CorePlus 8.x, 9.x
  • Clavister cOS Core 10.x
  • Steel-Belted RADIUS 5.3.0
This article shows how to set up User Authentication on the Clavister Security Gateway so that users are validated against a machine running Steel-Belted RADIUS.

Topics covered in this document
  • Configuring Steel-Belted RADIUS
  • Configuring Clavister Security Gateway

Configuring Steel-Belted RADIUS

Clavister Vendor Specific attributes
Steel-Belted RADIUS must tell the Clavister Security Gateway which user group (or groups) an authenticated user belongs to. It does this by returning a Vendor-Specific Attribute (VSA) to the Clavister Security Gateway in the Access-Accept for that user, as part of the remote policy; the gateway then matches the group name against its own authentication rules.

To add the Clavister Security Gateway Vendor Specific attributes, create a file called clavister.dct in the Services directory with the following content:

    ################################################################################
    # clavister.dct - Clavister Security Gateway (8.60.02 or later) dictionary
    # 
    # (See README.DCT for more details on the format of this file)
    ################################################################################
    
    #
    # Use the RADIUS specification attributes in lieu of the Clavister ones
    #
    @radius.dct
    
    #
    # Define additional Clavister Security Gateway parameters
    # (add CSGW specific attributes below)
    MACRO   CSGW-VSA(type,syntax)     26  [vid=5089 type1=%type% len1=+2 data=%syntax%]
    
    # For User-Groups
    ATTRIBUTE Clavister-User-Group CSGW-VSA(1, string)  R
    
    ################################################################################
    # clavister.dct - Clavister Security Gateway (8.60.02 or later) dictionary
    ################################################################################
Then make sure the new dictionary is actually loaded. Dictionaries are included from the file dictiona.dcm in the same Services directory, so add the line @clavister.dct to it (the file is a list of includes; keep it in alphabetical order with the existing entries):

    @ciscoap.dct
    @cisco-ssg.dct
    @clavister.dct
    @colubris.dct
    @compaq.dct
To make the dictionary selectable as a vendor product when the client is added, a Clavister Security Gateway entry must be added to vendor.ini. The new entry is the middle block below; the Cisco SSG and Colubris entries around it are existing lines shown only to indicate where it goes:

    vendor-product       = Cisco Service Selection Gateway
    dictionary           = cisco-ssg
    ignore-ports         = no
    port-number-usage    = per-port-type
    help-id              = 
    
    vendor-product       = Clavister Security Gateway
    dictionary           = clavister
    ignore-ports         = no
    port-number-usage    = per-port-type
    help-id              = 
    
    vendor-product       = Colubris Wireless LAN Routers
    dictionary           = Colubris
    ignore-ports         = no
    port-number-usage    = per-port-type
    help-id              = 2152
When this is done, restart Steel-Belted RADIUS so that the new dictionary and vendor entry are loaded.

Adding a client
In order for the Clavister Security Gateway to be allowed to talk to Steel-Belted RADIUS it has to be added as a RADIUS client, with Clavister Security Gateway selected as the vendor product.

The Key is the RADIUS shared secret. It never travels on the wire itself; both sides use it to hide the User-Password attribute in the Access-Request (RFC 2865 XORs the password with an MD5 keystream derived from the secret and the Request Authenticator) and to compute the Response Authenticator that the gateway checks on every reply. Anyone who learns or guesses the secret can therefore recover user passwords from captured Access-Requests and forge replies, so choose it with at least the care you would give a strong password: long, random, not a dictionary word. The Clavister Security Gateway supports shared secrets of up to 100 characters, and the secret is case-sensitive, so it must match exactly on both sides.
[Screenshot: client.png, the Clavister Security Gateway added as a RADIUS client]
Setting up users
The easiest way to set up the users is to add them as local users in Steel-Belted RADIUS.
[Screenshot: user.png, a local user with the Clavister-User-Group return attribute]
This validates the users against the built-in user database and returns the Clavister-User-Group attribute with the value "users" to the Clavister Security Gateway. If a user needs to belong to more than one group, separate the group names with a "," (for example users,admins). The Security Gateway compares these group names with the groups entered in the User Authentication tab of the network object.

Configuring Clavister Security Gateway
This is described in the Knowledge Base article "Linking Active Directory with Clavister Security Gateway User Authentication", in the section "Configuring User Authentication on the Clavister Security Gateway", which can be found here: viewtopic.php?f=8&t=3423

Note: use PAP rather than CHAP. With CHAP the RADIUS server has to recompute the CHAP response itself, so it needs every user's password in plain text or in some reversibly encrypted form; with PAP the server receives the password and can verify it against a one-way hash. The trade-off is that with PAP the password crosses the network inside the Access-Request, protected only by the shared-secret hiding, so keep the RADIUS traffic on a trusted management network and use a strong secret.
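
The following is an added example and is not code from the original article, from Clavister or from Steel-Belted RADIUS. It puts the pieces above together in one PAP exchange: the gateway (NAS role) hides the password with the shared secret, the server checks it against a local user table and returns the Clavister-User-Group VSA laid out exactly as the CSGW-VSA macro in clavister.dct describes (type 26, vendor id 5089, vendor type 1, length +2, comma-separated string), and the gateway verifies the Response Authenticator before it trusts the group list. The secret, the user "alice", her password and groups, and the function names are constructed for the demonstration.

```python
# Added example, not from the original article: one PAP Access-Request / Access-Accept
# exchange between the gateway (NAS role) and a RADIUS server. All data is constructed.
import hashlib
import hmac
import os
import struct

CLAVISTER_VENDOR_ID = 5089      # vid=5089 in the CSGW-VSA macro of clavister.dct
VSA_USER_GROUP = 1              # vendor type 1 = Clavister-User-Group
A_USER_NAME, A_USER_PASSWORD, A_VENDOR_SPECIFIC = 1, 2, 26
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def attr(atype, value):
    """RADIUS attribute TLV: Type, Length (counts these 2 header bytes), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def user_group_vsa(groups):
    """Type 26, Vendor-Id 5089, vendor type 1, vendor length (+2), comma-joined
    group string: the layout that CSGW-VSA(1, string) in the dictionary describes."""
    data = ",".join(groups).encode()
    inner = struct.pack("!IBB", CLAVISTER_VENDOR_ID, VSA_USER_GROUP, 2 + len(data)) + data
    return attr(A_VENDOR_SPECIFIC, inner)

def xor_stream(data, secret, request_auth, decrypt):
    """RFC 2865 5.2 User-Password hiding: block i is XORed with MD5(secret +
    ciphertext block i-1); the Request Authenticator seeds block 0."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + res, (block if decrypt else res)
    return out

def hide_password(password, secret, request_auth):
    pw = password.encode()
    return xor_stream(pw + b"\x00" * (-len(pw) % 16), secret, request_auth, False)

def unhide_password(hidden, secret, request_auth):
    return xor_stream(hidden, secret, request_auth, True).rstrip(b"\x00")

def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def parse_attrs(pkt):
    """Yield (type, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("malformed attribute")
        yield atype, pkt[pos + 2:pos + alen]
        pos += alen

def nas_access_request(ident, username, password, secret):
    """Gateway side: fresh random Request Authenticator, PAP password hidden."""
    req_auth = os.urandom(16)
    attrs = attr(A_USER_NAME, username.encode())
    attrs += attr(A_USER_PASSWORD, hide_password(password, secret, req_auth))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)

def radius_server(request, secret, users):
    """Server side: recover the PAP password, check it against the local user
    table and answer with the user's groups in the Clavister-User-Group VSA."""
    ident, req_auth = request[1], request[4:20]
    fields = dict(parse_attrs(request))
    password = unhide_password(fields[A_USER_PASSWORD], secret, req_auth)
    entry = users.get(fields[A_USER_NAME].decode())
    if entry is None or not hmac.compare_digest(entry["password"].encode(), password):
        code, attrs = ACCESS_REJECT, b""
    else:
        code, attrs = ACCESS_ACCEPT, user_group_vsa(entry["groups"])
    return packet(code, ident, response_authenticator(code, ident, attrs, req_auth, secret), attrs)

def nas_check_reply(request, reply, secret):
    """Gateway side: verify the Response Authenticator with the shared secret
    before trusting the reply, then pull the group list out of the VSA."""
    code, ident, attrs = reply[0], reply[1], reply[20:]
    expected = response_authenticator(code, ident, attrs, request[4:20], secret)
    if ident != request[1] or not hmac.compare_digest(expected, reply[4:20]):
        return False, []
    groups = []
    for atype, value in parse_attrs(reply):
        if atype == A_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CLAVISTER_VENDOR_ID:
            vtype, vlen = value[4], value[5]
            if vtype == VSA_USER_GROUP:
                groups += value[6:4 + vlen].decode().split(",")
    return code == ACCESS_ACCEPT, groups

# Constructed demonstration data, not taken from the article.
SECRET = b"example-shared-secret-change-me"
USERS = {"alice": {"password": "Correct-Horse-42", "groups": ["users", "admins"]}}

def demo(username="alice", password="Correct-Horse-42", nas_secret=SECRET, server_secret=SECRET):
    """Run one exchange and return (accepted, groups) as the gateway would see it."""
    request = nas_access_request(7, username, password, nas_secret)
    reply = radius_server(request, server_secret, USERS)
    return nas_check_reply(request, reply, nas_secret)
```

Calling demo() returns (True, ['users', 'admins']), which is the comma-separated group string split back into the names the gateway compares against its authentication rules. demo(password="wrong") and demo(server_secret=b"mismatched") both return (False, []): with a mismatched secret the server unhides garbage and rejects, and even a forged or mis-keyed Access-Accept fails the Response Authenticator check on the gateway side, which is the reason the secret must be strong and identical on both ends. The server only needs the plain-text password because this is PAP; it could just as well compare against a salted hash, whereas a CHAP server must hold the clear password to recompute the response.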
