RADIUS client configuration

Setting up the WTI device for RADIUS login support via CLI. 


First, log in to the WTI device. After login, issue these commands:

/n

29

This will get you to the RADIUS configuration screen with its default values as shown below:


The WTI RADIUS client configuration screen in its default state.

What the menu options mean.

Enable: Whether a RADIUS request is sent on a login attempt.

Primary Host/Address: The first RADIUS server tried on a login attempt.

Primary Secret Word: The Secret Word (or Password) of the Primary Host/Address.

Secondary Host/Address: The second RADIUS server, tried on a login attempt when the Fallback Timer expires after trying to access the Primary Host/Address.

Secondary Secret Word: The Secret Word (or Password) of the Secondary Host/Address.

Fallback Timer: Determines how long the WTI unit will continue to attempt to contact the Primary Host/Address before trying the Secondary Host/Address.

Fallback Local: Determines what action to take if the RADIUS authentication login attempt fails for any reason.

Off : The attempt is over and the user fails the login process.

On (All failures) : When all RADIUS options are tried and failed for any reason, including the RADIUS servers being down or username/password failure, the username and password will be tried locally on the WTI device.

On (Transport failure) : When all RADIUS options are tried and failed because of the RADIUS servers being down, the username and password will be tried locally on the WTI device.

Retries: Determines how many times the WTI device will attempt to contact the Primary Host/Address and Secondary Host/Address.

Authentication Port: The port number that the RADIUS servers use for authentication.

Accounting Port: The port number that the RADIUS servers use for accounting.

Default User Access: If the RADIUS servers do not have WTI’s Vendor-Specific Attributes (VSA) defined for users and the WTI RADIUS Dictionary file has not been installed on the RADIUS servers, by default a logged-in user will only have View rights. When enabled, this parameter gives undefined valid users these default rights when logging in.

OneTime Auth: If you are using the Web Interface with a Two Factor Authentication scheme like RSA SecurID, this option should be enabled. Since the Web Interface gets many pieces at a time, this parameter tells it not to authenticate for every piece, just the first time you access the page.

OneTime Auth Timer: This parameter determines how long (in minutes) the One Time Password will be valid.

Debug: When enabled, adds useful debug information to the log files internal to the WTI device. This should only be used when debugging a connection that is having trouble.

Ping Test: Allows you to ping the Primary Host/Address and the Secondary Host/Address in order to check that a valid IP address or domain name has been entered.
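
The Fallback Local options above decide whether a failed RADIUS login is retried against the device's local accounts. The following Python model is an added example, not WTI code; it follows the three settings as described on this page, and its function names and the rule that an answer from a reachable server ends the RADIUS phase are assumptions.

```python
# Added illustration: a model of the Fallback Local options described above.
# It is not WTI firmware code; names and the reject-is-final rule are assumptions.
from enum import Enum

class Reply(Enum):
    ACCEPT = "accept"
    REJECT = "reject"      # server answered: bad username/password
    TIMEOUT = "timeout"    # no answer: transport failure

class FallbackLocal(Enum):
    OFF = "Off"
    ALL_FAILURES = "On (All failures)"
    TRANSPORT_FAILURE = "On (Transport failure)"

def query_servers(replies_by_server, retries):
    """Try Primary, then Secondary, up to `retries` times each.

    replies_by_server: list (Primary first) of per-attempt Reply lists
    (constructed test input). Assumption: an answer from a reachable
    server, accept or reject, is final and ends the RADIUS phase.
    """
    for attempts in replies_by_server:
        for reply in attempts[:retries]:
            if reply is not Reply.TIMEOUT:
                return reply
    return Reply.TIMEOUT   # every server stayed silent

def login(replies_by_server, retries, mode, local_ok):
    """Return (granted, source) for one login attempt.

    local_ok: whether the same username/password matches a local account.
    """
    result = query_servers(replies_by_server, retries)
    if result is Reply.ACCEPT:
        return True, "radius"
    if mode is FallbackLocal.OFF:
        return False, "none"
    if mode is FallbackLocal.TRANSPORT_FAILURE and result is Reply.REJECT:
        return False, "none"   # server was reachable and said no
    return local_ok, "local" if local_ok else "none"

def reject_bypass_modes(retries=3):
    """Modes in which a RADIUS reject can still end in a local login."""
    rejected = [[Reply.REJECT], []]          # Primary answers with a reject
    return [m for m in FallbackLocal
            if login(rejected, retries, m, local_ok=True)[0]]
```

In this model only On (All failures) lets a login that RADIUS rejected succeed through a matching local account, which matters when accounts are disabled centrally on the RADIUS server.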



After configuration you should have something like this screen:


The WTI RADIUS client configuration screen in its configured state

And if you have configured a Default User, a screen something like this:





If you escape out of all the menus and log in as a user defined on your RADIUS server, you should get the default Port and Plug Access you defined for all your default users who are not defined on your RADIUS server.

To review how to set up users with WTI's dictionary files on your RADIUS server, please refer to this article:

Basic Linux FreeRadius Setup with WTI Dictionary Install