6.11. RADIUS Accounting

UserGate can transparently authenticate users who have already authenticated on an external RADIUS server. The UserGate server does not communicate with the RADIUS server; it only monitors the RADIUS accounting information redirected from the RADIUS client. The RADIUS accounting information includes the username and IP address. To configure this functionality, follow these steps:

Step 1. Create a user in UserGate.

Create the desired users in UserGate. See the section Users.

Step 2. Allow the authorization agent service in the desired zone.

In the Network --> Zones section, select the zone containing the interface to which RADIUS accounting information is to be sent. Allow the Authorization agent service. For more details on configuring zones, see the section Zone Configuration.

Step 3. Set a password for terminal server agents.

In the UserGate --> General settings --> Modules section, click the Configure button next to the Password for terminal server agent entry, and set a terminal server agent password. This password will be used as the RADIUS secret at the time of configuring the RADIUS server.

Step 4. Add the RADIUS accounting source in the UserGate web console.

In the Users and devices --> Terminal servers section, add the RADIUS accounting information source, specifying the host name and IP address.

Step 5. Configure RADIUS accounting.

Configure the sending of RADIUS accounting information to the UserGate server, specifying the UserGate IP address as the server address and UDP 1813 as the port. Specify the terminal server agent password set at Step 3 as the RADIUS secret.

The username should be sent in the RADIUS User-Name attribute (type=1), the user's IP address in the RADIUS Framed-IP-Address attribute (type=8), and the RADIUS server IP address in the RADIUS NAS-IP-Address attribute (type=4).

For more details on configuring a RADIUS server, see the documentation for your RADIUS server and client.

Important! The RADIUS accounting information update period should not exceed 120 seconds.
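The following is an added example, not UserGate's own code or the page's: it builds a RADIUS Accounting-Request carrying the three attributes named in Step 5 plus Acct-Status-Type, computes the Request Authenticator as RFC 2866 specifies (MD5 over the header, sixteen zero octets, the attributes and the shared secret), and shows how a receiver such as the UserGate terminal-server agent can check that the secret from Step 3 matches before trusting the username/IP pair. The secret, usernames and addresses are constructed sample values.

```python
"""Added example: build, verify and decode a RADIUS Accounting-Request (RFC 2866).
Not UserGate code; secret, usernames and addresses are constructed sample values."""
import hashlib
import hmac
import socket
import struct

ACCT_REQUEST = 4            # RADIUS Code for Accounting-Request (sent to UDP 1813)
ATTR_USER_NAME = 1          # attribute type 1
ATTR_NAS_IP_ADDRESS = 4     # attribute type 4
ATTR_FRAMED_IP_ADDRESS = 8  # attribute type 8
ATTR_ACCT_STATUS_TYPE = 40  # attribute type 40
ACCT_STATUS = {"Start": 1, "Stop": 2, "Interim-Update": 3}
ACCT_STATUS_NAMES = {v: k for k, v in ACCT_STATUS.items()}


def _attr(attr_type, value):
    # RADIUS attribute TLV: type (1 octet), length (1 octet, includes header), value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(ident, secret, username, framed_ip, nas_ip, status):
    """Return the raw Accounting-Request bytes. `secret` is the RADIUS shared secret."""
    attrs = (
        _attr(ATTR_USER_NAME, username.encode())
        + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
        + _attr(ATTR_FRAMED_IP_ADDRESS, socket.inet_aton(framed_ip))
        + _attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS[status]))
    )
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    # RFC 2866 s.3: Request Authenticator =
    #   MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet, secret):
    """True only if the packet is well-formed and its authenticator was made with `secret`."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    # constant-time compare so a receiver does not leak authenticator bytes via timing
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Decode the attributes UserGate relies on into a dict keyed by attribute name."""
    out = {}
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + length]
        if attr_type == ATTR_USER_NAME:
            out["User-Name"] = value.decode()
        elif attr_type in (ATTR_NAS_IP_ADDRESS, ATTR_FRAMED_IP_ADDRESS) and len(value) == 4:
            name = "NAS-IP-Address" if attr_type == ATTR_NAS_IP_ADDRESS else "Framed-IP-Address"
            out[name] = socket.inet_ntoa(value)
        elif attr_type == ATTR_ACCT_STATUS_TYPE and len(value) == 4:
            out["Acct-Status-Type"] = ACCT_STATUS_NAMES.get(struct.unpack("!I", value)[0])
        pos += length
    return out


if __name__ == "__main__":
    secret = b"sample-terminal-agent-password"   # constructed; stands in for the Step 3 password
    pkt = build_accounting_request(1, secret, "alice", "10.0.0.5", "10.0.0.1", "Start")
    print(verify_accounting_request(pkt, secret), parse_attributes(pkt))
```

A receiver should run `verify_accounting_request` before acting on the attributes; an Accounting-Request whose authenticator does not validate against the configured secret is exactly the case in which a forged username/IP pair must not be mapped.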

Configured that way, UserGate will map the username to the user's IP address received from the RADIUS accounting server. Depending on the information being transmitted, UserGate will behave as follows:

Scenario: The RADIUS server sent a username that does not exist in UserGate.

The Accounting-Request will be responded to with an Accounting-Reject. The user data will not change.

Scenario: The RADIUS server sent an existing username and specified Acct-Status-Type = Start or Interim-Update.

The IP address sent from RADIUS will be assigned to this user. The username will start appearing in logs for this IP address. The system will start applying user rules to the traffic that uses this IP address. If this user already has an IP address different from the one sent from RADIUS, two or more IP addresses will be assigned to the user.

If this IP address is already assigned to the user, nothing happens.

If this IP address is assigned to another user, it will be removed from that user and assigned to the user specified in the request.

Scenario: The RADIUS server sent an existing username and specified Acct-Status-Type = Stop.

The IP address sent from RADIUS will be removed from this user. The username will stop appearing in logs for this IP address. The system will stop applying user rules to the traffic that uses this IP address.
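The scenarios above, modelled as an added example (not UserGate's code): a small mapper that takes already-decoded Accounting-Request attributes and applies the rules in the table, including rejection of unknown users, an IP address moving from one user to another, a user holding several addresses, and removal on Stop. It also keeps the time of the last Start/Interim-Update per address so an operator can spot clients whose update period exceeds the 120-second limit; that check is an assumption added for monitoring, not a statement of how UserGate expires mappings. Usernames, addresses and timestamps are constructed sample values.

```python
"""Added example: a model of the username-to-IP mapping rules in the scenario table.
Not UserGate code; the stale-address check is an added monitoring assumption."""
import time


class AccountingMapper:
    def __init__(self, known_users, max_update_age=120):
        self.known_users = set(known_users)   # users created in UserGate (Step 1)
        self.ip_owner = {}                    # ip -> username currently mapped to it
        self.last_seen = {}                   # ip -> timestamp of last Start/Interim-Update
        self.max_update_age = max_update_age  # page: update period must not exceed 120 s

    def handle(self, attrs, now=None):
        """Apply one decoded Accounting-Request; return the response the table describes."""
        now = time.time() if now is None else now
        user = attrs.get("User-Name")
        ip = attrs.get("Framed-IP-Address")
        status = attrs.get("Acct-Status-Type")
        if user not in self.known_users:
            return "Accounting-Reject"        # unknown user: user data is left unchanged
        if status in ("Start", "Interim-Update"):
            # An address held by another user moves to the user in the request;
            # a user who already has other addresses simply gains this one too;
            # re-announcing an address the user already holds only refreshes the timer.
            self.ip_owner[ip] = user
            self.last_seen[ip] = now
        elif status == "Stop":
            # Only the mapping for this user is removed; an address that meanwhile
            # moved to someone else is not touched.
            if self.ip_owner.get(ip) == user:
                del self.ip_owner[ip]
                self.last_seen.pop(ip, None)
        return "Accounting-Response"

    def user_for(self, ip):
        return self.ip_owner.get(ip)

    def ips_of(self, user):
        return sorted(ip for ip, owner in self.ip_owner.items() if owner == user)

    def stale(self, now):
        """Addresses not refreshed within max_update_age (assumed monitoring helper)."""
        return sorted(ip for ip, seen in self.last_seen.items()
                      if now - seen > self.max_update_age)


if __name__ == "__main__":
    m = AccountingMapper(["alice", "bob"])
    print(m.handle({"User-Name": "mallory", "Framed-IP-Address": "10.0.0.9",
                    "Acct-Status-Type": "Start"}, now=0))
    m.handle({"User-Name": "alice", "Framed-IP-Address": "10.0.0.5", "Acct-Status-Type": "Start"}, now=0)
    m.handle({"User-Name": "bob", "Framed-IP-Address": "10.0.0.5", "Acct-Status-Type": "Start"}, now=20)
    print(m.user_for("10.0.0.5"), m.ips_of("alice"), m.stale(now=200))
```

Feeding the mapper from a verified packet decoder keeps the two concerns separate: the secret check decides whether a request is trusted at all, and the mapper decides what a trusted request changes.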