Configuring the Server
Depending on your authentication requirements, you may need to configure Steel-Belted Radius Carrier to work with an external SQL or LDAP database, or RSA SecurID service.
Configuring External Databases
If you want to use external databases for authentication or accounting purposes (and you did not configure this feature when prompted by the Steel-Belted Radius Carrier installation script), you can set up external database configuration settings.
To configure Steel-Belted Radius Carrier to work with an external database:
- Optionally, perform the instructions in Chapter 18, "Configuring SQL Authentication" on page 271 or Chapter 19, "Configuring SQL Accounting" on page 285.
- If you want to use Steel-Belted Radius Carrier with an LDAP database, review your LDAP database vendor's documentation.
- Perform the instructions in "Configuring LDAP Authentication" on page 300.
Configuring SecurID Authentication
If you want to use SecurID authentication, you must configure Steel-Belted Radius Carrier to communicate with the RSA SecurID server.
Perform the following steps to configure a Steel-Belted Radius Carrier server to work with an RSA SecurID server. If you are not familiar with the RSA SecurID server, contact your RSA SecurID server administrator for assistance.
- Start the RSA SecurID server administration program and display the list of clients. If the list of clients does not include the Steel-Belted Radius Carrier server, select Client > Add Client and complete the Client window, giving the Steel-Belted Radius Carrier server a Client type of Net OS Client.
- Copy the sdconf.rec file from the \ACE\data directory on the RSA SecurID server to the directory that contains the radius daemon on the Steel-Belted Radius Carrier server.
- Edit the [SecurID] section of radius.ini. The radius.ini file is found in the same directory as the Steel-Belted Radius Carrier daemon.
Verify that the CachePasscodes field is set to yes and the SecondsToCachePasscodes field is set to an appropriate number of seconds. These settings ensure that authenticated SecurID users can open a second B-channel during an ISDN connection.
- Edit the [SecurID] section of the eap.ini file, which is found in the same directory as the Steel-Belted Radius Carrier daemon.
Verify that the EAP settings in this section are enabled (remove the semicolon from the start of each line) if you plan to use RSA SecurID authentication with EAP Generic-Token protocol support. The client system must also support this protocol for the combination to work.
- If you copy the sdconf.rec file after the Steel-Belted Radius Carrier daemon has been started, or if you edit the radius.ini or eap.ini files after Steel-Belted Radius Carrier has been started, stop and restart Steel-Belted Radius Carrier.
- Verify connectivity between the Steel-Belted Radius Carrier server and the RSA SecurID server.
The RSA SecurID server offers a monitoring window on which it logs every authentication transaction, complete with the reason for the accept or reject decision. You can verify that pass-through to RSA SecurID is working by creating a SecurID User called <ANY> and then attempting to access the network. Look for your request on the RSA SecurID monitor screen. If access is denied, there is a configuration problem. Repeat these steps, or contact your RSA SecurID administrator for assistance.
These steps complete initial setup of the two servers. To fully enable pass-through authentication to the RSA SecurID server, you must also set up the SecurID authentication method.
Set the Location of the sdconf.rec File
The value of the VAR_ACE variable in the sbrd script specifies the location of the sdconf.rec file. The VAR_ACE variable is exported so that Steel-Belted Radius Carrier can use it. The default specified location is the radiusdir directory, but if the variable is not set in the file, the server sets the value of this variable to /var/ace.
VAR_ACE="radiusdir/ace"
export VAR_ACE
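A pre-flight check for the SecurID setup steps above (the [SecurID] settings in radius.ini, and the sdconf.rec location selected by the VAR_ACE export from sbrd), written here as an added example; it is not part of the product or its documentation. It assumes POSIX sh with awk, ini files made of plain key = value lines with ';' comments, and uses constructed sample files in a temporary directory.

```shell
#!/bin/sh
# Pre-flight check for the SecurID pass-through setup described above.
# Assumptions (not from the product docs): file paths are passed in as
# arguments and ini parsing is a plain [section] / key = value scan.

# Print KEY from [SECTION] of an ini file, skipping lines commented out
# with a leading ';'. Prints nothing if the key is absent or commented out.
ini_get() {
    awk -v s="[$2]" -v k="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*;/ { next }
        /^[[:space:]]*\[/ { insec = ($0 == s); next }
        insec && index($0, "=") {
            key = $0; sub(/=.*/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            if (tolower(key) == k) {
                sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
                print; exit
            }
        }' "$1"
}

# Return 0 when [SecurID] in radius.ini has CachePasscodes = yes and a
# positive SecondsToCachePasscodes (needed for the second ISDN B-channel).
check_securid_ini() {
    _cache=$(ini_get "$1" SecurID CachePasscodes | tr 'A-Z' 'a-z')
    _secs=$(ini_get "$1" SecurID SecondsToCachePasscodes)
    [ "$_cache" = yes ] || return 1
    case $_secs in ''|*[!0-9]*) return 1 ;; esac
    [ "$_secs" -gt 0 ]
}

# Return 0 when sdconf.rec is present where the server will look for it:
# $VAR_ACE as exported by sbrd, or /var/ace when the variable is unset.
check_sdconf() {
    [ -f "${VAR_ACE:-/var/ace}/sdconf.rec" ]
}

# Demonstration on constructed files (not a real installation).
tmp=$(mktemp -d)
cat > "$tmp/radius.ini" <<'EOF'
[SecurID]
;CachePasscodes = no
CachePasscodes = yes
SecondsToCachePasscodes = 60
EOF
mkdir -p "$tmp/ace" && : > "$tmp/ace/sdconf.rec"
check_securid_ini "$tmp/radius.ini" && echo "radius.ini [SecurID]: ok"
VAR_ACE="$tmp/ace" check_sdconf && echo "sdconf.rec found under VAR_ACE"
rm -rf "$tmp"
```

Run the two checks after editing radius.ini and copying sdconf.rec; a failure here means the server restart described above will not pick up a working SecurID configuration.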