Radius Authentication Page 1 of 12

Setting up SiteMinder Radius Authentication

Revision History

Revision  Date         Status                Author(s)      Changes
1.00      23/Nov/2010  Tested on v6.0.5.35   Sung Hoon Kim


Components and Versions

Policy Server : v6.0 SP5 CR35
JDK : v1.5.0_20
User Store : AD (you can choose a different user store)
3rd Party : NTRadPing Test Tool 1.5

Pre-requisites

You should already have configured a working Policy Server and Active Directory as a User Store. You need to have some knowledge of RADIUS.

Before you begin

This setup does not use a separate RADIUS server; it configures the Policy Server itself to act as a RADIUS server.

This has been tested to work on SiteMinder v6.0.5.35 but may fail or require additional/less configuration on other versions.

This document does not cover setting up AD.


Setting up Policy Server to act as RADIUS Server.

1. On the Settings tab, check the “Enable” button under RADIUS and leave the ports at their default values.

2. At the Logs tab, check “Log to File” under RADIUS Log and specify a full file path.


3. Start up the Policy Server and verify you get the following entries in the smps.log

[4392/1928][Tue Nov 23 2010 18:28:53][CSmRadiusLogger.cpp:151][INFO] RADIUS log file renamed to: C:\Documents and Settings\Administrator\Desktop\LOGS\radius.log.23Nov2010_18_28_53
[4392/1928][Tue Nov 23 2010 18:28:53][CSmRadiusLogger.cpp:163][INFO] RADIUS logging enabled, logging to file: C:\Documents and Settings\Administrator\Desktop\LOGS\radius.log.23Nov2010_18_28_53
[4392/1928][Tue Nov 23 2010 18:28:53][CServer.cpp:6195][INFO] Radius accounting port: 1646
[4392/1928][Tue Nov 23 2010 18:28:53][CServer.cpp:6204][INFO] Radius authentication port: 1645
[4392/1928][Tue Nov 23 2010 18:29:29][CServer.cpp:5698][INFO] RADIUS accounting UDP port is up
[4392/1928][Tue Nov 23 2010 18:29:29][CServer.cpp:5705][INFO] RADIUS authentication UDP port is up

4. Configure an AD userstore


5. Create a user for testing. In this sample, it is “winuser1”

Make sure the “Reversible Encryption” is enabled as this is a requirement for CHAP authentication.


Once this is set, reset the password so that it will be stored using “Reversible Encryption”.

Then set an IP address value in “Assign a Static IP Address”; in this sample I will use 10.10.10.10.


6. Go to http://www.novell.com/coolsolutions/tools/14377.html and download the NTRadPing tool.


7. Create a Radius Agent as below

IP Address is the NAS device's IP address (in this case everything runs on one machine, IP 192.168.38.128)

Secret is “password”

8. Create an Authentication Scheme as below

Specify the user attribute that stores the clear text password. Since “Reversible Encryption” is enabled, we can specify the unicodePWD attribute.


9. Create a Domain named “Radius” and assign the AD userstore created above.

10. Create a Realm named “radius realm” and assign the radius agent and the authentication scheme above.

11. Create a rule under “radius realm” as below.

There is only 1 type of rule you can create and that is “Authenticate”

12. Create a response to fetch the IP address that you previously set in “Assign a Static IP Address”.


13. Create a Policy and add the “winuser1” user. Then link the “rule” and “response” created above.
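
Why step 5 requires reversible encryption for CHAP, as an added example (not part of the original guide or of SiteMinder): with PAP the RADIUS server recovers the password from the packet using the shared secret, while with CHAP it must recompute an MD5 digest from the user's cleartext password (RFC 2865). The secret and password are the sample values from this guide; the authenticator bytes and all function names are constructed for illustration.

```python
import hashlib
import hmac

def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: User-Password value, password XORed with an MD5 keystream (RFC 2865 5.2)."""
    size = max(16, -(-len(password) // 16) * 16)   # pad to a multiple of 16, at least 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _md5(secret, prev)))
        out, prev = out + block, block             # next keystream block chains on ciphertext
    return out

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the shared secret alone is enough to recover the cleartext password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _md5(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: digest part of CHAP-Password, MD5(id || password || challenge) (RFC 2865 5.3)."""
    return _md5(bytes([chap_id]), password, challenge)

def server_check_chap(stored_cleartext: bytes, chap_id: int, challenge: bytes, response: bytes) -> bool:
    """Server side: the digest can only be recomputed from a readable cleartext password."""
    expected = chap_response(chap_id, stored_cleartext, challenge)
    return hmac.compare_digest(expected, response)

# Secret and password are this guide's sample values. The Request Authenticator is
# constructed; it doubles as the CHAP challenge when no CHAP-Challenge attribute is sent.
SECRET, PASSWORD = b"password", b"P@ssw0rd"
AUTHENTICATOR = bytes(range(16))

if __name__ == "__main__":
    hidden = pap_hide(PASSWORD, SECRET, AUTHENTICATOR)
    print("PAP on the wire:", hidden.hex())
    print("PAP recovered by server:", pap_reveal(hidden, SECRET, AUTHENTICATOR))
    resp = chap_response(1, PASSWORD, AUTHENTICATOR)
    print("CHAP accepted with stored cleartext:", server_check_chap(PASSWORD, 1, AUTHENTICATOR, resp))
    print("CHAP accepted with wrong password:", server_check_chap(b"wrong", 1, AUTHENTICATOR, resp))
```

The PAP path also shows what the step 7 shared secret protects: anyone who holds it and captures the request can recover the password in the same way the server does.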


Ensure the user is able to authenticate successfully

1. Load the NTRadPing Test Utility and populate the values as below.

Radius Server/port: Policy Server and 1645

Reply timeout : set to 10

RADIUS Secret key: password (this was set in the radius agent properties in step 7)

User-Name : winuser1

Password : P@ssw0rd

CHAP: You can have it enabled or disabled

Request type: “Authentication Request”

Then click the “Send” button.

2. You will get the following response from the Policy Server.