There have been rare occasions where customers wish to use RADIUS authentication but do not have, or do not want to install, Microsoft's NPS service. For these circumstances, Blue Reef have developed a solution that lets Sonar learn user logins directly from the customer's own RADIUS server.
HOW DOES IT WORK?
The basis for this feature is straightforward. In the absence of an NPS server, customers point their own RADIUS server at an agent that runs on the Sonar itself and listens for RADIUS Accounting requests. Each Accounting request carries the username, domain and IP address of the user who has just been authenticated, and the agent passes these on to Sonar so that the same user is logged into Sonar as well. Because Sonar treats each accounting packet as proof that the named user is at the given IP address, the shared secret (which RADIUS uses to authenticate every packet) and the firewall rule controlling who can reach the agent's port are what stop a spoofed packet from logging an arbitrary user in: treat the secret like a password and use a long, random value.
AGENT CONFIGURATION SETTINGS
The RADIUS agent on Sonar reads its settings from an XML configuration file at /etc/sonar/radius_agent/radius_agent.xml. It will look something like the following:
The only two settings you need to set are the shared secret (the same value configured for this client on the NPS/RADIUS server) and the port on which the agent listens for Accounting requests, which is 1813 unless you specify otherwise. The optional settings are:
- Domain - Set this only when the User-Name attribute in the requests does NOT include the domain; the agent then applies this domain to every user it receives.
- Debug-Mode - Set this to true when you want the agent to listen only. It will log all incoming traffic but will not register with Sonar or pass on any of the requests. This is useful right after installing the agent, to confirm that the RADIUS server's accounting packets are reaching it before you turn it on for real; remember to set it back to false afterwards, otherwise no user will ever be logged in.
ENABLING THE SERVICE
It is important to note that the agent is only available on Sonar 3.5.2 and above. If you wish to use this service and are not currently on Sonar 3.5.2 or later, you can upgrade by following these instructions. Because the service runs on the Sonar itself, you need command-line access to turn it on: log into Sonar's command line over SSH with a client such as PuTTY.
*IMPORTANT NOTE* Managed Customers are strongly advised to contact Blue Reef for assistance in setting this up.
Because Blue Reef encourage customers to use the NPS solution wherever possible, the RADIUS agent on Sonar is disabled by default. To enable it, type the following command into the command line:
chkconfig enables the service in its default state, in which it listens on localhost 127.0.0.1, port 1813, for Accounting packets from the RADIUS server. Note that chkconfig only registers the service to start at boot; if it is not yet running, start it (or reboot) before continuing. Once the service is running, log into the GUI and open the Domain Authentication Monitor under Network -> Authentication Servers. If the agent has started, it appears in the list:
As with all Domain Controllers, you have to "Enable" the monitor in the GUI by highlighting the server and clicking the "Enable/Disable" button. Once done, the Monitor Enabled icon should turn green:
At this point the agent should be running and receiving accounting packets from the RADIUS server. Every time a user logs in via RADIUS, Sonar should log them in as well.
If you are experiencing issues with the RADIUS agent on Sonar, the cause is usually one of the following:
- The agent is not activated (set to Enabled) in Domain Authentication Monitor on Sonar.
- The RADIUS device is not set up to send accounting packets to Sonar.
- The firewall is not allowing UDP 1813 (or whichever port you configured) from the RADIUS server to the Sonar.
- The shared secret is incorrect. RADIUS accounting packets carry an MD5 Request Authenticator computed over the shared secret, so a mismatch means every packet fails verification, even though it arrives.
- Debug-Mode is still set to true in the configuration file, so the agent logs traffic but never passes it to Sonar.
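The following Python script is an added example, not Blue Reef's agent or any code from this article. It shows the two things the "How does it work?" section and the troubleshooting list rely on: what an RFC 2866 Accounting-Request carrying User-Name and Framed-IP-Address actually looks like on the wire, and how the receiver uses the shared secret to verify the Request Authenticator, so that a wrong secret rejects the packet while a correct one yields the user, domain and IP that Sonar needs. The 127.0.0.1:1813 default, the attribute set, the secret, user names and addresses used here are all assumptions for illustration; what attributes the real agent requires, and whether it answers with an Accounting-Response, is not stated in this article.

```python
import hashlib
import hmac
import ipaddress
import socket
import struct

# RADIUS packet code and attribute types from RFC 2865 / RFC 2866.
ACCOUNTING_REQUEST = 4
USER_NAME = 1
NAS_IP_ADDRESS = 4
FRAMED_IP_ADDRESS = 8
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44
ACCT_START, ACCT_STOP = 1, 2


def _avp(attr_type, value):
    """Encode one Type-Length-Value attribute; Length counts the 2 header bytes."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(secret, identifier, user_name, framed_ip, nas_ip,
                             status=ACCT_START, session_id="0001"):
    """Build an Accounting-Request the way a RADIUS server/NAS would send it.

    Request Authenticator = MD5(Code + ID + Length + 16 zero bytes + Attributes
    + Secret); this is the only thing that ties the packet to the shared secret.
    """
    attrs = (_avp(USER_NAME, user_name.encode())
             + _avp(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
             + _avp(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed)
             + _avp(ACCT_STATUS_TYPE, struct.pack("!I", status))
             + _avp(ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def split_user_name(user_name, default_domain=""):
    """Split 'DOMAIN\\user' or 'user@domain' into (user, domain).

    Falls back to default_domain, mirroring the agent's optional Domain setting
    for requests whose User-Name carries no domain (an assumption of this example).
    """
    if "\\" in user_name:
        domain, user = user_name.split("\\", 1)
    elif "@" in user_name:
        user, domain = user_name.rsplit("@", 1)
    else:
        user, domain = user_name, default_domain
    return user, domain


def parse_accounting_request(packet, secret, default_domain=""):
    """Verify the authenticator with `secret` and decode the attributes.

    Raises ValueError for a truncated packet, a wrong packet code, a malformed
    attribute, or an authenticator mismatch (i.e. wrong shared secret).
    """
    if len(packet) < 20:
        raise ValueError("datagram shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"not an Accounting-Request (code {code})")
    if length < 20 or length > len(packet):
        raise ValueError("Length field inconsistent with datagram size")
    packet = packet[:length]          # bytes beyond Length are ignored per RFC 2866
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Request Authenticator mismatch: wrong shared secret")
    result = {"identifier": identifier}
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 3 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute")
        attr_type, value = attrs[pos], attrs[pos + 2:pos + attrs[pos + 1]]
        if attr_type == USER_NAME:
            result["user"], result["domain"] = split_user_name(value.decode(), default_domain)
        elif attr_type == FRAMED_IP_ADDRESS:
            result["ip"] = str(ipaddress.IPv4Address(value))
        elif attr_type == ACCT_STATUS_TYPE:
            result["status"] = struct.unpack("!I", value)[0]
        elif attr_type == ACCT_SESSION_ID:
            result["session_id"] = value.decode()
        pos += attrs[pos + 1]
    return result


def send_to_agent(packet, host="127.0.0.1", port=1813):
    """Fire one datagram at the agent; host/port assume the article's defaults."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(packet, (host, port))


if __name__ == "__main__":
    # Constructed sample: a login for CORP\alice from 10.1.2.3, sent by a NAS at 10.1.2.1.
    pkt = build_accounting_request(b"test-secret", 7, "CORP\\alice", "10.1.2.3", "10.1.2.1")
    print(parse_accounting_request(pkt, b"test-secret"))
    send_to_agent(pkt)
```

Run it on the Sonar (or any host that can reach the agent) with Debug-Mode set to true and the secret replaced by the one in radius_agent.xml: if the agent's log shows the packet, connectivity and the firewall rule are fine, and any remaining failure is down to the shared secret or to the agent not being enabled in the Domain Authentication Monitor. Note that the MD5 authenticator only detects a wrong secret or a corrupted packet; it does not encrypt anything, so the user name and IP address travel in clear text.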