There have been rare occasions where Customers wish to use RADIUS Authentication, but do not have, or do not want to install, Microsoft's NPS service. In these circumstances, Blue Reef have developed a solution to accommodate these customers.

 

HOW DOES IT WORK?

 

The basis for this feature is fairly simple and straightforward. In the absence of an NPS server, clients can point their own RADIUS server at the Sonar agent, which runs on the Sonar itself and listens for Accounting requests. These requests contain the username, domain and IP Address, which the agent passes on to Sonar for authentication.

 

AGENT CONFIGURATION SETTINGS

 

The Radius Agent on Sonar contains a configuration file (.xml) that can be found in /etc/sonar/radius_agent/radius_agent.xml. It will look something like the following:

 

The only two settings that you will have to worry about are the shared secret (which can be obtained from the NPS/RADIUS server) and the port on which the agent will listen for Accounting Requests, which by default is 1813 unless otherwise specified. The optional configuration options are:

 

  • Domain - Only specify this when you are NOT including the domain information in the user-name attribute in the requests.
  • Debug-Mode - Set this to true only when you wish to listen for requests ONLY. This will log all the traffic but will not attempt to register with Sonar, nor pass on any of the authentication requests. This is useful if you've just installed the agent and want to first test whether the traffic is being picked up properly by the agent.

 

ENABLING THE SERVICE

 

It is important to note that the agent is only available on Sonar 3.5.2 and above. If you wish to use this service and you are not currently on Sonar 3.5.2, you can upgrade by following these instructions. Due to the service being hosted on the Sonar itself, you will need command line access to turn it on. You can log into Sonar's command line via SSH applications such as PuTTY.

 

*IMPORTANT NOTE* Managed Customers are strongly advised to contact Blue Reef for assistance in setting this up.

 

As Blue Reef encourage customers to use the NPS solution where possible, the RADIUS agent on Sonar is disabled by default. To enable it, type the following command into the command line:

 

chkconfig will enable the service in its default state, which means it will listen for Accounting packets from the RADIUS server on localhost 127.0.0.1, port 1813. After starting the service as above, you can log into the GUI and check Domain Authentication Monitor, which you can access under Network -> Authentication Servers. If the agent has been started, you should see it appear in the list:

 

As with all Domain Controllers, you have to "Enable" the monitor in the GUI by highlighting the server and clicking the "Enable/Disable" button. Once done, the Monitor Enabled icon should go green:

 

At this point, the agent should be running successfully and should be receiving accounting packets from the RADIUS server. Every time a user logs in via RADIUS, it should log them into Sonar as well.

 

TROUBLESHOOTING

 

If you are experiencing issues with the RADIUS agent on Sonar, it will generally come down to a few things:

 

  1. The Agent is not activated (set to enabled) in Domain Authentication Monitor on Sonar.
  2. The RADIUS device is not set up to send accounting packets to Sonar.
  3. The firewall is not allowing UDP 1813.
  4. The Shared Secret is incorrect.
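
To tell an incorrect shared secret (item 4) apart from the other causes, a captured Accounting-Request can be checked offline against the secret you expect. The following is an added example, not Blue Reef's code: it verifies the Request Authenticator as defined in RFC 2866 and pulls out the user name and client address. It assumes the IP Address is carried in the Framed-IP-Address attribute and the domain in User-Name as DOMAIN\user; the secret, user and address are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4  # RADIUS code, RFC 2866
USER_NAME, FRAMED_IP, ACCT_STATUS_TYPE = 1, 8, 40  # attribute types

def build_request(ident, attrs, secret):
    """Build a constructed Accounting-Request (test input only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def check_request(packet, secret):
    """Return user, client IP and whether the authenticator matches secret."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"not an Accounting-Request (code {code})")
    if not 20 <= length <= len(packet):
        raise ValueError("Length field does not fit the datagram")
    header, received, body = packet[:4], packet[4:20], packet[20:length]
    # RFC 2866: MD5(Code+ID+Length + 16 zero octets + attributes + secret)
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    result = {"user": None, "ip": None,
              "secret_ok": hmac.compare_digest(received, expected)}
    pos = 0
    while pos < len(body):
        a_len = body[pos + 1] if pos + 1 < len(body) else 0
        if a_len < 2 or pos + a_len > len(body):
            raise ValueError("malformed attribute")
        a_type, value = body[pos], body[pos + 2:pos + a_len]
        if a_type == USER_NAME:
            result["user"] = value.decode("utf-8", "replace")
        elif a_type == FRAMED_IP and len(value) == 4:
            result["ip"] = str(ipaddress.IPv4Address(value))
        pos += a_len
    return result

# Constructed sample: secret, user and address are made up for this example.
SECRET = b"constructed-secret"
SAMPLE = build_request(7, [
    (USER_NAME, b"EXAMPLE\\alice"),
    (FRAMED_IP, ipaddress.IPv4Address("192.0.2.10").packed),
    (ACCT_STATUS_TYPE, struct.pack("!I", 1)),  # 1 = Start
], SECRET)
```

Calling check_request(SAMPLE, SECRET) reports secret_ok as True, while any other secret or a modified attribute reports False; the attributes still parse in that case because accounting attributes are not encrypted.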