WHAT IS RADIUS?
RADIUS (Remote Authentication Dial In User Service) is a protocol by which a Network Access Server (NAS) validates a user's credentials against a central server as part of allowing access to network services. The NAS could be a PPP VPN concentrator (ADSL or dial-up), a remote access service or an 802.1X authenticator.
The latter is what Sonar is most interested in, as it is the underlying authentication process for users connecting to wireless networks. Generally known as WPA2 Enterprise authentication, the use of username and password combinations in conjunction with X.509 certificates provides an authenticated, encrypted link over a site's Wi-Fi infrastructure.
The Wireless Access Points (WAPs) need to be able to validate the credentials that users supply over that certificate-secured channel. This is where RADIUS is used.
As a RADIUS client, the WAP starts a RADIUS conversation with the RADIUS server. That server role can be filled by Windows NPS (Network Policy Server), Cisco ACS, FreeRADIUS and a plethora of other products. Once the user has been authorised to access the network, the NAS places them on the appropriate VLAN and allows their traffic to flow.
Connecting a user to the network marks the start of a session for that user, so the NAS sends an accounting "Start" packet (an Accounting-Request with Acct-Status-Type set to Start) to the configured RADIUS accounting server. Sometimes this is the same server that was used for authentication, other times it is a separate one. This is where the RADIUS Agent on Sonar comes into play: it accepts accounting Start packets and processes them to log users into Sonar.
The RADIUS accounting packet can carry a number of different attributes, but the only ones Sonar makes use of are:
- User-Name
- Framed-IP-Address
These two attributes give the user name and the IP address the user's session has been created with. With this information, Sonar logs the user in via the existing AD Passthrough methods. Both attributes must be present in the Start packet for that to happen, so it is worth confirming that your NAS includes the client's IP address in the Start packet rather than only in later accounting updates.
HOW TO SEND ACCOUNTING PACKETS TO SONAR
While we can't provide instructions on how to configure every device to send accounting packets to Sonar, since configuration and setup vary, we can provide basic instructions for those we have had experience with. Instructions may also vary between models.
Clicking on the appropriate Authentication Profile and selecting "edit" will display the following options, where you can configure another RADIUS server either as an Authentication/Authorisation fallback or for Accounting, with the appropriate ports.
The Sonar agent only listens on UDP port 1813, the IANA-assigned port for RADIUS Accounting, so set the accounting port on the device to 1813 (some older equipment defaults to the legacy port 1646).
Once this has been configured, and the firewall and the Sonar agent have been set up (see the article on setting up the RADIUS Agent on Sonar), accounting packets should start flowing to the agent for processing.
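As an added worked example (this is not Sonar's agent code, nor any vendor's), the following Python shows both ends of the accounting exchange described above: it builds an Accounting-Request "Start" the way a NAS would, then does what a listener on UDP port 1813 has to do before acting on it: check the Length field, verify the Request Authenticator against the shared secret, and pull out User-Name and Framed-IP-Address. It also builds and checks the Accounting-Response, and includes a sender you can point at a Sonar unit to confirm that the firewall path and shared secret are right. The shared secret, user name, addresses, session ID and packet identifiers are constructed sample values, and that the agent answers with an Accounting-Response (as RFC 2866 requires of an accounting server) is an assumption.

```python
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5   # packet codes, RFC 2866
RADIUS_ACCT_PORT = 1813                          # IANA port the Sonar agent listens on
USER_NAME, FRAMED_IP_ADDRESS = 1, 8              # attribute types, RFC 2865
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44       # attribute types, RFC 2866
ACCT_START, ACCT_STOP = 1, 2                     # Acct-Status-Type values
SECRET = b"s0nar-acct-secret"                    # constructed sample secret (case sensitive)


def encode_attributes(attrs):
    """Type(1) Length(1) Value TLVs; Length includes the two header octets."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out

def build_accounting_request(identifier, secret, attrs):
    """NAS side. Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret)."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def parse_attributes(body):
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed or truncated attribute")
        attrs.setdefault(body[i], body[i + 2:i + body[i + 1]])   # keep first occurrence
        i += body[i + 1]
    return attrs

def verify_accounting_request(packet, secret):
    """Listener side: check framing and the authenticator before trusting any attribute."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length > len(packet):
        raise ValueError(f"bad code {code} or Length {length} for a {len(packet)}-octet datagram")
    header, authenticator, body = packet[:4], packet[4:20], packet[20:length]  # past Length = padding
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(authenticator, expected):
        raise ValueError("authenticator mismatch: wrong shared secret or altered packet")
    return identifier, authenticator, parse_attributes(body)

def session_login_from_packet(packet, secret):
    """Return (user, ip) for a verified Start carrying both attributes Sonar reads, else None."""
    _, _, attrs = verify_accounting_request(packet, secret)
    status = attrs.get(ACCT_STATUS_TYPE, b"")
    if len(status) != 4 or struct.unpack("!I", status)[0] != ACCT_START:
        return None                                  # Stop / Interim-Update are not logins
    user, ip = attrs.get(USER_NAME), attrs.get(FRAMED_IP_ADDRESS)
    if user is None or ip is None or len(ip) != 4:
        return None                                  # NAS left out something Sonar needs
    return user.decode("utf-8", "replace"), socket.inet_ntoa(ip)

def build_accounting_response(identifier, request_authenticator, secret):
    """Empty reply. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, identifier, 20)
    return header + hashlib.md5(header + request_authenticator + secret).digest()

def verify_accounting_response(reply, identifier, request_authenticator, secret):
    if len(reply) < 20 or reply[0] != ACCOUNTING_RESPONSE or reply[1] != identifier:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    if length < 20 or length > len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:length] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)

def send_test_start(agent_host, packet, secret, timeout=3.0):
    """NAS-side connectivity check: True only if the agent answers on UDP 1813 with an
    Accounting-Response authenticated under the same shared secret."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (agent_host, RADIUS_ACCT_PORT))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False                             # firewall, wrong port or agent not running
    return verify_accounting_response(reply, packet[1], packet[4:20], secret)

# Constructed sample session: CORP\jsmith on 10.20.30.40 (identifiers 0x2A / 0x2B are arbitrary).
SESSION = [(ACCT_SESSION_ID, b"0001A2B3"), (USER_NAME, b"CORP\\jsmith"),
           (FRAMED_IP_ADDRESS, socket.inet_aton("10.20.30.40"))]
SAMPLE_START = build_accounting_request(0x2A, SECRET, [(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))] + SESSION)
SAMPLE_STOP = build_accounting_request(0x2B, SECRET, [(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STOP))] + SESSION)

if __name__ == "__main__":
    print(session_login_from_packet(SAMPLE_START, SECRET), session_login_from_packet(SAMPLE_STOP, SECRET))
```

To check the path to a unit, set SECRET to the secret configured on the agent and run send_test_start("<sonar-ip>", SAMPLE_START, SECRET) from a host on the NAS's side of the firewall; False means the datagram was dropped, the port is wrong, or the secrets differ. Note that the authenticator is an MD5 over the shared secret rather than a keyed MAC, so the secret is the only thing standing between the listener and forged logins from anyone who can reach UDP 1813: make it long, keep it different from the authentication secret, and restrict the source addresses at the firewall.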
Configuring a Windows NPS server to forward accounting packets to Sonar is relatively simple. In the Network Policy Server console, under "RADIUS Clients and Servers", select "Remote RADIUS Server Groups". If the group you need does not exist, right-click "Remote RADIUS Server Groups" and select "New" to create one. Call the new group "Sonar" and then click "Add" to add a server to it. If you have multiple Sonar units, repeat the "Add" step for each.
- In the Address tab, enter the IP address of the Sonar unit that should receive the accounting packets, as shown below. If you have multiple Sonar units, add them one at a time.
- In the Authentication/Accounting tab, untick "Use the same shared secret for authentication and accounting" and enter the shared secret that will be used with Sonar. Note that it is case sensitive. Leave the accounting port at 1813, the port the Sonar agent listens on.
- Click OK. You should now see the following once the server has been added to the new group.
Once the Sonar units have been configured in NPS, go to Policies -> Connection Request Policies and edit the appropriate policy. Under Settings there should be an "Accounting" option. Select the Sonar group from the list and click OK.