RADIUS Server Configuration Documentation
The RADIUS Server configuration in the Mideye Server interface allows administrators to define and manage RADIUS server settings, providing flexible options for authentication, accounting, request handling, and user communication. This documentation outlines the configuration components and available options, ensuring a comprehensive understanding for effective management.
RADIUS Servers Overview
Purpose
The RADIUS Server configuration page enables administrators to create, modify, and manage RADIUS server entries used for handling authentication and accounting requests. Each server can have customized settings for authentication ports, client identification, accounting ports, and more, ensuring seamless integration and operation within the network infrastructure.
Main Actions
- Add New RADIUS Server: Create a new server configuration to handle authentication and accounting traffic.
- Edit/Delete Existing Servers: Modify or remove existing server entries using the provided actions to keep the RADIUS environment up to date.
Creating and Configuring a RADIUS Server
1. General Settings
- Server Name: Assign a friendly, unique name to the RADIUS server for easy identification.
- Auth Port: Define the UDP port used for authentication requests. The default RADIUS authentication port is 1812, but it can be changed if required.
- Acct Port: Define the UDP port used for accounting requests. The default RADIUS accounting port is 1813, so that authentication and accounting traffic are kept on separate ports.
- Create Button: After defining the general settings, click Create to initialize the new RADIUS server entry.
2. Advanced Settings
The Advanced tab offers additional options to fine-tune the server's behavior:
- Max Pending Requests: The maximum number of simultaneous RADIUS requests the server will hold in flight. Once this threshold is reached, additional requests are rejected to prevent server overload.
- Max Failed Attempts: The number of consecutive failed login attempts after which the associated Mideye database account is locked, protecting against brute-force attacks.
- Max User Deliveries per Hour/Minute: Limits for One-Time Password (OTP) spam protection. Once the threshold is reached for a single user, further login attempts for that user are blocked to prevent abuse.
- Touch Accept User Inactivity Timeout (seconds): The maximum time the server waits for a user to respond to a Touch Accept request.
- Push Delivery Timeout (seconds): The maximum time the server waits for a push message notification to be delivered.
- Database User Authorization Per RADIUS Client: If enabled, users in the Mideye internal database are only authorized to access the RADIUS clients assigned to them, enforcing strict access control.
- Identify RADIUS Client By Source IP: When enabled, RADIUS clients are identified by the source IP address of the request before identification is attempted using the NAS IP address (Attribute 4) and NAS Identifier (Attribute 32).
- Ignore Multiple Logins: Prevents login issues caused by simultaneous requests from RADIUS clients that do not support multiple-click protection, improving user experience and system stability.
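As an added illustration of how the Max Failed Attempts and Max User Deliveries per Hour/Minute settings behave over a stream of login events, the following Python model is an assumption written for this page, not Mideye's code: class and method names, the default limits and the sample events are all constructed. Consecutive failures lock the account, a success resets the counter, and OTP deliveries are rate-limited by a per-minute and a per-hour sliding window.

```python
from collections import defaultdict, deque

# Illustrative model (an assumption, not Mideye's implementation) of three Advanced settings:
# Max Failed Attempts, Max User Deliveries per Minute and Max User Deliveries per Hour.
# Time is passed in explicitly (seconds) so that the behaviour is deterministic and testable.

MINUTE = 60
HOUR = 3600


class AuthThrottle:
    def __init__(self, max_failed_attempts=5, max_per_minute=3, max_per_hour=10):
        self.max_failed_attempts = max_failed_attempts
        self.max_per_minute = max_per_minute
        self.max_per_hour = max_per_hour
        self._failures = defaultdict(int)       # consecutive failed logins per user
        self._locked = set()                    # users whose database account is locked
        self._deliveries = defaultdict(deque)   # timestamps of OTP deliveries per user

    def is_locked(self, user):
        return user in self._locked

    def record_failure(self, user):
        """Count one failed login and lock the account when the threshold is reached.
        Returns True if the account is now locked."""
        self._failures[user] += 1
        if self._failures[user] >= self.max_failed_attempts:
            self._locked.add(user)
        return self.is_locked(user)

    def record_success(self, user):
        """A successful login clears the consecutive-failure counter (it does not unlock)."""
        self._failures[user] = 0

    def unlock(self, user):
        """Administrative unlock: clears both the lock and the failure counter."""
        self._locked.discard(user)
        self._failures[user] = 0

    def allow_delivery(self, user, now):
        """Decide whether another OTP may be sent to `user` at time `now`.
        Deliveries older than one hour are dropped; the rest are checked against the
        hourly cap and, for the last 60 seconds only, the per-minute cap."""
        window = self._deliveries[user]
        while window and now - window[0] >= HOUR:
            window.popleft()
        in_last_minute = sum(1 for t in window if now - t < MINUTE)
        if len(window) >= self.max_per_hour or in_last_minute >= self.max_per_minute:
            return False
        window.append(now)
        return True


def replay(throttle, events):
    """Feed (time, user, kind) tuples through the model and return one decision per event:
    'sent'/'throttled' for OTP deliveries, 'failed'/'locked' for failed logins, 'ok' for success."""
    decisions = []
    for now, user, kind in events:
        if throttle.is_locked(user):
            decisions.append("locked")
        elif kind == "otp":
            decisions.append("sent" if throttle.allow_delivery(user, now) else "throttled")
        elif kind == "fail":
            decisions.append("locked" if throttle.record_failure(user) else "failed")
        elif kind == "ok":
            throttle.record_success(user)
            decisions.append("ok")
    return decisions


# Constructed sample: a burst of OTP requests for one user and a brute-force run on another.
SAMPLE_EVENTS = [
    (0, "alice", "otp"), (10, "alice", "otp"), (20, "alice", "otp"),
    (70, "alice", "otp"), (140, "alice", "otp"), (200, "alice", "otp"),
    (3700, "alice", "otp"),
    (0, "bob", "fail"), (1, "bob", "fail"), (2, "bob", "fail"), (3, "bob", "otp"),
]

if __name__ == "__main__":
    throttle = AuthThrottle(max_failed_attempts=3, max_per_minute=2, max_per_hour=4)
    for event, decision in zip(SAMPLE_EVENTS, replay(throttle, SAMPLE_EVENTS)):
        print(event, "->", decision)
```

With the limits used in the sample (3 failed attempts, 2 deliveries per minute, 4 per hour), alice's third request within a minute is throttled, her fifth within the hour is throttled by the hourly cap, and bob's third consecutive failure locks the account so that even a later OTP request is refused. The per-hour window is what stops an attacker from simply pacing requests just above the per-minute limit.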
User Messages Configuration
The User Messages tab allows customization of the user-facing messages displayed during authentication, giving users clear and consistent feedback. The configuration includes:
- General Messages: Messages about user authorization status, invalid user/password notifications, and expired user accounts.
- OTP Messages: Messages presented to the user during One-Time Password (OTP) challenges, including prompts for entering an OTP and error messages for an invalid OTP.
- Plus Messages: Messages for Mideye signature challenges, including manual signature requests and error messages for unreachable phones or failed signature verifications.
- Token Messages: Messages about token verification issues, including out-of-sync errors and invalid OTP messages.
- Touch Accept Messages: Messages for Touch Accept interactions, including prompts for accepting login requests and notifications for unsuccessful Touch Accept logins.
- Assisted Login Messages: Messages used in the assisted login process, including prompts and notifications for approvers.
Note: Provided the RADIUS client supports it, all user messages can be customized to fit the specific needs of the organization, giving users clear communication during the authentication process.
Listening for Authentication and Accounting Traffic
Each RADIUS server configured within the Mideye Server listens for both authentication and accounting traffic. This dual functionality covers both user authentication requests and detailed accounting of user sessions, enabling effective monitoring and management of network access.
Authentication Traffic
Handles user login attempts: verifying credentials and issuing authentication responses based on the configured protocols (e.g., PAP, MSCHAPv2, EAP-MSCHAPv2).
Accounting Traffic
Manages session accounting, including tracking session start and stop times, session duration, and usage metrics. This data is essential for auditing and monitoring.
Multiple Login Points
For RADIUS clients that cannot send a unique identifier such as NAS-ID or NAS-IP and rely solely on the source IP address, the Mideye Server will treat every login as originating from the same client. This limitation can pose challenges in environments with multiple login points behind one RADIUS concentrator.
To differentiate each login point, configure each one to connect to the same RADIUS Server using a different UDP port. By assigning a distinct port to each login point, the Mideye Server can recognize and manage each login separately, allowing unique configurations and settings per login point.
- Distinct Identification: Each login point is uniquely identified by its designated port, preventing overlaps and ensuring accurate session management.
- Customized Configurations: Different ports enable administrators to apply specific policies or settings tailored to each login point.
- Example Configuration:
  - Shared Secret: Login Points A and B both come from the same source IP, so only one shared secret is required.
  - Login Point A: Connects to the RADIUS Server on port 1812. Mideye RADIUS Client A is configured to accept requests only on the RADIUS Server listening on port 1812.
  - Login Point B: Connects to the RADIUS Server on port 1813. Mideye RADIUS Client B is configured to accept requests only on the RADIUS Server listening on port 1813.
This setup ensures that the Mideye Server can differentiate between login attempts from Login Point A and Login Point B, even though they share the same source IP address.
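To make the client-identification order described under Identify RADIUS Client By Source IP and the port-based separation of login points above concrete, here is an added Python example written for this page; it is not Mideye's code. It parses a RADIUS Access-Request (RFC 2865 header and type/length/value attributes), extracts NAS-IP-Address (4) and NAS-Identifier (32), and then looks up the client entry bound to the port the request arrived on. The client table, the "Concentrator C" entry, the function and class names, and the reversed lookup order when the setting is disabled are all assumptions; shared-secret verification of the packet is not covered.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# RADIUS packet code and attribute types from RFC 2865.
CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_IDENTIFIER = 32


def build_access_request(ident, attrs):
    """Assemble an Access-Request: code, identifier, length, 16-byte Request Authenticator,
    then type/length/value attributes. The authenticator here is a constructed placeholder
    (all zeros); a real client fills it with 16 random octets."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(body)) + bytes(16) + body


def parse_radius(datagram):
    """Return (code, identifier, {attr_type: value}) or None when the packet must be silently
    discarded (RFC 2865: Length outside 20..4096 or larger than the datagram). Octets beyond
    the Length field are padding and are ignored."""
    if len(datagram) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if length < 20 or length > 4096 or length > len(datagram):
        return None
    attrs, pos = {}, 20
    while pos < length:
        if length - pos < 2:
            return None
        atype, alen = datagram[pos], datagram[pos + 1]
        if alen < 3 or pos + alen > length:     # every attribute carries at least one value octet
            return None
        attrs[atype] = datagram[pos + 2:pos + alen]
        pos += alen
    return code, ident, attrs


@dataclass
class RadiusClient:
    name: str
    listen_port: int                    # the Mideye RADIUS Server (port) this client is bound to
    source_ip: Optional[str] = None
    nas_ip: Optional[str] = None
    nas_identifier: Optional[str] = None


def resolve_client(clients, src_ip, listen_port, attrs, identify_by_source_ip=True):
    """Pick the client entry for a request that arrived from `src_ip` on `listen_port`.
    With the setting enabled, the source IP is checked first, then NAS-IP-Address (4), then
    NAS-Identifier (32). With it disabled, the attribute checks come first and the source IP
    is the fallback (that reversed order is an assumption). Returns (client, how) or
    (None, 'unmatched')."""
    raw_ip = attrs.get(ATTR_NAS_IP_ADDRESS)
    nas_ip = ".".join(str(b) for b in raw_ip) if raw_ip and len(raw_ip) == 4 else None
    nas_id = attrs.get(ATTR_NAS_IDENTIFIER, b"").decode("utf-8", "replace") or None
    checks = [
        ("source-ip", lambda c: c.source_ip is not None and c.source_ip == src_ip),
        ("nas-ip", lambda c: nas_ip is not None and c.nas_ip == nas_ip),
        ("nas-identifier", lambda c: nas_id is not None and c.nas_identifier == nas_id),
    ]
    if not identify_by_source_ip:
        checks = checks[1:] + checks[:1]
    # Only clients bound to the receiving port are candidates: this is what separates
    # login points that share a source IP.
    candidates = [c for c in clients if c.listen_port == listen_port]
    for how, matches in checks:
        for client in candidates:
            if matches(client):
                return client, how
    return None, "unmatched"


# Constructed client table mirroring the page's example: A and B share a source IP but are
# bound to different server ports; C is a hypothetical client known only by NAS-Identifier.
CLIENTS = [
    RadiusClient("Login Point A", 1812, source_ip="10.0.0.5"),
    RadiusClient("Login Point B", 1813, source_ip="10.0.0.5"),
    RadiusClient("Concentrator C", 1812, nas_identifier="vpn-gw-2"),
]

# Constructed Access-Request carrying User-Name, NAS-IP-Address and NAS-Identifier.
SAMPLE_REQUEST = build_access_request(7, [
    (ATTR_USER_NAME, b"alice"),
    (ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 5])),
    (ATTR_NAS_IDENTIFIER, b"vpn-gw-2"),
])

if __name__ == "__main__":
    code, ident, attrs = parse_radius(SAMPLE_REQUEST)
    for port in (1812, 1813):
        client, how = resolve_client(CLIENTS, "10.0.0.5", port, attrs)
        print(f"port {port}: {client.name} via {how}")
```

Run as a script, the same request from 10.0.0.5 resolves to Login Point A on port 1812 and to Login Point B on port 1813, which is the behaviour the example configuration relies on. Disabling the source-IP-first order makes the NAS-Identifier win on port 1812 instead, so the two settings should be reviewed together when a concentrator fronts several login points.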