...
Configuration is carried out via the device's web interface: "Main menu" >> "Preferences" >> "RADIUS".
To enable user authentication via a RADIUS server, tick the "Enable" box and fill in the following fields:
...
Configuring the server using FreeRADIUS as an example
FreeRADIUS version 3.0 and higher keeps its configuration files in the /etc/freeradius/3.0 directory. Older versions and some distributions use other directories, such as /etc/raddb.
Authentication method: unencrypted authentication (PAP, SPAP). Note that RADIUS does not encrypt a PAP password on the wire; it only hides it with an MD5 keystream derived from the client's shared secret, so use a long random secret and keep device-to-server traffic on an isolated management network.
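As an added illustration of what "unencrypted authentication (PAP)" means for this setup (example code written for this page, not code from Vutlan or FreeRADIUS): the script implements the RFC 2865 User-Password hiding and Response Authenticator computations and then shows the attacker's side, recovering a weak shared secret offline from one captured exchange and, with it, the PAP password. The secret password123 is the clients.conf value from this page; the Request Authenticator, the password "correct horse" and the candidate wordlist are constructed sample values.

```python
"""RADIUS PAP password hiding (RFC 2865 sec. 5.2) and the Response
Authenticator (sec. 3), plus the offline attack a weak secret permits.

Added example, not from the page or from Vutlan/FreeRADIUS.  The device
sends the password in a PAP Access-Request; RADIUS does not encrypt it,
it XORs it with MD5(secret + Request-Authenticator) keystream blocks, and
the Access-Accept is authenticated only by MD5 over the packet plus the
same secret.  Both are reversible by anyone who captures the exchange and
knows or guesses the secret.  The secret 'password123', the password and
the wordlist below are constructed sample values."""
import hashlib
import os
import struct


def hide_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 sec. 5.2: pad with NULs to a 16-byte multiple, then
    c1 = p1 XOR MD5(S + RA), c_i = p_i XOR MD5(S + c_{i-1})."""
    if len(req_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(secret: bytes, req_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password: regenerate the keystream and undo the XOR."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ k for x, k in zip(c, keystream))
        prev = c
    return out.rstrip(b"\0")


def response_authenticator(secret, code, ident, req_auth, attrs):
    """RFC 2865 sec. 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    This is the only thing that authenticates an Access-Accept to the device."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def crack_secret(candidates, code, ident, req_auth, attrs, resp_auth):
    """Offline dictionary attack: one captured reply lets an attacker test
    secrets at MD5 speed with no further traffic to the server."""
    for c in candidates:
        if response_authenticator(c, code, ident, req_auth, attrs) == resp_auth:
            return c
    return None


def demo(secret=b"password123", password=b"correct horse"):
    """Simulate one PAP exchange and the attacker's view of it."""
    req_auth = os.urandom(16)          # the device picks a random Request Authenticator
    hidden = hide_password(secret, req_auth, password)
    # Access-Accept (code 2, id 7) carrying one Reply-Message (type 18) as sample payload
    attrs = struct.pack("!BB", 18, 4) + b"ok"
    resp_auth = response_authenticator(secret, 2, 7, req_auth, attrs)
    wordlist = [b"secret", b"radius", b"password123", b"Vutlan"]   # constructed candidates
    found = crack_secret(wordlist, 2, 7, req_auth, attrs, resp_auth)
    return {
        "roundtrip_ok": reveal_password(secret, req_auth, hidden) == password,
        "cracked_secret": found,
        "recovered_password": reveal_password(found, req_auth, hidden) if found else None,
    }


if __name__ == "__main__":
    print(demo())
```

The keystream depends only on the secret and the Request Authenticator, so a strong secret is what stands between a packet capture and the device password; nothing in PAP itself protects it.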
...
1. The vendor dictionary (for example, a file named dictionary.local) must be placed in the /etc/freeradius/3.0 directory and referenced from the main dictionary file there (for example with a line `$INCLUDE dictionary.local`), otherwise the server does not know the Vutlan attribute names:
```
#
# Vutlan dictionary of parameters.
#
VENDOR      Vutlan  39052
ATTRIBUTE   SRead   10  string  Vutlan
ATTRIBUTE   SWrite  11  string  Vutlan
ATTRIBUTE   CRead   12  string  Vutlan
ATTRIBUTE   CWrite  13  string  Vutlan
ATTRIBUTE   GRead   14  string  Vutlan
ATTRIBUTE   GWrite  15  string  Vutlan
ATTRIBUTE   RFU1    16  string  Vutlan
ATTRIBUTE   RFU2    17  string  Vutlan
```
...
2. The list of RADIUS clients (the devices allowed to send requests to the server) is in the file /etc/freeradius/3.0/clients.conf. A client record for the device looks like this:
```
client 192.168.1.88 {
    secret = password123   # sample value only; use a long random secret per device
}
```
...
3. User records are in the file /etc/freeradius/3.0/mods-config/files/authorize and look like this (check items on the first line, reply items on the indented lines, each followed by a comma except the last):
```
username01 Cleartext-Password := "35675e68f4b5af7b995d9205ad0fc43842f16450"
    SRead  = "all,",
    SWrite = "all,",
    CRead  = "all,",
    CWrite = "all,",
    GRead  = "all,",
    GWrite = "all,",
    RFU1   = "something strange",
    RFU2   = "another something strange too"
```
...
```
username01 Cleartext-Password := "35675e68f4b5af7b995d9205ad0fc43842f16450", NAS-IP-Address == "192.168.1.88"
    SRead  = "all,",
    SWrite = "all,",
    CRead  = "all,",
    CWrite = "all,",
    GRead  = "all,",
    GWrite = "all,"

username01 Cleartext-Password := "35675e68f4b5af7b995d9205ad0fc43842f16450", NAS-IP-Address != "192.168.1.88"
    SRead  = "all,",
    SWrite = "devvirt,elements,log,logics,modules,notify,relays,sdcard,system,view,",
    CRead  = "all,",
    CWrite = "all,",
    GRead  = "all,",
    GWrite = "3001,3002,"
```
Here, when username01 logs in through the device with IP address 192.168.1.88, the first entry matches and grants full access rights (all lists set to "all"). When the same user logs in from any other device (any NAS-IP-Address other than 192.168.1.88), the second entry matches instead and write access to the device's resources and groups is restricted. The files module tries entries in file order and stops at the first entry whose check items all match (unless that entry sets Fall-Through), so the order of the two records matters. Note that NAS-IP-Address is a value the device itself places in the request; to key on the address the packet actually arrived from, use FreeRADIUS's Packet-Src-IP-Address as the check item instead.
Run the server in the foreground with `freeradius -X` to see full debug output, which shows which users entry matched and which attributes are returned. An account can be exercised from the server host with `radtest username01 <password> 127.0.0.1 0 <secret-of-the-client-entry>`; the optional last argument of radtest sets NAS-IP-Address, which lets you test the per-device entries above.
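As an added example that ties the three steps together (example code written for this page, not code from Vutlan or FreeRADIUS): the script parses the dictionary and users-file snippets above, embedded inline as constructed strings, resolves which entry username01 receives for a given NAS-IP-Address, and encodes the reply items as RFC 2865 Vendor-Specific attributes in the form the server sends them to the device. The matcher is a simplified model of the files module (first match wins, no DEFAULT entries or Fall-Through, only the =, :=, ==, != operators) with the PAP password comparison folded in; the second device address 10.0.0.5 is assumed.

```python
"""Model of how FreeRADIUS's files module picks a 'users' entry for the
Vutlan device, and how the reply travels as Vendor-Specific attributes.

Added example, not from the page or from Vutlan/FreeRADIUS.  DICTIONARY
and USERS are the page's snippets embedded inline so this runs offline.
authorize() is a simplified model of rlm_files first-match semantics (no
DEFAULT entries, no Fall-Through, only =, :=, ==, != operators) with the
rlm_pap password check folded in.  NAS address 10.0.0.5 is assumed."""
import re
import struct

PASSWORD = "35675e68f4b5af7b995d9205ad0fc43842f16450"

DICTIONARY = """\
# Vutlan dictionary of parameters.
VENDOR Vutlan 39052
ATTRIBUTE SRead  10 string Vutlan
ATTRIBUTE SWrite 11 string Vutlan
ATTRIBUTE CRead  12 string Vutlan
ATTRIBUTE CWrite 13 string Vutlan
ATTRIBUTE GRead  14 string Vutlan
ATTRIBUTE GWrite 15 string Vutlan
ATTRIBUTE RFU1   16 string Vutlan
ATTRIBUTE RFU2   17 string Vutlan
"""

USERS = f"""\
username01 Cleartext-Password := "{PASSWORD}", NAS-IP-Address == "192.168.1.88"
    SRead = "all,",
    SWrite = "all,",
    CRead = "all,",
    CWrite = "all,",
    GRead = "all,",
    GWrite = "all,"

username01 Cleartext-Password := "{PASSWORD}", NAS-IP-Address != "192.168.1.88"
    SRead = "all,",
    SWrite = "devvirt,elements,log,logics,modules,notify,relays,sdcard,system,view,",
    CRead = "all,",
    CWrite = "all,",
    GRead = "all,",
    GWrite = "3001,3002,"
"""

# attribute, operator, double-quoted value
PAIR_RE = re.compile(r'([\w-]+)\s*(:=|==|!=|=)\s*"([^"]*)"')


def parse_dictionary(text):
    """Map attribute name -> (vendor id, vendor attribute number)."""
    vendors, attrs = {}, {}
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        if f[0] == "VENDOR":
            vendors[f[1]] = int(f[2])
        elif f[0] == "ATTRIBUTE" and len(f) >= 5 and f[4] in vendors:
            attrs[f[1]] = (vendors[f[4]], int(f[2]))
    return attrs


def parse_users(text):
    """An unindented line opens an entry (name + check items); indented
    lines that follow carry its reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            name, _, rest = line.partition(" ")
            entries.append({"name": name, "check": PAIR_RE.findall(rest), "reply": []})
        else:
            entries[-1]["reply"].extend(PAIR_RE.findall(line))
    return entries


def authorize(entries, request):
    """First entry whose name matches and whose ==/!= check items hold wins.
    ':=' items become control attributes; Cleartext-Password is then compared
    with the PAP password (what rlm_pap does).  Returns (accepted, reply items)."""
    for e in entries:
        if e["name"] != request["User-Name"]:
            continue
        control, ok = {}, True
        for attr, op, val in e["check"]:
            if op == ":=":
                control[attr] = val
            elif op == "==":
                ok = ok and request.get(attr) == val
            elif op == "!=":
                ok = ok and request.get(attr) != val
        if not ok:
            continue
        accepted = control.get("Cleartext-Password") == request.get("User-Password")
        return accepted, [(a, v) for a, _, v in e["reply"]]
    return False, []


def encode_vsa(vendor_id, attr_id, value):
    """RFC 2865 sec. 5.26: Type 26 | Length | Vendor-Id | Vendor-Type | Vendor-Length | String."""
    data = value.encode()
    if len(data) > 247:       # 255 max minus 6 outer and 2 inner header bytes
        raise ValueError("VSA value too long for one attribute")
    sub = struct.pack("!BB", attr_id, 2 + len(data)) + data
    return struct.pack("!BBI", 26, 6 + len(sub), vendor_id) + sub


def build_reply(reply_items, attrs):
    return b"".join(encode_vsa(*attrs[a], v) for a, v in reply_items)


def decode_vsas(data, attrs):
    """Parse concatenated Vendor-Specific attributes back into {name: value}."""
    by_id = {ids: name for name, ids in attrs.items()}
    out, i = {}, 0
    while i < len(data):
        typ, length = data[i], data[i + 1]
        if typ == 26:
            vendor = struct.unpack("!I", data[i + 2:i + 6])[0]
            sub_type, sub_len = data[i + 6], data[i + 7]
            value = data[i + 8:i + 6 + sub_len].decode()
            out[by_id.get((vendor, sub_type), f"Vendor-{vendor}-{sub_type}")] = value
        i += length
    return out


if __name__ == "__main__":
    attrs, entries = parse_dictionary(DICTIONARY), parse_users(USERS)
    for nas in ("192.168.1.88", "10.0.0.5"):
        req = {"User-Name": "username01", "User-Password": PASSWORD, "NAS-IP-Address": nas}
        ok, reply = authorize(entries, req)
        print(nas, ok, decode_vsas(build_reply(reply, attrs), attrs))
```

Swapping the two USERS entries and re-running shows the first-match rule: with the `!=` entry first, a login from 192.168.1.88 still falls to that entry only if its check fails, so order and mutually exclusive check items are what make the per-device rights work.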
System access permissions
...
Accordingly, the user profile contains two kinds of lists: lists for read access and lists for write access (write access includes read access as well).
The system allows three types of permission lists:
...