
Application of RADIUS

RADIUS (Remote Authentication Dial In User Service) is a network protocol, implemented by servers such as FreeRADIUS, that works with a centralized user database. It is used for authentication (verifying who the user is) and authorization (determining the user's access rights). In our case it can provide centralized access control for multiple monitoring devices on a network, which is useful when configuring users individually on each monitoring device is too time-consuming. Note that RADIUS only obfuscates the user password with the shared secret (an MD5-based scheme), so the devices and the server should communicate over a trusted management network and use strong, unique shared secrets.

Configuring RADIUS in the device's web interface

...

FreeRADIUS server version 3.0 and higher uses the /etc/freeradius/3.0 directory for configuration files on Debian and Ubuntu. Older versions, and packages built for Red Hat based distributions or from source, use other directories, such as /etc/raddb.

...

  • user name - in our case username01;
  • Cleartext-Password - the user's password, stored in plain text (the same password the user types in the device's login form);
  • SRead, SWrite, CRead, CWrite, GRead, GWrite - system, client and group access permissions for reading and writing (described below);
  • RFU1 and RFU2 - reserved attributes (currently not used).

If an attribute is not used, it must be removed from the record entirely. Leaving the attribute with an empty value, in the following form, is not allowed:

...

With a user record like this, all devices that authenticate through the same FreeRADIUS server receive the same set of user permissions. If you need different user rights on different devices, add a check on the IP address of the device that sends the authentication request.

...

Here, when the user username01 is authorized through the device with IP address 192.168.1.88, the user receives full access rights to the device (all fields set to "all"). When the same username01 is authorized from any other device (all IP addresses except 192.168.1.88), the user's write access to the device's resources and groups is restricted.
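The following is an added example, not the page's own configuration, that puts the two pieces described above together: the user record with the permission attributes, and a device-specific entry for the same user that is selected by the address of the requesting device. It also shows the clients.conf entries that must exist for the devices, since FreeRADIUS ignores packets from unregistered clients. The addresses, shared secrets and password are made up; the attribute names SRead, SWrite, CRead, CWrite, GRead and GWrite come from this page, but the dictionary that defines them is in the part of the page not shown here, and the comma-separated list syntax for the write permissions is an assumption. The restricted entry goes slightly beyond the page by showing a partial write list rather than only "all" or "none".

```conf
# clients.conf: each monitoring device (or its subnet) is a RADIUS client with
# a shared secret. Unknown clients are silently dropped; with freeradius -X
# they show up as "Ignoring request ... from unknown client".
client monitor-88 {
    ipaddr = 192.168.1.88
    secret = Replace-with-a-long-random-secret-1
}
client monitor-lan {
    ipaddr = 192.168.1.0/24
    secret = Replace-with-a-long-random-secret-2
}

# mods-config/files/authorize (the "users" file in 3.0).
# Entries are tried top to bottom and the first one whose check items all
# match supplies the reply attributes (Fall-Through defaults to no), so the
# device-specific entry must come before the general one for the same user.
# RFU1 and RFU2 are reserved and therefore omitted rather than left empty.

# username01 logging in through the device 192.168.1.88: full rights.
# NAS-IP-Address is the address the device reports about itself; to match
# the address the request actually arrived from use Packet-Src-IP-Address.
username01  Cleartext-Password := "s3cret-example", NAS-IP-Address == 192.168.1.88
            SRead  := "all",
            SWrite := "all",
            CRead  := "all,",
            CWrite := "all,",
            GRead  := "all",
            GWrite := "all"

# username01 from any other device: read everything, write only to the
# system log and notifications (assumed list syntax), no write access to
# groups. CRead/CWrite are kept as "all," as the page requires.
username01  Cleartext-Password := "s3cret-example"
            SRead  := "all",
            SWrite := "log,notify",
            CRead  := "all,",
            CWrite := "all,",
            GRead  := "all",
            GWrite := "none"
```

Because the password is stored in clear text, keep the authorize file readable only by the account FreeRADIUS runs as. With the server running under freeradius -X, a login attempt from 192.168.1.88 and one from another address show in the debug output which of the two username01 entries was matched and which permission attributes were returned.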

Run the FreeRADIUS server in the foreground with the command freeradius -X to see full debug output (stop it with Ctrl-C and start the normal service again afterwards).

System access permissions

Each user profile in the system can be given access to system resources in "read only" or "read-write" mode.

...

  • accesskeys — management of iButton access keys and other compatible keys;
  • cameras — management of video cameras;
  • canbus — management of CAN bus;
  • devvirt — management of virtual devices (timers, PINGs, triggers);
  • elements — management of elements;
  • groups — group management;
  • gsm — management of GSM-modem;
  • languages — management of installed localization files;
  • log — management of system log;
  • logics — management of logic schemes;
  • modules — management of modules;
  • notify — management of notifications (mail, trap, sms);
  • relays — relay management (global functions);
  • sdcard — SD card management;
  • system — runtime management (the Linux OS);
  • users — user management;
  • view — control the appearance of web interface.

...

The list of resource identifiers of the client (the web interface) is formed and used solely by the client, according to its own logical organization. It is currently not used and should be set to "all,".

...

  • all — full access to all identifiers, which implies full administrative access;

  • none — access is completely forbidden.

By default, there are no groups in the system; elements and modules do not belong to any group, and access to them is possible only with the "all" right.

...