Creating a RADIUS configuration file

System Administrator Guide for VSP E990 and VSP G130, G/F350, G/F370, G/F700, G/F900

Version
88-06-0x
Audience
anonymous
Part Number
MK-97HM85028-08

You can use a RADIUS server for authentication on your storage system.

To use a RADIUS server for authentication, create a configuration file in UTF-8 encoding. Include information about the authentication server as shown in the following example. Any file name and extension is allowed. If an authorization server is not used, you do not need to define the items for it.

CAUTION:
If you save the configuration file when using the Windows standard Notepad application, specify ANSI for the letter code. If you use an editor other than the memo pad and have the YTF-8 BOM setting, specify No BOM then save.
auth.server.type=radius 
auth.server.name=server-name
auth.group.mapping=value
auth.radius.server-name.attribute=value
auth.group.domain-name.attribute=value

A full example is shown below:

auth.server.type=radius 
auth.server.name=PrimaryServer 
auth.group.mapping=true 
auth.radius.PrimaryServer.protocol=PAP 
auth.radius.PrimaryServer.host=example.com 
auth.radius.PrimaryServer.port=1812 
auth.radius.PrimaryServer.timeout=3 
auth.radius.PrimaryServer.secret=secretword 
auth.radius.PrimaryServer.retry.times=3 
auth.radius.PrimaryServer.domain.name=radius.example.com
auth.group.radius.example.com.protocol=ldaps
auth.group.radius.example.com.host=xxx.xxx.xxx.xxx
auth.group.radius.example.com.port=636
auth.group.radius.example.com.searchdn=CN=sample1,CN=Users,DC=domain,DC=local
auth.group.radius.example.com.searchpw=password
auth.group.radius.example.com.basedn=CN=Users,DC=domain,DC=local

The attributes are defined in the following tables.

Table. RADIUS definition (for authentication server)
Attribute Description Required / Optional Default value
auth.server.type Type of an authentication server. Specify radius. Required None
auth.server.name The name of a server.

When registering a primary and secondary server, use a comma to separate the names. The name of the server, including the primary name, secondary name, and the comma (1 byte) must be 64 bytes or less.

The names can use all ASCII code characters except for the following:

\ / : , ; * ? " < > | $ % & ' ˜

In this manual, the value specified here is called server-name hereafter.

Required None
auth.group.mapping Information about whether to work together with an authorization server
  • true: Works together
  • false: Does not work together
Optional False
auth.radius.server-name.protocol RADIUS protocol to use.
  • PAP: Password authentication protocol that transmits plaintext user ID and password
  • CHAP: Challenge-handshake authentication protocol that transmits encrypted password
Required None
auth.radius.server-name.host A host name, an IPv4 address or an IPv6 address of the RADIUS server. An IPv6 address must be enclosed in square brackets. Required1 None
auth.radius.server-name.port A port number of the RADIUS server.

Must be between 1 and 65,535.

Optional2 1,812
auth.radius.server-name.timeout

The number of seconds before the connection to the RADIUS server times out.

Must be between 1 and 30.

Optional2 10
auth.radius.server-name.secret RADIUS secret key used for PAP or CHAP authentication Required None
auth.radius.server-name.retry.times

Retry times when the connection to the RADIUS server fails.

Must be between 0 and 3. 0 means no retry.

Optional2 3
auth.radius.server-name.attr.NASIdentifier Identifier for the RADIUS server to find SVP. Specify this value if the attr.NAS-Identifier attribute is used in your RADIUS environment. ASCII codes up to 253 bytes long are accepted. Optional None
auth.radius.server-name.attr.NAS-IPv4-Address IPv4 address of the SVP. Specify the value of the NAS-IP-Address attribute. This value is transmitted to the RADIUS server when the authentication is requested. Optional None
auth.radius.server-name.attr.NAS-IPv6-Address IPv6 address of the SVP. Specify the value of the NAS-IPv6-Address attribute. This value is transmitted to the RADIUS server when the authentication is requested. Optional None
Notes:
  1. If you query DNS with external authorization, the settings are not required.
  2. If the specified value is not applicable, the default value will be used.
Table. RADIUS definition (for authorization server)
Attribute Description Required / Optional Default value
auth.radius.server-name.domain.name A domain name that the LDAP server manages. In this manual, the value specified here is called domain-name hereafter. Required None

auth.radius.server-name.dns_lookup

Information about whether to search the LDAP server with the information registered in the SRV records in the DNS server.

Specify "false" (Searches with the host name and port number).

Do not specify "true" (Searches with the information registered in the SRV records in the DNS server).

Optional false

auth.radius.domain-name.protocol

LDAP protocol to use.

Specify "ldaps" (Uses LDAP over SSL/TLS).

Do not specify "starttls" (Uses StartTLS).

Required None

auth.radius.domain-name.host

A host name, an IPv4 address or an IPv6 address of the LDAP server. An IPv6 address must be enclosed in square brackets ([ ]). Optional1 None

auth.radius.domain-name.port

A port number of the LDAP server.

Must be between 1 and 65535.

Optional2 389

auth.radius.domain-name.searchdn

DN of the user for searching. Required None
auth.radius.domain-name.searchpw User password for searching. Specify the same password that is registered in the LDAP server. Required None
auth.radius.domain-name.basedn Base DN for searching for users to authenticate. Specify DN of the hierarchy, including all the users for searching because the targeted users for searching are in lower hierarchy than the specified DN. Optional3 abbr
auth.radius.domain-name.timeout The number of seconds before the connection to the LDAP server times out. Must be between 1 and 30. Optional2 10
auth.radius.domain-name.retry.interval Retry interval in seconds when the connection to the LDAP server fails. Must be between 1 and 5. Optional 1
auth.radius.domain-name.retry.times Retry times when the connection to the LDAP server fails. Must be between 0 and 3. 0 means no retry. Optional2 3
Notes:
  1. The item can be omitted if true is specified for "auth.radius.server-name.dns_lookup".
  2. If the specified value is not valid, the default value will be used.
  3. To use symbols such as + ; , < = and >, enter a backslash (\) before each symbol. When using multiple symbols, each symbol must have a backslash before it. For example, to enter abc++ in the searchdn field, use \+ instead of + as shown here: abc\+\+

    To enter \ , /, or ", enter a backslash and then the ASCII code in hex for these symbols.

    • Enter \5c for \.
    • Enter \2f for /.
    • Enter \22 for "

    For example, to enter abc\ in the searchdn field, enter abc\5c.