Creating a RADIUS configuration file

System Administrator Guide for Virtual Storage Platform E Series

Version: 93-07-0x
Audience: anonymous
Part Number: MK-97HM85028-18

You can use a RADIUS server for authentication on your storage system.

To use a RADIUS server for authentication, create a configuration file in UTF-8 encoding. Include information about the authentication server as shown in the following example. Any file name and extension is allowed. If an authorization server is not used, you do not need to define the items for it.

CAUTION:
If you save the configuration file with the Windows standard Notepad application, select ANSI as the encoding. If you use an editor other than Notepad that has a UTF-8 BOM setting, select No BOM and then save.

auth.server.type=radius
auth.server.name=server-name
auth.group.mapping=value
auth.radius.server-name.attribute=value
auth.group.domain-name.attribute=value

A full example is shown below:

auth.server.type=radius
auth.server.name=PrimaryServer
auth.group.mapping=true
auth.radius.PrimaryServer.protocol=PAP
auth.radius.PrimaryServer.host=example.com
auth.radius.PrimaryServer.port=1812
auth.radius.PrimaryServer.timeout=3
auth.radius.PrimaryServer.secret=secretword
auth.radius.PrimaryServer.retry.times=3
auth.radius.PrimaryServer.domain.name=radius.example.com
auth.group.radius.example.com.protocol=ldaps
auth.group.radius.example.com.host=xxx.xxx.xxx.xxx
auth.group.radius.example.com.port=636
auth.group.radius.example.com.searchdn=CN=sample1,CN=Users,DC=domain,DC=local
auth.group.radius.example.com.searchpw=password
auth.group.radius.example.com.basedn=CN=Users,DC=domain,DC=local

The attributes are defined in the following tables.

Table. RADIUS definition (for authentication server)

Attribute: auth.server.type
  Description: Type of authentication server. Specify radius.
  Required / Optional: Required
  Default value: None

Attribute: auth.server.name
  Description: Name of the server (referred to as server-name). When registering a primary and a secondary server, use a comma to separate the names. The name of the server, including the primary name, the secondary name, and the comma (1 byte), must be 64 bytes or less. The names can use all ASCII characters except the following:
    \ / : , ; * ? " < > | $ % & ' ~
  Required / Optional: Required
  Default value: None

Attribute: auth.group.mapping
  Description: Whether to work together with an authorization server.
    • true: Works together.
    • false: Does not work together.
  Required / Optional: Optional
  Default value: false

Attribute: auth.radius.server-name.protocol
  Description: RADIUS protocol to use.
    • PAP: Password Authentication Protocol, which transmits the user ID and password in plaintext.
    • CHAP: Challenge-Handshake Authentication Protocol, which transmits the password in encrypted form.
  Required / Optional: Required
  Default value: None

Attribute: auth.radius.server-name.host
  Description: Host name, IPv4 address, or IPv6 address of the RADIUS server. An IPv6 address must be enclosed in square brackets ([ ]). You cannot specify the following as the IPv6 address:
    • Invalid value: [::]
    • Loopback address: [::1]
    • Multicast address: [FF00:: - FDFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF]
    • IPv4-mapped IPv6 address: [::FFFF:(IPv4)]
    • Link-local address: [FE80::]
    • Global unicast address: [2001::]
    • Global unicast address: [2002::]
  Required / Optional: Required (see note 1)
  Default value: None

Attribute: auth.radius.server-name.port
  Description: Port number of the RADIUS server. Must be between 1 and 65535.
  Required / Optional: Optional (see note 2)
  Default value: 1812

Attribute: auth.radius.server-name.timeout
  Description: Number of seconds before the connection to the RADIUS server times out. Must be between 1 and 30.
  Required / Optional: Optional (see note 2)
  Default value: 10

Attribute: auth.radius.server-name.secret
  Description: RADIUS secret (shared secret) used for PAP or CHAP authentication.
  Required / Optional: Required
  Default value: None

Attribute: auth.radius.server-name.retry.times
  Description: Number of retries when the connection to the RADIUS server fails. Must be between 0 and 3; 0 means no retry.
  Required / Optional: Optional (see note 2)
  Default value: 3

Attribute: auth.radius.server-name.attr.NASIdentifier
  Description: Identifier that the RADIUS server uses to find the SVP. Specify this value if the NAS-Identifier attribute is used in your RADIUS environment. ASCII strings up to 253 bytes long are accepted.
  Required / Optional: Optional
  Default value: None

Attribute: auth.radius.server-name.attr.NAS-IPv4-Address
  Description: IPv4 address of the SVP. Specify this value if the NAS-Identifier attribute is used in your RADIUS environment. ASCII strings up to 253 bytes long are accepted.
  Required / Optional: Optional
  Default value: None

Attribute: auth.radius.server-name.attr.NAS-IPv6-Address
  Description: IPv6 address of the SVP. Specify the value of the NAS-IPv6-Address attribute. This value is transmitted to the RADIUS server when authentication is requested.
  Required / Optional: Optional
  Default value: None

Notes:
  1. If you query DNS with external authorization, the settings are not required.
  2. If the specified value is not applicable, the default value is used.
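A checker for the authentication-server settings described above, written for this page as an added example (it is not part of the product or of the original document). It reads a file in the format shown, rejects a UTF-8 BOM as the CAUTION requires, and applies the name, protocol, host and numeric-range rules from the table; the multicast and link-local checks use the ipaddress module's whole prefixes, which cover the addresses the table lists. The sample configuration is constructed and contains two deliberate mistakes.

```python
import ipaddress
# Constructed sample in the page's format (not a real deployment); host and timeout are deliberately invalid.
SAMPLE = b"""auth.server.type=radius
auth.server.name=PrimaryServer
auth.group.mapping=false
auth.radius.PrimaryServer.protocol=CHAP
auth.radius.PrimaryServer.host=[::1]
auth.radius.PrimaryServer.timeout=45
auth.radius.PrimaryServer.secret=secretword
"""
BAD_NAME_CHARS = set('\\/:,;*?"<>|$%&\'~')  # the table's tilde read as ASCII ~
RANGES = {"port": (1, 65535), "timeout": (1, 30), "retry.times": (0, 3)}

def parse(raw: bytes) -> dict:
    # Split key=value lines; a UTF-8 BOM is rejected, as the CAUTION requires.
    if raw.startswith(b"\xef\xbb\xbf"):
        raise ValueError("file starts with a UTF-8 BOM; save it with No BOM")
    return dict(l.split("=", 1) for l in raw.decode("utf-8").splitlines() if "=" in l)

def host_problem(host: str):
    # Why a host value is unusable, or None. Only bracketed IPv6 literals are inspected.
    if not host.startswith("["):
        return None if host else "is required"
    ip = ipaddress.IPv6Address(host.strip("[]"))  # raises ValueError if malformed
    if (ip.is_unspecified or ip.is_loopback or ip.is_multicast or ip.is_link_local
            or ip.ipv4_mapped is not None or str(ip) in ("2001::", "2002::")):
        return "is an unspecified, loopback, multicast, link-local, IPv4-mapped or reserved address"
    return None

def validate_auth_server(cfg: dict) -> list:
    errors = []
    if cfg.get("auth.server.type") != "radius":
        errors.append("auth.server.type must be radius")
    names = cfg.get("auth.server.name", "")
    if not names or len(names.encode()) > 64 or BAD_NAME_CHARS & set(names.replace(",", "")):
        errors.append("auth.server.name is missing, over 64 bytes or uses a forbidden character")
    for name in filter(None, names.split(",")):  # primary[,secondary]
        p = f"auth.radius.{name}."
        if cfg.get(p + "protocol") not in ("PAP", "CHAP"):
            errors.append(p + "protocol must be PAP or CHAP")
        if not cfg.get(p + "secret"):
            errors.append(p + "secret is required")
        if why := host_problem(cfg.get(p + "host", "")):
            errors.append(f"{p}host {why}")
        for key, (lo, hi) in RANGES.items():  # out-of-range values silently fall back to the default
            val = cfg.get(p + key)
            if val is not None and not (val.isdigit() and lo <= int(val) <= hi):
                errors.append(f"{p}{key}={val} is outside {lo}-{hi}; the default would apply")
    return errors
```

Run it against a real file with validate_auth_server(parse(open(path, "rb").read())); an empty list means every rule in the table above is satisfied.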
Table. RADIUS definition (for authorization server)

Attribute: auth.radius.server-name.domain.name
  Description: Domain name that the LDAP server manages (referred to as domain-name).
  Required / Optional: Required
  Default value: None

Attribute: auth.radius.server-name.dns_lookup
  Description: Whether to search for the LDAP server using the SRV records registered in the DNS server. Specify false (searches with the host name and port number). Do not specify true (searches with the SRV records registered in the DNS server).
  Required / Optional: Optional
  Default value: false

Attribute: auth.group.domain-name.protocol
  Description: LDAP protocol to use. Specify ldaps (LDAP over SSL/TLS). Do not specify starttls (StartTLS).
  Required / Optional: Required
  Default value: None

Attribute: auth.group.domain-name.host
  Description: Host name, IPv4 address, or IPv6 address of the LDAP server. An IPv6 address must be enclosed in square brackets ([ ]). You cannot specify the following as the IPv6 address:
    • Invalid value: [::]
    • Loopback address: [::1]
    • Multicast address: [FF00:: - FDFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF]
    • IPv4-mapped IPv6 address: [::FFFF:(IPv4)]
    • Link-local address: [FE80::]
    • Global unicast address: [2001::]
    • Global unicast address: [2002::]
  Required / Optional: Optional (see note 1)
  Default value: None

Attribute: auth.group.domain-name.port
  Description: Port number of the LDAP server. Must be between 1 and 65535.
  Required / Optional: Optional (see note 2)
  Default value: 389

Attribute: auth.group.domain-name.searchdn
  Description: DN of the user used for searching.
  Required / Optional: Required (see note 3)
  Default value: None

Attribute: auth.group.domain-name.searchpw
  Description: Password of the user used for searching. Specify the same password that is registered in the LDAP server.
  Required / Optional: Required
  Default value: None

Attribute: auth.group.domain-name.basedn
  Description: Base DN for searching for the users to authenticate. Specify the DN of the hierarchy that contains all the users to be searched, because the search covers the entries below the specified DN.
  Required / Optional: Optional (see note 3)

Attribute: auth.group.domain-name.timeout
  Description: Number of seconds before the connection to the LDAP server times out. Must be between 1 and 30.
  Required / Optional: Optional (see note 2)
  Default value: 10

Attribute: auth.group.domain-name.retry.interval
  Description: Retry interval in seconds when the connection to the LDAP server fails. Must be between 1 and 5.
  Required / Optional: Optional
  Default value: 1

Attribute: auth.group.domain-name.retry.times
  Description: Number of retries when the connection to the LDAP server fails. Must be between 0 and 3; 0 means no retry.
  Required / Optional: Optional (see note 2)
  Default value: 3

Notes:
  1. This item can be omitted if true is specified for auth.radius.server-name.dns_lookup.
  2. If the specified value is not valid, the default value is used.
  3. To use symbols such as + ; , < = and >, type a backslash (\) before each symbol. When using multiple symbols, each symbol must have a backslash before it. For example, to enter abc++ in the basedn or searchdn field, type abc\+\+.
     To enter a backslash (\), forward slash (/), or quotation mark ("), type a backslash (\) followed by the ASCII code in hex:
     • To enter a backslash (\), type \5c.
     • To enter a forward slash (/), type \2f.
     • To enter a quotation mark ("), type \22.
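An added example (not the product's or the document's own code) covering the authorization-server table and note 3 together: escape_dn_value applies the note's escaping to one attribute value of a DN (the reading assumed here, since the DN's own "=" and "," separators must stay unescaped), and validate_authz_server checks that only ldaps and dns_lookup=false are used and that the required keys and numeric ranges are respected. The configuration dict is constructed, already parsed into key/value pairs, and contains two deliberate mistakes.

```python
# Constructed example (not the product's own code): a parsed config as a dict,
# with protocol and retry.interval deliberately wrong so the checker reports them.
DOMAIN = "radius.example.com"
SAMPLE = {
    "auth.radius.PrimaryServer.domain.name": DOMAIN,
    "auth.radius.PrimaryServer.dns_lookup": "false",
    f"auth.group.{DOMAIN}.protocol": "starttls",
    f"auth.group.{DOMAIN}.host": "ldap.example.com",
    f"auth.group.{DOMAIN}.searchdn": "CN=sample1,CN=Users,DC=domain,DC=local",
    f"auth.group.{DOMAIN}.searchpw": "password",
    f"auth.group.{DOMAIN}.retry.interval": "9",
}
RANGES = {"port": (1, 65535), "timeout": (1, 30), "retry.interval": (1, 5), "retry.times": (0, 3)}
HEX_ESCAPED = {"\\": r"\5c", "/": r"\2f", '"': r"\22"}  # note 3: these take the hex form
BACKSLASH_ESCAPED = set("+;,<=>")                        # note 3: these take a single backslash

def escape_dn_value(value: str) -> str:
    # Escape one attribute value (the text after "CN="); the DN's own separators are
    # left alone. "abc++" becomes "abc\+\+" and a literal backslash becomes "\5c".
    return "".join(HEX_ESCAPED.get(c, "\\" + c if c in BACKSLASH_ESCAPED else c) for c in value)

def validate_authz_server(cfg: dict, server: str) -> list:
    p = f"auth.radius.{server}."
    domain = cfg.get(p + "domain.name")
    if not domain:
        return [p + "domain.name is required when auth.group.mapping=true"]
    g, errors = f"auth.group.{domain}.", []
    if cfg.get(p + "dns_lookup", "false") != "false":
        errors.append(p + "dns_lookup must be false (DNS SRV lookup is not supported)")
    if cfg.get(g + "protocol") != "ldaps":
        errors.append(g + "protocol must be ldaps (starttls is not supported)")
    for key in ("host", "searchdn", "searchpw"):  # host is only omittable with dns_lookup=true, excluded above
        if not cfg.get(g + key):
            errors.append(g + key + " is required")
    for key, (lo, hi) in RANGES.items():  # out-of-range values fall back to the default (note 2)
        val = cfg.get(g + key)
        if val is not None and not (val.isdigit() and lo <= int(val) <= hi):
            errors.append(f"{g}{key}={val} is outside {lo}-{hi}")
    return errors
```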