RADIUS

Opendium Web Gateway and UTM use a RADIUS accounting server to help keep track of the users. With the help of network access controllers, such as your wifi controller, a single sign-on service can be provided for many single-user devices. For example, people using smartphones and tablets will only need to enter their credentials once, rather than having to log onto the wifi network and then separately log onto the web proxy.

For full functionality, the network access controller must include Framed-IP-Address and/or Framed-IPv6-Address attributes in the radius accounting data. The following wifi systems are known to work well:

  • Ruckus
  • Meru

Network access controllers which do not include the Framed-IP-Address / Framed-IPv6-Address attributes can be used in situations where the end-user devices have a direct layer 2 connection to the Opendium server, i.e. the Web Gateway / UTM must be on the same IP subnet as the end-user devices, rather than their traffic being routed at layer 3 through another device. The following wifi systems are known to work in this configuration:

  • Ubiquiti UniFi
  • Meraki

Restrictions

  • IPv4 and IPv6 networks with a layer 2 connection to the Opendium system are supported in all circumstances.
  • IPv4 networks without a layer 2 connection to the Opendium system must include a Framed-IP-Address attribute in the RADIUS accounting data.
  • IPv6 networks without a layer 2 connection to the Opendium system that do not include a Framed-IPv6-Address attribute in the RADIUS accounting data must assign addresses through SLAAC rather than DHCPv6, and IPv6 Privacy Extensions must be disabled on the client devices.
  • IPv6 networks without a layer 2 connection to the Opendium system that do include a Framed-IPv6-Address attribute in the RADIUS accounting data must assign addresses through DHCPv6, rather than SLAAC.

Configuration

In order to configure your network access controllers to send accounting data to Web Gateway / UTM, first go to Users and Groups -> RADIUS Configuration. Use the Create Client button and enter the IP address of the network access controller. The accounting data is authenticated with a shared secret, so that it cannot be forged by anyone who does not know the secret. You can either use the shared secret that has been automatically generated, or replace it with your own. If you have multiple network access controllers, you can repeat this step for each, or specify their whole subnet instead. Note that with some wireless systems (e.g. Ruckus) the accounting data is sent only by the controller, whereas with other systems (e.g. Ubiquiti UniFi) the individual access points send the accounting data.
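To make concrete what the Framed-IP-Address / Framed-IPv6-Address attributes carry and what the shared secret actually protects, here is an added example in Python. It is not part of Opendium's documentation or software. It builds a constructed Accounting-Request the way a network access controller would (RFC 2866), then verifies the Request Authenticator with the shared secret and extracts the attributes a session tracker needs, and finally shows that a packet whose Framed-IP-Address was changed without the secret is rejected. The attribute numbers are the standard ones (User-Name 1, NAS-IP-Address 4, Framed-IP-Address 8, Acct-Status-Type 40, Acct-Session-Id 44, Framed-IPv6-Address 168 from RFC 6911); the secret, addresses, session id and user name are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional

# Standard RADIUS attribute numbers (RFC 2865, RFC 2866, RFC 6911).
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ATTR_FRAMED_IPV6_ADDRESS = 168

CODE_ACCOUNTING_REQUEST = 4
ACCT_STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}

# Constructed sample secret; in practice use the one shown under RADIUS Configuration.
SHARED_SECRET = b"example-shared-secret"


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type (1 octet), Length (1 octet, header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(identifier: int, secret: bytes, attrs: bytes) -> bytes:
    """Build an Accounting-Request as a NAS would. The Request Authenticator
    (RFC 2866 section 3) is MD5 over the header, 16 zero octets, the attributes
    and the shared secret, so it cannot be computed without the secret."""
    header = struct.pack("!BBH", CODE_ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def sample_start_packet() -> bytes:
    """Constructed Accounting-Start for user 'alice' carrying both framed addresses."""
    attrs = (
        _attr(ATTR_USER_NAME, b"alice")
        + _attr(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address("192.0.2.10").packed)
        + _attr(ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.20.30.40").packed)
        + _attr(ATTR_FRAMED_IPV6_ADDRESS, ipaddress.IPv6Address("2001:db8::1234").packed)
        + _attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1))
        + _attr(ATTR_ACCT_SESSION_ID, b"0000abcd")
    )
    return build_accounting_request(7, SHARED_SECRET, attrs)


def parse_accounting_request(packet: bytes, secret: bytes) -> Optional[dict]:
    """Verify the Request Authenticator with the shared secret, then decode the
    attributes a session tracker needs. Returns None for malformed packets or
    packets not produced by a client holding the secret."""
    if len(packet) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCOUNTING_REQUEST or length < 20 or length > len(packet):
        return None
    attrs = packet[20:length]  # octets beyond Length are padding (RFC 2865)
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    result = {"Identifier": identifier}
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            return None
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return None
        value = attrs[pos + 2:pos + alen]
        pos += alen
        if atype == ATTR_USER_NAME:
            result["User-Name"] = value.decode("utf-8", "replace")
        elif atype == ATTR_NAS_IP_ADDRESS and len(value) == 4:
            result["NAS-IP-Address"] = str(ipaddress.IPv4Address(value))
        elif atype == ATTR_FRAMED_IP_ADDRESS and len(value) == 4:
            result["Framed-IP-Address"] = str(ipaddress.IPv4Address(value))
        elif atype == ATTR_FRAMED_IPV6_ADDRESS and len(value) == 16:
            result["Framed-IPv6-Address"] = str(ipaddress.IPv6Address(value))
        elif atype == ATTR_ACCT_STATUS_TYPE and len(value) == 4:
            status = struct.unpack("!I", value)[0]
            result["Acct-Status-Type"] = ACCT_STATUS_NAMES.get(status, str(status))
        elif atype == ATTR_ACCT_SESSION_ID:
            result["Acct-Session-Id"] = value.decode("ascii", "replace")
    return result


def rewrite_framed_ip_without_secret(packet: bytes, new_ip: str) -> bytes:
    """Model a packet altered on the wire by someone without the secret: the
    Framed-IP-Address value changes but the authenticator is left untouched,
    so parse_accounting_request() should reject the result."""
    buf = bytearray(packet)
    pos = 20
    while pos + 2 <= len(buf):
        atype, alen = buf[pos], buf[pos + 1]
        if atype == ATTR_FRAMED_IP_ADDRESS and alen == 6:
            buf[pos + 2:pos + 6] = ipaddress.IPv4Address(new_ip).packed
            break
        pos += max(alen, 2)
    return bytes(buf)


if __name__ == "__main__":
    packet = sample_start_packet()
    print("genuine: ", parse_accounting_request(packet, SHARED_SECRET))
    print("bad key: ", parse_accounting_request(packet, b"not-the-secret"))
    altered = rewrite_framed_ip_without_secret(packet, "10.20.30.99")
    print("altered: ", parse_accounting_request(altered, SHARED_SECRET))
```

Two points follow from the code. First, the session tracker learns the client's address only from the Framed-IP-Address / Framed-IPv6-Address attributes (or, failing those, from a layer 2 view of the client), which is why the list above matters. Second, the shared secret only authenticates the packet's origin; RADIUS accounting is not encrypted, so user names and addresses are readable by anyone on the path between the network access controller and the Opendium system, and the secret should be treated like any other credential.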

Once RADIUS is configured on the Opendium system, set your network access controllers to send accounting data to Web Gateway / UTM using the same shared secrets.

Remember to set the appropriate user identification profiles for your networks.

Active Sessions

You can view the currently active RADIUS sessions in Users and Groups -> RADIUS Sessions. Note that Web Gateway / UTM uses RADIUS to keep track of the users it knows about, even if a network access controller has not sent any accounting data. For example, when a user authenticates with the web proxy, accounting data for that session is recorded. The NAS column will show "Iceni Internal" for sessions which have been recorded by the Opendium system itself, or the respective network access controller's ID and IP address for other sessions.

Logs

The accounting logs can be queried through Reports -> RADIUS -> Logs. After entering search criteria, a report will be shown for all matching RADIUS sessions. Clicking on one of the sessions will bring up more information.