RADIUS is an authentication, authorization, and accounting service that authenticates users by integrating with password databases, such as the a UNIX password file, Active Directory, LDAP, and simple text files containing user/password pairs. Reflection for Secure IT supports RADIUS for authentication purposes only.
One or more RADIUS authentication servers must be configured. To configure Reflection for Secure IT, you need the name of the RADIUS server, the port used for RADIUS communication (usually 1812 or 1645), and the shared secret used by the RADIUS server. You'll use this information to create a RADIUS configuration file.
How it Works
The Reflection for Secure IT server acts as a RADIUS client in order to authenticate a user. Requests are sent to any RADIUS servers you have configured in the RADIUS file.
- The Reflection for Secure IT server receives a keyboard-interactive authentication request from a client.
- If RADIUS authentication is enabled, the Reflection for Secure IT server attempts to authenticate the user by sending an ACCESS-REQUEST message with the User-Name and Password attribute/value pair to the first RADIUS server you have configured.
- The Reflection for Secure IT server waits for an ACCESS-ACCEPT or ACCESS-REJECT message from the RADIUS authentication server.
- If the Reflection for Secure IT server receives an ACCESS-ACCEPT message, the client connection is allowed and the Reflection for Secure IT server provides user access based on the current server configuration. If the server receives an ACCESS-REJECT message, or it fails to receive a response, the server attempts to authenticate to any additional RADIUS servers you have configured. If no ACCESS-ACCEPT message is received from any RADIUS server, RADIUS authentication fails and the Reflection for Secure IT server attempts any other allowed authentications.
Note: Authentication fails if a user is able to authenticate to the RADIUS authentication server, but no account exists for that user on the Reflection for Secure IT server.