
SSH Tectia 

RADIUS Submethod

RADIUS (Remote Authentication Dial-In User Service) is a protocol for checking a user's authentication and authorization information from a remote server. It was originally intended for authenticating dial-in users, but is also suitable for use with Secure Shell. In SSH Tectia, RADIUS is implemented as a submethod of Keyboard-Interactive authentication.

The radius Keyboard-Interactive submethod requires one or more RADIUS servers to be configured in the sshd2_config file:

AllowedAuthentications   keyboard-interactive
AuthKbdInt.Optional      radius
AuthKbdInt.RADIUS.NASIdentifier identifier
AuthKbdInt.RADIUS.Server serveraddress=address,\ 

The AuthKbdInt.RADIUS.NASIdentifier keyword defines the default NAS identifier to be used when talking to the RADIUS server.

The AuthKbdInt.RADIUS.Server keyword defines one RADIUS server. The server address field is mandatory; the other fields are optional. The address can be an IP address or a DNS name.

The nasidentifier field overrides the default for this server, if specified.

The default file for the shared secret is /etc/ssh2/ssh_radius_nas_secret.dat.

The default timeout is 23 seconds. This is usually sufficient, but if the RADIUS server is expected to take a long time to process the authentication request, the timeout can be lengthened. The servers are queried in the order in which they have been specified, and only one at a time. The minimum timeout is 7 seconds, and the timeout has a granularity of 8 seconds. The RADIUS server will always be queried for at least the number of seconds specified in the timeout parameter.

The supported RADIUS servers are the FreeRADIUS server and Microsoft IAS (Internet Authentication Service) server. The following sections contain advice on configuring them to interoperate with SSH Tectia Server.

FreeRADIUS Server Configuration

Configure the client (SSH Tectia Server) in /etc/freeradius/clients.conf with the proper IP address and nastype = other. The FreeRADIUS server can be instructed to check the users against the system's main passwd file with the following in /etc/freeradius/users:

DEFAULT Auth-Type = System, Fall-Through = 1

In /etc/freeradius/radiusd.conf, PAP must be configured to be available for authentication. See the FreeRADIUS documentation for further details.

IAS Server Configuration

For SSH Tectia Server to interoperate with Microsoft IAS, the following must be done:

  1. Requiring Signature Attribute must be switched off in IAS.
  2. Dial-In must be allowed in the user's properties.
  3. PAP authentication must be allowed in IAS.

Note: SSH Communications Security does not provide technical support on how to configure RADIUS. Our support only covers SSH Tectia applications.


Copyright © 2010 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.