Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Using RADIUS Agent for Transparent User Identification > Components used for transparent identification with RADIUS Agent
Components used for transparent identification with RADIUS Agent
Using RADIUS Agent | Web Security Solutions | Version 7.7, 7.8
Transparent identification with Websense RADIUS Agent uses the following components.
RADIUS Agent is installed on a machine running one of the following supported operating systems:
One instance of Websense RADIUS Agent can support multiple RADIUS clients. Multiple RADIUS Agents can also be used; this may benefit larger networks.
By default, RADIUS Agent listens for authentication requests on the RADIUS authentication port. Filtering Service uses the information provided by RADIUS Agent to apply policies to remote users logged on to the network.
RADIUS Agent extracts the authentication request ID (a unique identifier), user name, and originating IP address. The Agent stores this data in a user name-to-IP-address map in local memory and in the RadiusAgent.bak file.
IP addresses are the key element in tracking logon sessions, because the same user may log on to the network from different locations. In cases where users share an IP address (as with Windows Terminal Services), Websense software may not always be able to identify users. In this case, user requests receive computer or network policies, or by the Default policy.
A RADIUS Agent installation typically includes the following files:
C:\Program Files or Program Files (x86)\Websense\Web Security\bin\ or
User Service
User Service interacts with your directory service to get group information corresponding to logged-on users. It provides this information to Filtering Service.
Filtering Service
Filtering Service receives user logon information from RADIUS Agent as users log on to the network. At each transmission, only the record of logon sessions established since the last transmission is sent back to the server. This includes new users logged on to existing remote machines and new users logged on to new remote machines.
Filtering Service receives user data in the form of user name/IP address pairs (originating from RADIUS Agent's map in local memory). When Filtering Service gets the IP address of a machine making an Internet request, the server matches the address with the corresponding user name provided by RADIUS Agent, allowing users to be identified transparently whenever they make Internet requests. Filtering Service then applies the policies assigned to those users or groups.
Filtering Service is the destination for the user information RADIUS Agent gleans from authentication requests. When you are troubleshooting user identification problems, be sure to determine whether Filtering Service is getting the latest and most accurate user data.
Websense software can be configured to prompt users to manually authenticate if it cannot obtain user information via RADIUS Agent. With manual authentication, if a user does not provide a valid user name and password, he or she is blocked from Internet access.
If a user cannot be identified transparently, and manual authentication is not enabled, a computer or network policies, or the Default policy, is applied to the request.
Typically, the RADIUS client is a Network Access Service (NAS) or remote access server, which acts as the point of contact for remote user logons. The client receives authentication requests as users log on, and sends authentication requests to RADIUS Agent for processing.
The RADIUS client sends authentication requests to the port specified in the Web Security manager (go to the Settings > General > User Identification page and click a RADIUS Agent instance to view and configure this setting).
These port values are also stored as AuthInPort and AccInPort in the RADIUS Agent wsradius.ini file (see Custom configuration for a RADIUS Agent instance and RADIUS Agent initialization parameters).
The RADIUS server is typically a service that performs Internet authentication, such as the Microsoft Internet Authentication Service (IAS).
The RADIUS server performs the actual user authentication function. The RADIUS server receives authentication requests from Websense RADIUS Agent, and checks the user name and password entered against the corresponding account in the directory service. Finally, the RADIUS server sends a response to RADIUS Agent indicating the status of the authentication request.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Using RADIUS Agent for Transparent User Identification > Components used for transparent identification with RADIUS Agent
Copyright 2016 Forcepoint LLC. All rights reserved.