The RADIUS user identification process

Technical Library | Support

Go to the table of contents

Go to the previous page

Go to the next page

View or print as PDF

Using RADIUS Agent for Transparent User Identification > Processing RADIUS traffic > The RADIUS user identification process

The RADIUS user identification process

Using RADIUS Agent | Web Security Solutions | Version 7.7, 7.8

Websense RADIUS Agent works with the RADIUS server and RADIUS client in your network to process and track Remote Access Dial-In User Service (RADIUS) protocol traffic. This enables you to assign Web Security policies to users or groups of users who access your network remotely, as well as to local users.


	Note Websense, Inc., recommends installing RADIUS Agent on a machine separate from the RADIUS server machine. This prevents port and IP address conflicts between RADIUS Agent and the RADIUS server.

Without RADIUS Agent, remote users are authenticated by a RADIUS client (RAS server, VPN server, or firewall).

The authentication process without RADIUS Agent is as follows:

1.

A user logs on to the network from a remote machine.

2.

The RADIUS client receives an authentication request for that user.

3.

The RADIUS client contacts the RADIUS server via the default RADIUS ports (1645 for authentication, and 1646 for accounting), and sends the user name and password to the RADIUS server.

4.

The RADIUS server validates the user name/password combination by checking it against the directory service, and then responds to the RADIUS client.

With Websense RADIUS Agent in place in your network, the user authentication process allows the agent to process and transmit remote authentication requests and provide user information to Filtering Service for use in policy enforcement and reporting.

The transparent identification process is as follows:

1.

RADIUS Agent listens on port 1645 (the RADIUS authentication port) for authentication requests and detects users logging on to domains, or logging on to the RADIUS server directly.


	Note If you are using RADIUS authentication in a specific Windows domain, run the Websense RADIUS Agent service as a domain user, or as the default System account on a machine in that domain.

2.

When a remote user logs on to the network, the RADIUS client receives an authentication request and contacts the RADIUS Agent machine via port 1645.

3.

RADIUS Agent extracts the authentication request ID (a unique identifier), user name, and originating IP address and stores the data in a user name-to-IP-address map in local memory, and in the RadiusAgent.bak file.


	Note If RADIUS Agent receives a new request from an IP address already included in its user map, it replaces the existing pair with the new pair.

4.

After extracting the required information, RADIUS Agent forwards the authentication request to the RADIUS server.

5.

The RADIUS server checks the user name and password entered against the corresponding account in the directory service, and then sends a response to RADIUS Agent indicating the status of the authentication request.


	Note To configure the amount of time RADIUS Agent waits for a response from the RADIUS server before ending a query attempt, modify the Timeout parameter in the RADIUS configuration file (wsradius.ini). For more details, see Custom configuration for a RADIUS Agent instance and RADIUS Agent initialization parameters.

6.

RADIUS Agent evaluates the response from the RADIUS server. If the RADIUS message received is an authentication rejection, RADIUS Agent removes the corresponding entry from its user map.

If the RADIUS packet received is an authentication acceptance, RADIUS Agent copies the corresponding entry to its main user map (a listing of full domain/user name/IP address entries).

7.

RADIUS Agent forwards the authentication response to the RADIUS client.

8.

RADIUS Agent sends user names and IP addresses to Filtering Service each time its user map is updated, using port 30800. Filtering Service records user name/IP address pairs to its own copy of the user map in local memory. No confidential information (such as user passwords) is transmitted.


	Note If you configure RADIUS Agent to require authentication, the RADIUS Agent service checks the password provided by Filtering Service against the password you specified on the Settings .> General > User Identification page in the Web Security manager. See Configuring RADIUS Agent settings in the Web Security manager.

9.

Filtering Service queries User Service to get group information for user names in its copy of the user map. User Service queries the directory service for group information corresponding to those users, and sends the information to Filtering Service.

10.

Filtering Service applies policies to logged-on users. For more information about applying policies to directory clients, see the Web Security Help.

Go to the table of contents

Go to the previous page

Go to the next page

View or print as PDF

Using RADIUS Agent for Transparent User Identification > Processing RADIUS traffic > The RADIUS user identification process

Copyright 2016 Forcepoint LLC. All rights reserved.