Technical Library | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Security > Content Gateway user authentication > RADIUS authentication
RADIUS authentication
Help | Content Gateway | Version 8.1.x
Content Gateway supports the RADIUS option to ensure that users are authenticated with a RADIUS server before accessing content through the proxy.
When the RADIUS option is enabled:
*
Content Gateway acts as a RADIUS client and directly challenges users who request content for a username and password.
*
After receiving the username and password, Content Gateway contacts the RADIUS server to check that the credentials are correct.
*
If the RADIUS server accepts the username and password, the proxy serves the client with the requested content and stores the username and password entry in the RADIUS cache; all future authentication requests for that user are served from the RADIUS cache until the entry expires.
*
If the RADIUS server rejects the username and password, the user's browser displays a message indicating that authorization failed and prompts again for a username and password.
Content Gateway supports a primary RADIUS server and a secondary RADIUS server for failover. If the primary server does not respond to the proxy request within the specified timeout (60 seconds by default), Content Gateway tries to check the username and password again. If a response from the primary RADIUS server is not received after the maximum number of retries (10 by default), the proxy contacts the secondary RADIUS server. If Content Gateway cannot contact the secondary RADIUS server, the user is prompted again for a username and password.
The RADIUS cache is held in memory and stored on disk. Content Gateway updates the data on disk every 60 seconds. In addition, Content Gateway stores username and password entries in the RADIUS cache for 60 minutes. If a password and username entry is expired in the RADIUS cache, Content Gateway contacts the RADIUS server to accept or reject the username and password.
To configure Content Gateway to be a RADIUS client:
*
Enable the RADIUS option.
*
Specify the hostname or IP address of the primary and secondary (optional) RADIUS servers, and the port and shared key that Content Gateway uses to communicate with the RADIUS servers.
See Configuring Content Gateway to be a RADIUS client.
Configuring Content Gateway to be a RADIUS client
1.
Go to Configure > My Proxy > Basic > General.
2.
In the Authentication section, click Radius On, and then click Apply.
3.
Navigate to Configure > Security > Access Control > Radius.
4.
Enter the hostname of your primary RADIUS server.
5.
Enter the port number through which Content Gateway communicates with the primary RADIUS server.
6.
Enter the key used for encoding.
7.
If you are using a secondary RADIUS server, enter the hostname, port, and shared key in the appropriate fields of the Secondary Radius Server (Optional) area.
8.
Click Apply.
9.
Click Restart on Configure > My Proxy > Basic > General.
 
* 
Note 
In addition to performing these procedures, you must add the Content Gateway machine as a trusted client on the primary and secondary RADIUS servers and provide the shared key you want to use for the Content Gateway machine (the shared key must be the same one you specify in the procedure below). See your RADIUS server documentation.
Setting RADIUS cache and server timeout options
By default, the RADIUS cache and RADIUS server timeout options are configured as follows:
*
The RADIUS cache is configured to store 1,000 entries and each entry is considered fresh for 60 minutes.
*
Content Gateway can try to re-establish a connection to the RADIUS server if the connection remains idle for 10 seconds and can retry the connection a maximum of 10 times.
Change these default values by editing the records.config file.
1.
Open the records.config file located in /opt/WCG/config.
2.
Edit the following variables:
 
Variable
Description
proxy.config.radius.auth.
min_timeout
Specify the amount of time in seconds that the Content Gateway connection to the RADIUS server remains idle before Content Gateway closes the connection.
proxy.config.radius.auth.
max_retries
Specify the maximum number of times Content Gateway tries to connect to the RADIUS server.
proxy.config.radius.cache.size
Specify the number of entries allowed in the RADIUS cache.
The minimum value is 256 entries. If you enter a value lower than 256, Content Gateway signals a SEGV.
proxy.config.radius.auth.ttl_value
Specify the number of minutes that Content Gateway can store username and password entries in the RADIUS cache.
proxy.config.radius.cache.
storage_size
Specify the maximum amount of space that the RADIUS cache can occupy on disk.
This value must be at least 100 times the number of entries. It is recommended that you provide the maximum amount of disk space possible.
3.
Save and close the file.
4.
From the Content Gateway bin directory (/opt/WCG/bin), run content_line -L to restart Content Gateway on the local node or content_line -M to restart WCG on all the nodes in a cluster.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Security > Content Gateway user authentication > RADIUS authentication
Copyright 2016 Forcepoint LLC. All rights reserved.