RAdmin® Radius User Administration

Open System Consultants Pty. Ltd.
Copyright (C) 1999-2015

Administrator Help for RAdmin version 1.15

1.0 Table of Contents

1.0 Table of Contents 1

2.0 Introduction 3

3.0 How it works 4

4.0 General information 4

4.1 Access control and permissions 4

4.2 The toolbar 5

4.3 Entering dates and times 5

4.4 Entering time intervals 7

4.5 Using dates in searches 8

4.6 Using text in searches 8

4.7 Using numbers in searches 9

4.8 Resorting search results 9

4.9 Service Profiles and RADIUS Check and Reply items 9

5.0 Add a User, Edit a User 10

5.1 Editable fields 11

5.2 Tasks using this page 14

6.0 List Users 14

6.1 Search Criteria 15

6.2 User List 16

6.3 Tasks using this page 16

7.0 List Usage 16

7.1 Search Criteria 17

7.2 Usage List 18

7.3 Tasks using this page 19

8.0 Usage Summary 19

8.1 Search Criteria 20

8.2 Usage Summaries 21

8.3 Tasks using this page 21

9.0 Log 21

9.1 Search Criteria 22

9.2 The List 23

9.3 Tasks using this page 23

10.0 Current sessions 24

10.1 Search Criteria 25

10.2 Session List 26

10.3 Tasks using this page 26

11.0 Modem usage report 26

11.1 Search Criteria 27

11.2 Modem usage list 28

11.3 Tasks using this page 28

12.0 Authentication Log 28

12.1 Search Criteria 29

12.2 Authentication Log list 30

12.3 Tasks using this page 30

13.0 Add Service Profile, Edit Service Profile 30

13.1 Editable Fields 31

14.0 List Service Profiles 31

15.0 Edit RADIUS Attributes 32

16.0 Add Radius Client, Edit Radius Client 33

16.1 Editable Fields 34

17.0 List Radius Clients 36

18.0 Subscription Management 37

18.1 Email to users 38

19.0 User subscriptions 39

19.1 Editable fields 40

20.0 Add a Product, Edit a Product 41

20.1 Editable fields 42

21.0 List Products 43

22.0 Vasco Digipass support 43

22.1 Import Digipass Tokens 44

22.2 List Digipass Tokens 45

22.3 Show Digipass Tokens details 47

23.0 Yubikey support 49

23.1 Import Yubikey Tokens 50

23.2 Importing with Yubico Windows COM/ActiveX Personalization Library installed 51

23.3 Importing with Yubico Windows COM/ActiveX Personalization Library NOT installed 52

23.4 List Yubikey Tokens 54

23.5 Show Yubikey Token details 54

24.0 Some common tasks 56

24.1 Adding a new user 56

24.2 Changing a password 56

24.3 Finding a User 56

24.4 Deleting a user 57

24.5 Checking who is currently on-line 57

24.6 Checking a user’s session history 57

24.7 Checking usage summaries 57

24.8 Checking the message log 57

24.9 Checking modem usage 58

24.10 Help a user with login problems 58

24.11 Import Digipass tokens from a DPX file 58

24.12 Allocating a Digipass token to a user 58

24.13 Import a Yubikey token 59

24.14 Allocating a Yubikey token to a user 59

 

2.0 Introduction

This document contains help and information for users of the RAdmin Radius User Administration System from Open System Consultants.

RAdmin provides a Web interface to a Radius user database. You can use RAdmin to add, configure and remove the users who are allowed to log into your network. You can use RAdmin to change their password, control how much time they are permitted to use, and also to set up a static IP address.

You can also use RAdmin to:

RAdmin is not a user billing or invoicing system.

‘RAdmin’ and the RAdmin logo are registered trademarks of Open System Consultants Pty Ltd.

3.0 How it works

RAdmin works together with your Radiator Radius Server to control who is permitted to log in to your network. Whenever a user connects and authenticates to an access server in your network, the access server send an “access request” to Radiator. Radiator looks in your RAdmin user database to check the password. If the password is correct, Radiator tells the terminal server to let the user in. If the password is not correct, or some other precondition is not satisfied, the user is rejected. You can use RAdmin to add and remove users, and to change their password and other login preconditions.

After the user is connected, the terminal server sends an “accounting request” to Radiator with details about the new session that has been started. Radiator saves this information in the RAdmin usage database.

When the user finally disconnects, the terminal server sends another “accounting request” to Radiator with details about the completed session, including the total session time and bytes counts. Radiator also saves this information in the RAdmin usage database. You can use RAdmin to get total usage summaries for your users, and to drill down to details for each session.

If during its operation, Radiator detects any problems, or gets any errors, they will be logged in the RAdmin Message Log. You can use RAdmin to investigate the Message Log.

4.0 General information

4.1 Access control and permissions

In order to access your RAdmin web pages, your system administrator may have enabled access control to your web site. That will mean you will have to enter a username and password before you can get to any of the RAdmin web pages. Your system administrator will tell you the username and password you will need to enter to get access.

Your system administrator can also individually tailor access to specific pages and functions in RAdmin. If you are unable to access a function, or an expected menu item does not appear, its probably because your system administrator has disabled your access to that function.

4.2 The toolbar

At the top of each page in Radmin is a toolbar, which allows you to quickly get to the most commonly used pages in RAdmin. It usually contains the following links:

  • List Users
  • Add a User
  • Log
  • Usage Summary
  • Current sessions
  • Modem usage report

Your RAdmin administrator can customize the toolbar to suit your organization, and add links to other RAdmin pages that you wish to access frequently, or even to other administrative web pages that you commonly need to use in your organization.

4.3 Entering dates and times

RAdmin allows you to enter dates in a variety of formats, and includes many fast shorthand ways of entering dates in the past and the future. All times and dates are entered and displayed in your time zone’s local time.

All dates stored and displayed in RAdmin include both the date and the time. Wherever you can enter a date, you can also enter the time. If you do not specify a time, it always defaults to midnight at the beginning of the day you specify. If you enter a time it must be in the format hh:mm(:ss). The seconds are optional. Times are in 24 hour time format. Some examples are:

  • 11:55
  • 16:20:30
  • 08:08
  • 09:5
  • 00:00 (i.e. midnight)

Dates are stored and displayed in RAdmin including the full 4 digit year. When entering dates, you can enter shorthand years, such as “99” or “00”, and RAdmin will make an educated guess about which year you mean.

During installation, your RAdmin administrator will have chosen the appropriate date format for your locality. This controls how dates are printed in RAdmin, and also how you must enter exact dates.

Many of the shorthand date formats allow you to use contractions. For example, instead of “1 week”, meaning 1 week in the future, you can enter “1w”. Instead of “today” you can enter “tod”.

TABLE 1. Permitted date/time formats

General date format

Meaning

Examples

now

The date and time of right now

now

today

The date of today, time defaults to midnight at the beginning of today.

tod
today 10:55

tomorrow

The date of tomorrow

tom 9:20

forever

The largest possible time value, effectively the end of time

forever

forev

n minutes

The number of minutes in the future.

1mi
3 minutes
5mins

n minutes ago

The number of minutes in the past.

2m ag
3 minutes ago
66mins ago

n hours

The number of hours in the future.

1h
3hours
5h

n hours ago

The number of hours in the past.

2hag
3 hours ago
6h ago

n days

The number of days in the future. “1 day” is the same as “tomorrow”

1d
3day
5d 12:00

n days ago

The number of days in the past. “1 day ago” is yesterday

2dag
3 day ago
6d ago

n weeks

The number of weeks in the future. If today is Wednesday, then “2 weeks” would be wednesday 2 weeks from today. “1 week” is the same as “7 days”

2 w
3 weeks 15:00

n weeks ago

The number of weeks in the past. “1 week ago” is the same as “7 days ago”

3wag
6week ago
3w ag 21:30

n months

This day of the month a number of months in the future.

2m
3month

n months ago

This day of the month a number of months in the past.

1mag
4 mon ago

n years

Todays date a number of years in the future. “1 year” is the same as “12 months”

1y
2 year

n years ago

Todays date a number of years in the past. “1 year ago” is the same as “12 months ago”

2yag
3 y ago

dd/mm/yyyy

(Only if your administrator has chosen your local date format as “dd/mm/yyyy”)

The exact date given.

12/5/99 13:00
1/1/00
5/9/2001 08:00
30/12/1999

mm/dd/yyyy

(Only if your administrator has chosen your local date format as “mm/dd/yyyy”)

The exact date given.

5/12/99 13:00
1/1/00
9/5/2001 08:00
12/30/1999

yyyymmdd

The exact date given.

20000101 12:00
20011225

4.4 Entering time intervals

Some data fields require an time interval to be entered to specify a period of time, as opposed to an exact date. time intervals can be intered in a variety of ways. Some examples are:

  • 10
  • 1h10m5s
  • 1:10:5
TABLE 2. Permitted time interval formats

Time interval format
(N is an integer)

Meaning

Examples

n

an exact number of seconds

10
12455

n s

Exact number of seconds

10s
12455s

n m

Exact number of minutes

5m
60m

n h

Exact number of hours

2h
155h

n h n m

Hours and minute

1h55m
10h5m

n m n s

Minutes and seconds

5m55s
1m5s

n : n

Minutes and seconds

5:55
1:5

n h n m n s

Hours minutes and seconds

1h55m10s
5h5m5s

n : n : n

Hours minutes and seconds

1:55:10
5:5:5

4.5 Using dates in searches

A number list pages allow you to search for items by date. You will see “date from” and “to” fields. For example, on the List Users page, you can search by the “Valid from” date. In these kind of date searches, you can limit the date range searched by entering a start date/time and/or an end date/time. If you enter neither the start nor the end date, then all the matching dates will be listed.

The dates and times you enter may be any of the supported date/time formats. See Entering dates and times.

TABLE 3. Example date ranges in searches

date from

to

Meaning

 

 

All dates

now

 

Any time from right now

 

now

Any time up until right now

 

1 week

Any time up until midnight at the beginning of the day 1 week from today

1 d ago

1d

Any time from midnight at the beginning of yesterday to midnight at the end of today

1/1/99

tod 12:00

Any time from midnight at the beginning of January 1 1999 to midday today

now

1y

Any time from right now to 1 year from now

tod 8:00

tod 10:55

Any time from 8 am today to 10:55 am today.

tod

tom

Any time today (i.e from midnight at the beginning of today to midnight at the end of today)

 

 

 

4.6 Using text in searches

When you enter some text into a “text like” field on a list page. RAdmin will search for all items that contain that text. So if you entered “fred” it would match not only “fred” but also “frederick”, “Alfred” and “myfreddy”. Text searching is case sensitive, so “fred” would not match “Fred” or “AlfredD”.

RAdmin also supports wildcards when searching for text. The following wildcards are supported:

  • % means any number of characters
  • _ (underscore) means any single character.
  • TABLE 4. Example text searches

    text like

    example matches

    fred

    fred Alfred frederick

    al%ce

    alice alce alsacelorraine balances

    al%

    alice alce alsacelorraine

    fr_d

    fred frod frud fr3d fridge

    j__

    jim jay jabberwocky major

     

    anything at all

     

     

4.7 Using numbers in searches

Some pages allow you to search certain fields by a numeric value. You will see “number from” and “to” fields. For example, on the List Users page, you can search by the “Login time left” field. In these kinds of searches, you can specify the lower and/or upper limit of the range you wish to match. If you enter neither the lower nor the upper limit, then all possible values will match.

TABLE 5. Example number searches

number from

to

Meaning

10

 

10 or more

 

100

100 or less

11

11

exactly 11

1

10

1 to 10 inclusive

 

 

anything at all

 

 

 

4.8 Resorting search results

After searching on a search page, you can re-search and sort by a different column by clicking on a column header.

4.9 Service Profiles and RADIUS Check and Reply items

RAdmin gives you detailed control over who can log in, under what circumstances, and to also control the characteristics of their session once they are connected.

Service Profiles allow you to group a number of users with similar login privileges together and to control their privileges easily. The RAdmin Administrator will usually set up a number of Service Profiles, one for each group of users. For example, you might set up a Service Profile for your normal subscribers, and a different Service Profile for your Operations Centre staff that has greater privileges, or can connect through a dedicated line.

When a user attempts to log in, Radiator/RAdmin will perform the following checks in this order:

  • Bad Logins count has not been exceeded
  • The Valid From and Valid To dates are OK.
  • The password is correct.
  • If the user has a Service Profile, that any RADIUS Check Items in that Service Profile match.
  • If there are any user-specific RADIUS Check Items for the user, that they match.

RAdmin allows you to easily set RADUS Check and Reply items for users and Service Profiles.

RADIUS Check Items are checked when a user attempts to log in. All the Check items must be correct, otherwise the user will not be permitted to log in. There is a wide range of RADIUS attributes that may be used as Check Items. You should consult your NAS vendor documentation for information about which ones are supported by your NAS, and how they are used.

RADIUS Reply items are used to configure a user’s session once they have successfully logged in. There is a wide range of RADIUS attributes that may be used as Reply Items. You should consult your NAS vendor documentation for information about which ones are supported by your NAS, and how they are used.

Hint: It is also possible to set Check and Reply items for all users in the Radiator configuration file.

5.0 Add a User, Edit a User

This page allows you to examine and change the details of a single user. You can set and change their password, and it will have immediate effect. New users can log in as soon as they are added. Users that are deleted will not be able to log in the future.

FIGURE 1. Edit a User page

5.1 Editable fields

5.1.1 User Name

This is the name that the user logs into your network with. Your user will normally have to configure the name into their authentication client software. To log in, they must enter the user name exactly as shown. It is not possible to change a users User Name with the Edit a User. To change a User Name, you would have to delete the old user and add a new one with the correct name.

Your RAdmin administrator may have configured a default value for this field to provide the normal realm for your organization.

5.1.2 Password

This is the password that the user must configure into their authentication client software. To log in successfully, they must enter the user name exactly as shown. Case is important. You can change their password and click Update , and their password will be changed immediately.

If you are adding a new user with Add a User, a new password will be automatically generated when the page appears. You can accept that password, or enter a new one if you like. We recommend that when you enter passwords, you adhere to your organization’s password policy (if any). Your RAdmin administrator can change the format for automatically generated passwords, or turn off automatic password generation.

5.1.3 Email address

This field can be optionally used to record the user’s email address(es). It has no effect on whether or how your user logs in. It is used to send email about subscription access changes if your RAdmin administrator has enabled Subscription Management in your RAdmin installation. Multiple email addresses can be separated by commas or spaces.

Your RAdmin administrator may have configured a default value for this field to provide the normal email domain for your organization.

5.1.4 Full Name

This optional field allows you to record the users full name. It has no effect on whether or how your user logs in.

5.1.5 Service Profile

This field allows you to choose a ‘Service Profile’ for this user. A Service Profile describes a common set of RADIUS attributes shared by all the users with that profile. Your RAdmin Administrator will generally set up a separate Service Profile for each category of users your organization supports. If you select a Service Profile for a user, then the attributes from the Service Profile will be used to check and configure this user when they log in. User-specific attributes entered into this Edit User page will override the attributes from the Service Profile. If you choose the blank Service Profile, then there will be no Service Profile for this user, and their login attributes will be controlled by this Edit User page.

5.1.6 Valid from

This field specifies the earliest date and time the user is permitted to log in to your network. See Entering dates and times. If you enter a date/time that is in the future, the user will not be able to log in until that time.

The standard default value for this field when adding a new user is “now” (i.e. access is possible immediately), although your RAdmin administrator may have configured it differently for your organization.

5.1.7 Valid to

This field specifies the latest date and time the user is permitted to log in to your network. See Entering dates and times. If you enter a date/time that is in the past, the user will not be able to log in. You can use something like ‘20y’ (i.e 20 years into the future) for users whose accounts are to be valid for a long time.

The standard default value for this field when adding a new user is “1 year” (i.e. it expires one year from today), although your RAdmin administrator may have configured it differently for your organization.

5.1.8 Static IP Address

This optional field allows you to specify a static IP address for that user. You should only enter something in here if you want that user to always get the same IP address when they log in. If you don’t enter anything in here (i.e. leave it blank) then the user will be allocated an IP address from the normal address pool. It will usually be different each time they log in. You can see which IP address a user gets by looking at their usage page.

Static IP Address must be entered as a dotted IP address like these examples:

  • 10.1.1.5
  • 203.63.154.1

5.1.9 Login time left

This optional field specifies the amount of online time (in seconds) the user has left. Each time the user logs out, the time they have used is subtracted from the time they have left. If they try to log in and there is no time left, they will not be permitted to log in at all. Each time they log in, their maximum session time will be set to the amount of time they have left, so they should not be able to overrun their time left. See Entering time intervals.

If you leave this field blank, there are no limits placed on their online time.

5.1.10 Bad login count

This field keeps count of how many consecutive bad logins this user has had. It is used to lock out accounts that are being attacked by password guessers. Each time they enter their password incorrectly, this number will be increased. If it get to the bad login limit (usually 5), they will not be able to log in at all until you reset their count to 0. Each time the user logs in correctly, the count will be reset to 0 automatically. This means that users will be locked out if they enter a bad password 5 times in a row.

If you leave this field blank, then no bad login limits will be applied to this user.

5.1.11 Max simultaneous logins

This field specifies the maximum number of sessions the user can be logged in at the same time. Defaults to 1, which means they can log in once at a time. If they try to log in a second time without logging out, they will be rejected.

If you leave this field blank, then no simultaneous-use limits will be applied. If you set it to 0, then they wont be able to log in at all.

5.1.12 Update

Clicking on this button will cause your edits to take effect. Any changes to the password will take effect immediately. After the user database has been updated, the Edit a User page will be redisplayed with the result of your edits. You will note that the Valid from and Valid to dates will be displayed as the full date and time.

5.1.13 Delete

Clicking on this button will cause this user to be permanently removed from the database. It does not remove any usage records for this user from the usage table. If the user is currently logged on it will not log them out, only prevent them from logging in again in the future. The User Name may be reused for another user after deleting.

This button will not appear when adding a new user.

5.1.14 Usage link

Clicking on this link will show the List Usage page showing usage for this user.

This link will not appear when adding a new user.

5.1.15 Edit RADIUS attributes link

This link takes you to the RADIUS attributes page where you can view and edit specific RADIUS attributes for this user. You can add and remove both check and reply items, which means that you can tailor the RADIUS attributes for this user.

This link will not appear when adding a new user.

5.2 Tasks using this page

The following common tasks relate to this page:

6.0 List Users

This page allows you to search for and list users in your user database. The list shows the main information about each user, and you can drill down to detailed information for each user.

FIGURE 2. List Users page

6.1 Search Criteria

The top part of this page lets you enter search criteria to find particular users or groups of users. The bottom part displays the list of users that satisfy your criteria. You can limit the list of users displayed in the lower section by entering one or more restrictions on the search and clicking Search. If you do not enter any search criteria (i.e. if you leave all the search criteria fields in the top part blank), all the users in your user database will be listed.

6.1.1 User Name

This section restricts which users will be listed in the bottom part by specifying the User Names to match. See Using text in searches.

6.1.2 Email Address

This section restricts which users will be listed in the bottom part by specifying the Email Address to match. See Using text in searches.

6.1.3 Valid from

This section restricts which users will be listed in the bottom part by specifying a range of “Valid from” dates. See Using dates in searches.

6.1.4 Valid to

This section restricts which users will be listed in the bottom part by specifying a range of “Valid from” dates. See Using dates in searches.

6.1.5 Login time left

This section restricts which users will be listed in the bottom part by specifying a matching range of “Login time left”. See Using numbers in searches.

6.1.6 Bad login count

This section restricts which users will be listed in the bottom part by specifying a matching range of “Bad login count”. See Using numbers in searches.

6.2 User List

This section presents a list of users that match the search criteria you entered in the top section. By clicking on a User Name you can drill down to that users details displayed in the “Edit a User” page. See Add a User, Edit a User. Any “Valid from” or “Valid to” dates that are in the future are shown with a yellow background. Dates in the past are shown with a normal white background.

6.3 Tasks using this page

The following common tasks relate to this page:

7.0 List Usage

This page shows summaries of past login sessions for one or more users. From the usage list, you can drill down to see user details, see all the details of a single session, or see other logins to the same NAS. The list shows both session start and session stop records that match the criteria.

FIGURE 3. List usage page

 

7.1 Search Criteria

The top part of this page lets you enter search criteria to find particular sessions The bottom part displays the list of sessions that satisfy your criteria. You can limit the list of sessions displayed in the lower section by entering one or more restrictions on the search and clicking Search. If you do not enter any search criteria (i.e. if you leave all the search criteria fields in the top part blank), all the sessions in your accounting database will be listed.

7.1.1 User Name

The restricts the sessions to those belonging to users who match this field. See Using text in searches.

7.1.2 Time stamp

This restricts the list to session that started or stopped during the date/time range given. See Using dates in searches.

7.1.3 SessionID

This restricts the list to sessions that match the Session ID. See Using text in searches.

7.1.4 Session Time

This restricts the list to sessions whose Session time (which is the time the session lasted in seconds) to the range given. Since only session Stop records have a Session Time, if you use this criteria, it will only list session Stops. See Using numbers in searches.

7.1.5 Framed IP Address

This restricts the list to sessions that match the specified Framed IP Address (which is the IP address the user had for the duration of their session). See Using text in searches.

7.1.6 NAS Identifier

This restricts the list to sessions that were authenticated by a certain NAS (i.e. Terminal Servers etc.). The NAS Identifier is an IP address like 203.63.154.1, not a DNS name. See Using text in searches.

7.1.7 NAS Port

This restricts the list to sessions that had the specified NAS-Port, which identifies which interface, modem or port the session was connected to. See Using numbers in searches.

7.1.8 Status

This restricts the list to sessions with the given Acct-Status-Type.

7.2 Usage List

This section presents a list of sessions that match the search criteria you entered in the top section. By default it shows both session Start and session Stop records. Session Start records can be identified by the fact that they do not have a Session Time.

The User Name column shows the exact user name they logged in with.

The Time stamp column shows the date and time that the session started or stopped (in your time zone’s local time).

The Session ID is an identifying number that the NAS uses to identify a session. It allocates a new Session ID each time a new session starts. The Session ID will be the same for the Start and Stop of the same session. Session IDs are only unique until the NAS reboots. When a NAS reboots, it starts reusing Session IDs

Session Time is the length of time the session lasted (in seconds). For session Start records, this will be blank.

Framed IP Address this is the IP address that the user was allocated for the duration of this session.

NAS Identifier is the IP address of the NAS the user was connecting to.

NAS Port is the number of the NAS's interface, modem or port that the user was connecting to.

You can click on the hotlinks in the following columns:

  • User Name. This will take you to the Edit a User page for that user. See Add a User, Edit a User.
  • Session ID. This will take you to another List Usage page, showing sessions with the same Session ID.
  • NAS Identifier. This will take you to another List Usage page, showing sessions with the same NAS Identifier. The NAS Identifier is the IP address of the NAS where the session was connected to.

7.3 Tasks using this page

The following common tasks relate to this page:

8.0 Usage Summary

This page shows a summary of network usage for some or all of your users. It shows the total login time (in seconds) and total number of bytes in and out for a each user in the interval covered by your accounting table.

FIGURE 4. Usage summary page

 

8.1 Search Criteria

The top part of this page lets you enter search criteria to limit the users whose summaries you wish to see The bottom part displays a summary for each user matched. You can limit the list of users displayed in the lower section by entering one or more restrictions on the search and clicking Search. If you do not enter any search criteria (i.e. if you leave all the search criteria fields in the top part blank), summaries for all the user in your database will be listed.

8.1.1 User Name

This section restricts which users will be listed in the bottom part by specifying the User Names to match. See Using text in searches.

8.2 Usage Summaries

This section presents usage summaries for all the user that matched the search criteria you entered in the top section. For each user it shows:

  • Total time in seconds that the user was logged in for.
  • The total number of bytes in (i.e. bytes transmitted from the user to your network).
  • The total number of bytes out (i.e. bytes transmitted from your network to the user).

8.3 Tasks using this page

The following common tasks relate to this page:

9.0 Log

This page allows you to see messages in the RAdmin/Radiator log. Each time Radiator detects a problem, it logs a message to the RAdmin log. This page allows you to look at some or all of those messages.

FIGURE 5. Log page

 

9.1 Search Criteria

The top part of this page lets you enter search criteria to find particular log messages The bottom part displays the list of messages that satisfy your criteria. You can limit the list of log messages displayed in the lower section by entering one or more restrictions on the search and clicking Search. If you do not enter any search criteria (i.e. if you leave all the search criteria fields in the top part blank), all the log messages in your accounting database will be listed.

9.1.1 Type

The section allows you to restrict what message types are listed. The message types for a message is one of the following numbers:

TABLE 6. Log Message types

Type

Description

0

ERR. Error conditions. Serious and unexpected failures

1

WARNING. Warning conditions. Unexpected failures

2

NOTICE. Normal but significant conditions.

3

INFO. Informational messages.

4

DEBUG. Debugging messages.

See Using numbers in searches.

9.1.2 Time stamp

The limits the range of date/times that are to be listed. For each message, the Time stamp is the local time that the message was logged. See Using dates in searches.

9.1.3 Message

This limits the text of the messages to be displayed. See Using text in searches.

9.2 The List

This section shows the messages that match the search criteria you entered in the top section.

Type is the message type number. See Log Message types.

Time stamp is the time the message was logged, in your time zone’s local time.

Message is the text of the log message. It describes the error or event that was logged.

9.3 Tasks using this page

The following common tasks relate to this page:

10.0 Current sessions

This page lists some or all of the sessions that are currently online (i.e. user sessions that have started, but not yet finished). You can drill down to see details of the user, or the history of sessions with the same NAS Identifier or the same Session ID.

FIGURE 6. Current sessions page

10.1 Search Criteria

The top part of this page lets you enter search criteria to find particular sessions or groups of sessions. The bottom part displays the list of current sessions that satisfy your criteria. You can limit the list of sessions displayed in the lower section by entering one or more restrictions on the search and clicking Search. If you do not enter any search criteria (i.e. if you leave all the search criteria fields in the top part blank), all the current sessions will be listed.

10.1.1 User Name

The restricts the sessions to those belonging to users who match this field. See Using text in searches.

10.1.2 NAS Identifier

This restricts the list to sessions that were connected to a certain NAS (i.e. Terminal Servers etc.). The NAS Identifier is an IP address like 203.63.154.1, not a DNS name. See Using text in searches.

10.1.3 NAS Port

This restricts the list to sessions that had the specified NAS-Port, which identifies which interface, modem or port the session was connected to. See Using numbers in searches.

10.1.4 Session ID

This restricts the list to sessions that match the Session ID. See Using text in searches.

10.1.5 Started

This restricts the list to sessions that started during the date/time range given. See Using dates in searches.

10.1.6 Framed IP Address

This restricts the list to sessions that match the specified Framed IP Address (which is the IP address the user had for the duration of their session). See Using text in searches.

10.1.7 Port type

This restricts the list to sessions with port types that match. The port type describes what type of connection this session is using. Usually one of:

  • Sync
  • Async
  • ISDN
  • Virtual

See Using text in searches.

10.1.8 Service type

This restricts the list to sessions with port types that match. The service type describes what type of session this is. Usually one of:

  • Login user
  • Framed user
  • Administrative-User (a router administrator telnetted into the router)

10.2 Session List

This section shows each current session that matches the search criteria you entered in the top section.

You can click on the hotlinks in the following columns:

  • User Name. This will take you to the Edit a User page for that user. See Add a User, Edit a User.
  • NAS Identifier. This will take you to another List Usage page, showing sessions with the same NAS Identifier. The NAS Identifier is the IP address of the NAS where the session was connected to.
  • Session ID. This will take you to another List Usage page, showing sessions with the same Session ID.

10.3 Tasks using this page

The following common tasks relate to this page:

11.0 Modem usage report

This page summarizes the usage of each modem or interface on your NASs, It is useful for finding dead or underutilized modems.

FIGURE 7. Modem usage report

11.1 Search Criteria

The top part of this page lets you enter search criteria to find particular modems or groups of modems. The bottom part displays the list of modems that satisfy your criteria. You can limit the list of modems displayed in the lower section by entering one or more restrictions on the search and clicking Search. If you do not enter any search criteria (i.e. if you leave all the search criteria fields in the top part blank), usage summaries for all your modems will be listed.

11.1.1 NAS Identifier

The section limits the usage summary to NASs that match this pattern. See Using text in searches.

11.1.2 NAS Port

This section limits the usage summary to modems that match the pattern. See Using text in searches.

11.2 Modem usage list

This section presents a usage summary for each NAS and Port selected by the search criteria you entered in the top section. It summarizes session Stops that are currently in your accounting database.

Sessions is the total number of sessions that have completed in the time interval covered by your accounting database.

You can click on the hotlinks in the following columns:

  • NAS Identifier. This takes you to the List Usage page showing sessions with the same NAS Identifier. See List Usage.

11.3 Tasks using this page

The following common tasks relate to this page:

12.0 Authentication Log

Your Radiator administrator may have configured Radiator to add entries to the Authentication Log when a user attempts to authenticate through Radiator. This means that whenever a user tries to log in, you can see whether they succeed or fail, and if they fail, why they failed.

The Authentication Log page can be very useful when trying to help people with login problems. If a customer reports that they cannot log in, search for all records with their user name for the last day, and you will see all the authentication attempts and the reasons for failures.

FIGURE 8. Authentication Log

12.1 Search Criteria

The top part of this page lets you enter search criteria to find particular Authentication Log records. The bottom part displays the list of records that satisfy your criteria. You can limit the list of records displayed in the lower section by entering one or more restrictions on the search and clicking Search. If you do not enter any search criteria (i.e. if you leave all the search criteria fields in the top part blank), all Authentication Log records will be listed.

12.1.1 Type

This section limits whether you want to see authentication successes, failures or both.

12.1.2 Time stamp

This section limits the range of times to display. The default is for the last day.

12.2 Authentication Log list

This section presents a list of all the Authentication Log records that match the search criteria you entered in the top section. Type indicate whether it was a successful login attempt or not. Time stamp indicates the date and time that the attempt occurred. User name is the login name that was used, and Fail reason is the reason the login was rejected if it was a Failure. Success records do not have a Reason.

12.3 Tasks using this page

The following common tasks relate to this page:

 

13.0 Add Service Profile, Edit Service Profile

This page allows you to add or change details of a Service Profile. A Service Profile is a group of users that all share the same RADIUS check and reply items. You can use Service Profiles to ensure all the users have the same authentication requirements, and you can easily configure or change a user’s authentication requirements by changing their Service Profile on the Edit User page.

It is common to set up a small number of Service Profiles, one for each major grouping of users, for example, one Service Profile for normal users, and one for NOC staff, where the NOC staff are required to login via a certain Called-Station-ID, and who get a special NAS filter.

The Edit Service Profile page allows you to edit the name and description of the profile. The RADIUS attributes for the profile are edited with the Edit RADIUS Attributes page. See Edit RADIUS Attributes.

FIGURE 9. Edit Service Profile Page

13.1 Editable Fields

13.1.1 Service Name

This is the short name of the Service Profile. It will be listed in the menu of Service Profiles you select in the Edit User page

13.1.2 Description

This is a brief description of the purpose of the Service Profile. It is for Radmin user information only and is not used anywhere else.

13.1.3 Edit RADIUS Attributes

This link takes you to the Edit RADIUS Attributes page for this Service Profile. It will allow you to add, change and remove RADIUS Check and Reply items for this Service Profile.

14.0 List Service Profiles

This page allows you to search for and list the Service Profiles in your user database. The list shows the main information about each Service Profile, and you can drill down to detailed information about each Service Profile.

FIGURE 10. List Service Profiles

15.0 Edit RADIUS Attributes

This page allows you to add, change or delete RADUS attributes for a User or Service Profile. See Service Profiles and RADIUS Check and Reply items. for more information about RADIUS attributes. You can reach this page by clicking on the Edit RADIUS Attributes link on an Edit User page, or the Edit RADIUS Attributes link on an Edit Service Profile page. The page will display the current RADIUS attributes for that user or Service Profile.

You can change the value of a RADIUS attribute by altering the field in the ‘Value’ column and then pressing the Update button.

You can add a new Check Item by selection the type of attribute required for the new Check Item, then pressing the Add New Check Item button. The Edit RADIUS Attributes page will appear with the new Check item added to the end of the list. You can then set the Value of the new attribute and press Update .

You can add a new Reply Item by selection the type of attribute required for the new Reply Item, then pressing the Add New Reply Item button. The Edit RADIUS Attributes page will appear with the new Reply item added to the end of the list. You can then set the Value of the new attribute and press Update .

The example page below shows the RADIUS attributes for a Service Profile. There is one Check Item, requiring that the Called-Station-Id for all logins must be 98767676. Users that log in successfully will have their Filter-Id set to ‘ standard ’. See your NAS vendor for details about what RADIUS attributes are available for your NAS and how they can be used.

FIGURE 11. Edit RADIUS Attributes

16.0 Add Radius Client, Edit Radius Client

This page allows you to Add, Change and Delete Radius clients from your database. A Radius client specifies details about a NAS that your Radiator Radius Server will listen to and honor requests.

Most of the editable fields on this page are required for advanced use only. You will probably only need to set the name/address and the Shared secret.

Hint : Radiator only takes notice of the Radius clients configured into this page if the <ClientListSQL> clause is present in your Radiator configuration. See the Radiator reference manual for more details.

Hint : After adding or changing Radius client details with this page, you will need to restart or signal your Radiator before it will use the new details.

FIGURE 12. Edit RADIUS Client page

16.1 Editable Fields

16.1.1 Name or Address

This is the IP address or DNS name of the NAS that will be sending requests to your Radiator. It is required.

16.1.2 Shared Secret

This is the shared secret that will be used to encrypt passwords sent by the NAS. The shared secret is a secret word or sentence that is used to protect all information passed between the NAS and Radiator. It must be configured here and also configured into the NAS. It must be configured exactly the same the NAS. It is case-sensitive. We recommend that you use a shared secret containing mixed case letters and number of about 16 characters.

16.1.3 Default Realm

For advanced operations only.

This optional field specifies a Realm that will be added automatically to the user name of login requests from this NAS if the user name does not already contain a Realm. See the Radiator reference manual for more details.

For example, if you enter open.com.au as the Default Realm, and a user attempts to log in to the NAS as mikem , then the user name will be automatically converted to mikem@open.com.au before being authenticated.

16.1.4 NAS Type

For advanced operations only.

This optional field specifies the manufacturer and type of this NAS. It is only required for strong multiple-login prevention. See the Radiator reference manual for more details.

16.1.5 SNMP Community

For advanced operations only.

This optional field specifies SNMP community for SNMP access to this NAS. It is only required for strong multiple-login prevention. See the Radiator reference manual for more details.

16.1.6 Framed Group Base Address

For advanced operations only.

This optional field specifies the base IP address for automatically setting IP addresses for logins from this NAS. See the Radiator reference manual for more details.

16.1.7 Rewrite Username rule

For advanced operations only.

This optional field allows you to automatically rewrite user names before authentication. See the Radiator reference manual for more details.

16.1.8 Pre-Handler hook perl code

For advanced operations only.

This optional field allows you to enter a Perl code hook that will be invoked before authentication or accounting request from this NAS are handled. See the Radiator reference manual for more details.

16.1.9 Ignore accounting signature

For advanced operations only.

This optional field allows you to work around certain NASs with broken software, where the signature in accounting requests is set incorrectly. See the Radiator reference manual for more details.

16.1.10 Duplicate detection interval

For advanced operations only.

This optional field allows you to change the time period that Radiator uses to detect duplication of Radius request packets. See the Radiator reference manual for more details.

16.1.11 Livingston port offset

For advanced operations only.

This optional field allows you to tailor information about ports on Livingston NASs. It is not required and is ignored for most types of NAS. See the Radiator reference manual for more details.

16.1.12 Livingston port hole size

For advanced operations only.

This optional field allows you to tailor information about ports on Livingston NASs. It is not required and is ignored for most types of NAS. See the Radiator reference manual for more details.

16.1.13 No of ports for address allocation

For advanced operations only.

This optional field specifies how many ports can be allocated an IP address in a class C block. It is only required if Framed Group Base Address is used to compute IP address automatically for this NAS. See the Radiator reference manual for more details.

17.0 List Radius Clients

This page allows you to search for and list Radius Clients that meet certain criteria.

FIGURE 13. List Radius Clients page

18.0 Subscription Management

If your RAdmin system administrator has enabled Subscription Management in your RAdmin system, you will (depending on specific permissions) have access to a number of Subscription Management pages.

RAdmin Subscription Management automatically adds and removes users from password files in the same format that Apache and other applications require. This means that you can use RAdmin to administer access to various parts of a web site (for example), according to what product(s) your customer has bought. This is in addition to the normal user access management that RAdmin always performs.

The Subscription Management pages allow you to define subscription type products, to subscribe users to each product for varying periods of time, and to search for and list subscriptions. At the end of a users subscription period, their access to the product can be automatically disabled by the expire program, which your RAdmin administrator may also have set up.

18.1 Email to users

If a user has one or more email addresses, RAdmin Subscription Management will automatically send email to those addresses at various times:

  • When a product State is changed to Trial or Approved from any other State. No mail is sent when changing from Trial to Approved or vice versa. Mail will contain the product’s ‘Message for new subs’ text if defined on the Edit Product page. The text of the email will be something like this:
    Many part of the email text are configurable by the RAdmin administrator, so the exact content may be different in your installation.
  • When a product State is changed from Trial or Approved from any other State. Mail will contain the product’s ‘Message for stopped subs’ text if defined on the Edit Product page
  • When a product in Trial or Approved State has its Valid To date extended prior to the expiry date. Mail will contain the product’s ‘Message for extended subs’ text if defined on the Edit Product page.
  • When a product in Trial or Approved State is automatically expired by the expire program.

If multiple products are enabled or disabled at the same time, only a one email will be sent to the user containing details of each product enabled or disabled.

The following sections describe the Subscription Management pages.

19.0 User subscriptions

If your RAdmin administrator has enable Subscription Management, the Add and Edit User pages will look slightly different than described in Section 5.0. IN addition, you will see a list of available products (defined with the ‘Add a Subscription Product’ page), and details of the user’s subscription for each product.

FIGURE 14. Edit User with Subscription Management

19.1 Editable fields

19.1.1 State

This field describes the current subscription state for this product. In the standard Radmin system, the available states are:

  • -blank-
    User has no subscription and has never expressed an interest in it.
  • Enquiry
    User has made some enquiries about the product.
  • Wait for approval
    User has ordered but not paid for the product. Record the order details in the Notes
  • Trial
    Temporary and short-term access to the product has been granted. Will be automatically Expired at the end of the Valid To period.
  • Approved
    Access to the product has been granted. Will be automatically Expired at the end of the Valid To period.
  • Expired
    The Valid To date has passed, and the product has been automatically expired
  • Disabled
    Access has been temporarily disabled. Record the reason why in the Notes.
  • Transferred
    The access privileges have been transferred to another user. Record the user in the Notes
  • Closed
    Access has been permanently closed. Record the reason why in the Notes.

When you add enable a subscription (i.e. in Trial or Approved states), the user will be able to access the protected web pages between the ‘Valid From’ and ‘Valid To’ dates. At the end of their subscription period the expire program will change their State to Expired, automatically remove them from the access password file, and they wont be able to access the protected web pages any more.

The other states (Enquiry, Wait for approval etc.) are place-holders that allow you to record where you are in the sales cycle for this product to this customer. Access to the protected area is only possible in Trial and Approved states.

Hint: if multiple subscription products are configured with the same non-empty Product Group name, then only one of those products can be enabled at any time. If you attempt to enable more than one such product, you will receive an error message and the user will not be updated.

19.1.2 Valid From

This is the first date which access will be granted. Any of the date formats described in Section 4.3 are permitted. The default value is set by the ‘Default valid from time’ field in the ‘Edit Product’ page.

19.1.3 Valid To

This is the last which access will be granted. Any of the date formats described in Section 4.3 on page 4 are permitted. The default value is set by the ‘Default valid to time’ field in the ‘Edit Product’ page.

19.1.4 Notes

This section contains notes about the users subscription to this product.

20.0 Add a Product, Edit a Product

This page allows you to define and alter subscription products. For each product, you can define the location of the access password file, the default values for the from and to dates, and optional messages to be sent by email to a user when their access to the product changes.

FIGURE 15. Edit a Product

20.1 Editable fields

20.1.1 Product Name

This is a short product name. It will appear on the Edit User page, and also in emails sent to the user.

20.1.2 Description

This is a brief description of the product for reference only. It is not displayed anywhere but here.

20.1.3 htpasswd files

This is a list of password files that will be automatically managed when users are subscribed or unsubscribed to this product. The file is in htpasswd format as required by Apache and other systems, one line per valid user. Multiple file names can be specified separated by colons. If multiple file names are specified, subscribed users will be added to all the files named

20.1.4 Default valid from time

This is the default Valid From for new subscriptions. Any text is permitted, but a relative date in one of the date formats described in Section 4.3 are recommended, such as ‘now’, ‘tomorrow’, ‘1 year’ etc. The date will appear on the Edit User page, but can be changed to another value there.

20.1.5 Default valid to time

This is the default Valid To for new subscriptions. Any text is permitted, but a relative date in one of the date formats described in Section 4.3 are recommended, such as ‘now’, ‘tomorrow’, ‘1 year’ etc. The date will appear on the Edit User page, but can be changed to another value there.

20.1.6 Message for new subs

This message will be added to the email sent when a user is subscribed to a product (i.e is changed to Trial or Approved State). You might use it to describe how to access the product.

20.1.7 Message for extended subs

This message will be added to the email sent when a user’s existing subscription is extended before it expires. You might use it to thank them or provide information about product changes.

20.1.8 Message for stopped subs

This message will be added to the email sent when a user is unsubscribed from a product (i.e is changed from Trial or Approved State to any other State). You might use it to describe how to resubscribe the product.

20.1.9 Message for expired subs

This message will be added to the email sent when a user is automatically expired from a product (i.e is changed from Trial or Approved State to Expired State by the expire program). You might use it to describe how to resubscribe the product.

20.1.10 Product Group

This optional field allows you to group subscription products so that at most one of the group can be enabled at a time. If multiple products exists with the same non-empty Product Group anme, then only at most on such product can be enabled on the Edit User page.

21.0 List Products

This page allows you to search for and list the currently defined subscription products.

FIGURE 16. List Products

22.0 Vasco Digipass support

RAdmin can optionally support Vasco Digipass tokens (http://www.vasco.com). Digipass tokens are small handheld devices that generate one-time-passwords that change every minute. They can be purchased from Vasco and issued to your users. Such tokens provide much higher levels of security than static passwords. Additionally, with some types of token, users can set up individual PINs, which provides even higher levels of security with two-factor authentication. Some types of Digipass token can operate in a Challenge-Response mode. Vasco Digipass is supported by RAdmin on Solaris, Linux and Windows. Your organization may require the issue of Vasco Digipass tokens to some or all users. If so, you should follow these instructions for administering Digipass tokens, and for assigning tokens to RAdmin users.

When you purchase a Digipass token or tokens from Vasco, you will also be supplied with a DPX file that contains important data about the token(s). This DPX file must be imported into the AuthBy DIGIPASS database before the tokens can be assigned to a user and authenticated by Radiator. A DPX file may contain data for one or more tokens, and for one or more applications . A Digipass application is a particular method of using a token. Your tokens will usually only be configured for one application.

22.1 Import Digipass Tokens

Before you can administer a token or assign it to a user, you must import the token data into the RAdmin database. This page allows you to import data for one or more tokens from a token DPX file.

FIGURE 17. Import Digipass Tokens

22.1.1 Import DPX File

Enter the name of the DPX file to import. This must exist on the machine where your browser is running. Most browsers provide a browse button to the right of this field allowing you to select the DPX file from a file dialog.

22.1.2 Overwrite existing tokens with same serial

If this option is set, then the import will overwrite and erase any previously imported data for the same tokens as included in the DPX file. If you receive the error message ‘failed: Duplicate entry’ or similar, it means that token has already been imported, and you may need to set the ‘Overwrite existing tokens with same serial’ in order to import it.

22.1.3 Auto create users and allocate tokens

If this option is set, for each token imported, a matching user is automatically created and allocated to the token. The name of the user is derived from the token serial number: leading zeroes are stripped and any trailing spaces and alpha characters (such as APPL1) are removed. The new user will be created with validity dates from the current time to the same date and time next year.

22.1.4 Master import key

This specifies the key that has been used to encrypt the DPX file. Defaults to ‘11111111111111111111111111111111’, but some organizations may use a different import key. Consult your system administrator is you get the error message ‘Master Key content is incorrect’.

22.1.5 Application name

This specifies the name of the Digipass application data to import from the DPX file. If there is only one application. Defaults to ‘APPL1’, which is a common Digipass application name. If the application data is not present in the DPX file when you import it, you will see an error message and a list of the application names available in that file. If there are several applications present in your import file and you don’t know which one to choose, consult your system administrator.

22.1.6 Import

When you click on Import, the DPX file you selected will be transmitted to the RAdmin web server, where the DPX data will be imported into the RAdmin database. If this is successful, the ‘Import Digipass Tokens’ page will be displayed again with one or more messages in green saying something like ‘imported token 0097123456APPL 1’ where 0097123456APPL 1 is the token’s serial and application name it imported.

22.2 List Digipass Tokens

This page allows you to see which Digipass tokens have been imported into RAdmin, and which ones are available for allocation to a user. A user can’t use their token for authentication until it has been allocated to them in RAdmin.

FIGURE 18. List Digipass Tokens

22.2.1 Token Serial number

This specifies the unique token number for a token. The token number includes the application name: the application name is part of the complete serial number.

22.2.2 Allocated to User Name

This indicates whether the token has been allocated to a given user.

22.2.3 Token type

This indicates the type of Digipass token. Possibilities are: AKII, AUTCD, DP100, DP300, DP500, DP600, DP700 etc.

 

22.3 Show Digipass Tokens details

This page shows important details about a single Digipass token. These details are encoded in the RAdmin database for each token. Importing a token with the ‘Overwrite existing tokens with same serial’ option set will reset all these details.

FIGURE 19. Show Digipass Tokens details

22.3.1 Token Serial

The unique serial number for this token. It includes the application name. There can be multiple tokens with the same digits and different applications

22.3.2 Allocated to User Name

If this token has been allocated to a user, the user name will appear here. A user cannot user their token to authenticate unless it has been allocated to them.

22.3.3 Algorithm

This identifies what sort of mode the Digipass token operates in. Possibilities are:

  • RO: Response Only. The token generates a response each time it is activated. This Response is used as the password for the user to log in.
  • CR: Challenge/Response. For each authentication, Radiator sends a challenge to the user. The user enters the challenge into the token using its keypad, and the token generates a matching Response, which is used as the password for the user to log in.
  • SG: Signature. The token can be used to generate a digital signature, and is usually not used for logging in via Radiator.

Radiator supports authentication by both RO and CR tokens.

22.3.4 Token Model

Indicate what type of Digipass token this is. Possibilities are: AKII, AUTCD, DP100, DP300, DP500, DP600, DP700 etc.

22.3.5 Use Count

Indicates how many times this token has been authenticated since being imported.

22.3.6 Last Time Used

Indicates the last time this token was used. If the token has never been used, it will show ‘Thu Jan 1 00:00:00 1970’.

22.3.7 Last Time Shift

Indicates the time shift in seconds the last time the token was used.

22.3.8 Error Count

Indicates how many consecutive authentication errors have been detected. If this exceeds a certain threshold (check with your Radiator administrator) this user will not be able to authenticate.

22.3.9 Codeword

Describes the crypto algorithm used by this token.

22.3.10 Triple DES

Indicates if this token uses triple-DES. YES or NO.

22.3.11 Max Input Fields

If this token can be used for signatures, indicates the maximum number of fields that can be signed.

22.3.12 Response Length

Indicates how many characters in the tokens response.

22.3.13 Response Type

Indicates whether the tokens response is hexadecimal or decimal. HEX or DEC.

22.3.14 Response Checksum

Indicates whether the response has a checksum digit.

22.3.15 Time Step Used

Indicates the size of the timestep this token uses.

22.3.16 Reset this token

This link resets a number of Digipass counters, including Last Time Used, Last Time Shift and Error Count. Digipass provides automatic clock synchronization between Radiator and the Digipass token, but if a token has not been used for a long time, its clock may be out of synchronization. Resetting the token will allow new clock synchronization at the next authentication. Also if authentication has been locked because of too many incorrect authentications, Resetting will clear the error count.

22.3.17 Reset static password for this token

This can be used with a Digipass that has a static password (e.g Digipass GO 1). After clicking on ‘Reset static password for this token’, the user will have to define a new static password at their next authentication.

22.3.18 Unlock this token

Some types of Digipass require the user to enter a PIN into the Digipass before it can be used to generate a response. If the wrong PIN is entered into the Digipass too many times, it will be come locked, and you will have to use this function to unlock the token. When the token becomes locked, it will display a random number, which you must enter into the unlock token field. When you click on the /Unlock this token’ link, a new page will appear with a field where you enter the number displayed by the token, and click ‘Unlock’. The resulting Unlock Code must be entered by the user into their Digipass in order to unlock it.

22.3.19 Deallocate user from this token

This link deallocates the currently allocated user from this token, allowing it to be allocated to another user. After Deallocating a user, they will not be able to authenticate with that Digipass token.

22.3.20 Delete this token

This link deletes the Digipass token from the Radmin database.

22.3.21 Allocate this token to user xxxxx

This link will only appear during the process of allocating a token to a user. In order to allocate a token to a user, you must first go to the ‘Edit User’ page, click on the ‘Allocate a Digipass token to xxxx’, then search for and select a token and then click on the ‘Allocate this token to user xxxxx’ link.

23.0 Yubikey support

RAdmin can optionally support Yubikey tokens from Yubico (http://www.yubico.com). Yubico tokens are small USB devices that act like a keyboard and which type in a one-time-password when the button is pressed. They can be purchased from Yubico and issued to your users. Such tokens provide much higher levels of security than static passwords. Yubikey is supported on all RAdmin platforms. Support for Vasco Digipass requires the installation.

Each Yubikey token has a unique Token ID (also called the public identity in Yubico documentation), and a secret AES cryptographic key. In order to authenticate a Yubikey token, the RAdmin database must contain a Yubikey record containing both the Token ID and the AES secret for that key. You can add new tokens into the RAdmin database with the RAdmin ‘Import Yubikey Tokens’ page. After a token is imported, it must be allocated to a user before that user can use the token to authenticate.

23.1 Import Yubikey Tokens

Before you can administer a token or assign it to a user, you must import the token data into the RAdmin database. This page allows you to import data for one or more tokens. The procedure for doing this depends on whether the Yubico Windows COM/ActiveX Personalization Library is installed on the browser host. The Yubico Windows COM/ActiveX Personalization Library from Yubico (http://www.yubico.com/developers/personalization/ is an ActiveX tool that works with Windows Internet Explorer and allows Yubikeys to be automatically initialised from the RAdmin ‘Import Yubikey Tokens’ page. If it is installed on the browser host, the user will be able automatically initialise tokens by just plugging them in to a USB port on the browser host. A new random Token ID and AES Secret will be inserted into the Yubikey, and the import page will be automatically seeded with the new Token ID and AES Secret, ready for importing into RAdmin. This is the easiest way to import Yubikey tokens into RAdmin.

If the Yubico Windows COM/ActiveX Personalization Library is not installed on the browser host, it is necessary to use the Yubico Personalization Tool (http://www.yubico.com/developers/personalization/) to manually intialise each Yubikey with a new Token ID and AES Secret, and then cut-and-paste them into the RAdmin ‘Import Yubikey Tokens’ page.

The following fields are available on the Import Yubikey Tokens page:

23.1.1 Token ID

Enter the unique Token ID (also called the public identity in Yubico documentation). This is a 12 characterr Hex string, with optional spaces.

23.1.2 Token AES Secret

Enter the token AES secret. This is a 32 characterr Hex string, with optional spaces.

23.1.3 Overwrite existing tokens with the same Token ID

If there is already a Yubikey token with this Token ID is already in the RAdmin database, this flag will cause it key to be overwritten. If this flag is not set, the import operation will fail.

23.1.4 Auto create user and allocate token

If this option is set, the Import will both add the token to the RAdmin database and also create a new user whose user name is the same as the Token ID, and will allocate the token to that user. The new user will be created with validity dates from the current time to the same date and time next year.

23.2 Importing with Yubico Windows COM/ActiveX Personalization Library installed

 

FIGURE 20. Before a Yubikey is inserted.

After inserting a Yubikey into a USB port on the browser host, the token will be automatically initialised with a new Token ID and AES Secret, and the new Token ID and AES Secret will be seeded into the Import form ready to import the token data into the RAdmin database.

FIGURE 21. After a Yubikey is inserted

23.3 Importing with Yubico Windows COM/ActiveX Personalization Library NOT installed

If the Yubico Windows COM/ActiveX Personalization Library is not installed on the browser host, you must use the Yubico Personalization Tool to manually initialise the Yubikey, and then cut-and-paste the new token details into the Import form. The Yubico Personalization Tool can be downloaded from http://www.yubico.com/developers/personalization/.

FIGURE 22. Initialising and Importing Yubikey token using Yubico Personalization Tool

23.4 List Yubikey Tokens

This page allows you to see which Yubikey tokens have been imported into RAdmin, and which ones are available for allocation to a user. A user can’t use their token for authentication until it has been allocated to them in RAdmin.

FIGURE 23. List Yubikey Tokens

23.4.1 Token ID

This specifies the unique Token ID number for a token.

23.4.2 Allocated to User Name

This indicates whether the token has been allocated to a given user.

23.5 Show Yubikey Token details

This page shows important details about a single Yubikey token. These details are encoded in the RAdmin database for each token. Importing a token with the ‘Overwrite existing tokens with same Token ID’ option set will reset all these details.

FIGURE 24. Show Yubikey Token details

23.5.1 Token ID

The tokens unique Token ID

23.5.2 Allocated To User Name

The user this token is allocated to (if any)

23.5.3 Counter

If the token has been authenticated by Radiator at least once, this field will contain the Yubikey session counter of the last authentication.

23.5.4 Low

If the token has been authenticated by Radiator at least once, this field will contain the Yubikey timestamp low word of the last authentication.

23.5.5 High

If the token has been authenticated by Radiator at least once, this field will contain the Yubikey timestamp high word of the last authentication.

24.0 Some common tasks

24.1 Adding a new user

  1. Click on [Add a User] in the toolbar. You will get the Add a User page. See Add a User, Edit a User.
  2. Enter a user name. This will be the name the user must use to log in with.
  3. Make sure the automatically generated password is suitable.
  4. Choose a suitable Service Profile from the set of Service Profiles configured into your RAdmin system.
  5. Enter a suitable Valid to date. This will be the last date/time the user will be allowed to log in. Don’t forget that the default time is midnight at the beginning of that day.
  6. If the user needs a static IP address, enter it as an IP address, in the format 203.63.154.1
  7. If the user is to be limited to a maximum amount of usage, enter the number of seconds in Login time left field. If there is no limit, leave it blank.
  8. Click on the Add button.
  9. The user should now be able to log in, using the user name and password you entered.

24.2 Changing a password

  1. Find the user you are interested in, perhaps by using the List Users page. See Finding a User. See List Users.
  2. Click on the user name to get the Edit a User page. See Add a User, Edit a User.
  3. Delete the old password and enter a new one.
  4. Click on the Update button.
  5. The new password is now in effect. The user will have to use the new password next time they log in. Any current sessions are unaffected.

24.3 Finding a User

  1. Click on [List Users] in the toolbar. You will get the List Users page, including a list of all your current users. See List Users.
  2. Enter your search criteria in the top section.
  3. Click on the Search button.
  4. When the page reappears, look in list in the bottom section for the user you are interested in. If you still cant see them, change your search criteria and press the Search button again.
  5. When you find the user you are interested in, click on the User Name, this will take you to the Edit a User page for that user. See Add a User, Edit a User.

24.4 Deleting a user

  1. Find the user you are interested in, perhaps by using the List Users page. See Finding a User. See List Users.
  2. Click on the user name to get the Edit a User page. See Add a User, Edit a User.
  3. Click on the Delete button.
  4. The user has now been removed from the database and they will not be able to login in again. Note that this has no effect on any current sessions they may have: if they are already logged in, this will not force them to disconnect.

24.5 Checking who is currently on-line

  1. Click on [Current sessions] in the toolbar. You will get the Current sessions page. See Current sessions.
  2. At the bottom of the page is a list of all the current sessions.
  3. If you have lots of sessions and can’t find the one you are interested in, enter some search criteria in the top section and click on the Search button.

24.6 Checking a user’s session history

  1. Find the user you are interested in, perhaps by using the List Users page. See Finding a User. See List Users.
  2. Click on the user name to get the Edit a User page. See Add a User, Edit a User.
  3. Click on the “Usage for ...” hotlink at the bottom right. You will get a List Usage page showing all sessions for that user in the database. See List Usage.

24.7 Checking usage summaries

  1. Click on [Usage summary] in the toolbar. You will get the Usage summary page. See Usage Summary.
  2. At the bottom of the page is a list of all users that have sessions in your accounting table. For each table you will se the total time online (in seconds), plus the total bytes transferred in and out (in means into your network, out means out to the user).
  3. If you have lots of users and can’t find the one you are interested in, enter some search criteria in the top section and click on the Search button.

24.8 Checking the message log

  1. Click on [Log] in the toolbar. You will get the Log page. See Log.
  2. Log messages will be shown in the bottom part of the page. The most recent messages will be shown near the top of that section.
  3. If you cant find the message(s) you are interested in, you can limit the search be entering search criteria in the top part of the page and pressing the Search button.

24.9 Checking modem usage

  1. Click on [Modem usage report] in the toolbar. You will get the “Modem usage report” page. See Modem usage report.
  2. Usage summaries by NAS and Port will be shown in the bottom part of the page. If you see any ports with an unusually low “Session” count, it may be because the associated modem is dead.

24.10 Help a user with login problems

  1. Click on [Authentication Log] in the toolbar. You will get the “Authentication Log” page. See Authentication Log.
  2. Enter the user name into the User name field.
  3. Click on the Search button. You will see a list of recent authentication successes and failures. The Failure messages will have a Failure reason that will help identify the user’s problem.

24.11 Import Digipass tokens from a DPX file

  1. Ensure the DPX file is on your workstation: the computer where your web browser is running.
  2. Click on [Import Digipass tokens] in the toolbar. You will get the “Import Digipass Tokens” page. See Import Digipass Tokens.
  3. Enter the name of the DPX file into ‘Import DPX File: field or clicking on the file browser button.
  4. Click on the button.

24.12 Allocating a Digipass token to a user

  1. Ensure the tokens data has been imported. See Import Digipass tokens from a DPX file.
  2. Ensure the user has been created. See Adding a new user.
  3. Using the List Users page, find the user you wish to allocate a token to. Click on the User Name. You will get the “Edit User” page. See Add a User, Edit a User.
  4. Click on the ‘Allocate a Digipass token to xxxx’ link near the bottom of the Edit User page. You will get the ‘List Digipass Tokens’ page. See List Digipass Tokens.
  5. Click on the button. The “List Digipass Tokens” page will appear again, showing the tokens that matched your search criteria. You will be able to see which tokens do not have a user allocated to them.
  6. Select the token you wish to allocate to the user by clicking on the token serial number. You will get the “Show Digipass Token Details” page. See Show Digipass Tokens details.
  7. Click on the “Allocate this token to user xxxx” link near the bottom of the page. You will get the “Show Digipass Token Details” page again showing the user’s name in the “Allocated to User Name” field.
  8. Ensure the user is given the physical token matching the one you allocated.

24.13 Import a Yubikey token

  1. Ensure the Yubico Windows COM/ActiveX Personalization Library is installed on your browser host.
  2. Open the Import Yubikey Token page.
  3. Insert a Yubikey token into a USB port on your browser host. The token will be initialised and new TokenID and AES Secret wil be seeded into the Import form.
  4. Click on Import. This will add the token details to the RAdmin database.

24.14 Allocating a Yubikey token to a user

  1. Ensure the token data has been imported. See Import a Yubikey token.
  2. Ensure the user has been created. See Adding a new user.
  3. Using the List Users page, find the user you wish to allocate a token to. Click on the User Name. You will get the “Edit User” page. See Add a User, Edit a User.
  4. Click on the ‘Allocate a Yubikey token to xxxx’ link near the bottom of the Edit User page. You will get the ‘List Yubikey Tokens’ page. See List Yubikey Tokens.
  5. Click on the button. The “List Yubikey Tokens” page will appear again, showing the tokens that matched your search criteria. You will be able to see which tokens do not have a user allocated to them.
  6. Select the token you wish to allocate to the user by clicking on the token serial number. You will get the “Show Yubikey Token Details” page. See Show Yubikey Token details.
  7. Click on the “Allocate this token to user xxxx” link near the bottom of the page. You will get the “Show Yubikey Token Details” page again showing the user’s name in the “Allocated to User Name” field.
  8. Ensure the user is given the physical token matching the one you allocated.