RADIUS Overview - Metasys - LIT-12011279 - General System Information - Metasys System - 10.1

Network and IT Guidance Technical Bulletin

Product name: Metasys System
Document type: Technical Bulletin
Document number: LIT-12011279
Version: 10.1
Revision date: 2019-12-20

You can optionally configure the secured server and network engines to authenticate non-local user access through a Remote Authentication Dial-In User Service (RADIUS) server. RADIUS is used by the server and network engines to authenticate the identity of authorized non-local users of the system.

All RADIUS users must have a Metasys system user defined, for which Metasys authorization is created and maintained. The RADIUS implementation in the server and network engines adheres to the following Internet RFC documents:

  • RFC 2865 - Remote Authentication Dial In User Service
  • RFC 2548 - Microsoft Vendor-specific RADIUS Attributes
  • RFC 2759 - Microsoft Point-to-Point Protocol (PPP) Challenge Handshake Authentication Protocol (CHAP) Extensions, Version 2
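The bulletin cites RFC 2865 without showing what an Access-Request looks like on the wire. The following is an added example, written for this page and not taken from the bulletin or the Metasys product code: it builds an RFC 2865 Access-Request with User-Name and User-Password attributes, hides the password with the MD5/XOR scheme of RFC 2865 section 5.2, and checks the Response Authenticator of the server's reply. The shared secret, the NAS-Identifier value and the sample credentials are constructed. It is the shared secret alone that protects the hidden password and authenticates replies, which is why the secret's strength and the link to the RADIUS server matter from a defender's point of view.

```python
import hashlib
import hmac
import os
import struct

# Code and attribute numbers from RFC 2865.
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IDENTIFIER = 32


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 octets, then XOR each
    16-octet block with MD5(secret + previous block); for the first block the
    'previous block' is the 16-octet Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return hidden


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it.
    Padding NULs are stripped, so a password ending in NUL is not representable."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return plain.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the attributes after the 20-octet header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def access_request(identifier: int, username: bytes, password: bytes,
                   secret: bytes, authenticator: bytes = b"") -> bytes:
    """Build an Access-Request as the client (here, an engine) would send it."""
    if not authenticator:
        authenticator = os.urandom(16)  # must be unpredictable and unique per request
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(ATTR_NAS_IDENTIFIER, b"metasys-engine-01"))  # constructed value
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def access_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def response_is_authentic(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator before trusting Accept/Reject."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

Because the Response Authenticator is a plain MD5 over the shared secret, a reply from anyone who does not hold the secret fails `response_is_authentic`; the check is what stops a forged Access-Accept from being taken at face value.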

The Metasys system implementation of RADIUS is as follows:

  • The Metasys system does not import authorization; all Metasys system users, both local (Metasys) and non-local (RADIUS), are authorized through user configuration done online in the SMP, then stored in the Metasys Security Database.
  • The user ID must match what is expected to be authenticated by the RADIUS server, with or without the @domain as defined by the local RADIUS implementation.
  • Since the Metasys system performs no local authentication of non-local users, all password functions are unavailable or ignored when creating and maintaining non-local Metasys user accounts. RADIUS passwords are never stored in the Metasys Security Database.
  • Authorization for a RADIUS user may be configured as Administrator, User, Operator, Maintenance, or any custom roles created in the Metasys system.
  • When a non-local user fails RADIUS authentication a number of consecutive times and the account is configured to lock after that many failed login attempts, the Metasys system authorization locks, prohibiting the user from accessing the Metasys system device until a Metasys system administrator unlocks the account.
  • When a non-local user is authenticated by RADIUS but the Metasys system schedule prohibits access at the login time, the user's login attempt fails.

When a user provides a non-local username to the Metasys system for login, the controller first confirms that the supplied password conforms to Metasys complexity rules and then passes the username and password to the configured RADIUS server for authentication. After the RADIUS server confirms the user's identity, authorization is granted as specified in the Metasys Security Database.

Messages reporting errors in RADIUS authentication are intentionally obscure to hinder possible intrusion from unauthorized users. See RADIUS errors for some situations that may result in error messages. Descriptive Metasys system login failure messages are presented to the user only when RADIUS is disabled. When RADIUS is enabled, local and non-local authentication failure messages are identical and obfuscated.
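The login flow described above (local authorization only, no stored RADIUS passwords, complexity check before the RADIUS round trip, lockout after consecutive failures, schedule enforcement after a successful RADIUS reply) and the obfuscated failure messages of this section can be modelled in a few dozen lines. The following is an added example for this page, not the bulletin's or the Metasys product's own code. Everything specific in it is an assumption: the lockout threshold of three, the stand-in complexity rule, the wording of both the descriptive and the generic message, the `radius_auth` callback standing in for the RADIUS exchange, and the schedule expressed as an allowed hour window.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

GENERIC_FAILURE = "Login failed."  # constructed wording for the obfuscated message

# Constructed wording; shown only when RADIUS is disabled.
DESCRIPTIVE = {
    "unknown_user": "User ID not found.",
    "locked": "Account is locked; contact an administrator.",
    "complexity": "Password does not meet complexity rules.",
    "bad_credentials": "Incorrect password.",
    "schedule": "Login not permitted at this time.",
    "non_local_requires_radius": "Non-local user: RADIUS is disabled.",
}


@dataclass
class UserRecord:
    """One entry of the modelled Security Database: authorization lives here for
    every user; a password hash is held only for local users."""
    user_id: str
    role: str                                # Administrator, User, Operator, Maintenance or custom
    non_local: bool = False                  # True for a RADIUS user; password never stored
    pwd_hash: Optional[bytes] = None
    salt: bytes = b""
    lock_after: Optional[int] = 3            # consecutive failures before lockout (assumed); None = never
    failures: int = 0
    locked: bool = False
    allowed_hours: Tuple[int, int] = (0, 24)  # schedule window [start, end) in hours (assumed form)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def local_user(user_id: str, role: str, password: str) -> UserRecord:
    salt = os.urandom(16)
    return UserRecord(user_id, role, False, hash_password(password, salt), salt)


def meets_complexity(password: str) -> bool:
    """Constructed stand-in for the Metasys complexity rules, which this page does not list."""
    return (len(password) >= 8 and any(c.isupper() for c in password)
            and any(c.islower() for c in password) and any(c.isdigit() for c in password))


def login(db: Dict[str, UserRecord], user_id: str, password: str, hour: int,
          radius_enabled: bool, radius_auth: Callable[[str, str], bool]
          ) -> Tuple[bool, Optional[str], str]:
    """Return (success, role, message). With RADIUS enabled every failure reason
    collapses to GENERIC_FAILURE; descriptive reasons appear only when it is disabled."""
    def fail(reason: str):
        return False, None, GENERIC_FAILURE if radius_enabled else DESCRIPTIVE[reason]

    user = db.get(user_id)
    if user is None:
        return fail("unknown_user")
    if user.locked:
        return fail("locked")
    if not meets_complexity(password):            # checked before RADIUS is contacted
        return fail("complexity")
    if user.non_local:
        if not radius_enabled:
            return fail("non_local_requires_radius")
        authenticated = radius_auth(user_id, password)   # identity check delegated to RADIUS
    else:
        authenticated = hmac.compare_digest(hash_password(password, user.salt), user.pwd_hash)
    if not authenticated:
        user.failures += 1
        if user.lock_after is not None and user.failures >= user.lock_after:
            user.locked = True                    # stays locked until an administrator unlocks
        return fail("bad_credentials")
    start, end = user.allowed_hours
    if not start <= hour < end:                   # schedule applies even after RADIUS accepts
        return fail("schedule")
    user.failures = 0
    return True, user.role, "OK"                  # authorization comes from the local record


def unlock(user: UserRecord) -> None:
    """Administrator action: clear the lock and the failure counter."""
    user.locked = False
    user.failures = 0
```

Note that the lockout counter and the schedule are evaluated by the Metasys side regardless of what the RADIUS server answers, and that with `radius_enabled=True` an unknown user, a wrong password and a locked account all produce the same message, which is the behaviour this section describes.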