IBM Support

RADIUS on the IBM iSeries

Troubleshooting


Problem

This document provides some general information regarding the RADIUS implementation on the IBM iSeries.

Resolving The Problem

Remote Authentication Dial In User Service (RADIUS) is an Internet standard protocol that provides
centralized authentication, accounting, and IP management services for remote access users in a
distributed dial-up network.

The RADIUS client-server model has a Network Access Server (NAS) operating as a client to a RADIUS
server. The iSeries Server, acting as the NAS, sends user and connection information to a
designated RADIUS server using the RADIUS standard protocol defined in RFC 2865.

A RADIUS server acts on a received user connection request by authenticating the user and returning
all configuration information the NAS (the iSeries server) needs to deliver authorized services to
the authenticated dial-in user.

RADIUS accounting requests are handled in a similar manner. Account information for remote users
can be sent to a designated RADIUS accounting server. The RADIUS Accounting standard protocol is
defined in RFC 2866.

The RADIUS accounting server acts on received accounting requests by logging the information from
the RADIUS accounting request.

RADIUS is an open and easily integrated authentication protocol. Remote user authentication
requests that an iSeries server sends to a centralized RADIUS server are accepted or rejected.
All security information pertaining to the authenticated user can be located in a single, central
database, rather than scattered around the network in several different devices.

The RADIUS server sends back to the iSeries server any services the authenticated user is
authorized to use, such as an IP address.

If a RADIUS server cannot be reached, the iSeries server can route authentication requests to an
alternate server.  This enables global enterprises to offer users a dial-in service with a unique
login user ID for corporate-wide access, no matter what access point is being used.

When an authentication request is received by the RADIUS server, the request is validated.  Then,
the RADIUS server decrypts the data packet to access the user name and password information. The
information is passed on to the appropriate security system being supported. This could be
iSeries password files, Kerberos, a commercially available security system, or even a
custom-developed security system.
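
The following Python example is added here for illustration and is not IBM code or part of the original document. It builds an RFC 2865 Access-Request as a NAS would, then validates the packet framing and recovers the user name and password as a RADIUS server would; in RFC 2865 only the User-Password attribute is hidden, using MD5 over the shared secret and the Request Authenticator. The function names, shared secret and sample values are constructed for the example.

```python
import hashlib, os, struct

ACCESS_REQUEST = 1               # RFC 2865 packet code
USER_NAME, USER_PASSWORD = 1, 2  # RFC 2865 attribute types

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, authenticator):
    """NAS side: c(i) = p(i) XOR MD5(secret + c(i-1)), with c(0) = authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    """Server side: reverse the chain; a wrong shared secret yields garbage."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("missing or malformed User-Password attribute")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strip the NUL padding

def build_access_request(ident, user, password, secret, authenticator=None):
    authenticator = authenticator or os.urandom(16)  # Request Authenticator
    pairs = ((USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, authenticator)))
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in pairs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_access_request(packet, secret):
    """Validate framing, then return (user name, clear-text password)."""
    length = int.from_bytes(packet[2:4], "big")
    if packet[:1] != bytes([ACCESS_REQUEST]) or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator, pos, attrs = packet[4:20], 20, {}
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs.get(USER_NAME), unhide_password(attrs.get(USER_PASSWORD, b""), secret, authenticator)
```

Because the hiding depends only on the shared secret and MD5, the secret configured on the NAS and the RADIUS server should be long and random, and the RADIUS traffic should stay on a trusted network path.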

More thorough documentation is in the IBM Redbooks iSeries IP Networks: Dynamic, Chapter 9.  This
publication can be found online at the following Web site:

http://www.redbooks.ibm.com/redbooks/SG246718.html

The important thing to remember about the implementation of RADIUS on the iSeries is that the
iSeries can act only as the RADIUS client, not as a RADIUS server. Below is a screen shot of the
configuration of RADIUS in a PPP environment. This is the only screen where a particular PPP/L2TP
connection is configured to use RADIUS. Within a PPP or L2TP profile, click "Authenticate remotely
using a RADIUS server". Notice that nowhere here do you specify which user IDs are allowed in.
This is all determined by the RADIUS server rather than by the iSeries (the RADIUS client).

To get to this screen, use Operations (iSeries) Navigator and follow this path:

System->Network->Remote Access Services->Receiver Connection Profiles

This is the Authentication Tab.

Historical Number

324336469

Document Information

Modified date:
18 December 2019

UID

nas8N1016300