
Using RADIUS authentication, Elektron can forward user authentication requests to another RADIUS server. This is useful if you would like to add Wi-Fi authentication protocols like PEAP and TTLS to a legacy RADIUS server that only supports basic RADIUS authentication types like PAP.

RADIUS servers do not push account group membership to RADIUS clients, so with RADIUS authentication enabled, Elektron will not be able to apply account group membership to authorization policies, as it will not know to which groups a user belongs. This can be worked around by applying account group-based policies on the remote RADIUS server rather than on the local Elektron server.

Elektron allows you to configure two RADIUS servers to be used for remote authentication. Configuration of the primary server is required. When authenticating users, Elektron will first try to contact the primary server. If the primary server does not respond in a timely manner, the secondary server will be contacted.

RADIUS Configuration

The following configuration options are available:

Server Address

Enter the IP address or hostname of the remote RADIUS server.

Server Port

Enter the UDP port for the remote RADIUS server. This is usually 1812, but may be 1645 on older RADIUS servers.

Shared Secret

This is the password or passphrase that Elektron will use to secure communications with the remote RADIUS server. This must match the shared secret configured on the remote RADIUS server. The shared secret is case-sensitive.

Upstream Attributes

Use this list to select which RADIUS attributes from the request made to Elektron will be passed on to the remote server. Some RADIUS attributes are present by default, regardless of the settings in the Upstream Attributes dialog. For instance, the User-Password attribute will always be sent when a user attempts to log in using PAP.
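The Shared Secret setting and the PAP User-Password attribute described above interact as follows. This is an added example based on the standard RADIUS encoding in RFC 2865 section 5.2, not code from Elektron; the secrets, password and Request Authenticator are constructed sample values.

```python
# Added example: RFC 2865 section 5.2 User-Password hiding, standard library only.
import hashlib


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Encode a PAP password as the value of a User-Password attribute."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    # Pad with NULs to a multiple of 16 bytes.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        # mask_i = MD5(secret + previous ciphertext block); c_i = p_i XOR mask_i
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Recover the password as the receiving server would, using its own secret."""
    if len(hidden) == 0 or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("value must be 16..128 bytes and a multiple of 16")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def demo() -> dict:
    # Constructed sample values, not taken from any real deployment.
    request_auth = bytes(range(16))
    password = b"correct horse battery"  # 21 bytes, so it spans two blocks
    hidden = hide_password(password, b"Elektron-Secret", request_auth)
    return {
        "match": unhide_password(hidden, b"Elektron-Secret", request_auth),
        "wrong_case": unhide_password(hidden, b"elektron-secret", request_auth),
        "hidden_len": len(hidden),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With a secret that differs only in letter case, the receiving side recovers different bytes rather than raising an error, so a mismatch shows up as failed logins instead of an obvious configuration fault.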

Downstream Attributes

Use this list to select which RADIUS attributes from the remote RADIUS server will be passed along from Elektron to the RADIUS client. If authorization policies are defined on the remote RADIUS server, make sure that the necessary RADIUS attributes are being passed along. For instance, if the remote RADIUS server is setting the Session-Timeout attribute to limit the length of time a user may remain logged in, be sure to enable this attribute in the Downstream Attributes list.