2.10.5. RADIUS Authentication

This authentication method is a preferred solution for small and medium network environments. Users will have to authenticate when accessing web sites. The credentials are verified against an external RADIUS server.

RADIUS Authentication

In addition to authentication you can define positive (whitelist) or negative (blacklist) user based access control lists.

2.10.5.1. Global authentication settings

Global authentication settings section

Number of authentication processes The number of background processes listening for requests. The default value is 5 and should be increased if authentication takes too long or Windows integrated authentication falls back to explicit authentication.

Authentication cache TTL Duration in minutes for which credentials will be cached for each single session. When this time expires, the user has to re-enter the credentials for that session. The default is 60 minutes; the minimum is 1 minute. The TTL is reset each time the user sends a new request to the Proxy Server within the session.

Note

If the user opens a new session, the credentials must always be entered, even if the TTL has not expired for another session.

Limit of IP addresses per user (optional). The number of source IP addresses from which a user can be logged in at one time. An IP address is released after the time defined at User/IP cache TTL.

Note

This has no effect when running Local authentication and the user is a member of the “Extended” group.

User/IP cache TTL Duration in minutes for which the relation between each user name and the IP address it was used from will be cached. The default value is 0 (disabled).

A value greater than 0 is only reasonable while using a limit for concurrent IP addresses per user.

Require authentication for unrestricted source addresses By default, authentication is required even for unrestricted IP addresses. Untick this box if you do not want to require authentication for those addresses.

Authentication realm prompt This text will be shown in the authentication dialog. The default is “IPCop Advanced Proxy Server”.

Destinations without authentication This allows you to define a list of destinations that can be accessed without authentication.

Note

Any domains listed here are destination DNS domains and not source Windows NT domains.

Examples:

Entire domains and subdomains

*.example.net
*.google.com

Single hosts

www.example.net
www.google.com

IP addresses

81.169.145.75
74.125.39.103

URLs

www.example.net/download
www.google.com/images

Note

You can enter all of these destination types in any order.

Example for Windows Update.

To allow access to Windows Update without authentication add these destinations to the list:

*.download.microsoft.com
*.windowsupdate.com
windowsupdate.microsoft.com

2.10.5.2. Common RADIUS settings

Common RADIUS settings section

RADIUS Server Enter the IP address of the RADIUS Server you want to use for authentication.

Port Enter the port that will be used to communicate with the RADIUS Server. The default is port 1812; some RADIUS servers may use the deprecated port 1645 instead.

Identifier (optional). This optional field can be used to identify your IPCop to the RADIUS Server. If it is left empty, the IP address of your IPCop will be used for identification.

Shared secret This is the shared secret for the authentication of your IPCop against the RADIUS Server. This must be the same password that you have entered on your RADIUS Server.

2.10.5.3. User based access restrictions

User based access restrictions section

Enabled Enables access control lists for authorized or unauthorized users.

Use positive access control / Authorized users The users listed here will be allowed web access. For all other users, access will be denied.

Use negative access control / Unauthorized users The listed users will be blocked from web access. For all other users, access will be allowed.
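The access decision these settings describe, as an added example (not IPCop's own code): it parses a constructed "Destinations without authentication" list in the four forms shown above, then applies the user based access control list. The matching semantics are assumptions, not taken from the IPCop implementation: a `*.` entry covers the domain itself and all subdomains, and a URL entry covers the given path on that host and everything below it.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample entries in the four forms the page lists (not a real site's list).
NO_AUTH_DESTINATIONS = """
*.example.net
*.windowsupdate.com
www.google.com
81.169.145.75
www.example.org/download
"""

def parse_destinations(text):
    """Turn the free-form list into (kind, host, path_prefix) rules."""
    rules = []
    for line in text.splitlines():
        entry = line.strip().lower()
        if not entry:
            continue
        if "/" in entry:                        # URL: host plus a path prefix
            host, _, path = entry.partition("/")
            rules.append(("url", host, "/" + path.rstrip("/")))
        elif entry.startswith("*."):            # entire domain and its subdomains
            rules.append(("domain", entry[2:], None))
        else:
            try:                                # bare IP address ...
                ipaddress.ip_address(entry)
                rules.append(("ip", entry, None))
            except ValueError:                  # ... or a single host name
                rules.append(("host", entry, None))
    return rules

def destination_exempt(url, rules):
    """True if the request URL may be fetched without authentication."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    for kind, target, prefix in rules:
        if kind == "domain" and (host == target or host.endswith("." + target)):
            return True
        if kind in ("host", "ip") and host == target:
            return True
        # Assumption: a URL entry covers the given path and everything below it.
        if kind == "url" and host == target and (path == prefix or path.startswith(prefix + "/")):
            return True
    return False

def user_allowed(user, mode, listed_users):
    """User based ACL: 'positive' = whitelist, 'negative' = blacklist, None = disabled."""
    if mode == "positive":
        return user in listed_users
    if mode == "negative":
        return user not in listed_users
    return True

def decide(url, user, mode, listed_users, rules):
    """Return 'allow', 'deny' or 'auth-required'; user is None before authentication."""
    if destination_exempt(url, rules):
        return "allow"
    if user is None:
        return "auth-required"
    return "allow" if user_allowed(user, mode, listed_users) else "deny"
```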