How Does RADIUS Accounting for Single-Sign-On Work?

RADIUS Accounting is specified by RFC 2866 as a mechanism for a network access server (NAS) to send user login session accounting messages to an accounting server. These messages are sent at user login and logoff. Optionally, they can also be sent periodically during the user’s session.

When a customer uses a third-party network access appliance to perform user authentication (typically for remote or wireless access) and the appliance supports RADIUS accounting, a SonicWall appliance can act as the RADIUS Accounting Server, and can use the RADIUS Accounting messages sent from the customer's network access server for single sign-on (SSO) in the network.

When a remote user connects through a third-party appliance, the third-party appliance sends an accounting message to the SonicWall appliance (configured as a RADIUS accounting server). The SonicWall appliance adds the user to its internal database of logged in users based on the information in the accounting message.

When the user logs out, the third-party appliance sends another accounting message to the SonicWall appliance. The SonicWall appliance then logs the user out.

RADIUS accounting messages are not encrypted, so attributes such as User-Name and the user's IP address travel in cleartext. They are, however, protected against spoofing: each Accounting-Request carries a Request Authenticator, an MD5 hash computed over the packet and the shared secret (RFC 2866), so the appliance can reject messages from a sender that does not know the secret. That protection is only as strong as the secret itself, so use a long, random shared secret for each NAS. RADIUS accounting requires that a list of the network access servers (NASs) that can send RADIUS Accounting messages be configured on the appliance. This configuration supplies the IP address and shared secret for each NAS.

RADIUS Accounting Messages

RADIUS accounting uses two types of accounting messages: Accounting-Request, sent by the NAS to the accounting server, and Accounting-Response, returned by the accounting server to acknowledge receipt of an Accounting-Request.

An Accounting-Request carries one of three request types relevant to SSO, specified by the Status-Type attribute (Acct-Status-Type in RFC 2866):

Start—sent when a user logs in.
Stop—sent when a user logs out.
Interim-Update—sent periodically during a user login session.

Accounting messages follow the RADIUS standard specified by RFC 2866. Each message contains a list of attributes and an authenticator that is validated by a shared secret.

The following attributes relevant to SSO are sent in Accounting-Requests:

Status-Type—The type of accounting request (Start, Stop, or Interim-Update).
User-Name—The user’s login name. The format is not specified by the RFC and can be a simple login name or a string with various values such as login name, domain, or distinguished name (DN).
Framed-IP-Address—The user's IP address. If NAT is used, this must be the user’s internal IP address.
Calling-Station-Id—A string representation of the user's IP address, used by some appliances such as the SMA 1000 Series.
Proxy-State—A pass-through state used for forwarding requests to another RADIUS accounting server.

SonicWall Compatibility with Third Party Network Appliances

For SonicWall appliances to be compatible with third party network appliances for SSO via RADIUS Accounting, the third party appliance must be able to do the following:

Send both Start and Stop messages. Sending Interim-Update messages is not required.
Send the user’s IP address in either the Framed-IP-Address or Calling-Station-Id attribute in both Start and Stop messages.

The user’s login name should be sent in the User-Name attribute of Start messages and Interim-Update messages. The user’s login name can also be sent in the User-Name attribute of Stop messages, but is not required. The User-Name attribute must contain the user’s account name and may include the domain also, or it must contain the user’s distinguished name (DN).

Proxy Forwarding

A SonicWall appliance acting as a RADIUS accounting server can proxy-forward requests to up to four other RADIUS accounting servers for each network access server (NAS). Each RADIUS accounting server is separately configurable for each NAS.

To avoid the need to re-enter the configuration details for each NAS, the UI on the SonicWall appliance allows you to select the forwarding for each NAS from a list of configured servers.

The proxy forwarding configuration for each NAS client includes time outs and retries. How to forward requests to two or more servers can be configured by selecting the following options:

Non-Domain Users

Users reported to a RADIUS accounting server are determined to be local (non-domain) users in the following cases:

A non-domain user authenticated by RADIUS accounting is subject to the same constraints as one authenticated by the other SSO mechanisms, and the following restrictions apply:

The user is logged in only if Allow limited access for non-domain users is set.

IPv6 Considerations

In RADIUS accounting, these attributes are used to contain the user's IPv6 address:

Currently, all these IPv6 attributes are ignored.

Some devices pass the IPv6 address as text in the Calling-Station-ID attribute.

The Calling-Station-ID is also ignored if it does not contain a valid IPv4 address.

RADIUS accounting messages that contain an IPv6 address attribute and no IPv4 address attribute are forwarded to the proxy server. If no proxy server is configured, these messages are discarded, since their IPv6 attributes are ignored and they carry no usable address.
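The IPv6 rules from this section and the per-NAS proxy forwarding from the Proxy Forwarding section, as an added example that is not SonicWall's code: given the already-parsed attributes of an Accounting-Request and the proxy servers configured for the sending NAS, it reports which IPv4 address (if any) to record in the SSO table, whether the message is IPv6-only, where to forward it, and whether it must be discarded. Assumptions beyond the page: IPv6 attribute numbers are those from RFC 3162, RFC 4818 and RFC 6911; an IPv6 literal in Calling-Station-Id is treated as an IPv6 indication; and forwarding applies to every message from a NAS that has proxies configured, not only to IPv6-only ones. Proxy addresses are constructed sample values.

```python
import ipaddress

# Attribute types: RFC 2865 (8, 31), RFC 3162 (96, 97), RFC 4818 (123), RFC 6911 (168)
FRAMED_IP_ADDRESS, CALLING_STATION_ID = 8, 31
FRAMED_INTERFACE_ID, FRAMED_IPV6_PREFIX = 96, 97
DELEGATED_IPV6_PREFIX, FRAMED_IPV6_ADDRESS = 123, 168
IPV6_ATTRS = {FRAMED_INTERFACE_ID, FRAMED_IPV6_PREFIX, DELEGATED_IPV6_PREFIX, FRAMED_IPV6_ADDRESS}
MAX_PROXIES_PER_NAS = 4  # limit stated on the page


def proxies_ok(proxies):
    """A NAS may forward to at most four other accounting servers."""
    return len(proxies) <= MAX_PROXIES_PER_NAS


def addresses(attrs):
    """Return (ipv4_text_or_None, saw_ipv6). IPv4 comes from Framed-IP-Address first,
    else from a Calling-Station-Id holding an IPv4 literal. An IPv6 literal in
    Calling-Station-Id is ignored as an address but (assumption) counted as IPv6."""
    ipv4 = None
    saw_ipv6 = any(t in IPV6_ATTRS for t, _ in attrs)  # binary IPv6 attrs are ignored
    for t, v in attrs:
        if t == FRAMED_IP_ADDRESS and len(v) == 4:
            ipv4 = str(ipaddress.IPv4Address(v))
            break
    if ipv4 is None:
        for t, v in attrs:
            if t != CALLING_STATION_ID:
                continue
            try:
                addr = ipaddress.ip_address(v.decode("ascii", "replace").strip())
            except ValueError:
                continue  # not an address at all: ignored
            if addr.version == 4:
                ipv4 = str(addr)
                break
            saw_ipv6 = True
    return ipv4, saw_ipv6


def dispose(attrs, proxies):
    """Decide what the SSO accounting server does with one parsed Accounting-Request."""
    if not proxies_ok(proxies):
        raise ValueError("at most %d proxy servers per NAS" % MAX_PROXIES_PER_NAS)
    ipv4, saw_ipv6 = addresses(attrs)
    forward = list(proxies)  # assumption: forwarded whenever the NAS has proxies configured
    return {
        "record": ipv4,                          # IPv4 to add/remove in the SSO table, or None
        "ipv6_only": ipv4 is None and saw_ipv6,  # only an IPv6 address was supplied
        "forward": forward,                      # proxy servers that receive a copy
        "discard": ipv4 is None and not forward, # nothing usable and nowhere to send it
    }
```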

RADIUS Accounting Server

RADIUS accounting normally uses UDP port 1646 or 1813. UDP port 1813 is the IANA-specified port. UDP port 1646 is an older unofficial standard port (UDP 1812 is the RADIUS authentication port, not an accounting port). The SonicWall appliance listens on port 1813 by default. Other port numbers can be configured for the RADIUS accounting port, but the appliance can listen on only one port. So, if you are using multiple network access servers (NASs), they must all be configured to communicate on the same port number.