4.5. Configuring the RADIUS access to the LinOTP appliance¶
A RADIUS client is a computer that talks to the LinOTP server for authentication using the RADIUS protocol. This can be a SSL VPN, a firewall or the LSE RadiusGINA or Credential Provider.
You need to configure which RADIUS clients are allowed to contact the LinOTP Server via the RADIUS protocol. This can be done on the tab RADIUS → Clients. The client definition can contain a complete subnet. E.g. you can configure that the whole subnet 192.168.0.0/24 may access the LinOTP RADIUS server using a common secret. You can define many different RADIUS client definitions. Each should have a unique identifying name.
E.g if you want to have only one client access the LinOTP RADIUS server, you could specify 192.168.0.1/32, so that only the host 192.168.0.1 may access the RADIUS server.
Each RADIUS client definition may be given an optional shortname. This is an identifier you can use to refer to in the detailed RADIUS definitions.
4.5.1. Detailed settings¶
Detailed RADIUS settings can be defined on the tab RADIUS → Settings.
4.5.1.1. Realm mapping¶
Using the Realm mapping you can map a realm to RADIUS clients, i.e. you can define, that only a specified realm should be allowed to login to certain RADIUS clients.
This is a two-step process.
- You need to map a realm to a RADIUS LinOTP instance. This will define a RADIUS internal instance, that can be used for further RADIUS policies.
- In the second step you need to map the RADIUS client as defined by the shortname to this internal RADIUS instance.
4.5.1.2. Windows domain stripping¶
Some RADIUS clients will send the Windows domain with the RADIUS username. LinOTP usually only handles the username without FQDN. Some RADIUS clients may send
- username@windows-domain
- NT-DOMAINusername
- NT-DOMAIN/username
Note
LinOTP interprets the @-sign as a delimiter between username and LinOTP realmname. So if your Windows domain matches your LinOTP realm names, this can be an intended behavior.