Click ADVANCED > AUTHENTICATION to display the screen as shown next.
Figure 17 ADVANCED > AUTHENTICATIONThe following table describes the labels in this screen.
Click ADVANCED > AUTHENTICATION > Code to display the HTML source code of a
default sample page (shown next). The user agreement page must include the HTML source
code in the default sample page in order for the user agreement page to send the subscribers’
agreement or disagreement to the ZyXEL Device.
Table 8 ADVANCED > AUTHENTICATION
LABEL DESCRIPTION No
Authentication Select this option to disable subscriber authentication. Subscribers can access the Internet without entering user names and passwords. This is the default setting. Built-in
Authentication Select this option to authenticate the subscribers using the local subscriber database.
Note: When you select this option, you must also configure the
Accounting screen.
Current User Information Backup
The system provides automatic backup of account information and status. Use this field to set the number of minutes between backups. The default value is 1 minute. The valid range is 1 to 1440.
If you create a subscriber account and the ZyXEL Device restarts before backing up the account information, the subscriber account will not be saved. You will need to create a new account for the subscriber.
User Agreement Select User Agreement to redirect a subscriber to an Internet service usage agreement page before accessing the Internet.
Redirect Login
Page URL Specify the URL of the user agreement page in the field provided. Click Code to display the HTML source code of a default sample page. The user agreement page must include the HTML source code in the default sample page in order for the user agreement page to send the subscribers’ agreement or disagreement to the ZyXEL Device. Use up to 350 ASCII characters.
SSL Login Page Select Enable to activate SSL security upon accessing the subscriber login screen so that the subscribers’ user names and passwords are encrypted before being transmitted to the ZyXEL Device. This applies when you select Built-in Authentication or User Agreement.
Select Disable to de-activate SSL security for the subscriber login screen. Refer to the SSL (Secure Socket Layer) Security chapter for more information. Apply Click Apply to save the changes.
C
H A P T E R
6
RADIUS
This chapter shows you how to configure the ZyXEL Device to use an external RADIUS
server.
6.1 About RADIUS
You can use an external RADIUS (Remote Authentication Dial-In User Service) server to
authenticate the subscriber connections and keep track of accounting information.
RADIUS is based on a client-sever model that supports authentication, authorization and
accounting. This system is the client and the server is the external RADIUS server.
RADIUS is a simple package exchange in which the ZyXEL Device acts as a message relay
between the subscribers and the RADIUS server to establish a connection. When you enable
RADIUS authentication, the ZyXEL Device uses RADIUS protocol (RFC 2865, 2866) to send
subscriber authentication information to the external RADIUS server.
When you use an external RADIUS server for accounting, you can use either accumulation or
time to finish accounting. See Chapter 7 on page 75 for information on accumulation and time
to finish accounting.
6.2 RADIUS Settings
The following table describes the labels in this screen.
Table 9 ADVANCED > RADIUSLABEL DESCRIPTION
RADIUS Setup Select Disable if you will not use an external RADIUS server to authenticate subscribers.
Select Enable to use an external RADIUS server to authenticate subscribers. You may also use an external RADIUS server to perform accounting for the subscriber accounts.
Note: Disabling authentication in the AUTHENTICATION
screen also disables authentication via an external
RADIUS server, regardless of what you set here.
Accumulation Select this option to allow each subscriber multiple re-login until the timeallocated is used up.
This applies to subscribers that are authenticated by the RADIUS server; the setting in the BILLING screen applies to subscribers that are authenticated by the built-in authentication. You must also enable the accounting service below. Idle Time Out The ZyXEL Device automatically disconnects a computer from the network
after a period of inactivity. The subscriber may need to enter the username and password again before access to the network is allowed.
Specify the idle timeout between 1 and 1440 minutes. The default is 5 minutes.
Time to Finish Select this option to allow each subscriber a one-time login. Once the subscriber logs in, the system starts counting down the pre-defined usage even if the subscriber stops the Internet access before the time period is finished.
If a subscriber disconnects and reconnects before the allocated time expires, the subscriber does not have to enter the user name and password to access the Internet again.
This applies to subscribers that are authenticated by the RADIUS server; the setting in the BILLING screen applies to subscribers that are authenticated by the built-in authentication. You must also enable the accounting service below. Primary RADIUS
Server
Server IP address Enter the IP address of the RADIUS server in dotted decimal notation. Authentication Port Enter the port number that the RADIUS server uses for authentication. You
only need to change this value from the default if your network administrator gave you a specific port number to use. The allowed numbers are from 0 to 65535.
Accounting Port Enter the port number that the RADIUS server uses for accounting. You only need to change this value from the default if your network administrator gave you a specific port number to use. The allowed numbers are from 0 to 65535. Shared Secret Key Enter a password (up to 64 characters) as the key to be shared between the RADIUS server and the ZyXEL Device. The key is not sent over the network. This key must be the same on the RADIUS server and the ZyXEL Device. Secondary RADIUS
Server
Authentication Port Enter the port number that the RADIUS server uses for authentication. You only need to change this value from the default if your network administrator gave you a specific port number to use. The allowed numbers are from 0 to 65535.
Accounting Port Enter the port number that the RADIUS server uses for accounting. You only need to change this value from the default if your network administrator gave you a specific port number to use. The allowed numbers are from 0 to 65535. Shared Secret Key Enter a password (up to 64 characters) as the key to be shared between the RADIUS server and the ZyXEL Device. The key is not sent over the network. This key must be the same on the RADIUS server and the ZyXEL Device. Retry times when
Primary fail At times the ZyXEL Device may not be able to use the primary RADIUS server. Select the number of times the ZyXEL Device should reattempt to use the primary RADIUS server before attempting to use the secondary RADIUS server. This also sets how many times the ZyXEL Device will attempt to use the secondary RADIUS server.
For example, you set this field to 3. If the ZyXEL Device does not get a response from the primary RADIUS server, it tries again up to three times. If there is no response, the ZyXEL Device tries the secondary RADIUS server up to three times.
If there is also no response from the secondary RADIUS server, the ZyXEL Device stops attempting to authenticate the subscriber. The subscriber will see a message that says the RADIUS server was not found.
Accounting Service Select Disable if you will not use an external RADIUS server to perform accounting for the wireless client accounts.
Select Enable to use an external RADIUS server to perform accounting for the wireless client accounts.
Interim Update Time Specify the time interval for how often the ZyXEL Device is to send a subscriber status update to the RADIUS server.
Authentication Method Enter the authentication protocol that the RADIUS server uses.
PAP (Password Authentication Protocol) requires users to enter a password before accessing a secure system. The user’s name and password are sent over the wire to a server where they are compared with a database of user account names and passwords.
CHAP (Challenge Handshake Authentication Protocol) avoids sending passwords over the wire by using a challenge/response technique.
IPASS GIS The iPass company provides connectivity services for mobile Internet users. Select this check box to have the ZyXEL Device use the iPass Generic Interface Specification (GIS) method to authenticate iPass clients. Your external RADIUS servers must be Wi-Fi based Wireless Internet Service Provider roaming (WISPr) compliant in order to authenticate iPass clients. Login Mode When using iPass GIS, your ISP will provide you with login mode information.
Select Directly Reply, Proxy Reply with “Redirect Login Page” URL or Proxy Reply with Specific URL (and enter a URL of up to 350 ASCII characters in the field provided). The login mode information for the iPass GIS connection. (Provided by your ISP).
Apply Click Apply to save the changes. Table 9 ADVANCED > RADIUS (continued)