User Guide: AT-RADGate for Allied Telesis Container Platform version 1.1.1

AT-RADgate Authentication

AT-RADgate performs authentication according to the RADIUS Authentication protocol.
The RADIUS Authentication protocol is a protocol for centralized management of connection authentication to a server or network. It is used in a network consisting of a supplicant requesting a connection, a destination server or network device (NAS), and an authentication server (AT-RADgate).
RADIUS Authentication is basically performed as follows:
  1. The supplicant connects to the NAS.
  2. The NAS sends a supplicant authentication request to the authentication server. The authentication request contains information about the connecting supplicant and the NAS itself.
  3. The authentication server verifies the contents of the authentication request and sends the result to the NAS.
  4. The NAS performs the supplicant connection process based on the received authentication result.

Authentication server behavior

The authentication request verification process performed by the authentication server can be divided into two processes: authentication, which evaluates the legitimacy of the supplicant, and authorization, which determines the permissions assigned to the supplicant.
The authentication process involves verifying the legitimacy of the NAS and the supplicant.
The legitimacy of the NAS is determined from the source IP address of the authentication request message together with the pre-shared key (shared secret) information carried in the message.
With AT-RADgate, you can register the NAS to which you want to allow connection as a NAS policy. AT-RADgate discards all authentication request messages from a NAS that do not match the NAS policy information and does not return a response.
The validity of the supplicant is verified by matching the username and password information contained in the authentication request message.
With AT-RADgate, you can register the users you manage as User policies. AT-RADgate responds with a rejection message to any connection request from a supplicant that does not match the information in the authentication policy. When a NAS receives a rejection message, it usually redisplays the login prompt and asks the user to re-enter their information.
AT-RADgate inserts a certain delay before sending a rejection message, to hinder attacks by unauthorized devices.
AT-RADgate can use Windows Active Directory account information instead of its own authentication policy as the authentication database used when authenticating a supplicant.
If you want to perform authentication using Windows Active Directory, you must register the Windows Server you want to work with in AT-RADgate and use EAP-PEAP as the authentication protocol.
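The NAS check, the supplicant check and the delayed rejection described above, as an added illustration in Python. This is example code written for this guide, not part of the AT-RADgate product; the NAS policy and User policy tables, the IP address, the shared secret, the user credentials and the delay length are all constructed (hypothetical) values. It assumes the NAS proves possession of the shared secret with the Message-Authenticator attribute of RFC 2869 and hides the password as in RFC 2865 section 5.2; the guide itself does not say which mechanism AT-RADgate uses.

```python
import hashlib
import hmac
import struct

# Constructed policy tables for this example (hypothetical values, not real data).
# The NAS policy is keyed by the source IP of the Access-Request and holds the shared secret.
NAS_POLICY = {"192.0.2.10": b"nas-secret-example"}
USER_POLICY = {"alice": b"correct horse"}

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CALLING_STATION_ID, MESSAGE_AUTHENTICATOR = 1, 2, 31, 80
REJECT_DELAY_SECONDS = 2  # assumed value; the guide does not state the delay length


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the chain value is the hidden block, not the plaintext."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Type-Length-Value encoding of a list of (type, value) attribute pairs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(body: bytes) -> list:
    """Decode TLV attributes, preserving order; rejects malformed lengths."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, ln = body[i], body[i + 1]
        if ln < 2 or i + ln > len(body):
            raise ValueError("bad attribute length")
        attrs.append((t, body[i + 2:i + ln]))
        i += ln
    return attrs


def build_access_request(secret, ident, authenticator, username, password, calling_station_id):
    """What the NAS sends (step 2 above). Message-Authenticator (RFC 2869) is HMAC-MD5,
    keyed with the shared secret, over the whole packet with its own value zeroed."""
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password, secret, authenticator)),
             (CALLING_STATION_ID, calling_station_id.encode()),
             (MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(encode_attrs(attrs))) + authenticator
    mac = hmac.new(secret, header + encode_attrs(attrs), hashlib.md5).digest()
    attrs[-1] = (MESSAGE_AUTHENTICATOR, mac)
    return header + encode_attrs(attrs)


def handle_access_request(src_ip: str, packet: bytes):
    """Server side (step 3). Returns None when the request is discarded without a response,
    otherwise (response_code, delay_seconds_before_sending)."""
    secret = NAS_POLICY.get(src_ip)
    if secret is None or len(packet) < 20:
        return None                                   # NAS not in any NAS policy: discard
    code, ident, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    try:
        attrs = parse_attrs(packet[20:])
    except ValueError:
        return None
    attr_map = dict(attrs)
    # Prove the NAS holds the shared secret: recompute the HMAC with the MA value zeroed.
    zeroed = encode_attrs([(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    expected = hmac.new(secret, packet[:20] + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, attr_map.get(MESSAGE_AUTHENTICATOR, b"")):
        return None                                   # secret mismatch: discard, no response
    username = attr_map.get(USER_NAME, b"").decode("utf-8", errors="replace")
    password = reveal_password(attr_map.get(USER_PASSWORD, b""), secret, authenticator)
    if hmac.compare_digest(USER_POLICY.get(username, b"\x00"), password):
        return ACCESS_ACCEPT, 0
    return ACCESS_REJECT, REJECT_DELAY_SECONDS        # delayed rejection; the NAS re-prompts
```

Note the two different failure outcomes: a request from an unregistered NAS or with a wrong shared secret produces no response at all, while a wrong username or password produces an Access-Reject after the delay. The function returns the delay rather than sleeping so the decision can be tested.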

Endpoint Authentication

AT-RADgate is equipped with an endpoint authentication function. In addition to the standard user authentication of RADIUS, this function verifies the MAC Address stored in the Calling-Station-Id attribute, and is intended to be used in conjunction with the port authentication function of our AW+ Switches and the client authentication function of our Wireless LAN Access Points.
The endpoint authentication function can be enabled or disabled for each NAS, and is disabled by default.
AT-RADgate allows you to register the endpoints it manages as Endpoint policies. When a MAC Address is stored in the Calling-Station-Id attribute of an authentication request message sent by a NAS with endpoint authentication enabled, AT-RADgate checks whether the MAC Address is registered in the Endpoint policy. As a result of the confirmation, even if the MAC Address is not registered, a rejection message is not sent and processing continues. The registration state of the MAC Address is used during the authorization phase.

MAC-based Authentication

If a MAC Address is stored in the User-Name attribute of an authentication request message sent by a NAS with endpoint authentication enabled (if the authentication request message contains a Calling-Station-Id attribute, the same MAC Address must be stored in the User-Name attribute and the Calling-Station-Id attribute), AT-RADgate does not perform user authentication, but only endpoint authentication.
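The decision rule in the two sections above (endpoint authentication enabled or not, MAC in User-Name, agreement with Calling-Station-Id), as an added example in Python. This is illustration code written for this guide, not AT-RADgate's own logic; the attribute names are passed as already-decoded strings, the accepted MAC notations are an assumption, and treating a request whose User-Name and Calling-Station-Id carry different MAC addresses as malformed is this example's choice, since the guide only states that they must match.

```python
import re

HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(value: str):
    """Return the MAC as 12 lowercase hex digits, or None if value is not a MAC address.
    Accepted notations (assumption): 00-11-22-33-44-55, 00:11:22:33:44:55,
    0011.2233.4455 and 001122334455."""
    digits = re.sub(r"[-:.]", "", value.strip().lower())
    return digits if HEX12.fullmatch(digits) else None


def classify_request(attrs: dict, endpoint_auth_enabled: bool):
    """Decide which checks an authentication request needs for this NAS.
    attrs maps attribute names ('User-Name', optional 'Calling-Station-Id') to strings.
    Returns one of:
      ('user', None)            endpoint authentication disabled: user authentication only
      ('user+endpoint', mac)    user authentication, plus endpoint registration lookup
      ('endpoint', mac)         MAC-based authentication: endpoint authentication only
      ('reject', reason)        inconsistent MAC addresses (this example's choice)"""
    calling = normalize_mac(attrs["Calling-Station-Id"]) if "Calling-Station-Id" in attrs else None
    if not endpoint_auth_enabled:
        return ("user", None)
    user_mac = normalize_mac(attrs.get("User-Name", ""))
    if user_mac is None:
        # Ordinary username: authenticate the user; the MAC (if any) only feeds authorization.
        return ("user+endpoint", calling)
    if calling is not None and calling != user_mac:
        return ("reject", "User-Name and Calling-Station-Id carry different MAC addresses")
    return ("endpoint", user_mac)
```

The normalization matters in practice because different NAS models send Calling-Station-Id in different notations; comparing raw strings would make the same endpoint look registered on one switch and unregistered on another.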

Authorization Process

AT-RADgate's authentication policy has the concepts of tags and access levels. The tag is a string that represents the group the policy belongs to, and the access level is a number between 0 and 15 that represents the strength of the policy's permissions. Access level 0 means that no connection is allowed; higher numbers represent greater privileges, up to 15.
Tags can be set in NAS policies, User policies, and Endpoint policies, and access levels can be set in User policies and Endpoint policies.
During the authentication process, AT-RADgate finds the NAS policy, User policy, and Endpoint policy that match the supplicant being authenticated. The authorization process involves combining this information with the contents of the authentication request message to create Supplicant parameters, searching for a Supplicant Profile policy that matches those Supplicant parameters, and sending the permissions stored in the found profile to the NAS.
The Supplicant parameters created during the authorization process are as follows:
The Access Level is the smallest value among the Access Levels set in the matching policies. If no matching policy has an Access Level set, the Access Level is 1.
The tag set is the combination of all tags set in the NAS policy, User policy, and Endpoint policy.
The created Supplicant parameters are compared with the condition settings of the Supplicant Profile to determine which profile should be applied.
Each Supplicant Profile is assigned a priority value between 1 and 15. Profiles with the lowest priority value are evaluated first, and the first matching profile determines the permissions given to the supplicant.
The following actions can be configured in a Supplicant Profile; each behaves as described below.
Table 1: Action

Action       Behavior
Pass         The supplicant is allowed to connect and, if a VLAN is configured, is connected to that VLAN segment.
Drop         The supplicant's connection is rejected. The current version of AT-RADgate sends an authentication rejection message, because the standard RADIUS attributes cannot express a discard state.
Quarantine   The supplicant is placed into a quarantined state. If a VLAN is configured, it is isolated to that VLAN segment. If the profile has no VLAN setting, the supplicant is quarantined to the system's default quarantine VLAN.
Undecided    Puts the supplicant into an undecided state and, if a VLAN is configured, isolates it to that VLAN segment. If no VLAN is set, the behavior is the same as Drop. Note: this action is not supported in this version.
Notice       Records an event log entry indicating that this profile matched. This is the only action after which evaluation continues: AT-RADgate goes on through the remaining profiles to find the privileges that should be applied to the supplicant.
The following information can be given when an action is performed:
Table 2: Configurable fields

Item Name    Description
VLAN         Sets the destination VLAN. Can only be set if the action is Pass, Quarantine, or Undecided.
Filter ID    Sets the ID of the traffic filter to be applied to the supplicant. If you set multiple filters, separate them with a space character.
Filter Rule  Sets the traffic filter to be applied to the supplicant. When setting multiple filter rules, separate them with a newline character.
The conditions that can be set in the Supplicant Profile policy are as follows.

Default Supplicant Profile policy

In AT-RADgate, the following Supplicant Profile policies are pre-configured with a lower priority than the profiles set by the user. If a supplicant does not match any of the user-registered Supplicant Profile policies, these policies are applied to the supplicant in order of decreasing priority.
Table 5: Default policies

Priority  Condition                Action
1         Unregistered devices     Drop
2         Access Level 0           Drop
3         Access Level 1 or higher Pass
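The whole authorization process (Supplicant parameters from the matching policies, profile evaluation in priority order, the Notice action continuing evaluation, and the default policies in Table 5 as a fallback), as an added example in Python. This is illustration code written for this guide, not AT-RADgate's implementation. The policies and profiles are constructed. Because the table of Supplicant Profile conditions is not included in this section, the condition model used here (a set of required tags and a minimum Access Level) is an assumption, as is the reading of "Unregistered devices" as a supplicant with no matching Endpoint policy.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policy:
    """A matched NAS, User or Endpoint policy. NAS policies carry tags only."""
    tags: set = field(default_factory=set)
    access_level: Optional[int] = None


@dataclass
class Profile:
    """A Supplicant Profile. The condition fields are this example's assumption."""
    name: str
    priority: int                      # 1..15, lowest value evaluated first
    action: str                        # Pass, Drop, Quarantine, Undecided, Notice
    required_tags: set = field(default_factory=set)
    min_access_level: int = 0
    vlan: Optional[int] = None


def supplicant_parameters(nas, user, endpoint):
    """Access Level = smallest level set in the matching policies (1 if none is set);
    tag set = combination of all tags from NAS, User and Endpoint policies."""
    levels = [p.access_level for p in (user, endpoint)
              if p is not None and p.access_level is not None]
    level = min(levels) if levels else 1
    tags = set()
    for p in (nas, user, endpoint):
        if p is not None:
            tags |= p.tags
    return level, tags


def matches(profile, level, tags):
    """Assumed condition model: every required tag present and level at least the minimum."""
    return profile.required_tags <= tags and level >= profile.min_access_level


def authorize(nas, user, endpoint, profiles, log):
    """Evaluate user-defined profiles in priority order, then the Table 5 defaults.
    Returns (profile name, action, vlan); Notice matches are appended to log."""
    level, tags = supplicant_parameters(nas, user, endpoint)
    for profile in sorted(profiles, key=lambda p: p.priority):
        if not matches(profile, level, tags):
            continue
        if profile.action == "Notice":
            log.append(f"profile {profile.name} matched")   # only action that keeps evaluating
            continue
        return profile.name, profile.action, profile.vlan
    # Default Supplicant Profile policies (Table 5), lower priority than any user profile.
    if endpoint is None:                                     # unregistered device (assumption)
        return "default-1", "Drop", None
    if level == 0:
        return "default-2", "Drop", None
    return "default-3", "Pass", None
```

A useful property to check when writing profiles: because the Access Level is the minimum across policies, an Endpoint policy with a low level silently lowers a user's privileges, and a user with no level set anywhere lands at level 1, which the defaults treat as Pass.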

02 Oct 2025 12:05