To the DualShield Radius Server, a Network Access Server (NAS), VPN gateway or VPN application is a Radius client. To connect a Radius client to a DualShield Radius Server, the Radius client must first be registered in DualShield.

To register a Radius client, select “RADIUS | Radius Client” in the main menu and click the “Register” button in the toolbar.

IP Address

The address of the radius client (NAS device) connected to this entry.

Shared Secret

A shared secret is a case-sensitive password used to validate communications between the RADIUS server and the RADIUS client (NAS device). The shared secret must be configured to match on both devices.

DualShield supports shared secrets of up to 127 alphanumeric characters, including spaces and the following special characters:

~!@#$%^&*()_+|\=-`{}[]:"';<>?/.,

Authentication Protocols

Many different authentication protocols can be used during RADIUS authentication. Common examples are PAP, CHAP, MS-CHAP.v2 and EAP. This setting lists the authentication protocols the RADIUS server will allow from a given RADIUS client. Currently PAP, CHAP and MS-CHAP.v2 are the only available authentication protocols supported by the system.

Encryption Data Policy

Data encryption protects the data sent between the remote access client (VPN client) and the remote access server (NAS). The remote access server can be configured to require data encryption. The remote access client can be configured to request the following levels of data encryption:

  • Optional encryption (connect even if there is no encryption).
  • No encryption allowed (the server disconnects if it requires encryption).
  • Require encryption (disconnect if the server declines).

If the remote access client cannot perform the required encryption, the connection attempt is rejected.

Do not Reply with Message Authenticator

Some VPN gateway appliances, such as CheckPoint, require that the “Message Authenticator” not be returned by the Radius Server. If your VPN gateway has this requirement, tick this option.
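The following added example (not DualShield code) shows how the shared secret validates a reply and what a client loses when this option is ticked. It checks the Message-Authenticator attribute as defined in RFC 2869: an HMAC-MD5 over the packet, keyed with the shared secret. It assumes DualShield follows the RFC; the function names and the sample packet are constructed for illustration.

```python
import hashlib
import hmac

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)


def attributes(packet):
    """Yield (type, value_offset, value_length) for each attribute."""
    length = int.from_bytes(packet[2:4], "big")
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        yield packet[pos], pos + 2, packet[pos + 1] - 2
        pos += packet[pos + 1]


def check_message_authenticator(packet, secret, request_auth=None):
    """True/False if the attribute verifies/fails, None if it is absent."""
    buf = bytearray(packet[:int.from_bytes(packet[2:4], "big")])
    received = None
    for attr_type, off, size in attributes(packet):
        if attr_type == MSG_AUTH and size == 16:
            received = bytes(buf[off:off + 16])
            buf[off:off + 16] = bytes(16)  # value is zeroed while hashing
    if request_auth is not None:  # replies are keyed to the request's authenticator
        buf[4:20] = request_auth
    expected = hmac.new(secret, bytes(buf), hashlib.md5).digest()
    return None if received is None else hmac.compare_digest(received, expected)


def build_reply(code, ident, request_auth, attrs, secret, with_msg_auth=True):
    """Constructed sample reply, for this demonstration only."""
    if with_msg_auth:
        attrs = bytes([MSG_AUTH, 18]) + bytes(16) + attrs
    head = bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    if with_msg_auth:
        mac = hmac.new(secret, head + request_auth + attrs, hashlib.md5).digest()
        attrs = attrs[:2] + mac + attrs[18:]
    response_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + response_auth + attrs


SECRET = b"Constructed Secret!"  # constructed sample values
REQUEST_AUTH = bytes(range(16))
REPLY = build_reply(2, 7, REQUEST_AUTH, b"\x12\x04ok", SECRET)
```

A secret that differs only in letter case fails the check, and a reply built with `with_msg_auth=False` (the behaviour this option selects) returns `None`, leaving the client only the MD5 Response Authenticator to validate the reply.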

Strip the realm from username at authentication

If the username received is prefixed by a realm or domain (e.g. realm\name), then the realm/domain part is removed from the username.



