Access to the Didactum monitoring systems with RADIUS server
RADIUS is a network protocol (RFC 2865) through which devices authenticate users against a central user database. It is used for network-wide authentication and authorization (determining access rights) of users. Didactum monitoring systems can authenticate their users against a RADIUS server within a network.
By using RADIUS, the time-consuming configuration of individual users for each monitoring system is eliminated.
RADIUS configuration in the web GUI of Didactum monitoring systems
The RADIUS settings for the Didactum remote monitoring systems can be found in the web interface under "Main Menu" => "Preferences" => "RADIUS".
To activate RADIUS on the Didactum monitoring system, you must set "RADIUS" to "enabled".
Under "Server address", please enter the IP address of your RADIUS server.
Under "Server Port", specify the port. This is usually "1812".
Under "Server password", please enter the RADIUS shared secret that the server has configured for this device (see the "secret" attribute in clients.conf below).
Then please save your settings (please also click the floppy disk icon in the upper right corner). The Didactum monitoring system will then restart, and the changes will take effect.
Practical example FreeRADIUS:
Authentication method – unencrypted authentication (PAP, SPAP). With PAP the user's password is not encrypted end to end: the monitoring system only obfuscates it with an MD5 keystream derived from the shared secret and the request authenticator (RFC 2865, section 5.2). The strength of the shared secret and the isolation of the RADIUS traffic (a management VLAN or a tunnel) are therefore what protect the password on the wire.
After you have installed and configured FreeRADIUS, you must check the following points:
- Vendor dictionary
- Client entries (IP address and shared secret) for the NAS clients (e.g. Didactum monitoring systems)
- User list with the corresponding access attributes
The vendor dictionary (for example “dictionary.local”) must be copied into the FreeRADIUS configuration directory /etc/raddb (on Debian/Ubuntu packages this directory is /etc/freeradius/3.0):

dictionary.local

#
# Didactum dictionary of parameters.
#
VENDOR      Didactum    39052
ATTRIBUTE   SRead   10  string  Didactum
ATTRIBUTE   SWrite  11  string  Didactum
ATTRIBUTE   CRead   12  string  Didactum
ATTRIBUTE   CWrite  13  string  Didactum
ATTRIBUTE   GRead   14  string  Didactum
ATTRIBUTE   GWrite  15  string  Didactum
ATTRIBUTE   RFU1    16  string  Didactum
ATTRIBUTE   RFU2    17  string  Didactum
Check that the main dictionary file /etc/raddb/dictionary includes the vendor dictionary:

dictionary

$INCLUDE dictionary.local
The list of server clients is stored in the file /etc/raddb/clients.conf. A client record looks as follows:

/etc/raddb/clients.conf

client 192.168.1.88 {
    secret = password123
}

The configuration above shows the IP address of the client and the shared secret used between the client and the server. In our case, the clients are the Didactum monitoring systems. The value of the “secret” attribute must match the “Server password” field entered on the monitoring system (see above). Use a long, random secret rather than a simple word like the placeholder above: with PAP the shared secret is the only protection of the user password on the wire, the hiding is MD5-based, and a guessable secret can be recovered offline from a single captured Access-Request.
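The following Python script is added here as an example and is not Didactum's or FreeRADIUS's code. It builds the PAP Access-Request the monitoring system would send for the client entry above, decodes it the way the server does with the shared secret, and then shows why the secret matters: an offline dictionary attack on one captured request recovers the weak placeholder secret and with it the PAP password. The packet layout and the User-Password hiding follow RFC 2865; the assumption that the device submits the SHA-1 digest of the typed password as the PAP password is taken from the authorize example further down, and the function names are this example's own.

```python
# RFC 2865 PAP Access-Request built and decoded offline (added example, not vendor code).
import hashlib
import os
import socket
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: null-pad to 16-byte blocks; each block is XORed with
    MD5(secret + previous hidden block), seeded with the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; returns the padded plaintext, nulls included."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(out)


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _attributes(packet):
    """Yield (type, value) for each attribute after the 20-byte header."""
    pos, length = 20, len(packet)
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        yield attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def build_access_request(username, password, nas_ip, secret, identifier=1, authenticator=None):
    """What the monitoring system sends: User-Name, hidden User-Password, NAS-IP-Address."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_access_request(packet, secret):
    """What the server sees once it applies the client's shared secret."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator = packet[4:20]
    fields = {"Identifier": identifier}
    for attr_type, value in _attributes(packet):
        if attr_type == ATTR_USER_NAME:
            fields["User-Name"] = value.decode("utf-8", errors="replace")
        elif attr_type == ATTR_USER_PASSWORD:
            raw = reveal_password(value, secret, authenticator)
            fields["User-Password"] = raw.rstrip(b"\x00").decode("ascii", errors="replace")
        elif attr_type == ATTR_NAS_IP_ADDRESS:
            fields["NAS-IP-Address"] = socket.inet_ntoa(value)
    return fields


def looks_like_password(raw):
    """A correct secret yields printable ASCII followed only by null padding."""
    body = raw.rstrip(b"\x00")
    return bool(body) and all(0x20 <= b < 0x7F for b in body)


def guess_secret(packet, candidates):
    """Offline dictionary attack on a captured request: the shared secret is the
    only thing between an on-path attacker and the PAP password."""
    hidden = next((v for t, v in _attributes(packet) if t == ATTR_USER_PASSWORD), None)
    if hidden is None:
        return None
    authenticator = packet[4:20]
    for candidate in candidates:
        if looks_like_password(reveal_password(hidden, candidate, authenticator)):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: the page stores a SHA-1 digest as Cleartext-Password,
    # so the device is assumed to submit the digest of the typed password.
    secret = b"password123"  # the page's placeholder, deliberately weak
    pap_password = hashlib.sha1(b"user-typed-password").hexdigest()
    pkt = build_access_request("username01", pap_password, "192.168.1.88", secret)
    print(parse_access_request(pkt, secret))
    print(guess_secret(pkt, [b"radius", b"testing123", b"password123"]))
```

The wrong-secret branch in the test below shows the other side of the same coin: a server configured with a different secret decodes garbage rather than rejecting the packet outright, which is why a mismatched “Server password” surfaces as a failed login rather than a clear error.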
The user records are stored in the file /etc/raddb/mods-config/files/authorize and look as follows:
/etc/raddb/mods-config/files/authorize

username01    Cleartext-Password := "35675e68f4b5af7b995d9205ad0fc43842f16450"
    SRead = "all,",
    SWrite = "all,",
    CRead = "all,",
    CWrite = "all,",
    GRead = "all,",
    GWrite = "all,",
    RFU1 = "something strange",
    RFU2 = "another something strange too"
The following entries have been made:
- user name – in our case username01
- Cleartext-Password – the value the monitoring system submits for the user; it must be the SHA‑1 hash (40 hexadecimal characters) of the password the user types, not the password itself. Treat this digest as password-equivalent: anyone who can read the authorize file can log in with it, so restrict the file's permissions accordingly.
- SRead, SWrite, CRead, CWrite, GRead, GWrite – the system access permissions
- RFU1 and RFU2 – reserved attributes (not used)
If an attribute is not used, remove it from the entry entirely. Leaving it in with an empty value, such as RFU1 = "", is not supported by FreeRADIUS.
In our example, all devices that authenticate via the FreeRADIUS server receive the same user permission configuration. If you need different user rights on the devices, please proceed as follows:
/etc/raddb/mods-config/files/authorize

username01    Cleartext-Password := "35675e68f4b5af7b995d9205ad0fc43842f16450", NAS-IP-Address == "192.168.1.88"
    SRead = "all,",
    SWrite = "all,",
    CRead = "all,",
    CWrite = "all,",
    GRead = "all,",
    GWrite = "all,"

username01    Cleartext-Password := "35675e68f4b5af7b995d9205ad0fc43842f16450", NAS-IP-Address != "192.168.1.88"
    SRead = "all,",
    SWrite = "devvirt,elements,log,logics,modules,notify,relays,sdcard,system,view,",
    CRead = "all,",
    CWrite = "all,",
    GRead = "all,",
    GWrite = "3001,3002,"

In the above example, the user username01 receives full access rights on the device with the IP address 192.168.1.88 (all lists set to “all”). When the same user authenticates on any other device (NAS-IP-Address other than 192.168.1.88), the second entry applies and the permissions are limited. FreeRADIUS uses the first entry whose check items all match, so the more specific entry must be listed first.
System access permissions
For each user profile, access to system resources can be granted in “read only” or “read‑write” mode: the resource a user requests is compared against the access IDs in the profile's lists.
Access control is list-based. Each list is a text string of access IDs separated by commas; as in the examples above, every ID (including “all”) is followed by a comma.
Each user profile has two lists of each type: one for read access (Read) and one for write access (Write). The write list grants both reading and writing.
The Didactum monitoring system offers three types of permission lists:
1.) Server permission lists:
- SRead – read access list;
- SWrite – write access list;
Here is the list of resources for Didactum monitoring systems in relation to RADIUS:
- accesskeys – management of iButton access keys and RFID cards;
- cameras – management of video cameras connected to the Didactum IP alarm servers;
- canbus – management of the CAN bus (Controller Area Network) of the Didactum monitoring systems 400/500/500DC/600/700;
- devvirt – management of virtual sensors and devices;
- elements – management of elements connected to the Didactum monitoring systems;
- GSM – management of the GSM modem;
- groups – management of group functions;
- languages – management of language settings of the Didactum monitoring system;
- log – management of log files;
- logics – management of logic schemes / alarm rules of the Didactum monitoring systems;
- modules – management of modules and expansion units connected to the Didactum monitoring systems;
- notify – management of notification types (email alarm, SMS alarm, SNMP traps, siren, etc.);
- relays – management of relay outputs integrated in the Didactum monitoring systems 500/500DC/600/700;
- sdcard – management of SD card readers built into the Didactum monitoring systems 400/500/500DC/600/700;
- system – runtime management of the Linux operating system;
- users – user management;
- view – management of the graphical user interface / web GUI of the Didactum monitoring system.
Warning: Please do not specify the identifier “users”, as this could allow a user without administrator rights to view the profiles of other users.
2.) Client permissions list (web interface):
- CRead – read access list;
- CWrite – write access list;
Client resource IDs are defined exclusively in the web interface; they are not evaluated for RADIUS users, so set both CRead and CWrite to “all”.
3.) Permission lists for object groups:
- GRead – list of group IDs with read‑only access;
- GWrite – list of group IDs with write access;
Group permission lists consist of group IDs (positive integers). Two special values are supported:
- all – full access to all IDs (full admin access);
- none – no access to IDs.
Note: No groups are defined in the system by default. Access is only possible via the permission definition “all”.
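The following Python script is added here as an example and is not Didactum's or FreeRADIUS's code. It generates authorize stanzas like the username01 entries above and enforces the rules from this “System access permissions” section: it derives the SHA‑1 digest the page stores as Cleartext-Password, validates SRead/SWrite against the resource identifiers listed above, refuses “users” unless it is explicitly allowed for an administrator, accepts only “all”, “none” or positive integers for GRead/GWrite, adds the optional NAS-IP-Address check item for per-device rights, omits the unused RFU attributes, and emits the trailing-comma list format of the examples. The resource names are taken from the page (with “GSM” kept in the page's spelling); the function and parameter names are this example's own.

```python
# Generator for FreeRADIUS authorize entries with Didactum attributes (added example, not vendor code).
import hashlib
import ipaddress

# Server resource identifiers usable in SRead / SWrite, as listed on the page.
SERVER_RESOURCES = frozenset({
    "accesskeys", "cameras", "canbus", "devvirt", "elements", "GSM", "groups",
    "languages", "log", "logics", "modules", "notify", "relays", "sdcard",
    "system", "users", "view",
})
# The page warns that "users" lets a non-administrator view other users' profiles.
PRIVILEGED_RESOURCES = frozenset({"users"})
ALL, NONE = "all", "none"


def didactum_password(plaintext):
    """The page stores the SHA-1 hex digest of the user's password as Cleartext-Password."""
    return hashlib.sha1(plaintext.encode()).hexdigest()


def _as_list(ids):
    return [ids] if isinstance(ids, str) else list(ids)


def server_list(ids, allow_privileged=False):
    """SRead/SWrite value: 'all,', 'none,' or 'id1,id2,' (every ID followed by a comma)."""
    ids = _as_list(ids)
    if ids in ([ALL], [NONE]):
        return ids[0] + ","
    unknown = sorted(set(ids) - SERVER_RESOURCES)
    if unknown:
        raise ValueError("unknown resource identifier(s): %s" % unknown)
    privileged = sorted(set(ids) & PRIVILEGED_RESOURCES)
    if privileged and not allow_privileged:
        raise ValueError("%s exposes other users' profiles; allow it only for administrators" % privileged)
    return ",".join(ids) + ","


def client_list(value):
    """CRead/CWrite are not evaluated for RADIUS users; the page says to set them to 'all'."""
    if value not in (ALL, NONE):
        raise ValueError("client lists accept only 'all' or 'none'")
    return value + ","


def group_list(ids):
    """GRead/GWrite value: 'all,', 'none,' or positive integer group IDs."""
    ids = _as_list(ids)
    if ids in ([ALL], [NONE]):
        return ids[0] + ","
    for gid in ids:
        if not (isinstance(gid, int) and gid > 0):
            raise ValueError("group ID must be a positive integer, got %r" % (gid,))
    return ",".join(str(gid) for gid in ids) + ","


def authorize_entry(username, password, *, sread=ALL, swrite=ALL, cread=ALL, cwrite=ALL,
                    gread=ALL, gwrite=ALL, nas_ip=None, nas_matches=True, allow_privileged=False):
    """One users-file stanza: check items on the first line, reply items indented,
    each reply item but the last followed by a comma. Unused RFU attributes are left out."""
    checks = ['Cleartext-Password := "%s"' % didactum_password(password)]
    if nas_ip is not None:  # per-device rights: match (==) or exclude (!=) one NAS address
        checks.append('NAS-IP-Address %s "%s"' % ("==" if nas_matches else "!=", ipaddress.IPv4Address(nas_ip)))
    replies = [
        ("SRead", server_list(sread, allow_privileged)),
        ("SWrite", server_list(swrite, allow_privileged)),
        ("CRead", client_list(cread)),
        ("CWrite", client_list(cwrite)),
        ("GRead", group_list(gread)),
        ("GWrite", group_list(gwrite)),
    ]
    lines = ["%s\t%s" % (username, ", ".join(checks))]
    for index, (name, value) in enumerate(replies):
        lines.append('\t%s = "%s"%s' % (name, value, "," if index < len(replies) - 1 else ""))
    return "\n".join(lines)


def render_authorize(entries):
    """Join stanzas for the authorize file; more specific entries must come first."""
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    # Constructed sample reproducing the page's two-entry layout for username01.
    full = authorize_entry("username01", "correct horse", nas_ip="192.168.1.88")
    limited = authorize_entry("username01", "correct horse", nas_ip="192.168.1.88", nas_matches=False,
                              swrite=["devvirt", "elements", "log", "logics", "modules",
                                      "notify", "relays", "sdcard", "system", "view"],
                              gwrite=[3001, 3002])
    print(render_authorize([full, limited]))
```

Because FreeRADIUS takes the first matching entry, render_authorize is handed the device-specific stanza before the catch-all one, exactly as on the page.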
As of 30/11/2015. Technical changes reserved.