Step 1: Installing the RADIUS server on Windows Server
Since Didactum also provides English-language support pages, we have chosen the English version of Windows Server.
In Server Manager, right-click and select "Add Roles and Features." Then select "Role-based or feature-based installation." Select "Network Policy and Access Services," add the required features, click "Next," and then "Install."
Once the installation is complete, open the Network Policy Server (NPS) console. First, you need to register the NPS in your domain. Right-click NPS and select "Register server in Active Directory."
Step 2: Adding a new RADIUS client
The next step is to add your Didactum infrastructure monitoring unit as a new RADIUS client.
Expand "RADIUS Clients and Servers," then right-click "RADIUS Clients" and select "New." Enter a name for your monitoring device, an IP address, and a shared secret key. This shared secret key must be identical on your Didactum monitoring system!
Step 3: Creating access groups in the domain
Open "Active Directory Users and Computers". Select your domain, right-click, then click "New" and select "Group". This group will be used to grant additional users access to the Didactum Rack Monitoring System.
Now add a new user by right-clicking, selecting "New," and then "User." On the "Dial-In" tab, set the "Network Access Permission" to "Control access through NPS Network Policy." Then add the new user to the group you created earlier.
Now set the user password. This password (stored as a SHA-1 hash code) is the one the RADIUS user will later type in plain text when logging in.
Step 4: Create a new network policy
Using a network policy, we now link the RADIUS client record and the domain security group created earlier to the network-based Didactum monitoring systems. To do this, open the Network Policy Server console. Expand "Policies," right-click "Network Policies," and click "New." Specify the policy name and select "Grant access" as the access permission.
On the next tab under "Conditions," we need to add the conditions under which this RADIUS policy will apply. Add a group that includes all users who should be allowed to use the RADIUS service:
In the next step, we configure the "Authentication Methods". Here, we deactivate all other authentication methods and activate only "Unencrypted authentication (PAP, SPAP)":
Now, in the "Configure Settings" step, we delete all the RADIUS attributes that are offered there by default (see screenshot below). Then, under "Custom," we select the "Vendor Specific" attribute. Set the manufacturer/"Vendor" to "Custom" (User Defined) and click "Add."
Next, under "Attribute Information," click "Add." Enter the manufacturer's code (for Didactum monitoring hardware, we select the official manufacturer's code 46501) and then configure the attributes by attribute number.
Each attribute has a name and an identification number. Because the RADIUS server does not know the vendor-specific attributes of the monitoring hardware, each attribute must be entered manually together with its corresponding number.
The table below provides further information:
Description of the attributes of the Didactum Monitoring Hardware:
Each user profile in the system can have "Read-Only" or "Read-Write" access to system resources.
Each resource in the system is compared with its corresponding access identifier.
Access control is performed using lists. The list is a text string consisting of comma-separated access identifiers.
Accordingly, a user profile contains two kinds of lists: a read-access list and a write-access list (write access includes both writing and reading).
The system allows three types of permission lists:
A) Server access lists:
SRead - read access list;
SWrite - write access list;
Resource list (as of 01/2021):
accesskeys - management of access card reader keys and other compatible keys;
cameras - management of Didactum video cameras;
canbus - management of CAN bus;
devvirt - management of virtual devices (timers, PINGs, triggers);
elements - management of elements;
groups - management of groups;
gsm - management of the internal Didactum modem (if available in the monitoring system);
languages - management of language files installed in the monitoring system;
log - management of system log;
logics - management of logic schemes available in the monitoring system;
module - management of modules;
notify - management of notifications (mail, SNMP traps, SMS);
relays - management of built-in relays;
sdcard - management of SD card (if available in monitoring system);
system - runtime management (hardened Linux OS);
users - user management;
view - control of web interface display.
Note: Do not define a default user (identifier), because such a user could otherwise view the recordings of all other users! In that case, the user rights stored in the monitoring system can no longer be edited or deleted.
B) Client permission lists (Web interface):
CRead - read access list;
CWrite - write access list;
The list of client resource identifiers (web interface) is created and used exclusively by the client (via web interface). Therefore, the resource identifiers should be set to "all".
C) Permission lists for groups of objects:
GRead - list of groups with read-only access;
GWrite - list of groups with write access;
Group permission lists consist of group IDs and are intended to restrict client (web interface) access to group objects.
The format of these lists is identifiers separated by commas. Two special control words exist:
all - full access to all identifiers, which means full administrative access;
none - access is completely prohibited.
By default, there are no groups in the Didactum monitoring system. The elements and modules of the monitoring hardware are also not subdivided into groups.
Access to elements and groups is only possible with "all" rights.
After you have specified all attributes, you will get a result as shown in the screenshot below. In our example, all users of the "RADIUS group" have full administrator rights for the Didactum monitoring system.
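To make the list semantics above concrete, here is an added Python example (not Didactum's code) that evaluates the six permission-list attributes the way the text describes: "none" denies, "all" is full administrative access, write access includes reading, and elements and groups are reachable only with "all" rights. It assumes the attributes arrive as "Name=value" strings, that an absent attribute means "none", and that an identifier not on the page's resource list grants nothing.

```python
from typing import Dict, List, Set

# Server resource identifiers listed on the page (as of 01/2021).
SERVER_RESOURCES: Set[str] = {
    "accesskeys", "cameras", "canbus", "devvirt", "elements", "groups", "gsm",
    "languages", "log", "logics", "module", "notify", "relays", "sdcard",
    "system", "users", "view",
}
PERMISSION_ATTRIBUTES = ("SRead", "SWrite", "CRead", "CWrite", "GRead", "GWrite")
# The page states that elements and groups are accessible only with "all" rights.
ALL_ONLY = {"elements", "groups"}


def parse_vsa(attributes: List[str]) -> Dict[str, Set[str]]:
    """Turn ['SRead=log,view', 'SWrite=none', ...] into {name: set(identifiers)}.

    Assumption (not stated on the page): an attribute the RADIUS reply does not
    carry defaults to "none", and a list containing "none" denies regardless of
    any other entries in it.
    """
    lists = {name: {"none"} for name in PERMISSION_ATTRIBUTES}
    for item in attributes:
        name, _, value = item.partition("=")
        name = name.strip()
        if name not in PERMISSION_ATTRIBUTES:
            continue  # not one of the six permission lists
        ids = {v.strip().lower() for v in value.split(",") if v.strip()}
        lists[name] = ids or {"none"}
    return lists


def allowed(lists: Dict[str, Set[str]], attr: str, resource: str) -> bool:
    """Apply one list: "none" beats everything, "all" grants everything,
    otherwise the identifier must be explicitly listed and known."""
    ids = lists[attr]
    if "none" in ids:
        return False
    if "all" in ids:
        return True
    if resource in ALL_ONLY:
        return False  # only "all" unlocks elements and groups
    return resource in ids and resource in SERVER_RESOURCES


def can_write(lists: Dict[str, Set[str]], resource: str) -> bool:
    return allowed(lists, "SWrite", resource)


def can_read(lists: Dict[str, Set[str]], resource: str) -> bool:
    # Write access also covers reading ("both recording and reading").
    return allowed(lists, "SRead", resource) or can_write(lists, resource)


def is_full_admin(lists: Dict[str, Set[str]]) -> bool:
    # "all" in the server write list means full administrative access.
    return "all" in lists["SWrite"] and "none" not in lists["SWrite"]
```

Comparing the "all/all" profile from the screenshot example with a read-only profile such as SRead=log,view / SWrite=none shows how much narrower a least-privilege operator account can be made.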