Service Integration - RADIUS/ODBC Authentication

To authenticate against usernames and passwords stored in a remote database table, MOVEit Transfer can use the MOVEit RADIUS/ODBC Authentication service. This service accepts RADIUS requests from MOVEit Transfer and then looks up the attempted username and password from a local ODBC source.

Almost any database can be supported with this mechanism, as the service uses an arbitrary ODBC connection string and generic SQL queries. (MySQL and SQL Server examples are provided.)

Recommended Platform

The most secure way to run this service is to install it on the same machine as the database server; in this case all usernames and passwords are protected with the encrypted RADIUS channel. A less secure way is to install this service on a different internal machine; in this case the username and password are encrypted between MOVEit Transfer and the box running the MOVEit RADIUS/ODBC Authentication service, but are probably not encrypted between the MOVEit RADIUS/ODBC server and the database server. The least secure way is to install this service on the MOVEit Transfer system itself; in this case the username and password are sent in the clear between MOVEit Transfer and an internal database server.

Installation

To install the MOVEit RADIUS/ODBC Authentication service, you need to download and install the following packages:

The MOVEit RADIUS-ODBC Authentication SERVER will install as a Microsoft Service, so you can start and stop it with the Services control panel or a net stop/start moveitradius command from the command prompt. Unlike some other MOVEit services, the MOVEit RADIUS-ODBC service itself has no user interface. Serious errors encountered by the service are logged in the Application event log under MOVEitRADIUS.

There is also a GUI configuration CLIENT installed with the MOVEit RADIUS-ODBC Authentication package. This client can be started from the START menu via Programs | MOVEit DMZ | Configure MOVEit RADIUS.

Configuration

In the following example, a system called dotnet.corp.stdnet.com is running MOVEit Transfer. A second system called jglshuttle.corp.stdnet.com hosts both the username/password database service and the MOVEit ODBC-RADIUS Authentication service.

The usernames and passwords are stored in a (MySQL) database called radiustest in a table called userlookup.

On MOVEit Transfer, an administrator sets up a remote RADIUS authentication source to point to jglshuttle.corp.stdnet.com and enters the shared secret.

Finally, to configure the MOVEit RADIUS-ODBC service, an administrator opens the Configure MOVEit Radius utility and enters the following values:

The values on this dialog are used in the following way by the MOVEit RADIUS-ODBC service

Make sure to fill in ALL values, otherwise the MOVEit RADIUS-ODBC service will likely NOT work.

All values set using this configuration dialog are saved to the HKLM\SOFTWARE\Standard Networks\MOVEitRadius registry entry. The values of the Shared Secret and the Database Password are encrypted here, and can only be set through this dialog. To use new settings, the MOVEit RADIUS service must be restarted.

Testing

One way to test the operation of the configured MOVEit RADIUS-ODBC service is to try signing on with registered users from a properly configured MOVEit Transfer session. RADIUS messages and errors will appear in the MOVEit Transfer debug log when the debug level is set to DEBUG ALL.

MOVEit RADIUS Test Client

An alternate way to test the operation of this (or any) RADIUS service is to download and run the MOVEitRADIUSTestClient (available in the Distribution \ MOVEit \ DMZ \ Extras folder on the MOVEit support site, https://www.ipswitchft.force.com/kb/knowledgeProduct?c=MOVEit_DMZ).

WARNING: Do NOT install the MOVEit RADIUS Test Client on your MOVEit Transfer machine. The interaction of some underlying libraries used by both the test client and MOVEit Transfer could cause MOVEit Transfer to NOT authenticate RADIUS users.

Installation

The RADIUS test client requires the use of the .NET Framework. Install the framework before proceeding. Installation of the RADIUS test client involves extracting the contents of a ZIP file into a single folder on your test machine. (MOVEit Wizard can unzip this file if another ZIP utility is not available.) Make sure to install the test client on the machine you intend to test from. Running the client from a remote file server may cause permissions problems that could keep the client from running correctly. If you see the error "The .Net framework did not grant the permission....", this is most likely the cause.

Operation

The MOVEit RADIUS test client is a graphical utility named MOVEitExtAuthTest.exe. Run it by double-clicking on the file. Then, fill in the appropriate information for the RADIUS server you wish to test, and click the Authenticate button.

Diagnosing RADIUS

The following screenshots show the MOVEit RADIUS test client in action as it encounters one successful signon and three different common problems.

Connected OK, Authenticated OK:

Connected OK, Bad Username or Password:

Failed to Connect - Invalid Host:

Failed to Connect - RADIUS Service Not Listening (Wrong Server?):
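
The four outcomes listed above can also be checked from a script. The following is an added example, not part of MOVEit or its test client: a minimal RADIUS client that builds an Access-Request, verifies the reply against the shared secret, and reports the same four results. It assumes the service accepts standard RFC 2865 PAP requests on UDP port 1812 (the page states neither), and all function names are illustrative.

```python
import hashlib, hmac, os, socket, struct

# Added example: assumes standard RFC 2865 PAP on UDP 1812 (not stated on the page).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_request(user, password, secret, ident, authenticator) -> bytes:
    """Access-Request with User-Name (type 1, cleartext) and User-Password (type 2)."""
    attrs = b""
    for atype, value in ((1, user), (2, hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def classify_reply(reply, ident, req_auth, secret) -> str:
    """Verify the Response Authenticator, then map the code to the page's outcomes."""
    if len(reply) < 20 or not 20 <= struct.unpack("!H", reply[2:4])[0] <= len(reply):
        return "Malformed reply"
    code, rid, length = struct.unpack("!BBH", reply[:4])
    reply = reply[:length]
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if rid != ident or not hmac.compare_digest(reply[4:20], expected):
        return "Reply failed verification (shared secret mismatch or spoofed reply)"
    return {ACCESS_ACCEPT: "Connected OK, Authenticated OK",
            ACCESS_REJECT: "Connected OK, Bad Username or Password"}.get(
                code, f"Unexpected RADIUS code {code}")

def authenticate(host, user, password, secret, port=1812, timeout=3.0) -> str:
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    packet = build_request(user.encode(), password.encode(), secret.encode(), ident, req_auth)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(packet, (socket.gethostbyname(host), port))
            reply, _ = sock.recvfrom(4096)
    except socket.gaierror:
        return "Failed to Connect - Invalid Host"
    except (socket.timeout, ConnectionError):
        return "Failed to Connect - RADIUS Service Not Listening (Wrong Server?)"
    return classify_reply(reply, ident, req_auth, secret.encode())
```

With PAP, a server holding a different shared secret decodes a garbage password, so a secret mismatch usually shows up as "Connected OK, Bad Username or Password" rather than as a connection failure.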
