Using RADIUS Server for User Authentication

The security appliance can use RADIUS servers for user authentication for network access. The RADIUS server uses the Framed-Filter-ID attribute to store user and user group information, and checks the user’s credentials by using the Password Authentication Protocol (PAP) authentication scheme.

When a user authenticates, the security appliance verifies the user’s credentials through the RADIUS server. The RADIUS server returns the authentication results to the security appliance. For a valid RADIUS user, the security appliance checks its user group service policy from the local database and permits access. For an invalid RADIUS user, the security appliance blocks access.

 1. Click Users > User Authentication.

 2. Choose RADIUS as the authentication method.

 3. Click Configure to configure the RADIUS settings.

 4. In the Settings tab, choose the RADIUS group for authentication and configure the global timeout and retry settings.

 • Global RADIUS Settings: Specify the global timeout and retry settings for the selected RADIUS servers:

 – RADIUS Server Timeout: Enter the number of seconds that the connection can exist before re-authentication is required. The range is 1-60 seconds. The default value is 3 seconds.

 – Retries: Enter the number of times that the security appliance will try to contact the RADIUS server. The range is 0-10 attempts. The default value is 2.

The security appliance first sends a request message to the primary RADIUS server. If there is no response from the primary RADIUS server, the security appliance waits the number of seconds that you set in the RADIUS Server Timeout field, and then sends another request message. This continues for the number of times that you set in the Retries field (or until there is a valid response). If there is no valid response from the primary RADIUS server after the specified number of retries, the security appliance uses the secondary RADIUS server for the next authentication attempt. If the secondary server also fails to respond after the specified number of retries, the connection is dropped.

 • RADIUS Servers: Choose the RADIUS group index from the drop-down list. The RADIUS server settings of the selected group are displayed. You can edit these settings here, but the settings you specify will replace the default settings of the selected group. To maintain the RADIUS server settings, go to the Users > RADIUS Servers page. See Configuring RADIUS Servers.

 5. In the RADIUS Users tab, enter the following information:

 • Allow Only Users Listed Locally: Click On to allow only the RADIUS users who are also present in the local database to log in, or click Off to disable it.

 • Mechanism for Setting User Group Memberships for RADIUS Users: Select one of the following mechanisms to configure the user group memberships for RADIUS users:

 – Use RADIUS Filter-ID: Find the user group information by using the Framed-Filter-ID attribute from the RADIUS server.

For example, the RADIUS server has three user groups (Group1, Group2, and Group3) and the local database has two user groups (Group1 and Group2). The following table displays the user group membership settings.

Local Database Settings | RADIUS Server Settings
                        | User1 in Group1 | User1 in Group2 | User1 in Group3
------------------------+-----------------+-----------------+----------------
User1 in Group1         | Group1          | Group2          | Default Group
User1 in Group2         | Group1          | Group2          | Default Group
User1 does not exist    | Group1          | Group2          | Default Group

In the above table, if User1 on the RADIUS server belongs to Group1 but User1 in the local database belongs to Group2, then User1 will belong to Group1 after the user passes the RADIUS authentication. If User1 on the RADIUS server belongs to Group3 but the local database does not have Group3, then User1 will be set to the specified default group.

 – Local Configuration Only: Find the user group information from the local database only.

For example, the RADIUS server has three user groups (Group1, Group2, and Group3) and the local database has two user groups (Group1 and Group2). The following table displays the user group membership settings.

Local Database Settings | RADIUS Server Settings
                        | User1 in Group1 | User1 in Group2 | User1 in Group3
------------------------+-----------------+-----------------+----------------
User1 in Group1         | Group1          | Group1          | Group1
User1 in Group2         | Group2          | Group2          | Group2
User1 does not exist    | Default Group   | Default Group   | Default Group

In the above table, if User1 on the RADIUS server belongs to Group1 but User1 in the local database belongs to Group2, then User1 will belong to Group2 after the user passes the RADIUS authentication. If User1 does not exist in the local database, the user will be set to the specified default group.

 • Default User Group to Which All RADIUS Users Belong: Choose a local user group as the default group to which the RADIUS users belong. If the group does not exist in the local database when getting user group information from the RADIUS server, the RADIUS user will be automatically set to the specified local user group.

 6. In the Test tab, enter the user’s credentials in the User and Password fields, and then click the Test button to verify whether the RADIUS user is valid.

 7. Click OK to save your settings.

 8. Click Save to apply your settings.
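
The group-assignment rules from step 5, as an added example that is not the appliance's own code: it reads the Filter-Id attribute (type 11 in RFC 2865) from a constructed reply and applies either mechanism plus the Allow Only Users Listed Locally switch. The function names, the mechanism labels, the assumption that the Filter-Id value is the bare group name, and the fallback to the default group when no Filter-Id is present are all assumptions of this sketch.

```python
# Added example: models the group-assignment rules described in step 5.
# Assumptions: the Filter-Id value is the bare group name, and a reply
# without a Filter-Id falls back to the default group.
FILTER_ID = 11  # RFC 2865 attribute type for Filter-Id


def filter_ids(attrs: bytes) -> list:
    """Walk the type/length/value attributes of a RADIUS reply."""
    found, i = [], 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute")
        if atype == FILTER_ID:
            found.append(attrs[i + 2:i + alen].decode("utf-8"))
        i += alen
    if i != len(attrs):
        raise ValueError("trailing bytes after last attribute")
    return found


def resolve_group(user, attrs, local_users, local_groups, default_group,
                  mechanism, only_local=False):
    """Return the local group for an authenticated user, or None to block."""
    if only_local and user not in local_users:
        return None  # "Allow Only Users Listed Locally" is On
    if mechanism == "filter-id":
        for group in filter_ids(attrs):
            if group in local_groups:
                return group
        return default_group  # e.g. Group3 is not defined locally
    if mechanism == "local":
        return local_users.get(user, default_group)
    raise ValueError("unknown mechanism")


def tlv(atype: int, value: str) -> bytes:
    """Encode one attribute as type, length (header included), value."""
    data = value.encode()
    return bytes([atype, len(data) + 2]) + data


# Constructed sample: attributes of an Access-Accept (18 = Reply-Message).
SAMPLE = tlv(18, "welcome") + tlv(FILTER_ID, "Group3")
LOCAL_GROUPS = {"Group1", "Group2"}

if __name__ == "__main__":
    for mech in ("filter-id", "local"):
        print(mech, resolve_group("User1", SAMPLE, {"User1": "Group2"},
                                  LOCAL_GROUPS, "Default Group", mech))
```

Running it against each cell of the two tables is a quick way to confirm which local service policy a RADIUS user ends up with before changing the mechanism on a live appliance.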