Configure RADIUS Server Authentication
RADIUS (Remote Authentication Dial-In User Service) authenticates local and remote users on a company network. It is a client/server protocol: the RADIUS server keeps the authentication information for users, remote access servers, VPN gateways, and other resources in one central database, and devices such as the Firebox act as RADIUS clients that forward authentication requests to it.
For more information on RADIUS authentication, see How RADIUS Server Authentication Works.
Authentication Key
The authentication messages to and from the RADIUS server are protected by an authentication key, not by a user password. This authentication key, or shared secret, must be identical on the RADIUS client (the Firebox) and the RADIUS server. If the secrets differ, the server cannot decode the User-Password attribute in the request, and the device discards replies whose Response Authenticator does not verify, so no authentication can succeed. Because the shared secret is also the only key protecting user passwords on the wire (RADIUS traffic is not otherwise encrypted, see RFC 2865), use a long random secret, a different one for each RADIUS client, and keep the path between the Firebox and the RADIUS server on a trusted network.
RADIUS Authentication Methods
For web authentication and Mobile VPN with IPSec or SSL, RADIUS supports only PAP (Password Authentication Protocol). With PAP, the user password is sent to the RADIUS server protected only by the shared-secret obfuscation, not by a challenge-response exchange.
For authentication with L2TP, RADIUS supports only MSCHAPv2 (Microsoft Challenge-Handshake Authentication Protocol version 2).
For authentication with WPA Enterprise and WPA2 Enterprise authentication methods, RADIUS supports the EAP (Extensible Authentication Protocol) framework.
For Mobile VPN with IKEv2 authentication, RADIUS supports EAP-MSCHAPv2.
Before You Begin
Before you configure your Firebox to use your RADIUS authentication server, you must have this information:
- Primary RADIUS server — IP address and RADIUS port
- Secondary RADIUS server (optional) — IP address and RADIUS port
- Shared secret — Case-sensitive password that is the same on the device and the RADIUS server
- Authentication methods — Set your RADIUS server to allow the authentication method your device uses: PAP, MSCHAPv2, EAP-MSCHAPv2, WPA Enterprise, WPA2 Enterprise, or WPA/WPA2 Enterprise
Use RADIUS Server Authentication with Your Device
To use RADIUS server authentication with your Firebox, you must:
- Add the IP address of the Firebox to the RADIUS server as a RADIUS client, with the same shared secret, as described in the documentation from your RADIUS vendor.
- Enable and specify the RADIUS server in your Firebox configuration.
- Add RADIUS user names or group names to your policies.
Fireware Web UI
1. Select Authentication > Servers.
The Authentication Servers page appears.
2. From the Server list, select RADIUS.
The RADIUS server settings appear.
3. Select the Enable RADIUS Server check box.
4. In the IP Address text box, type the IP address of the RADIUS server.
5. In the Port text box, make sure that the port number RADIUS uses for authentication appears.
The default port number is 1812. Older RADIUS servers might use port 1645.
6. In the Passphrase text box, type the shared secret between the device and the RADIUS server.
The shared secret is case-sensitive, and it must be the same on the device and the RADIUS server. The shared secret cannot consist only of space characters.
7. In the Confirm text box, type the shared secret again.
8. Type or select the Timeout value.
The timeout value is the amount of time the device waits for a response from the authentication server before it tries to connect again.
9. In the Retries text box, type the number of times the device tries to connect to the authentication server (each attempt waits for the Timeout specified in Step 8) before it reports a failed connection for one authentication attempt.
10. In the Group Attribute text box, type an attribute value. The default group attribute is FilterID, which is RADIUS attribute 11 (Filter-Id).
The group attribute specifies which RADIUS attribute carries the user group information. You must configure the RADIUS server to include the Filter-Id string, for example engineerGroup or financeGroup, in the Access-Accept message it sends to the device. The device matches the Filter-Id string to a group name configured in the device policies and uses that group for access control.
11. In the Dead Time text box, type the amount of time after which an inactive server is marked as active again. To change the unit, from the drop-down list, select Minutes or Hours.
After an authentication server has not responded for a period of time, it is marked as inactive. Additional authentication attempts do not try this server until it is marked as active again.
12. To add a backup RADIUS server, in the Secondary Server Settings section, select the Enable Secondary RADIUS Server check box.
13. Repeat Steps 4–11 to configure the backup server. Make sure the shared secret is the same on the primary and backup RADIUS server.
For more information, see Use a Backup Authentication Server.
14. Click Save.
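The shared secret and the Filter-Id group attribute configured above are easier to reason about when you see the packets they protect and carry. The following Python model of one RADIUS PAP exchange (RFC 2865) is an added example, not WatchGuard code: a Firebox-style client builds an Access-Request with a PAP-obfuscated User-Password, a constructed server checks it against a made-up user store and answers with an Access-Accept carrying Filter-Id (attribute 11), and the client verifies the Response Authenticator with its own copy of the secret. The user name, password, group name, NAS address and secrets are constructed sample values.

```python
"""Constructed RADIUS PAP exchange (RFC 2865): a Firebox-style client sends an
Access-Request and the server replies with Access-Accept carrying Filter-Id (11).
Example code, not WatchGuard's implementation; users and secrets are made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11
RADIUS_AUTH_PORT = 1812  # default; legacy servers listen on 1645

# Constructed server-side user store: password, and the group the server returns
# in Filter-Id, which the device matches against the group names in its policies.
USERS = {b"alice": (b"correct horse", b"engineerGroup")}


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: type(1) length(1) value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse TLVs back into a list of (type, value); reject malformed lengths."""
    attrs = []
    while data:
        t, length = data[0], data[1]
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs


def pap_obfuscate(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret + c_(i-1)),
    with c_0 = Request Authenticator. This hides but does not encrypt the password."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_reveal(ciphertext, secret, request_auth):
    """Inverse of pap_obfuscate; strips the NUL padding (per the RFC, passwords
    ending in NUL bytes are not representable)."""
    out, prev = b"", request_auth
    for i in range(0, len(ciphertext), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = ciphertext[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\x00")


def build_access_request(username, password, secret, identifier=1):
    """Client side: fresh random Request Authenticator for every request."""
    request_auth = os.urandom(16)
    attrs = encode_attrs([
        (USER_NAME, username),
        (USER_PASSWORD, pap_obfuscate(password, secret, request_auth)),
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 1])),  # constructed Firebox address
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def server_handle(packet, secret):
    """Server side: reveal the PAP password, look the user up, and sign the reply:
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    user = attrs.get(USER_NAME)
    password = pap_reveal(attrs[USER_PASSWORD], secret, request_auth)
    if user in USERS and hmac.compare_digest(password, USERS[user][0]):
        code, reply_attrs = ACCESS_ACCEPT, encode_attrs([(FILTER_ID, USERS[user][1])])
    else:
        code, reply_attrs = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, identifier, 20 + len(reply_attrs))
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs


def client_verify(reply, request_auth, secret):
    """Client side: a reply whose authenticator does not verify under our secret is
    dropped, which is why a mismatched shared secret means no authentication at all."""
    header, response_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    group = dict(decode_attrs(attrs)).get(FILTER_ID)
    return header[0], group


def authenticate(username, password, client_secret, server_secret):
    """Run the whole exchange in-process; returns (reply code, Filter-Id group or None)."""
    request, request_auth = build_access_request(username, password, client_secret)
    reply = server_handle(request, server_secret)
    return client_verify(reply, request_auth, client_secret)


if __name__ == "__main__":
    print(authenticate(b"alice", b"correct horse", b"s3cret", b"s3cret"))
```

Running the exchange with the same secret on both sides returns code 2 (Access-Accept) and the group `engineerGroup`; a wrong password returns code 3 (Access-Reject) with no group; and a client secret that differs from the server's fails Response Authenticator verification before any group is read. Note that the password never appears in clear text in the request, but the obfuscation is keyed only by the shared secret, which is why the secret's strength matters.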
Policy Manager
1. Click the toolbar icon, or select Setup > Authentication > Authentication Servers.
The Authentication Servers dialog box appears.
2. Select the RADIUS tab.
3. Select the Enable RADIUS server check box.
4. In the IP Address text box, type the IP address of the RADIUS server.
5. In the Port text box, make sure that the port number RADIUS uses for authentication appears.
The default port number is 1812. Older RADIUS servers might use port 1645.
6. In the Secret text box, type the shared secret between the device and the RADIUS server.
The shared secret is case-sensitive, and it must be the same on the device and the RADIUS server. The shared secret cannot consist only of space characters.
7. In the Confirm Secret text box, type the shared secret again.
8. Type or select the Timeout value.
The timeout value is the amount of time the device waits for a response from the authentication server before it tries to connect again.
9. In the Retries text box, type or select the number of times the device tries to connect to the authentication server (each attempt waits for the Timeout specified in Step 8) before it reports a failed connection for one authentication attempt.
10. In the Group Attribute text box, type or select an attribute value. The default group attribute is FilterID, which is RADIUS attribute 11 (Filter-Id).
The group attribute specifies which RADIUS attribute carries the user group information. You must configure the RADIUS server to include the Filter-Id string, for example engineerGroup or financeGroup, in the Access-Accept message it sends to the device. The device matches the Filter-Id string to a group name configured in the device policies and uses that group for access control.
11. In the Dead Time text box, type or select the amount of time after which an inactive server is marked as active again. To change the unit, from the drop-down list, select minutes or hours.
After an authentication server has not responded for a period of time, it is marked as inactive. Additional authentication attempts do not try this server until it is marked as active again.
12. To add a backup RADIUS server, select the Backup Server Settings tab, and select the Enable a backup RADIUS server check box.
13. Repeat Steps 4–11 to configure the backup server. Make sure the shared secret is the same on the primary and backup RADIUS server.
For more information, see Use a Backup Authentication Server.
14. Click OK.
15. Save the Configuration File.
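The Timeout, Retries and Dead Time settings in both procedures above interact: the worst-case delay a user sees is roughly Timeout multiplied by Retries for every server that is tried and does not answer, and Dead Time decides how long an unresponsive server is skipped before it is tried again. The following Python model is an added example, not Firebox firmware, and it assumes the simplest reading of the settings (Retries counts the total attempts against one server, the primary is always tried first, and the clock only advances while waiting on an unanswered attempt); the server names and the fake transport are constructed.

```python
"""Constructed model of the Timeout / Retries / Dead Time failover behaviour of a
RADIUS client with a primary and a secondary server. Example code, not Firebox
firmware; the exact retry semantics are an assumption made for illustration."""


class RadiusServer:
    def __init__(self, name):
        self.name = name
        self.dead_until = 0.0   # simulated clock time at which the server is tried again


class RadiusClient:
    def __init__(self, servers, timeout, retries, dead_time):
        self.servers = servers          # primary first, then the optional secondary
        self.timeout = timeout          # seconds to wait for one reply
        self.retries = retries          # attempts per server for one authentication
        self.dead_time = dead_time      # seconds an unresponsive server is skipped
        self.clock = 0.0                # simulated wall clock, in seconds
        self.log = []

    def worst_case_wait(self):
        """Longest time one authentication can take if every live server is silent."""
        live = [s for s in self.servers if self.clock >= s.dead_until]
        return self.timeout * self.retries * len(live)

    def authenticate(self, send):
        """send(server) returns a reply, or None when nothing arrives within timeout."""
        for server in self.servers:
            if self.clock < server.dead_until:
                self.log.append(f"skip {server.name}: marked dead until t={server.dead_until:g}")
                continue
            for attempt in range(1, self.retries + 1):
                reply = send(server)
                if reply is not None:
                    return reply
                self.clock += self.timeout      # an unanswered attempt costs a full timeout
                self.log.append(f"{server.name}: attempt {attempt} timed out at t={self.clock:g}")
            # Retries exhausted: report the failed connection and mark the server dead.
            server.dead_until = self.clock + self.dead_time
            self.log.append(f"{server.name}: marked dead until t={server.dead_until:g}")
        raise TimeoutError("no RADIUS server responded")


if __name__ == "__main__":
    primary, secondary = RadiusServer("primary"), RadiusServer("secondary")
    client = RadiusClient([primary, secondary], timeout=5, retries=3, dead_time=600)
    # Constructed transport: the primary is down, the secondary always accepts.
    transport = lambda server: "Access-Accept" if server is secondary else None
    print(client.authenticate(transport), client.log)
    print(client.authenticate(transport), client.log[-1])
```

With a 5 second timeout and 3 retries, the first login against a silent primary waits 15 seconds before the secondary answers; the primary is then skipped for the 600 second dead time, so the next login is served by the secondary with no added delay. When sizing these values, keep the worst case (every live server silent) inside the timeout of the VPN or wireless client that is waiting on the result.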
See Also
About Third-Party Authentication Servers
Use Users and Groups in Policies
WPA/WPA2 Enterprise Authentication with RADIUS
RADIUS Authentication with Active Directory For Mobile VPN Users