The Advanced Authentication server provides a built-in RADIUS server that can authenticate any RADIUS client using one of the chains configured for the event.
The built-in RADIUS server supports only the PAP method.
The RADIUS server supports the following authentication methods:, , , , , , , , , , and methods.
By design, Advanced Authentication does not support single-factor authentication with the , , , , , and methods for RADIUS. These methods cannot be the first or the only method in a chain. It is recommended to use them as the second factor in a two-factor chain with the method.
To configure the pre-defined RADIUS Server event, perform the following steps:
Click next to the event.
Ensure that is set to .
Select the chains that you want to assign to the event.
Click to add and assign a RADIUS Client to the event:
Specify the IP address of the RADIUS Client in .
Specify the RADIUS Client name in .
Specify the RADIUS Client secret and confirm the secret.
Ensure that the RADIUS Client is set to .
Click next to the RADIUS Client.
Add more RADIUS Clients if required.
Set to to enable the RADIUS server to return all the groups of a user in the filter-id attribute in an authentication response to the RADIUS Client.
By default, the option is set to and the RADIUS server does not return the filter-id attribute in the authentication response.
Specify the preferred user groups in to allow the RADIUS server to return only the specified groups of a user in the filter-id attribute to the RADIUS Client.
If you set to and is empty, all the groups of a user are returned in the filter-id attribute.
You can specify any attribute you want to return instead of the Filter-ID attribute in . For example, you can specify the class attribute in and the class attribute will be returned instead of the Filter-Id attribute. By default, the Filter-Id attribute is returned in an authentication response to the RADIUS Client.
NOTE: It is recommended to enable the option and specify the preferred user groups, because in large environments a user can be a member of many groups and the list of all groups returned by the RADIUS server can be large. Otherwise, the RADIUS response can exceed the maximum size of a RADIUS packet.
(Optional) Specify while adding a custom RADIUS server event. You must use the same NAS ID on the configured RADIUS clients to associate them with the custom RADIUS server event.
Set to if you want to allow users who are locked out in the repository to authenticate on Advanced Authentication. By default, is set to , and users locked out in the repository are not allowed to authenticate.
IMPORTANT: If you use more than one chain with the RADIUS server, follow one of these approaches:
Each chain assigned to the RADIUS event may be assigned to a different LDAP group. For example, chain is assigned to a users group, and chain is assigned to a HOTP users group. If a RADIUS user is a member of both groups, the top group is used.
By default, the top chain specified in the event in which all the methods are enrolled is used. However, you can authenticate with RADIUS using another chain from the list by specifying <username>&<chain shortname> in . For example, pjones&sms. Ensure that you have specified the short names for the chains. Some RADIUS clients, such as FortiGate, do not support this option.
NOTE: If you use the LDAP Password+Smartphone chain, you can use offline authentication by specifying the password in the format <LDAP Password>&<Smartphone OTP>. For example, Q1w2e3r4&512385. This option is supported for LDAP Password+OATH TOTP, Password+Smartphone, Password+OATH TOTP, and Password+OATH HOTP.
When you want to add multiple RADIUS clients, you can add them to the predefined RADIUS Server event, but all the RADIUS clients will then use the same authentication chain(s). If you want to configure specific authentication chain(s) for different RADIUS clients, you must create a custom RADIUS event. While adding the custom RADIUS event, ensure that you specify the NAS ID, which is essential for associating clients with the custom RADIUS event.
For more information about the custom RADIUS event, see Creating a RADIUS Event.
NOTE: If the RADIUS log files are flooded with records containing the error Discarding duplicate request from client, you can increase the timeout on the RADIUS Client. The optimal timeout value must be determined by experimenting; it must not exceed 60 seconds.
You can customize the prompt messages of the authentication methods that are configured for the RADIUS event. The customized prompt messages are displayed when a user initiates authentication to the RADIUS event using the configured methods.
For more information about customizing prompt message for RADIUS event, see Customizing Prompt Messages of the Authentication Methods for RADIUS Event.
If you have configured a multi-factor chain such as LDAP Password&SMS OTP or any other combination chain, some users (during the authentication) might not be able to specify the <Password>&<OTP> in a single line (because of the Password length limit in RADIUS). In this case, you can configure the existing RADIUS Client by performing the following steps:
Specify an LDAP password in and send the authentication request.
Advanced Authentication server returns the access-challenge response with State=<some value> (example: State=WWKNNLTTBxP6QYfiZIpvscyt7RYrYsGag4h8s0Rh8R) and Reply-Message=SMS OTP. You will receive an SMS with a one-time password on the registered mobile.
Specify the OTP in and add an additional RADIUS attribute with State=<value>, where value is the value obtained in step 1.
Send the authentication request.
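As an added example (not code from the Advanced Authentication documentation or product), the two-request exchange above built as raw RFC 2865 packets in Python: a PAP-hidden User-Password, the State attribute echoed back from the Access-Challenge, and a parser that also collects the repeated Filter-Id values discussed in the group-return settings earlier. The shared secret, user name and sample challenge are constructed placeholders; sending the packets over UDP to the server is left to the caller.

```python
import hashlib, os, struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, USER_PASSWORD, FILTER_ID, REPLY_MESSAGE, STATE = 1, 2, 11, 18, 24

def pap_hide(secret, authenticator, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def attr(t, value):
    """Type-Length-Value attribute; the length byte counts the two header bytes."""
    return struct.pack("!BB", t, len(value) + 2) + value

def packet(code, ident, authenticator, body):
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def build_access_request(secret, ident, username, password, state=None):
    """Request 1 carries the LDAP password (or the single-line 'password&otp' form); request 2 the OTP plus State."""
    auth = os.urandom(16)  # fresh Request Authenticator per request, as the RFC requires
    body = attr(USER_NAME, username.encode()) + attr(USER_PASSWORD, pap_hide(secret, auth, password.encode()))
    if state is not None:
        body += attr(STATE, state)
    return packet(ACCESS_REQUEST, ident, auth, body)

def parse_attributes(pkt):
    """Return (code, {type: [values]}); Filter-Id repeats once per group the server returns."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(t, []).append(pkt[pos + 2:pos + l])
        pos += l
    return code, attrs

def answer_challenge(secret, challenge, username, otp):
    """Second Access-Request of the flow above: OTP as User-Password, State echoed unchanged."""
    code, attrs = parse_attributes(challenge)
    if code != ACCESS_CHALLENGE or STATE not in attrs:
        raise ValueError("not an Access-Challenge carrying a State attribute")
    return build_access_request(secret, 2, username, otp, state=attrs[STATE][0])

# Constructed Access-Challenge shaped like the reply quoted above (not a real capture).
SAMPLE_CHALLENGE = packet(ACCESS_CHALLENGE, 1, bytes(16),
                          attr(STATE, b"WWKNNLTTBxP6QYfiZIpvscyt7RYrYsGag4h8s0Rh8R") + attr(REPLY_MESSAGE, b"SMS OTP"))
```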
The following are examples of integration with a RADIUS Server: