11.2.5 Creating a RADIUS Event

When you want to add multiple RADIUS clients, you can add them to the predefined RADIUS Server event. But all the RADIUS clients will use the same authentication chain(s). If you want to configure specific authentication chain(s) for different RADIUS clients, then you must create a custom RADIUS event. To add a custom RADIUS event, perform the following steps:

  1. Click Events > New Event.

  2. Specify a name for the event.

  3. Ensure that Is enabled is set to ON.

  4. Select RADIUS from Event Type.

  5. Select the chains that you want to assign to the event.

  6. (Conditional) In Risk Policy, select the policy that you want to assign to this event for assessing the risk associated with a login attempt.

  7. (Conditional) Click Create New Policy to create a new risk policy for this event.

    Clicking this option opens the Risk Settings page.

    IMPORTANT: The Risk Policy and Create New Policy options are available when you enable Risk Settings. For more information, see Section III, Configuring Risk Settings.

  8. Set Logon with Expired Password with one of the following options based on your requirement:

    • Allow: Select this option to allow users to log in to the event with the expired LDAP password.

    • Ask to change: If the password has expired, this option prompts users to change it during logon. Changing the LDAP password is supported only for Active Directory repositories. However, the LDAP password change in Advanced Authentication is not allowed when the LDAP Servers in the Repository settings are configured with port 389; the LDAP server rejects the new password.

    • Deny: Select this option to deny access to the event with the expired LDAP password. When the access is denied, the following message is displayed to users:

      You must change your password to logon.

  9. Set Bypass user lockout in repository to ON if you want to allow users who are locked in the repository to authenticate to Advanced Authentication. By default, Bypass user lockout in repository is set to OFF, and users who are locked in the repository are not allowed to authenticate.

  10. Set Return groups on logon to ON if you want to retrieve the group details of users who authenticated to the event in the authentication response.

    With Return groups on logon set to ON, if Groups is empty, all the groups that the users are associated with are returned in the response. To return only specific groups, specify the preferred groups in Groups.

    According to the RFC, the RADIUS protocol has a 4KB limit on response size. The authentication response might exceed this limit if a user is a member of several groups. Therefore, it is recommended to use Groups to limit the groups in the response.

    By default, Return groups on logon is set to OFF, and the groups of users authenticated to the event are not returned in the response.
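    As an added example (not code from the Advanced Authentication documentation or product), the following Python snippet estimates whether an Access-Accept carrying one attribute per group name would exceed the 4096-octet RADIUS packet limit (RFC 2865), which helps decide which groups to list in Groups. It assumes group names are returned one per Filter-Id attribute (type 11); the attribute the product actually uses is not stated on this page.

```python
# Added example, not from the Advanced Authentication documentation.
# Estimates the size of a RADIUS Access-Accept that carries one attribute per
# group and checks it against the 4096-octet maximum packet length (RFC 2865, section 3).
# Assumption: groups are returned one per Filter-Id attribute (type 11); the
# real product attribute is not stated on the page.
import struct

RADIUS_MAX_PACKET = 4096   # octets, RFC 2865 section 3
RADIUS_HEADER_LEN = 20     # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
ATTR_MAX_VALUE = 253       # 255 - Type(1) - Length(1)
GROUP_ATTR_TYPE = 11       # assumed: Filter-Id


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type / Length / Value (RFC 2865, section 5)."""
    if not 0 < len(value) <= ATTR_MAX_VALUE:
        raise ValueError(f"attribute value must be 1..{ATTR_MAX_VALUE} octets, got {len(value)}")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def access_accept_size(groups: list[str], base_attrs: bytes = b"") -> int:
    """Length an Access-Accept would have with one group attribute per group,
    on top of any other attributes already in the response (base_attrs)."""
    body = base_attrs + b"".join(
        encode_attribute(GROUP_ATTR_TYPE, g.encode("utf-8")) for g in groups)
    return RADIUS_HEADER_LEN + len(body)


def groups_that_fit(groups: list[str], base_attrs: bytes = b"") -> list[str]:
    """Longest prefix of `groups` whose response stays within the 4096-octet limit."""
    size = RADIUS_HEADER_LEN + len(base_attrs)
    kept = []
    for g in groups:
        size += 2 + len(g.encode("utf-8"))   # Type + Length + Value
        if size > RADIUS_MAX_PACKET:
            break
        kept.append(g)
    return kept


def check_group_response(groups: list[str], base_attrs: bytes = b"") -> dict:
    """Report the estimated size, whether it fits, and by how many octets it overflows."""
    size = access_accept_size(groups, base_attrs)
    return {"size": size, "fits": size <= RADIUS_MAX_PACKET,
            "overflow": max(0, size - RADIUS_MAX_PACKET)}


if __name__ == "__main__":
    # Constructed sample: a user who is a member of 120 AD groups with DN-style names.
    many = [f"CN=App-{i:03d}-Users,OU=Groups,DC=example,DC=com" for i in range(120)]
    print(check_group_response(many))        # {'size': 5540, 'fits': False, 'overflow': 1444}
    print(len(groups_that_fit(many)))        # 88
```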

  11. Select the Allow to logon to this event by shared authenticator option to allow users to log in using shared authenticators. By default, this option is disabled for the Authenticators Management, Helpdesk, Helpdesk User, AdminUI, Search Card, Token Management, and Report Logon events, and enabled for all the other events.

  12. Configure Input Rule

  13. Configure Chain Selection Rule

  14. Configure Result Specification Rule

    You can configure the above RADIUS rules in RADIUS Options policy also. For more information about configuring the RADIUS rules in RADIUS Options Policy, see RADIUS Options.

    The rules configured in the RADIUS Options policy are called Global level rules, and the rules configured in a RADIUS event are called Event level rules. All the RADIUS rules are executed in the following order:

    1. Input rule configured in Global level rules.

    2. Event Selection rule configured in Global level rules.

    3. Input rule configured in Event level rules.

    4. Chain selection rule configured in Event level rules.

    5. Chain selection rule configured in Global level rules (if no chain in Event level rules).

    6. Authenticate the user.

    7. Result specification configured in Global level rules.

    8. Result specification configured in Event level rules.

  15. Click Save.