
Configure RADIUS Server Authentication

RADIUS (Remote Authentication Dial-In User Service) authenticates the local and remote users on a company network. RADIUS is a client/server system that keeps the authentication information for users, remote access servers, VPN gateways, and other resources in one central database.

For more information on RADIUS authentication, see How RADIUS Server Authentication Works.

Authentication Key

The authentication messages to and from the RADIUS server use an authentication key, not a password. This authentication key, or shared secret, must be the same on the RADIUS client and server. Without this key, there is no communication between the client and server.

RADIUS Authentication Methods

For web and Mobile VPN with IPSec or SSL authentication, RADIUS supports only PAP (Password Authentication Protocol) authentication.

For authentication with PPTP, RADIUS supports only MSCHAPv2 (Microsoft Challenge-Handshake Authentication Protocol version 2).

Before You Begin

Before you configure your Firebox or XTM device to use your RADIUS authentication server, you must have this information:

Use RADIUS Server Authentication with Your Firebox or XTM Device

To use RADIUS server authentication with your Firebox or XTM device, you must:

To enable and specify the RADIUS server(s) in your configuration:

From Policy Manager:

  1. Click the Authentication Servers icon.
    Or, select Setup > Authentication > Authentication Servers.
    The Authentication Servers dialog box appears.
  2. Select the RADIUS tab.

screenshot of Authentication Servers dialog box

  3. To enable the RADIUS server, select the Enable RADIUS server check box.
  4. In the IP Address text box, type the IP address of the RADIUS server.
  5. In the Port text box, make sure that the port number RADIUS uses for authentication appears. The default port number is 1812. Older RADIUS servers might use port 1645.
  6. In the Secret text box, type the shared secret between the Firebox or XTM device and the RADIUS server.
    The shared secret is case-sensitive, and it must be the same on the Firebox or XTM device and the RADIUS server.
  7. In the Confirm Secret text box, type the shared secret again.
  8. Type or select the Timeout value.

The timeout value is the amount of time the Firebox or XTM device waits for a response from the authentication server before it tries to connect again.

  9. In the Retries text box, type or select the number of times the Firebox or XTM device tries to connect to the authentication server (the timeout is specified above) before it reports a failed connection for one authentication attempt.
  10. In the Group Attribute text box, type or select an attribute value. The default group attribute is FilterID, which is RADIUS attribute 11.

The group attribute setting selects the RADIUS attribute that carries the user group information. You must configure the RADIUS server to include the Filter ID string with the user authentication message it sends to the Firebox or XTM device; typical values are engineerGroup or financeGroup. This information is then used for access control: the Firebox or XTM device matches the FilterID string to the group name configured in the Firebox or XTM device policies.

  11. In the Dead Time text box, type or select the amount of time after which an inactive server is marked as active again. Select minutes or hours from the drop-down list to change the duration.

After an authentication server has not responded for a period of time, it is marked as inactive. Subsequent authentication attempts will not try this server until it is marked as active again.

  12. To add a backup RADIUS server, select the Secondary Server Settings tab, and select the Enable a secondary RADIUS server check box.
  13. Repeat Steps 4–11 to add the information in the required fields. Make sure the shared secret is the same on the primary and backup RADIUS server.

For more information, see Use a Backup Authentication Server.

  14. Click OK.
  15. Save the Configuration File.
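As an added example (not WatchGuard's code and not from this page), the Python below builds the RFC 2865 messages behind the settings above: a PAP Access-Request whose User-Password is hidden with the shared secret, and an Access-Accept whose Filter-Id (attribute 11) carries the group name that the device matches against its policies. The client-side check at the end shows why a mismatched shared secret leaves the device with no usable reply. The secret, user name and group values are constructed samples.

```python
import hashlib
import os
import struct
# RFC 2865 codes and attribute types; Filter-Id (11) is the page's default group attribute.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11

def pap_hide(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide a PAP User-Password (RFC 2865 5.2): XOR each 16-byte chunk with
    MD5(secret + previous block); the first block is keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, 2 + len(value)) + value  # type-length-value

def parse_attrs(data: bytes) -> dict:
    """Split the attribute region into {type: [value, ...]}."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        kind, length = data[i], data[i + 1]
        attrs.setdefault(kind, []).append(data[i + 2:i + length])
        i += max(length, 2)  # a zero length would never advance
    return attrs

def build_access_request(ident, user, password, secret, request_auth=None):
    """Client side: the Access-Request a PAP login (web or Mobile VPN) produces."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(USER_NAME, user.encode()) + attr(
        USER_PASSWORD, pap_hide(password.encode(), secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def build_access_accept(ident, request_auth, secret, group):
    """Server side: an Access-Accept whose Filter-Id names the user's group."""
    attrs = attr(FILTER_ID, group.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def accepted_groups(response, request_auth, secret):
    """Client side: check the Response Authenticator with the shared secret and
    return the Filter-Id values; a mismatched secret (or a non-Accept) yields None."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    if response[0] != ACCESS_ACCEPT or response[4:20] != expected:
        return None
    return [v.decode() for v in parse_attrs(response[20:]).get(FILTER_ID, [])]
```

The same Response Authenticator check is what rejects a reply from a backup server configured with a different secret, which is why Step 13 requires the secret to match on both servers.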

See Also

About Using Third-Party Authentication Servers

Use Authorized Users and Groups in Policies
