Configure RADIUS Server Authentication

RADIUS (Remote Authentication Dial-In User Service) authenticates the local and remote users on a company network. RADIUS is a client/server system that keeps the authentication information for users, remote access servers, VPN gateways, and other resources in one central database.

With Fireware v12.5, you can configure more than one RADIUS server. With this change, you can no longer configure a separate SecurID server. Instead, you must configure a RADIUS server and enable SecurID for that server.

For more information on RADIUS authentication, see How RADIUS Server Authentication Works.

Authentication Key

The authentication messages to and from the RADIUS server use an authentication key, not a password. This authentication key, or shared secret, must be the same on the RADIUS client and server. Without this key, there is no communication between the client and server.

RADIUS Authentication Methods

For web and Mobile VPN with IPSec or SSL authentication, RADIUS supports only PAP (Password Authentication Protocol) authentication.

For authentication with L2TP, RADIUS supports only MSCHAPv2 (Microsoft Challenge-Handshake Authentication Protocol version 2).

For the WPA Enterprise and WPA2 Enterprise authentication methods, RADIUS supports the EAP (Extensible Authentication Protocol) framework.

For Mobile VPN with IKEv2 authentication, RADIUS supports EAP-MSCHAPv2.

RADIUS and Multi-Factor Authentication

You can use RADIUS server authentication with multi-factor authentication (MFA).

If a user does not respond to an MFA challenge, the Firebox marks the RADIUS server as dead for the Dead Time duration. The Firebox does not send authentication requests for other users to the RADIUS server during this time. To avoid this issue, we recommend that you change the default Dead Time value in the Firebox RADIUS settings:

  • If you configure only a primary RADIUS server, specify a Dead Time of 0 minutes.
  • If you also configure a backup RADIUS server, specify a Dead Time of 1 minute.

Before You Begin

Before you configure your Firebox to use your RADIUS authentication server, you must have this information for each RADIUS server you want to configure:

  • Primary RADIUS server — IP address and RADIUS port
  • Secondary RADIUS server (optional) — IP address and RADIUS port
  • Shared secret — Case-sensitive password that is the same on the device and the RADIUS server
  • Authentication methods — Set your RADIUS server to allow the authentication method your device uses: PAP, MS CHAP v2, WPA Enterprise, WPA2 Enterprise, or WPA/WPA2 Enterprise

Use RADIUS Server Authentication with Your Device

To use RADIUS server authentication with your Firebox, you must:

  • Add the IP address of the Firebox to the RADIUS server as described in the documentation from your RADIUS vendor.
  • Enable and specify the RADIUS server in your Firebox configuration.
  • Add RADIUS user names or group names to your policies.

With Fireware v12.5, you can add multiple RADIUS servers. If you use SecurID, you enable it on the RADIUS server instead of in a separate SecurID configuration.

See Also

About Third-Party Authentication Servers

Use Users and Groups in Policies

WPA/WPA2 Enterprise Authentication with RADIUS

RADIUS Authentication with Active Directory For Mobile VPN Users
