When you add an authentication domain you specify one authentication server. If your authentication domain has multiple authentication servers, you can add the other servers to the authentication domain in WatchGuard Cloud.
If you change the configured servers for an authentication domain, it could affect devices or services that use the authentication domain.
For each authentication server, the settings control how cloud-managed devices can connect to the server for user authentication.
Add a Server
To add a server to an authentication domain, from WatchGuard Cloud:
- If you are a Service Provider, select the name of the managed subscriber account.
- Select Configure > Authentication Domains.
The Authentication Domains page opens.
- Click the domain name to edit.
- Select the Servers tab.
- Click Add Server.
- Select the server type.
- Configure the settings for the selected server type.
Configure RADIUS Server Settings
To configure settings for a RADIUS server:
- In the Add servers settings, select RADIUS.
- From the RADIUS Server Type drop-down list, select RADIUS Authentication Server.
For access points, you can also add a RADIUS Accounting Server. A RADIUS accounting server monitors RADIUS traffic and collects data about client sessions, such as when sessions begin and end. Make sure you add a RADIUS authentication server to the authentication domain before you add a RADIUS accounting server. In many deployments, the Authentication and Accounting services are on the same RADIUS server and run on different ports.
- From the Type drop-down list, select the Host IPv4 or Host IPv6 IP address type.
- In the IP Address text box, type the IP address of the RADIUS server.
- In the Port text box, type the port number RADIUS uses for authentication. Most RADIUS servers use port 1812 by default (older RADIUS servers might use port 1645). Most RADIUS accounting servers use port 1813.
- In the Shared secret text box, type the shared secret for connections to the RADIUS server.
- In the Confirm shared secret text box, type the shared secret again.
- Click Save.
Make sure your RADIUS server is also configured to accept connections from each cloud-managed Firebox or access point as a RADIUS client.
Additional RADIUS Server Options
After you have configured and saved your RADIUS server basic settings, you can also configure these additional options:
- Timeout (Seconds) — In the Timeout text box, type a value in seconds. The timeout value is the amount of time the device waits for a response from the authentication server before it tries to connect again. The default value is 10 seconds.
- Retries — In the Retries text box, type the number of times the device tries to connect to the RADIUS server before it reports a failed connection for one authentication attempt. The default value is 3.
- Dead Time — In the Dead Time text box, type the amount of time after which an inactive server is marked as active again. The default value is 10 minutes.
- Group Attribute — In the Group Attribute text box, type a value for the group attribute for the RADIUS server to retrieve group membership for users. The group the user is a member of is returned in the RADIUS FilterID attribute. This default RADIUS group attribute is 11.
- Interim Accounting Interval (Seconds) — In the Interim Accounting Interval text box, type the number of seconds between updates sent to a RADIUS accounting server. The default is 600 seconds (10 minutes).
For more information, see:
Configure Active Directory Server Settings
To configure settings for an Active Directory server:
- In the Add servers settings, select Active Directory.
- In the Server Address text box, type the domain name or IP address of your Active Directory server.
- (Optional) To enable secure SSL connections to your Active Directory server, select Enable secure SSL connections to your Active Directory Server (LDAPS).
- Click Save.