Configure RADIUS Server Authentication
RADIUS (Remote Authentication Dial-In User Service) authenticates the local and remote users on a company network. RADIUS is a client/server system that keeps the authentication information for users, remote access servers, VPN gateways, and other resources in one central database.
For more information on RADIUS authentication, see How RADIUS Server Authentication Works.
The authentication messages to and from the RADIUS server use an authentication key, not a password. This authentication key, or shared secret, must be the same on the RADIUS client and server. Without this key, there is no communication between the client and server.
RADIUS Authentication Methods
For web and Mobile VPN with IPSec or SSL authentication, RADIUS supports only PAP (Password Authentication Protocol) authentication.
For authentication with L2TP or PPTP, RADIUS supports only MSCHAPv2 (Microsoft Challenge-Handshake Authentication Protocol version 2).
For authentication with WPA Enterprise and WPA2 Enterprise authentication methods, RADIUS supports the EAP (Extensible Authentication Protocol) framework.
Before You Begin
Before you configure your XTM device to use your RADIUS authentication server, you must have this information:
- Primary RADIUS server — IP address and RADIUS port
- Secondary RADIUS server (optional) — IP address and RADIUS port
- Shared secret — Case-sensitive password that is the same on the XTM device and the RADIUS server
- Authentication methods — Set your RADIUS server to allow the authentication method your XTM device uses: PAP, MSCHAPv2, WPA Enterprise, WPA2 Enterprise, or WPA/WPA2 Enterprise
Use RADIUS Server Authentication with Your XTM Device
To use RADIUS server authentication with your XTM device, you must:
- Add the IP address of the XTM device to the RADIUS server as described in the documentation from your RADIUS vendor.
- Enable and specify the RADIUS server in your XTM device configuration.
- Add RADIUS user names or group names to your policies.
To enable and specify the RADIUS server(s) in your configuration, from Fireware XTM Web UI:
- Select Authentication > Servers.
The Authentication Servers page appears.
- From the Server list, select RADIUS.
The RADIUS server settings appear.
- Select the Enable RADIUS Server check box.
- In the IP Address text box, type the IP address of the RADIUS server.
- In the Port text box, make sure that the port number RADIUS uses for authentication appears.
The default port number is 1812. Older RADIUS servers might use port 1645.
- In the Passphrase text box, type the shared secret between the XTM device and the RADIUS server.
The shared secret is case-sensitive, and it must be the same on the XTM device and the RADIUS server.
- In the Confirm text box, type the shared secret again.
- Type or select the Timeout value.
The timeout value is the amount of time the XTM device waits for a response from the authentication server before it tries to connect again.
- In the Retries text box, type the number of times the XTM device tries to connect to the authentication server (the timeout is specified above) before it reports a failed connection for one authentication attempt.
- In the Group Attribute text box, type an attribute value. The default group attribute is FilterID, which is RADIUS attribute 11.
The group attribute value sets the attribute that carries the User Group information. You must configure the RADIUS server to include the FilterID string (for example, engineerGroup or financeGroup) in the user authentication message it sends to the XTM device. The XTM device then uses this information for access control: it matches the FilterID string to the group name configured in the XTM device policies.
- In the Dead Time text box, type the amount of time after which an inactive server is marked as active again. To change the duration, from the drop-down list, select Minutes or Hours.
After an authentication server has not responded for a period of time, it is marked as inactive. Subsequent authentication attempts will not try this server until it is marked as active again.
- To add a backup RADIUS server, in the Secondary Server Settings section, select the Enable Secondary RADIUS Server check box.
- Repeat Steps 4–11 to configure the backup server. Make sure the shared secret is the same on the primary and backup RADIUS server.
For more information, see Use a Backup Authentication Server.
- Click Save.
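The two settings above that most often go wrong are the shared secret and the group attribute. The following added example (not WatchGuard code) shows what a RADIUS client does with an Access-Accept reply: it checks the Response Authenticator with the shared secret, so a reply built with a different secret is rejected, and it reads the Filter-Id attribute (type 11) to match group names against configured policies. The request authenticator, secret and group names are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
FILTER_ID = 11  # RADIUS attribute type for Filter-Id (the page's "attribute 11")

# Constructed sample values, not taken from the page: the 16-byte Request
# Authenticator the client sent, and the shared secret set on both sides.
REQUEST_AUTH = bytes(range(16))
SHARED_SECRET = b"example-shared-secret"

def build_access_accept(ident, req_auth, secret, groups):
    """Build an Access-Accept with one Filter-Id attribute per group and a
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    attrs = b"".join(struct.pack("!BB", FILTER_ID, 2 + len(g)) + g.encode()
                     for g in groups)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_attributes(attrs):
    """Walk the attribute TLV list and return (type, value) pairs."""
    out = []
    while attrs:
        if len(attrs) < 2 or not 2 <= attrs[1] <= len(attrs):
            raise ValueError("malformed RADIUS attribute")
        out.append((attrs[0], attrs[2:attrs[1]]))
        attrs = attrs[attrs[1]:]
    return out

def verify_and_extract_groups(packet, req_auth, secret, policy_groups):
    """Return the Filter-Id values that match configured policy group names,
    or None if the reply is not an Access-Accept with a valid authenticator
    (wrong or mismatched shared secret, truncation, or tampering)."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # shared secret differs: the reply is not trusted
    names = [v.decode("utf-8", "replace") for t, v in parse_attributes(attrs)
             if t == FILTER_ID]
    return [g for g in names if g in policy_groups]
```

A reply that carries a Filter-Id not present in any policy yields an empty list, which is the "authenticated but no matching group" case the policy configuration has to handle.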