RADIUS provides authentication, accounting, and authorization functions. The NIOS appliance supports authentication using the following RADIUS servers: FreeRADIUS, Microsoft, Cisco, and Funk.
When NIOS authenticates administrators against RADIUS servers, NIOS acts similarly to a network access server (NAS), which is a RADIUS client that sends authentication and accounting requests to a RADIUS server. The following figure illustrates the RADIUS authentication process.

Figure 4.5: Authentication using a RADIUS server

...

  • Configure at least one RADIUS authentication server group. For more information, see the Configuring a RADIUS Authentication Server Group section.
  • Define admin groups for the admins that are authenticated by the RADIUS servers and specify their privileges and settings. The group names in NIOS must match the admin group names on the RADIUS server. See About Admin Groups for information about defining admin groups.
  • In the authentication policy, add the RADIUS server groups and the admin groups that match those on the RADIUS server. You can also designate an admin group as the default group for remote admins. NIOS assigns admins to this group when it does not find a matching group for a remote admin. See Defining the Authentication Policy for more information about configuring the policy.

...

  1. From the Administration tab, click the Authentication Server Groups tab.
  2. Click the Add icon in the RADIUS Services subtab.
  3. In the Add RADIUS Authentication Service wizard, complete the following:
    • Name: Enter the name of the server group.
    • RADIUS Servers: Click the Add icon and enter the following:
      • Server Name or IP Address: Enter the FQDN or the IP address of the RADIUS server that is used for authentication.
      • Comment: Enter additional information about the RADIUS server.
      • Authentication Port: The destination port on the RADIUS server. The default is 1812. This field is required only if you do not enable accounting on the RADIUS server. This field is not required if you enable accounting to configure an accounting-only RADIUS server.
      • Authentication Type: Select either PAP or CHAP from the drop-down list. The default is PAP.
      • Shared Secret: Enter the shared secret that the NIOS appliance and the RADIUS server use to encrypt and decrypt their messages. This shared secret is a value that is known only to the NIOS appliance and the RADIUS server.
      • Enable Accounting: Select this to enable RADIUS accounting for the server so you can track an administrator's activities during a session. When you enable accounting, you must enter a valid port number in the Accounting Port field.
      • Accounting Port: The destination port on the RADIUS server. The default is 1813.
      • Connect through Management Interface: Select this so that the NIOS appliance uses the MGMT port for administrator authentication communications with just this RADIUS server.
      • Disable server: Select this to disable the RADIUS server if, for example, the connection to the server is down and you want to stop the NIOS appliance from trying to connect to this server.
      • Click Test to test the configuration. If the NIOS appliance connects to the RADIUS server using the configuration you entered, it displays a message confirming the configuration is valid. If it is unable to connect to the RADIUS server, the appliance displays a message indicating an error in the configuration.
      • Click Add to add the server to the list.

        When you add multiple RADIUS servers, the appliance lists the servers in the order you added them. This list also determines the order in which the NIOS appliance attempts to contact a RADIUS server. You can move a server up or down the list by selecting it and clicking the up or down arrow.

...

      • Note that you can also delete a RADIUS server by selecting it and clicking the Delete icon.
      • Authentication: Optionally, modify the authentication settings. These settings apply to all RADIUS servers that you configure on the NIOS appliance.
      • Timeout(s): Specify the number of seconds that the appliance waits for a response from the RADIUS server.
      • Retries: Specify how many times the appliance attempts to contact an authentication RADIUS server.

...

      • The default is 5.

        If you have configured multiple RADIUS servers for authentication and the NIOS appliance fails to contact the first server in the list, it tries to contact the next server, and so on.
      • Accounting: Optionally, modify the accounting settings:

...

        • Timeout(s): Specify the number of seconds that the appliance waits for a response from the RADIUS server.
        • Retries: Specify how many times the appliance attempts to contact an accounting RADIUS server. The default is 1000.
      • Mode: Specifies how the appliance contacts the RADIUS servers. The default is Ordered List.
        • Ordered List: The Grid member always selects the first RADIUS server in the list when it sends an authentication request. It queries the next server only when the first server is considered down.
        • Round Robin: The Grid member sends the first authentication request to a server chosen randomly from the group. If there is no response from that server, the Grid member selects the next server in the group. Continued attempts are performed sequentially until it reaches the last server in the group. Then it starts with the first server in the group and continues the selection process until all the servers have been attempted.
        • Comment: Enter useful information about the RADIUS service.
        • Disable: Select this to disable RADIUS authentication for the servers listed in the table.

...

  1. Save the configuration and click Restart if it appears at the top of the screen.

Note that the following fields in the wizard do not apply to this feature: Enable NAC Filter, Cache Time to Live, and Recovery Interval. They are used with the NAC Integration feature described in Authenticated DHCP.
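The NAS role shown in Figure 4.5 and the Shared Secret and Authentication Type (PAP) settings in the wizard, as an added example that is not part of the NIOS documentation or product code: a minimal RFC 2865 Access-Request builder that shows what the shared secret and the Request Authenticator actually do on the wire, plus the Response Authenticator check a RADIUS client should perform before trusting an Access-Accept. The secret, user name and NAS-Identifier value are constructed; the attribute and code numbers are those of RFC 2865.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32  # RFC 2865 attribute types

def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value  # Type, Len, Value

def pap_encode(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: each 16-byte chunk is XORed with MD5(secret + previous
    chunk), the first with the Request Authenticator. Only the secret hides it."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def pap_decode(secret: bytes, req_auth: bytes, hidden: bytes) -> bytes:
    """Server side of pap_encode; NUL padding is stripped."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(secret, ident, username, password, req_auth=None):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    req_auth = req_auth or os.urandom(16)  # must be fresh and unpredictable
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, pap_encode(secret, req_auth, password))
             + attr(NAS_IDENTIFIER, b"nios-grid-member"))  # constructed name
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth

def build_reply(secret, req_auth, code, ident, attrs=b""):
    """Server reply; Response Authenticator = MD5(header + req_auth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def verify_reply(secret, req_auth, packet) -> bool:
    """Trust a reply only if its authenticator matches our request and secret."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    expected = build_reply(secret, req_auth, packet[0], packet[1], packet[20:])
    return hmac.compare_digest(expected[4:20], packet[4:20])
```

Because the password is only masked with MD5 of the shared secret and a reply is accepted only when its authenticator recomputes under that secret, a weak or widely shared secret undermines both the confidentiality of PAP credentials and the client's ability to reject forged Access-Accepts.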