Configure a RADIUS Server

Use this task to configure a RADIUS server domain for external user authentication.

  • Each cluster node must be defined on the RADIUS server as a RADIUS client (the server identifies clients by source address), and the same shared secret string must be used for all cluster nodes.
  • The RADIUS server must be configured to return one or more attribute values in the authentication response message (Access-Accept) to represent the groups to which a user belongs. By default the device expects one Filter-Id attribute per group.
  1. Expand the Security Manager slider and select User Management > Authentication.
  2. In the External authentication pane, select the RADIUS radio button and click Add.
    The RADIUS servers table becomes available for use.
  3. In the Add a radius server pane, complete the following fields:
    Address field: The IP address or DNS name of the RADIUS server.
    Port field: Pre-populated with the default RADIUS authentication port, UDP 1812. If your RADIUS server listens on a different port, enter that value.
    Shared secret field: Click Edit next to the field. In the Encrypted shared secret dialog box, enter the following parameters:
    • Shared secret: The string assigned within the RADIUS server configuration to this device as a RADIUS client. Use a long random string: RADIUS hides the user password and authenticates the server's replies with nothing stronger than this secret.
    • Confirmed shared secret: The same shared secret string again to confirm your input.
    Password authentication mechanism drop-down list: PAP is chosen by default. The password authentication protocol (PAP) sends the user's password to the server to be compared with the stored credential. In RADIUS the password is obscured only by the shared secret (the User-Password hiding of RFC 2865), so PAP relies on a strong secret and a trusted path to the server; in return the server can check it against any stored password format.
    Choose one of the following options if the RADIUS server is configured for a different protocol. In each case the server must store the credential in a form that lets it compute the expected response: the cleartext password for CHAP and EAP-MD5, the NT hash (or cleartext) for the MS-CHAP variants.
    • CHAP: The challenge-handshake authentication protocol (CHAP, RFC 1994) authenticates a user or network host to an authenticating entity by having the peer hash an incrementally changing identifier and a variable challenge value together with the secret, which protects against replay of a captured response.
    • MSCHAPV1: Microsoft CHAP version 1 (MS-CHAP v1, RFC 2433) is Microsoft's variant of CHAP. It is negotiated by specifying CHAP Algorithm 0x80 in the Authentication Protocol option (LCP option 3). Compared with CHAP, MS-CHAPv1 adds an authenticator-controlled password change mechanism, an authentication retry mechanism, and defined failure codes, which are returned in the Message field of the Failure packet.
    • MSCHAPV2: Microsoft CHAP version 2 (MS-CHAPv2, RFC 2759) is negotiated with CHAP Algorithm 0x81 instead of 0x80. Unlike MS-CHAPv1 it is mutual: the peer contributes its own challenge and verifies an authenticator response from the server, so the client also learns whether the server knows its credential.
    • EAPMD5: The extensible authentication protocol MD5-Challenge method (EAP-MD5, RFC 3748) offers minimal security and is used in wireless and point-to-point networks. It lets the RADIUS server authenticate a connection request by verifying an MD5 hash of the user's password: the server sends the client a random challenge value, and the client proves its identity by returning the MD5 hash of the identifier, its password and the challenge. EAP-MD5 provides neither server authentication nor key derivation.
    • EAPMSCHAPV2: EAP-MSCHAPv2 carries the MS-CHAPv2 exchange inside EAP. It allows authentication against databases that store credentials in the MS-CHAPv2 (NT hash) format, including Microsoft NT domains and Microsoft Active Directory.
    Group attribute name field: Pre-populated with the attribute Filter-Id by default.

    Note:

    Change the default value if the RADIUS server returns group membership in a different attribute.

    The device needs this attribute to assign a user to a RADIUS group: when the Access-Accept for a user contains one or more instances of the named attribute, the user is placed in the groups that those values name. Configure the RADIUS server to include the attribute in the Access-Accept message it returns to this device; an Access-Accept without it authenticates the user but places them in no group.

  4. Click Apply.
    External users can now be authenticated by the RADIUS server. To map the group values the server returns to local user groups, see the Add and Map a Local User Group to an External Domain User Group section of this chapter.
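The exchange that steps 1 to 4 set up, as an added Python example that is not part of the original page or of the product's software: a cluster node builds a PAP Access-Request with the password hidden under the shared secret, the RADIUS server (here a constructed in-process stand-in, with the UDP transport omitted) looks the client up by source address, checks the password and answers with an Access-Accept carrying one Filter-Id attribute per group, and the node verifies the Response Authenticator before trusting those groups. The shared secret, node addresses, user and group names are constructed sample values, not anything from the page.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11

# Constructed sample data (assumed, not from the page): two cluster nodes registered on the
# server as RADIUS clients with one shared secret, and one user who belongs to two groups.
SHARED_SECRET = b"Kq9!vL2x#pR7mW4zT6bN"
CLIENTS = {"10.0.0.11": SHARED_SECRET, "10.0.0.12": SHARED_SECRET}
USERS = {"alice": ("correct-horse-battery", ["admins", "auditors"])}


def hide_password(password, secret, request_auth):
    # RFC 2865 5.2: pad to 16-octet blocks, XOR each block with MD5(secret + previous block).
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden, secret, request_auth):
    # Inverse of hide_password; the chained mask uses the previous *hidden* block.
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # drop padding; passwords contain no NUL octets


def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1) Value, with Length counting the two header octets.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        atype, alen = data[i], data[i + 1]
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def build_packet(code, ident, authenticator, attr_bytes):
    return struct.pack("!BBH", code, ident, 20 + len(attr_bytes)) + authenticator + attr_bytes


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("malformed packet")
    return code, ident, pkt[4:20], pkt[20:length], decode_attrs(pkt[20:length])


def response_authenticator(code, ident, req_auth, attr_bytes, secret):
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3.
    header = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return hashlib.md5(header + req_auth + attr_bytes + secret).digest()


def radius_server(src_ip, pkt):
    # Constructed stand-in for the RADIUS server. Returns the reply, or None when the request
    # is silently discarded (unknown client address), which a real node sees as a timeout.
    secret = CLIENTS.get(src_ip)
    if secret is None:
        return None
    code, ident, req_auth, _, attrs = parse_packet(pkt)
    got = dict(attrs)
    user = USERS.get(got.get(USER_NAME, b"").decode(errors="replace"))
    reply_code, reply_attrs = ACCESS_REJECT, []
    if code == ACCESS_REQUEST and user is not None and USER_PASSWORD in got:
        pw = unhide_password(got[USER_PASSWORD], secret, req_auth)
        if hmac.compare_digest(pw, user[0].encode()):
            reply_code = ACCESS_ACCEPT
            # One Filter-Id attribute per group: this is what the Group attribute name field matches.
            reply_attrs = [(FILTER_ID, g.encode()) for g in user[1]]
    body = encode_attrs(reply_attrs)
    auth = response_authenticator(reply_code, ident, req_auth, body, secret)
    return build_packet(reply_code, ident, auth, body)


def authenticate(username, password, node_ip, node_secret):
    # Cluster-node side: send a PAP Access-Request, verify the reply, return (code, groups).
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    body = encode_attrs([(USER_NAME, username.encode()),
                         (USER_PASSWORD, hide_password(password.encode(), node_secret, req_auth))])
    reply = radius_server(node_ip, build_packet(ACCESS_REQUEST, ident, req_auth, body))
    if reply is None:
        return None
    code, rid, resp_auth, attr_bytes, attrs = parse_packet(reply)
    if rid != ident:
        raise ValueError("reply identifier does not match the request")
    expected = response_authenticator(code, rid, req_auth, attr_bytes, node_secret)
    if not hmac.compare_digest(resp_auth, expected):
        raise ValueError("bad Response Authenticator: shared secret mismatch or forged reply")
    return code, [v.decode() for t, v in attrs if t == FILTER_ID]
```

Both prerequisites at the top of the task show up here as distinct failures: a node whose address is missing from CLIENTS gets no reply at all (a timeout on the device), while a node configured with a secret that differs from the server's produces a password that does not decode on the server and a reply that fails the Response Authenticator check on the node. A wrong password yields a clean Access-Reject with no group attributes.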