By default, RADIUS Authentication is disabled in the CMP system. Enabling authentication requires admin privileges. The admin user is always authenticated against the local database record; thus, the admin user is best suited to setting up RADIUS authentication (see Creating a User Profile).
Two configuration parameters must match the configuration on the RADIUS server:
- Source of User Credentials must match up with the user configuration in the RADIUS server, but this will also depend on what is configured in the next parameter.
- If Action if missing credentials is set to Use following defaults, then a user will be authenticated as long as the password is correct. This user could log in even though the Class is not valid:
Sample User for RADIUS Server
test Cleartext-Password := "2931txy"
Class = "noone"
- If Action if missing credentials is set to Reject, then the configuration of the user will depend on the configuration of Source of User Credentials.
To enable RADIUS authentication and accounting:
- Log in to the CMP system as admin.
- From the System Administration section of the navigation pane, select User Management.
The content tree displays the User Management group.
- From the content tree, select External Authentication.
The External Authentication page opens. By default, external authentication is disabled.
- Click Modify.
The External Authentication page becomes editable.
- In the Configuration section, select Enable RADIUS Authentication.
Configuration and RADIUS Services configuration fields appear.
- Select Enable RADIUS Accounting.
This feature is disabled by default. When enabled, the CMP system sends an Accounting-Start message to the accounting server when a user logs in, and an Accounting-Stop message when the user logs out. These messages contain a session ID attribute that uniquely identifies the user session so that it can be matched between Start and Stop.
- Select the Destination for Accounting Messages from the list.
Available options include:
- Both Primary and Secondary (default)
Specifies that accounting messages generated for each user session are sent to both the primary and (when configured) secondary RADIUS servers.
- Primary (Secondary on error)
Accounting messages are sent only to the primary server, as long as it is reachable. If the primary accounting server is unreachable, messages are sent to the secondary accounting server.
- Enter the NAS IP Address (required).
The IP address, in IPv4 or IPv6 format, of the network access server. By default, this is the local host address.
- Select when to Use local authentication from the list.
Available options include:
- Select the Source of User Credentials from the list.
Available options include:
- Select an Action if Missing Credentials.
Available options include:
- In the RADIUS Services section, edit the following fields:
- Configure the Primary RADIUS Authentication Server:
- Server
The FQDN or IP address (in IPv4 or IPv6 format) assigned to the primary authentication server.
Note: To disable the primary server, delete its IP address.
- Port
The IP port number of the primary server. The default value is port 1812.
- Timeout (seconds)
The length of time the CMP system waits for a response from the server. The default value is 3 seconds.
- Retries
The number of times the CMP system tries to send a message to the server. The default value is 3 times.
- Shared Secret
A password-like string that must exactly match between the CMP system and the secret attribute configured in the entry for this CMP system in the clients.conf file in the RADIUS server.
Note: If the two values do not match, the server ignores all messages from the CMP system.
- Configure the Secondary RADIUS Authentication Server:
If configured, the secondary authentication server uses the same fields as the primary authentication server.
- Configure the Primary RADIUS Accounting Server:
- Server
The FQDN or IP address (in IPv4 or IPv6 format) assigned to the primary accounting server.
- Port
The IP port number of the Primary RADIUS Accounting server. The default value is port 1813.
- Timeout (seconds)
The length of time the CMP system waits for a response from the server. The default value is 3 seconds.
- Retries
The number of times the CMP system tries to send a message to the server. The default value is 3 times.
- Shared Secret
A password-like string that must exactly match between the CMP system and the secret attribute configured in the entry for this CMP system in the clients.conf file in the RADIUS server.
Note: If the two values do not match, the server ignores all messages from the CMP system.
- Secondary RADIUS Accounting Server
If configured, the secondary accounting server uses the same fields as the primary accounting server.
- Click Save.
RADIUS Authentication and Accounting are configured.
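The Shared Secret note and the Accounting-Start/Accounting-Stop step above, as an added example that is not part of the original page or the CMP product: it builds Accounting-Request packets with the RFC 2866 Request Authenticator and shows the server-side check that fails when the secret differs, plus the session ID that pairs Start with Stop. The secret, session ID and NAS address are constructed placeholders; the user name `test` is the sample user from this page.

```python
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST = 4        # RADIUS packet code (RFC 2866)
ACCT_START, ACCT_STOP = 1, 2  # Acct-Status-Type values

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def authenticator(header: bytes, attrs: bytes, secret: bytes) -> bytes:
    """MD5 over header, 16 zero octets, attributes, then the shared secret."""
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_accounting_request(ident, status, user, session_id, nas_ip, secret):
    """Build an Accounting-Request as a client holding `secret` would."""
    attrs = (attr(1, user.encode())                  # User-Name
             + attr(4, socket.inet_aton(nas_ip))     # NAS-IP-Address (IPv4)
             + attr(40, struct.pack("!I", status))   # Acct-Status-Type
             + attr(44, session_id.encode()))        # Acct-Session-Id
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + authenticator(header, attrs, secret) + attrs

def server_accepts(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute the authenticator; a mismatch means discard."""
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    return hmac.compare_digest(received, authenticator(header, attrs, secret))

def session_id_of(packet: bytes) -> str:
    """Return Acct-Session-Id (type 44), used to pair Start with Stop."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            raise ValueError("malformed attribute length")
        if attr_type == 44:
            return packet[pos + 2:pos + length].decode()
        pos += length
    raise ValueError("no Acct-Session-Id attribute")

if __name__ == "__main__":
    # Constructed values: secret, session ID and NAS address are placeholders.
    cmp_secret = b"example-shared-secret"
    start = build_accounting_request(1, ACCT_START, "test", "sess-0001", "192.0.2.10", cmp_secret)
    stop = build_accounting_request(2, ACCT_STOP, "test", "sess-0001", "192.0.2.10", cmp_secret)
    print("matching secret accepted:", server_accepts(start, cmp_secret))
    print("mismatched secret accepted:", server_accepts(start, b"typo-in-clients-conf"))
    print("Start/Stop share session:", session_id_of(start) == session_id_of(stop))
```

Because a mismatched secret produces a silent discard rather than an error reply, the symptom on the client side is a timeout after the configured retries.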