Enabling and Configuring RADIUS on the CMP System

By default, RADIUS Authentication is disabled in the CMP system. Enabling authentication requires admin privileges. The admin user is always authenticated against the local database record; thus, the admin user is best suited to setting up RADIUS authentication (see Creating a User Profile).

Two configuration parameters must match with the configuration that was put on the RADIUS server:

To enable RADIUS authentication and accounting:

  1. Log in to the CMP system as admin.
  2. From the System Administration section of the navigation pane, select User Management.

    The content tree displays the User Management group.

  3. From the content tree, select External Authentication.

    The External Authentication page opens. By default, external authentication is disabled.

  4. Click Modify.

    The External Authentication page becomes editable.

  5. In the Configuration section, select Enable RADIUS Authentication.

    Configuration and RADIUS Services configuration fields appear.

  6. Select Enable RADIUS Accounting.

    This feature is disabled by default. When enabled, the CMP system sends an Accounting-Start message to the accounting server when a user logs in, and an Accounting-Stop message when the user logs out. These messages contain a session ID attribute that uniquely identifies the user session so that it can be matched between Start and Stop.

  7. Select the Destination for Accounting Messages from the list.

    Available options include:
    • Both Primary and Secondary (default)

      Specifies that accounting messages generated for each user session are sent to both the primary and (when configured) secondary RADIUS servers.

    • Primary (Secondary on error)

      Accounting messages are sent only to the primary server, as long as it is reachable. If the primary accounting server is unreachable, messages are sent to the secondary accounting server.

  8. Enter the NAS IP Address (required).

    The IP address, in IPv4 or IPv6 format, of the network access server. By default, this is the local host address.

  9. Select when to Use local authentication from the list.

    Available options include:
    • When RADIUS servers timeout (default)
    • When both RADIUS servers timeout or reject
    • Never
      Note: Fallback to local authentication is never used. However, the admin user is always authenticated locally.

  10. Select the Source of User Credentials from the list.

    Available options include:

    • RADIUS Class

      The value of the Class attribute returned by the server determines both the role and scope.

    • Oracle VSAs

      The value of Oracle VSAs returned by the server determines the role and scope.

  11. Select an Action if Missing Credentials.

    Available options include:
    • Reject

      If you select this option, a user whose login credentials are missing is not logged in.

    • Use following defaults
      Select a setting for each of the following attributes:
      • Default Role

        The role assigned if the user credentials are missing or mismatched. The default role is Viewer.

      • Default Scope

        The scope assigned if the user credentials are missing or mismatched. The default scope is Global.

  12. In the RADIUS Services section, edit the following fields:
    1. Configure the Primary RADIUS Authentication Server:

      • Server
        The FQDN or IP address (in IPv4 or IPv6 format) assigned to the primary authentication server.
        Note: To disable the primary server, delete its IP address.
      • Port

        The IP port number of the primary server. The default value is port 1812.

      • Timeout (seconds)

        The length of time the CMP system waits for a response from the server. The default value is 3 seconds.

      • Retries

        The number of times the CMP system tries to send a message to the server. The default value is 3 times.

      • Shared Secret
        A password-like string that must exactly match the secret attribute configured in the entry for this CMP system in the clients.conf file on the RADIUS server.
        Note: If the two values do not match, the server ignores all messages from the CMP system.

    2. Configure the Secondary RADIUS Authentication Server:

      If configured, the secondary authentication server uses the same fields as the primary authentication server.

    3. Configure the Primary RADIUS Accounting Server:

      • Server

        The FQDN or IP address (in IPv4 or IPv6 format) assigned to the primary accounting server.

      • Port

        The IP port number of the Primary RADIUS Accounting server. The default value is port 1813.

      • Timeout (seconds)

        The length of time the CMP system waits for a response from the server. The default value is 3 seconds.

      • Retries

        The number of times the CMP system tries to send a message to the server. The default value is 3 times.

      • Shared Secret
        A password-like string that must exactly match the secret attribute configured in the entry for this CMP system in the clients.conf file on the RADIUS server.
        Note: If the two values do not match, the server ignores all messages from the CMP system.

    4. Configure the Secondary RADIUS Accounting Server:

      If configured, the secondary accounting server uses the same fields as the primary accounting server.

  13. Click Save.
RADIUS Authentication and Accounting is configured.
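
The following added example (not part of the original page or of the CMP product code) shows, for the accounting messages enabled in step 6, why a Shared Secret mismatch makes the server ignore them: per RFC 2866 the secret is hashed into each Accounting-Request's authenticator, which the server recomputes. The user name, session ID, NAS address and secret are constructed sample values, and the attribute set is an assumption, not the CMP system's actual message contents.

```python
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST = 4                      # RFC 2866 packet code
USER_NAME, NAS_IP_ADDRESS = 1, 4            # RFC 2865 attribute types
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44  # RFC 2866 attribute types
START, STOP = 1, 2                          # Acct-Status-Type values

def _attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_accounting_request(ident, status, user, session_id, nas_ip, secret):
    """Build an Accounting-Request authenticated with the shared secret."""
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
             + _attr(ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    # Authenticator = MD5(Code + ID + Length + 16 zero octets + attrs + secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def server_accepts(packet, secret):
    """Recompute the authenticator with the server's copy of the secret;
    on a mismatch the server silently discards the packet."""
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(received, expected)

def session_id_of(packet):
    """Walk the attribute list and return the Acct-Session-Id value."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            raise ValueError("malformed attribute length")
        if attr_type == ACCT_SESSION_ID:
            return packet[pos + 2:pos + length].decode()
        pos += length
    raise ValueError("no Acct-Session-Id attribute")

if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample value
    start = build_accounting_request(1, START, "operator1", "cmp-0001", "192.0.2.10", secret)
    stop = build_accounting_request(2, STOP, "operator1", "cmp-0001", "192.0.2.10", secret)
    print(server_accepts(start, secret), server_accepts(start, b"other-secret"))
    print(session_id_of(start) == session_id_of(stop))
```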