You can configure administrator authentication against a RADIUS server.
After you have completed the RADIUS server configuration and enabled it, you can select it when you create an administrator user on the System > Admin > Administrators page. On that page, you specify the username but not the password. You also specify the SPP assignment, trusted host list, and access profile for that user.
If RADIUS is enabled, when a user logs in, an authentication request is made to the remote RADIUS server. If authentication succeeds, and the user has a configuration on the System > Admin > Administrators page, the SPP assignment, trusted host list, and access profile are applied. If the user does not have a configuration on the System > Admin > Administrators page, these assignments are obtained from the Default Access Strategy settings described in Table 78.
Before you begin:
Figure 137: RADIUS server configuration page
Settings | Guidelines |
---|---|
Enable | Unique name. No spaces or special characters. |
Primary Server Name/IP | IP address of the primary RADIUS server. |
Primary Server Secret | RADIUS server shared secret. |
Secondary Server Name/IP | Optional. IP address of a backup RADIUS server. |
Secondary Server Secret | Optional. RADIUS server shared secret. |
Port | RADIUS port. Usually, this is 1812. |
Auth Protocol |
|
Test Connectivity | |
Test Connectivity | Select to test connectivity using a test username and password specified next. Click the Test button before you save the configuration. |
Username | Username for the connectivity test. |
Password | Corresponding password. |
Default Access Strategy for remote RADIUS user | |
System Admin | If enabled, the user is regarded as a system administrator with access to all SPPs. |
Service Protection Profile | If this administrator is not a system administrator, select the profile that this account manages. |
Trusted Hosts | Source IP address and netmask from which the administrator is allowed to log in. For multiple addresses, separate each entry with a space. You can specify up to three trusted areas. They can be single hosts, subnets, or a mixture. Configuring trusted hosts hardens the security of the system. In addition to knowing the password, an administrator can connect only from the computer or subnets you specify. Trusted host definitions apply both to the web UI and to the CLI when accessed through Telnet, SSH, or the CLI console widget. Local console access is not affected by trusted hosts, as the local console is by definition not remote, and does not occur through the network. If ping is enabled, the address you specify here is also a source IP address to which the system will respond when it receives a ping or traceroute signal. To allow logins only from one computer, enter only its IP address and 32- or 128-bit netmask: 192.0.2.2/32 2001:0db8:85a3:::8a2e:0370:7334/128 To allow login attempts from any IP address (not recommended), enter: 0.0.0.0/0.0.0.0 .Caution: If you restrict trusted hosts, do so for all administrator accounts. Failure to do so means that all accounts are still exposed to the risk of brute force login attacks. This is because if you leave even one administrator account unrestricted (i.e. 0.0.0.0/0 ), the system must allow login attempts on all network interfaces where remote administrative protocols are enabled, and wait until after a login attempt has been received in order to check that user name’s trusted hosts list.Tip: If you allow login from the Internet, set a longer and more complex password, and enable only secure administrative access protocols. We also recommend that you restrict trusted hosts to IPs in your administrator’s geographical area. Tip: For improved security, restrict all trusted host addresses to single IP addresses of computer(s) from which only this administrator will log in. |
Default Access Profile | Select a user-defined or predefined profile. The predefined profile named super_admin_prof is a special access profile used by the admin account. However, selecting this access profile will not confer all permissions of the admin account. For example, the new administrator would not be able to reset lost administrator passwords. Note: This option does not appear for the admin administrator account, which by definition always uses the super_admin_prof access profile. |
config system authentication radius set state {enable|disable} set primary-server <ip> set primary-secret <string> set backup-server <ip> set backup-secret <string> set port <port> set authprot {auto|chap|mschap|mschapv|pap} set is-system-admin {yes|no} set dft-domain <SPP> set dft-accprofile <profile> set dft-trusted-hosts <CIDR list> end |