
Configuring group authorization for RADIUS authentication
The two tasks listed below must be done to configure groups for RADIUS authentication.
The RADIUS server’s administrator must define the desired groups and assign users to the groups.
See "To configure groups on a RADIUS authentication server" below.
The OnBoard appliance’s administrator must configure the RADIUS server on the OnBoard appliance.
The following list describes the values to set when configuring a RADIUS authentication server on the OnBoard appliance, using the syntax shown below.
auth1 server[:port] secret [time-out] [retries]
acct1 server[:port] secret [time-out] [retries]
where:
auth1: The first RADIUS authentication server.
acct1: The first RADIUS accounting server.
server: The RADIUS server address.
port: Optional. The default port name is radius and is looked up through /etc/services.
secret: The shared password required for communication between the OnBoard appliance and the RADIUS server.
time-out: How long the OnBoard appliance should wait for the RADIUS server’s response. The default is 3 seconds.
retries: The number of times each RADIUS server is tried before another is contacted.
To configure groups on a RADIUS authentication server:
1.
2.
3.
NOTE: If the Frame-Filter-Id already exists, append the group_name declaration to the string starting with a colon (:). Make sure a final semi-colon (;) is at the end of the declaration, as shown in the example.
4.
To configure a RADIUS authentication server on the OnBoard appliance:
1.
2. Open the /etc/raddb/server file for editing or create the file.
3. Make an entry for the RADIUS authentication server (auth1) and the accounting server (acct1) and, if desired, entries for a second RADIUS authentication server (auth2) and a second accounting server (acct2), performing the following steps for each server.
4.
# For proper security, this file SHOULD have permissions 0600,
# that is readable by root, and NO ONE else. If anyone other than
# root can read this file, then they can spoof responses from the server!
#
# There are 3 fields per line in this file. There may be multiple
# lines. Blank lines or lines beginning with '#' are treated as
# comments, and are ignored. The fields are:
#
# server[:port] secret [timeout]
#
# the port name or number is optional. The default port name is
# "radius", and is looked up from /etc/services. The timeout field is
# optional. The default timeout is 3 seconds.
#
# If multiple RADIUS server lines exist, they are tried in order. The
# first server to return success or failure causes the module to return
# success or failure. Only if a server fails to respond is it skipped,
# and the next server in turn is used.
#
# The timeout field controls how many seconds the module waits before
# deciding that the server has failed to respond.
#
# server[:port] shared_secret timeout (s)
# 127.0.0.1 secret 1
# other-server other-secret 3
OUR.RADIUS.SERVER.IP:1645 OurSecret 1 3
5.
6.
7.
8.
9.
The following screen example shows entries that define the RADIUS authentication server and the accounting server to be the same server with the same IP address, sets the secret to cyclades, the time-out to 5 seconds and the number of retries to 5.
NOTE: Always configure both parameters auth1 and acct1.
10.
NOTE: Multiple RADIUS servers can be configured in this file. The servers are tried in the order in which they appear. If a server fails to respond, the next configured server is tried.
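As an added example (not from the OnBoard documentation), the following Python script parses entries in the five-field form the procedure above describes (auth1/acct1 keyword, server[:port], secret, time-out, retries), applies the defaults given in the file header, and checks the two points the notes insist on: that both auth1 and acct1 are present and that the file mode grants nobody but the owner access. The sample file contents, the 192.0.2.x addresses and the port numbers are constructed.

```python
import re
import stat

DEFAULT_TIMEOUT = 3      # seconds, the default stated in the file header
DEFAULT_PORT = "radius"  # resolved through /etc/services when no port is given

# Constructed sample of an OnBoard-style /etc/raddb/server file (addresses and secrets are made up).
SAMPLE = """\
# authentication and accounting on the same host, 5 s time-out, 5 retries
auth1 192.0.2.10:1812 cyclades 5 5
acct1 192.0.2.10:1813 cyclades 5 5
auth2 192.0.2.11 OtherSecret
"""

def parse_server_file(text):
    """Parse '<role> server[:port] secret [time-out] [retries]' lines into dicts."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank and comment lines are ignored
            continue
        fields = line.split()
        if not 3 <= len(fields) <= 5:
            raise ValueError(f"line {lineno}: expected 3 to 5 fields, got {len(fields)}")
        role, target, secret = fields[:3]
        if not re.fullmatch(r"(auth|acct)\d+", role):
            raise ValueError(f"line {lineno}: unknown keyword {role!r}")
        server, _, port = target.partition(":")
        entries.append({"role": role, "server": server, "port": port or DEFAULT_PORT,
                        "secret": secret,
                        "timeout": int(fields[3]) if len(fields) > 3 else DEFAULT_TIMEOUT,
                        "retries": int(fields[4]) if len(fields) > 4 else None})
    return entries

def check_entries(entries):
    """Return the problems a reviewer would flag before enabling RADIUS on the appliance."""
    problems = []
    roles = {e["role"] for e in entries}
    for required in ("auth1", "acct1"):  # the procedure says always configure both
        if required not in roles:
            problems.append(f"{required} is not configured")
    for e in entries:
        if e["timeout"] <= 0:
            problems.append(f"{e['role']}: time-out must be a positive number of seconds")
    return problems

def secrets_are_private(st_mode):
    """True when the mode bits grant no group or other access, i.e. 0600 as the header asks."""
    return (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0
```

Against a real appliance file, feed `open("/etc/raddb/server").read()` to `parse_server_file` and `os.stat("/etc/raddb/server").st_mode` to `secrets_are_private`.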