Authentication: RADIUS

About the Page

The Authentication: RADIUS page gives you the ability to use remote authentication dial-in user service (RADIUS) to authenticate users via an external directory server. The page provides an interface to choose the RADIUS authentication method and an interface to define the RADIUS servers.

Note: Be aware that using auto-login profiles doesn’t trigger RADIUS authentication and RADIUS accounting requests. The first time a user signs in to download an auto-login connection profile, they can authenticate against the RADIUS server, but after that, auto-login connection profiles authenticate using only a certificate and bypass credential-based authentication of the RADIUS server.

RADIUS in use

The first section displays whether RADIUS is the default authentication method for users and groups. By default, this section displays “RADIUS is NOT in use”, and the default authentication method is local. When you set RADIUS as the default, it displays “RADIUS in use”.

RADIUS Authentication Methods

Select RADIUS Authentication Method

Access Server supports three RADIUS authentication methods:

  1. PAP: password authentication protocol; sends the username and password in plaintext.
  2. CHAP: challenge handshake authentication protocol; masks the username and password by encrypting the communication.
  3. MS-CHAP v2: Microsoft challenge handshake authentication protocol version 2; Microsoft’s version of CHAP that also masks the username and password by encrypting the communication.

We recommend using CHAP or MS-CHAP v2. However, there are situations where PAP is as secure as those methods, such as when your VPN doesn’t need to send its traffic over the internet, or when the RADIUS server or agent is deployed on the same host where Access Server is running.
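What the PAP and CHAP choices place in a RADIUS Access-Request, following RFC 2865 sections 5.2 and 5.3. This is an added example, not Access Server's code; the function names and sample values are constructed, and MS-CHAP v2 is not covered. With PAP the password is protected only by an MD5 mask keyed with the shared secret, so any holder of that secret can recover it, while CHAP sends a one-way response that the server can only recompute and compare.

```python
import hashlib
import hmac
import os

def pap_hide(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: build the User-Password attribute value (PAP)."""
    if not 1 <= len(password) <= 128 or len(request_auth) != 16:
        raise ValueError("password must be 1-128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()  # keyed only by the shared secret
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def pap_recover(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """What the RADIUS server does: undo the hiding with the same secret."""
    if not hidden or len(hidden) % 16 or len(request_auth) != 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 5.3: CHAP-Password = ident octet + MD5(ident | password | challenge)."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()

def chap_verify(chap_password: bytes, known_password: bytes, challenge: bytes) -> bool:
    """Server side: recompute from the stored password, compare in constant time."""
    if len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], known_password, challenge)
    return hmac.compare_digest(chap_password, expected)

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    secret, password = b"constructed-shared-secret", b"constructed-user-password"
    ra, challenge = os.urandom(16), os.urandom(16)
    hidden = pap_hide(password, secret, ra)
    print("PAP  User-Password:", hidden.hex())
    print("PAP  recovered    :", pap_recover(hidden, secret, ra))
    print("CHAP CHAP-Password:", chap_response(1, password, challenge).hex())
```

The PAP round trip shows why the caveat above depends on where RADIUS traffic travels and why the Shared Secret field should hold a long, random value.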

Case-sensitive login

When you enable case-sensitive login, Access Server uses case-sensitive username matching. The user admin is a different user from Admin; the two different users have their own settings.

If you disable case-sensitive login, you could have a lowercase user, admin, on Access Server and an uppercase user, Admin, on the RADIUS server, but both users will have the same rights granted by Access Server.

Note: If you turn on case-sensitive login, each time you try to sign in with a username in a different case, Access Server creates a new user, for example: admin, Admin, or ADMIN.

RADIUS Settings

This section allows you to configure RADIUS servers for authentication. Access Server supports the configuration of up to five RADIUS servers.

Allow RADIUS authentication

Set the toggle to Yes to allow RADIUS authentication for assigned users and groups in addition to the default authentication method. For example, you can create administrators for Access Server that use local authentication, and use RADIUS authentication for VPN users.

With the toggle set to No, RADIUS authentication isn’t used as an additional authentication method.

Note: If you set RADIUS as the default authentication, your users and groups assigned to the default method authenticate against RADIUS, whether or not this toggle is set to Yes.

Hostname or IP Address

Specify the hostname or IP address for each RADIUS server.

Shared Secret

Specify the shared secret. The RADIUS server must be configured with the same shared secret.

Authentication Port

The UDP port on the RADIUS server where Access Server sends authentication requests. The default port is 1812.

Accounting Port

The port where the RADIUS server listens for accounting requests. The default port is 1813. The accounting port is only required when you enable RADIUS accounting.

Enable RADIUS accounting

When enabled, Access Server sends accounting requests to the RADIUS server via the accounting port.

Summary

Authentication: RADIUS gives you the ability to configure RADIUS servers for user authentication and (optionally) accounting. You can configure up to five RADIUS servers for authentication. Overall, this page makes RADIUS configuration easy and quick to use.