Access Server Admin Guide: RADIUS Authentication

About the Page

The Authentication: RADIUS page gives you the ability to use Remote Authentication Dial-in User Service (RADIUS) to authenticate users via an external directory server. The page provides an interface to choose the RADIUS authentication method and an interface to define the RADIUS servers.

Note: Be aware that auto-login profiles don’t trigger RADIUS authentication and RADIUS accounting requests. The first time a user signs in to download an auto-login connection profile, they can authenticate against the RADIUS server, but after that, auto-login connection profiles authenticate using only a certificate and bypass credential-based authentication of the RADIUS server.

RADIUS Settings

You can enable RADIUS authentication, accounting reports, and case-sensitive matching with the toggles in the RADIUS settings section.

Enable RADIUS authentication

Set the toggle to Yes to enable RADIUS authentication as the default authentication or for assigned users and groups.

With the toggle set to No, RADIUS authentication isn’t used as an additional authentication method.

Note: You can’t set RADIUS as the default authentication on the Authentication: Settings page until you’ve configured RADIUS and set this toggle to Yes.

Enable RADIUS accounting

When enabled, Access Server sends accounting requests to the RADIUS server via the accounting port.

Account names are case-sensitive

When you set case-sensitive to Yes, Access Server uses case-sensitive username matching. The user admin is different from Admin; the two different users have their own settings.

If you set case-sensitive to No, you could have a lowercase user, admin, on Access Server and an uppercase user, Admin, on the RADIUS server, but Access Server grants both users the same rights.

Note: If you set case-sensitive to Yes, each time you sign in with a different capitalization of a username, Access Server creates a new user, for example: admin, Admin, or ADMIN.

RADIUS Server

This section allows you to configure RADIUS servers for authentication. Access Server supports the configuration of up to five RADIUS servers.

Hostname or IP Address

Specify the hostname or IP address for each RADIUS server.

Shared Secret

Specify the shared secret. You must configure the RADIUS server with the same shared secret.

Authentication Port

Define the UDP port on the RADIUS server to which Access Server sends authentication requests. The default port is 1812.

Accounting Port

Define the port on which the RADIUS server listens for accounting requests. The default port is 1813. The accounting port is only required when you enable RADIUS accounting.

RADIUS Authentication Method

Access Server supports three RADIUS authentication methods:

  1. PAP: Password Authentication Protocol; sends the username and password in plaintext.
  2. CHAP: Challenge Handshake Authentication Protocol; masks the username and password by encrypting the communication.
  3. MS-CHAP v2: Microsoft Challenge Handshake Authentication Protocol version 2 is Microsoft’s version of CHAP that also masks the username and password by encrypting the communication.

We recommend using CHAP or MS-CHAP v2. There are situations where PAP is as secure as the former methods, such as when your VPN doesn’t need to send its traffic over the internet or when you deploy the RADIUS server or agent on the same host where Access Server is running.
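
The difference between the PAP and CHAP credential attributes, as an added example following RFC 2865 sections 5.2 and 5.3 (not Access Server code): with PAP the password is only XOR-hidden under the shared secret and the RADIUS server recovers the cleartext, while CHAP sends a one-way digest that the server checks against its stored copy of the password. The secret, authenticator, challenge, and password below are constructed sample values, and all function names are hypothetical.

```python
import hashlib
import hmac

# Constructed sample values, not taken from any real deployment.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))      # 16-byte Request Authenticator
CHALLENGE = bytes(range(16, 32))      # CHAP challenge
PASSWORD = b"constructed-passphrase"  # 22 bytes, spans two 16-byte blocks


def _keystream(secret: bytes, prev: bytes) -> bytes:
    # One 16-byte pad block: MD5 over the shared secret and the previous block.
    return hashlib.md5(secret + prev).digest()


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + prev)."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], _keystream(secret, prev)))
        out += prev
    return out


def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does: the same XOR returns the cleartext password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _keystream(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")


def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 5.3: CHAP ident byte followed by MD5(ident + password + challenge)."""
    head = bytes([ident])
    return head + hashlib.md5(head + password + challenge).digest()


def chap_verify(attr: bytes, stored_password: bytes, challenge: bytes) -> bool:
    """The server recomputes the digest, so it needs the stored cleartext password."""
    return hmac.compare_digest(attr, chap_password(attr[0], stored_password, challenge))
```

Because PAP protection rests entirely on the shared secret, the secret configured under Shared Secret should be long and random; CHAP in turn requires the RADIUS backend to hold the password in a recoverable form.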

Summary

Authentication: RADIUS allows you to configure RADIUS servers for user authentication and (optionally) accounting. You can configure up to five RADIUS servers for authentication. Overall, this page makes RADIUS configuration quick and easy.