Tutorial: Manage the RADIUS Authentication Method from the Command-line Interface

Abstract

Use this tutorial to manage RADIUS as an authentication method for Access Server from the command-line interface.

Overview

Use this tutorial to find the commands necessary to manage the RADIUS authentication method for Access Server.

In RADIUS authentication mode, usernames and passwords are stored in a central database and accessed through a RADIUS server. You can integrate Access Server with directory services using RADIUS. After creating a user in the directory server, you must add this user to Access Server to set user-specific properties like auto-login privilege, group assignment, and static IP. You can do this via the Admin Web UI or the command line. Once the user exists in Access Server with the same name as in the directory server, Access Server looks the user up in User Permissions at sign-in and automatically applies the user-specific properties specified there. If you notice that properties aren't applied, check that the name matches. The user name in the directory is authoritative.

All configuration parameters that you can define in the Admin Web UI under "Authentication" and "RADIUS" can also be set via the command line. Some settings can only be set from the command line. We list all available options below.

Access Server supports up to five RADIUS servers. In the Admin Web UI, you configure their settings with a row for each server. You can set each setting for server 0, server 1, and so on when using commands. Our examples set the values for server 0, the first server displayed in the Admin Web UI list.

  • Root privileges on your Access Server's console.

  • A directory service that supports RADIUS.

  • Set authentication mode to RADIUS:

    sacli --key "auth.module.type" --value "radius" ConfigPut
    sacli start
  • Set the RADIUS authentication method. There are three options (the default is pap):

    • pap

    • chap

    • mschap2

    sacli --key "auth.radius.0.auth_method" --value <VALUE> ConfigPut
    sacli start
  • Define the friendly RADIUS server name:

    sacli --key "auth.radius.0.name" --value <FRIENDLY_NAME> ConfigPut
    sacli start
  • Define the RADIUS hostname or IP address:

    sacli --key "auth.radius.0.server.0.host" --value <FQDN_OR_IP_ADDRESS> ConfigPut
    sacli start
  • Define the shared secret:

    sacli --key "auth.radius.0.server.0.secret" --value <SHARED_SECRET> ConfigPut
    sacli start
  • Set the authentication port (default is 1812):

    sacli --key "auth.radius.0.server.0.auth_port" --value "1812" ConfigPut
    sacli start
  • Set the accounting port (default is 1813):

    sacli --key "auth.radius.0.server.0.acct_port" --value "1813" ConfigPut
    sacli start
  • Enable RADIUS accounting:

    sacli --key "auth.radius.0.acct_enable" --value "true" ConfigPut
    sacli start
  • Enable RADIUS authentication once you've finished the configuration:

    sacli --key "auth.radius.0.enable" --value True ConfigPut
    sacli start
  • Set the number of authentication attempts sent to the RADIUS server (default is 1):

    sacli --key "auth.radius.0.per_server_retries" --value "1" ConfigPut
    sacli start
  • Set the RADIUS server timeout in seconds (default is 30):

    sacli --key "auth.radius.0.per_server_timeout" --value <SECONDS> ConfigPut
    sacli start
  • Enable case-sensitive account name matching (the user admin is different from Admin):

    sacli --key "auth.radius.0.case_sensitive" --value "true" ConfigPut
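
The core steps above combined into one script, as an added example that is not part of the original tutorial or OpenVPN's own code: it validates the auth method and ports before writing anything and reads the shared secret from stdin. The function names, the DRY_RUN switch, the sample host and the single `sacli start` after the last ConfigPut (the tutorial restarts after each change) are assumptions.

```shell
#!/usr/bin/env bash
# Added example: apply this tutorial's RADIUS settings for server 0 in one pass.
# Function names, DRY_RUN and the sample values are assumptions, not sacli features.
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only; 0 = run sacli

valid_auth_method() {     # the tutorial lists exactly three options
  case "$1" in pap|chap|mschap2) return 0 ;; *) return 1 ;; esac
}

valid_port() {            # decimal integer in 1..65535
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

put() {                   # put KEY VALUE
  if [ "$DRY_RUN" = 1 ]; then
    case "$1" in          # never echo the shared secret in a dry run
      *.secret) printf 'sacli --key "%s" --value "<redacted>" ConfigPut\n' "$1" ;;
      *)        printf 'sacli --key "%s" --value "%s" ConfigPut\n' "$1" "$2" ;;
    esac
  else
    sacli --key "$1" --value "$2" ConfigPut
  fi
}

# configure_radius HOST METHOD AUTH_PORT ACCT_PORT   (shared secret on stdin)
configure_radius() {
  valid_auth_method "$2" || { echo "auth_method must be pap, chap or mschap2" >&2; return 2; }
  { valid_port "$3" && valid_port "$4"; } || { echo "invalid port" >&2; return 2; }
  # Read the secret from stdin so it does not land in shell history.
  # It is still passed to sacli as an argument for the duration of that call.
  IFS= read -r radius_secret || true
  [ -n "$radius_secret" ] || { echo "empty shared secret" >&2; return 2; }
  put auth.module.type radius &&
  put auth.radius.0.auth_method "$2" &&
  put auth.radius.0.server.0.host "$1" &&
  put auth.radius.0.server.0.secret "$radius_secret" &&
  put auth.radius.0.server.0.auth_port "$3" &&
  put auth.radius.0.server.0.acct_port "$4" &&
  put auth.radius.0.enable true || return 1   # enable last, as the tutorial does
  unset radius_secret
  if [ "$DRY_RUN" = 1 ]; then echo "sacli start"; else sacli start; fi
}

# Constructed sample values; the default dry run prints eight commands.
printf '%s\n' 'constructed-secret' | configure_radius radius.example.test mschap2 1812 1813
```

Review the dry-run output first, then rerun with `DRY_RUN=0` as root and supply the real secret on stdin.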