Using RADIUS Authentication

You can use Remote Authentication Dial-In User Service (RADIUS) to authenticate both UTM-1 appliance users and Remote Access VPN Clients trying to connect to the UTM-1 appliance.

Note: When RADIUS authentication is in use, Remote Access VPN Clients must have a certificate.

When a user tries to log in to the UTM-1 Portal, the UTM-1 appliance sends the entered user name and password to the RADIUS server. The server then checks whether the RADIUS database contains a matching user name and password pair. If so, the user is logged in.

By default, all RADIUS-authenticated users are assigned the set of permissions specified in the UTM-1 Portal's RADIUS page. However, you can configure the RADIUS server to pass the UTM-1 appliance a specific set of permissions to grant the authenticated user instead of these default permissions. This is done by configuring the RADIUS Vendor-Specific Attribute (VSA) with attributes containing permission information for specific users. If the VSA is configured for a user, the RADIUS server returns the VSA to the UTM-1 appliance as part of its response to the authentication request, and the gateway assigns the user the permissions specified in the VSA. If the RADIUS server does not return a VSA for a user, the gateway uses the default permission set for that user.

In addition, you can configure the RADIUS server to pass the UTM-1 appliance a Secure HotSpot session timeout value. When the RADIUS server's Session-Timeout Attribute is configured, HotSpot users will be logged out after the specified session timeout has elapsed.
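The exchange described above, simulated offline as an added example (not code from the UTM-1 appliance or its documentation): the appliance builds an RFC 2865 Access-Request with the realm appended as <username>@<realm> and the password obfuscated under the shared secret, a constructed RADIUS server checks the pair and answers with an Access-Accept carrying a Session-Timeout and, for users that have one, a Vendor-Specific Attribute, and the gateway verifies the Response Authenticator before applying the VSA permissions or falling back to the defaults. The user database, the vendor id and the layout inside the VSA are placeholders; the page does not specify the appliance's real attribute format.

```python
"""Offline RADIUS Access-Request / Access-Accept exchange (RFC 2865 framing).
Constructed example: USER_DB, DEMO_VENDOR_ID and the VSA layout are placeholders."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3                     # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC, SESSION_TIMEOUT = 1, 2, 26, 27  # RFC 2865 attribute types
DEMO_VENDOR_ID = 99999                                                     # placeholder, not a real vendor id
DEFAULT_PERMISSIONS = {"admin_level": "No Access", "vpn": False, "hotspot": False}

# Constructed RADIUS user database: name -> (password, Session-Timeout or None, VSA permissions or None)
USER_DB = {
    "JohnS@myrealm": ("s3cret", 3600, {"admin_level": "Read Only", "flags": 0b01}),
    "guest@myrealm": ("guest", None, None),
}

def attr(atype, value):
    """Encode one attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific attribute: Vendor-Id(4) followed by a vendor Type/Length/Value."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + attr(vendor_type, value))

def parse_attrs(data):
    """Split an attribute list into (type, value) pairs, rejecting malformed lengths."""
    out, i = [], 0
    while i < len(data):
        atype, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out.append((atype, data[i + 2:i + length]))
        i += length
    return out

def xor_password(data, secret, authenticator, decrypt):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous ciphertext block)."""
    data = data + b"\x00" * (-len(data) % 16 or (16 if not data else 0))
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += result
        prev = block if decrypt else result
    return out

def build_access_request(username, password, secret, realm="", ident=1):
    """Appliance side: append the realm as <username>@<realm> and hide the password."""
    name = f"{username}@{realm}" if realm else username
    req_auth = os.urandom(16)
    attrs = attr(USER_NAME, name.encode()) + attr(USER_PASSWORD, xor_password(password.encode(), secret, req_auth, False))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def build_response(code, request, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def radius_server(request, secret):
    """Constructed RADIUS server: checks the name/password pair, returns the VSA only for users that have one."""
    attrs = dict(parse_attrs(request[20:]))
    name = attrs[USER_NAME].decode("utf-8", "replace")
    password = xor_password(attrs[USER_PASSWORD], secret, request[4:20], True).rstrip(b"\x00")
    entry = USER_DB.get(name)
    if entry is None or entry[0].encode() != password:
        return build_response(ACCESS_REJECT, request, secret)
    resp_attrs = attr(SESSION_TIMEOUT, struct.pack("!I", entry[1])) if entry[1] else b""
    if entry[2]:
        resp_attrs += vsa(DEMO_VENDOR_ID, 1, entry[2]["admin_level"].encode())
        resp_attrs += vsa(DEMO_VENDOR_ID, 2, bytes([entry[2]["flags"]]))
    return build_response(ACCESS_ACCEPT, request, secret, resp_attrs)

def gateway_decision(response, req_auth, secret):
    """Appliance side: verify the reply, then apply VSA permissions if present, otherwise the defaults."""
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    if not hmac.compare_digest(resp_auth, hashlib.md5(header + req_auth + body + secret).digest()):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    if response[0] != ACCESS_ACCEPT:
        return None
    perms, session_timeout = dict(DEFAULT_PERMISSIONS), None
    for atype, value in parse_attrs(body):
        if atype == SESSION_TIMEOUT:
            session_timeout = struct.unpack("!I", value)[0]
        elif atype == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == DEMO_VENDOR_ID:
            vtype, vvalue = value[4], value[6:6 + value[5] - 2]
            if vtype == 1:      # constructed: vendor type 1 carries the Administrator Level as text
                perms["admin_level"] = vvalue.decode()
            elif vtype == 2:    # constructed: vendor type 2 is a flag byte, bit0 = VPN Remote Access, bit1 = HotSpot Access
                perms["vpn"], perms["hotspot"] = bool(vvalue[0] & 1), bool(vvalue[0] & 2)
    return {"permissions": perms, "session_timeout": session_timeout}

def login(username, password, secret, realm="myrealm", server_secret=None):
    """Run the whole exchange; server_secret lets you simulate a shared-secret mismatch."""
    request, req_auth = build_access_request(username, password, secret, realm)
    response = radius_server(request, server_secret or secret)
    return gateway_decision(response, req_auth, secret)
```

Two points the simulation makes visible: a user without a VSA gets exactly the RADIUS page defaults, and a shared-secret mismatch between the appliance and the server does not produce a quiet rejection but a Response Authenticator that fails to verify, which is the symptom to look for when RADIUS logins fail after a secret change on either side.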

To use RADIUS authentication

  1. Click Users in the main menu, and click the RADIUS tab.

    The RADIUS page appears.

  2. Complete the fields using the following table.
  3. Click Apply.
  4. To restore the default RADIUS settings, do the following:
    1. Click Default.

      A confirmation message appears.

    2. Click OK.

      The RADIUS settings are reset to their defaults. For information on the default values, refer to the following table.

  5. If desired, configure user permissions and/or the HotSpot session timeout on the RADIUS server.

    See Configuring RADIUS Attributes.

See Also

Managing Users

Changing Your Login Credentials

Adding and Editing Users

Adding Quick Guest HotSpot Users

Viewing and Deleting Users

Setting Up Remote VPN Access for Users

Configuring RADIUS Attributes

RADIUS Page Fields

In this field…

Do this…

Primary/Secondary RADIUS Server

Configure the primary and secondary RADIUS servers.

By default, the UTM-1 appliance sends a request to the primary RADIUS server first. If the primary RADIUS server does not respond after three attempts, the UTM-1 appliance sends the request to the secondary RADIUS server.

Address

Type the IP address of the computer that will run the RADIUS service (one of your network computers) or click the corresponding This Computer button to allow your computer to host the service.

To clear the text box, click Clear.

Port

Type the port number on the RADIUS server's host computer.

The default port number is 1812.

Shared Secret

Type the shared secret to use for secure communication with the RADIUS server.

Realm

If your organization uses RADIUS realms, type the realm to append to RADIUS requests. The realm will be appended to the username as follows: <username>@<realm>

For example, if you set the realm to "myrealm", and the user "JohnS" attempts to log in to the UTM-1 Portal, the UTM-1 appliance will send the RADIUS server an authentication request with the username "JohnS@myrealm".

This field is optional.

Timeout

Type the interval of time in seconds between attempts to communicate with the RADIUS server.

The default value is 3 seconds.

RADIUS User Permissions

If the RADIUS VSA (Vendor-Specific Attribute) is configured for a user, the fields in this area will have no effect, and the user will be granted the permissions specified in the VSA.

If the VSA is not configured for the user, the permissions configured in this area will be used.

Administrator Level

Select the level of access to the UTM-1 Portal to assign to all users authenticated by the RADIUS server.

The levels are:

  • No Access: The user cannot access the UTM-1 Portal.
  • Read Only: The user can log in to the UTM-1 Portal, but cannot modify system settings or export the appliance configuration via the Setup>Tools page. For example, you could assign this administrator level to technical support personnel who need to view the Event Log.
  • Read/Write: The user can log in to the UTM-1 Portal and modify system settings.

The default level is No Access.

VPN Remote Access

Select this option to allow all users authenticated by the RADIUS server to connect to this UTM-1 appliance using their VPN client.

For further information on setting up VPN remote access, see Setting Up Remote VPN Access for Users.

Web Filtering Override

Select this option to allow all users authenticated by the RADIUS server to override Web Filtering.

This option only appears if the Web Filtering service is defined.

HotSpot Access

Select this option to allow all users authenticated by the RADIUS server to access the My HotSpot page.

For information on Secure HotSpot, see Configuring Secure HotSpot.

Remote Desktop Access

Select this option to allow all users authenticated by the RADIUS server to log in to the my.firewall portal, view the Active Computers page, and remotely access computers' desktops, using the Remote Desktop feature.

Note: Authenticated users can perform these actions, even if their level of administrative access is "No Access".

For information on Remote Desktop, see Using Remote Desktop.

Users Manager

Select this option to allow all users authenticated by the RADIUS server to log in to the UTM-1 Portal and add, edit, or delete "No Access"-level users, but not modify other system settings.

For example, you could assign this administrator level to clerks who need to manage HotSpot users.
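The primary/secondary behaviour and the Timeout field from the table above, as an added example that is not part of the UTM-1 documentation: the appliance tries the primary server up to three times, waiting the configured timeout each time, and only then turns to the secondary. The transport is injected so the retry logic runs offline against a constructed transport; udp_transport shows the real datagram version and is not exercised by the simulation. Server addresses are documentation-range placeholders.

```python
"""Primary/secondary RADIUS failover with the table's defaults (port 1812, 3-second timeout, 3 attempts).
Added example with an injected transport; the fake transport and addresses are constructed."""
import socket

DEFAULT_PORT = 1812      # default port from the table
DEFAULT_TIMEOUT = 3.0    # default Timeout field, in seconds
MAX_ATTEMPTS = 3         # attempts against the primary before falling over to the secondary

class RadiusTimeout(Exception):
    """Raised by a transport when the server does not answer within the timeout."""

def udp_transport(server, timeout, packet):
    """Real transport: one UDP datagram to (host, port), waiting at most `timeout` seconds for a reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, server)
        try:
            return sock.recv(4096)
        except socket.timeout as exc:
            raise RadiusTimeout(server) from exc

def send_with_failover(transport, packet, primary, secondary=None, attempts=MAX_ATTEMPTS, timeout=DEFAULT_TIMEOUT):
    """Send to the primary up to `attempts` times; only then try the secondary the same way.
    Returns (reply or None, attempt log) so the caller can see which server answered and when."""
    log = []
    for server in [s for s in (primary, secondary) if s is not None]:
        for n in range(1, attempts + 1):
            try:
                reply = transport(server, timeout, packet)
            except RadiusTimeout:
                log.append((server, n, "timeout"))
                continue
            log.append((server, n, "reply"))
            return reply, log
    return None, log

def make_fake_transport(answering):
    """Constructed transport: servers listed in `answering` reply immediately, every other server times out."""
    def transport(server, timeout, packet):
        if server in answering:
            return answering[server]
        raise RadiusTimeout(server)
    return transport

def worst_case_delay(attempts=MAX_ATTEMPTS, timeout=DEFAULT_TIMEOUT):
    """Seconds a login waits before the secondary is even tried when the primary is unreachable."""
    return attempts * timeout

def demo(primary_up=False, secondary_up=True):
    """Placeholder addresses from the documentation range; returns the failover result and its log."""
    primary, secondary = ("192.0.2.10", DEFAULT_PORT), ("192.0.2.11", DEFAULT_PORT)
    answering = {}
    if primary_up:
        answering[primary] = b"Access-Accept from primary"
    if secondary_up:
        answering[secondary] = b"Access-Accept from secondary"
    return send_with_failover(make_fake_transport(answering), b"Access-Request", primary, secondary)
```

With the defaults, a dead primary costs 3 × 3 = 9 seconds of waiting before the secondary is contacted, and if both servers are down the user sees a failed login only after six timeouts; worst_case_delay makes that figure explicit when tuning the Timeout field, and the attempt log is the thing to compare against the RADIUS server's own log when a login is slow or fails.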