Using RADIUS Authentication

You can use Remote Authentication Dial-In User Service (RADIUS) to authenticate both UTM-1 appliance users and Remote Access VPN Clients trying to connect to the UTM-1 appliance.

Note: When RADIUS authentication is in use, the UTM-1 appliance must have a certificate.

When a user tries to log in to the UTM-1 Portal, the UTM-1 appliance sends the entered user name and password to the RADIUS server. The server then checks whether the RADIUS database contains a matching user name and password pair. If so, then the user is logged in.

By default, all RADIUS-authenticated users are assigned the set of permissions specified in the UTM-1 Portal's RADIUS page. However, you can configure the RADIUS server to pass the UTM-1 appliance a specific set of permissions to grant the authenticated user, instead of these default permissions. This is done by configuring the RADIUS Vendor-Specific Attribute (VSA) with a set of attributes containing permission information for specific users. If the VSA is configured for a user, then the RADIUS server passes the VSA to the UTM-1 appliance as part of the response to the authentication request, and the gateway assigns the user permissions as specified in the VSA. If the VSA is not returned by the RADIUS server for a specific user, the gateway will use the default permission set for this user.

In addition, you can configure the RADIUS server to pass the UTM-1 appliance a Secure HotSpot session timeout value. When the RADIUS server's Session-Timeout Attribute is configured, HotSpot users will be logged out after the specified session timeout has elapsed.

Finally, you can track network usage by configuring RADIUS accounting. When this option is enabled, the UTM-1 appliance sends session information to the RADIUS server at the beginning and end of a user session, including the unique session identifier, session start/end time, and additional statistical data. This data can then be used to charge the user for network usage and to compile performance reports. For example, when Secure HotSpot is enabled, you can use RADIUS accounting to measure HotSpot sessions and bill HotSpot users accordingly. You can also use third-party products with the RADIUS server to analyze RADIUS accounting data and generate performance reports for Secure HotSpot usage.

Note: You can configure the UTM-1 appliance to send accounting information to the RADIUS server throughout the entire session. This allows for richer data collection. For information, refer to the Embedded NGX CLI Reference Guide.
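The following Python is an added illustration, not code from the UTM-1 documentation or from Check Point: it builds the Access-Request described above (user name with the realm appended as <username>@<realm>, password hidden under the shared secret as RFC 2865 specifies) and parses the server's Access-Accept for the Session-Timeout attribute and a Vendor-Specific Attribute. The vendor ID, the VSA sub-attribute layout, the shared secret and the user credentials are constructed placeholders; the appliance's real VSA format is not given on this page.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC, SESSION_TIMEOUT = 1, 2, 26, 27
VENDOR_ID = 99999  # placeholder only; the appliance vendor's real IANA number is not on this page

def attr(atype, value):  # RADIUS attribute: type, length (including this 2-byte header), value
    return bytes([atype, 2 + len(value)]) + value

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR each 16-byte chunk with MD5(secret + previous cipher block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident, username, password, secret, realm=None, authenticator=None):
    """Access-Request as the appliance sends it; a realm is appended as <username>@<realm>."""
    authenticator = authenticator or os.urandom(16)  # 16 random bytes per request
    username = f"{username}@{realm}" if realm else username
    attrs = attr(USER_NAME, username.encode())
    attrs += attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_access_accept(ident, request_auth, secret, attrs):  # server side, for the round trip
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def parse_access_accept(packet, secret, request_auth):
    """Verify the Response Authenticator, then pull out Session-Timeout and our vendor's VSA."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if packet[4:20] != hashlib.md5(packet[:4] + request_auth + packet[20:length] + secret).digest():
        raise ValueError("Response Authenticator mismatch: reply was not keyed with the shared secret")
    result, pos = {"code": code, "session_timeout": None, "vsa": {}}, 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == SESSION_TIMEOUT:
            result["session_timeout"] = struct.unpack("!I", value)[0]
        elif atype == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == VENDOR_ID:
            sub = value[4:]  # sub-attributes reuse the type/length/value layout
            while len(sub) >= 2:
                result["vsa"][sub[0]] = sub[2:sub[1]]
                sub = sub[sub[1]:]
        pos += max(alen, 2)  # a zero length would otherwise loop forever on a malformed packet
    return result
```

build_access_request(7, "JohnS", "s3cret!", secret, realm="myrealm") yields the JohnS@myrealm request from the RADIUS Page Fields table; parse_access_accept rejects any reply whose Response Authenticator was not computed with the same shared secret.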

To use RADIUS authentication

  1. Click Users in the main menu, and click the RADIUS tab.

    The RADIUS page appears.

  2. Complete the fields using the following table.
  3. Click Apply.
  4. To restore the default RADIUS settings, do the following:
    1. Click Default.

      A confirmation message appears.

    2. Click OK.

      The RADIUS settings are reset to their defaults. For information on the default values, refer to the following table.

  5. If desired, configure user permissions and/or the HotSpot session timeout on the RADIUS server.

    See Configuring RADIUS Attributes.

See Also

Managing Users

Changing Your Login Credentials

Adding and Editing Users

Adding Quick Guest HotSpot Users

Viewing and Deleting Users

Setting Up Remote VPN Access for Users

Configuring RADIUS Attributes

RADIUS Page Fields

In this field…

Do this…

Primary/Secondary RADIUS Server

Configure the primary and secondary RADIUS servers.

By default, the UTM-1 appliance sends a request to the primary RADIUS server first. If the primary RADIUS server does not respond after three attempts, the UTM-1 appliance will send the request to the secondary RADIUS server.

Address

Type the IP address of the computer that will run the RADIUS service (one of your network computers) or click the corresponding This Computer button to allow your computer to host the service.

To clear the text box, click Clear.

Port

Type the port number on the RADIUS server’s host computer.

The default port number is 1812.

Shared Secret

Type the shared secret to use for secure communication with the RADIUS server.

Realm

If your organization uses RADIUS realms, type the realm to append to RADIUS requests. The realm will be appended to the username as follows: <username>@<realm>

For example, if you set the realm to “myrealm”, and the user "JohnS" attempts to log in to the UTM-1 Portal, the UTM-1 appliance will send the RADIUS server an authentication request with the username “JohnS@myrealm”.

This field is optional.

Timeout

Type the interval of time in seconds between attempts to communicate with the RADIUS server.

The default value is 3 seconds.

RADIUS Accounting

Select this option to enable RADIUS accounting on the server.

The Accounting Port field and the Advanced Accounting area appear.

Accounting Port

Type the port number on the RADIUS server's host computer to use for RADIUS accounting purposes.

The default port number is 1813.

RADIUS User Permissions

If the RADIUS VSA (Vendor-Specific Attribute) is configured for a user, the fields in this area will have no effect, and the user will be granted the permissions specified in the VSA.

If the VSA is not configured for the user, the permissions configured in this area will be used.

Administrator Level

Select the level of access to the UTM-1 Portal to assign to all users authenticated by the RADIUS server.

The levels are:

  • No Access: The user cannot access the UTM-1 Portal.
  • Read Only: The user can log in to the UTM-1 Portal, but cannot modify system settings or export the appliance configuration via the Setup>Tools page. For example, you could assign this administrator level to technical support personnel who need to view the Event Log.
  • Read/Write: The user can log in to the UTM-1 Portal and modify system settings.

The default level is No Access.

VPN Remote Access

Select this option to allow all users authenticated by the RADIUS server to connect to this UTM-1 appliance using their VPN client.

For further information on setting up VPN remote access, see Setting Up Remote VPN Access for Users.

Web Filtering Override

Select this option to allow all users authenticated by the RADIUS server to override Web Filtering.

This option only appears if the Web Filtering service is defined.

HotSpot Access

Select this option to allow all users authenticated by the RADIUS server to access the My HotSpot page.

For information on Secure HotSpot, see Configuring Secure HotSpot.

Remote Desktop Access

Select this option to allow all users authenticated by the RADIUS server to log in to the my.firewall portal, view the Active Computers page, and remotely access computers' desktops, using the Remote Desktop feature.

Note: Authenticated users can perform these actions, even if their level of administrative access is "No Access".

For information on Remote Desktop, see Using Remote Desktop.

Users Manager

Select this option to allow all users authenticated by the RADIUS server to log in to the UTM-1 Portal and add, edit, or delete "No Access"-level users, but not modify other system settings.

For example, you could assign this administrator level to clerks who need to manage HotSpot users.

Advanced Accounting

If you enabled RADIUS accounting, this area appears.

Send Periodic Updates

Select this option to specify that the UTM-1 appliance should send accounting information to the RADIUS server throughout a user session.

If you do not select this option, the UTM-1 appliance will only send accounting information to the RADIUS server at the beginning and end of the session.

Update Interval

The interval, in seconds, at which the UTM-1 appliance should send accounting information to the RADIUS server during a session.

The default value is 0.