RADIUS-based User Authentication
You can implement a third-party RADIUS server in your network for authenticating Web / Telnet management users, thereby preventing unauthorized access. RADIUS allows you to define different passwords for different interface users, with centralized management of the password database. When RADIUS is used, logging into the Web / Telnet interfaces is performed through the RADIUS server: the device verifies the authenticity of the username and password with the RADIUS server.
An alternative is to use an LDAP server, as discussed in the previous section.
➢ To enable RADIUS-based user authentication:

1. Open the Authentication Server page (Setup menu > Administration tab > WEB & CLI folder > Authentication Server), and then configure the following parameters:
   ● 'Enable RADIUS Access Control': Enable
   ● 'Use RADIUS for Web/Telnet Login': Enable
   [Figure: Enabling RADIUS for Web User Authentication]

2. Open the RADIUS Servers table (Setup menu > IP Network tab > AAA Servers folder > RADIUS Servers), and then configure the RADIUS authentication server for authenticating the device with the RADIUS server:
   [Figure: Configuring RADIUS Servers for Management User Authentication]

3. You can enhance security for incoming and outgoing RADIUS packets, using RADIUS attribute 80 (Message-Authenticator):
   ● Outgoing RADIUS messages: You can enable the device (Network Access Server / NAS), using the [RadiusPapRequireMsgAuthTx] parameter, to include the Message-Authenticator attribute in all Access-Request RADIUS packets sent to the RADIUS server. This is applicable only to the Password Authentication Protocol (PAP) authentication method.
   ● Incoming RADIUS messages: You can enable the device, using the [RadiusRequireMsgAuthRx] parameter, to require the presence of the Message-Authenticator attribute in all incoming Access-Accept RADIUS messages from the RADIUS server. If the attribute is not present, the device rejects the message and denies user login. This is applicable to Digest and PAP authentication methods.
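The incoming-message check in step 3, as an added example that is not the device vendor's code: a minimal RADIUS Access-Accept builder and the NAS-side verifier it is checked against, modelling what [RadiusRequireMsgAuthRx] enforces (attribute 80 must be present and its HMAC-MD5 must verify, per RFC 2869 section 5.14, in addition to the normal Response Authenticator check of RFC 2865). The shared secret, attribute values and Request Authenticator are constructed sample data.

```python
import hmac, hashlib, struct

ACCESS_ACCEPT, ATTR_USER_NAME, ATTR_MSG_AUTH = 2, 1, 80

def _hdr(code, ident, length):
    return struct.pack("!BBH", code, ident, length)

def _msg_auth(code, ident, length, req_auth, attr_bytes, secret):
    # RFC 2869 5.14: HMAC-MD5 over Code+ID+Length+RequestAuth+Attributes, with
    # the Message-Authenticator value itself taken as 16 zero octets. For a
    # reply, RequestAuth is the authenticator of the matching Access-Request.
    data = _hdr(code, ident, length) + req_auth + attr_bytes
    return hmac.new(secret, data, hashlib.md5).digest()

def build_access_accept(ident, req_auth, attrs, secret, with_attr80=True):
    # Server side (constructed for the test): build an Access-Accept, optionally stamping attribute 80.
    attrs = list(attrs) + ([(ATTR_MSG_AUTH, bytes(16))] if with_attr80 else [])
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    length = 20 + len(body)
    if with_attr80:  # the placeholder zeros are the last 16 octets of body
        body = body[:-16] + _msg_auth(ACCESS_ACCEPT, ident, length, req_auth, body, secret)
    # Response Authenticator (RFC 2865 section 3): MD5 over header+RequestAuth+attrs+secret
    resp_auth = hashlib.md5(_hdr(ACCESS_ACCEPT, ident, length) + req_auth + body + secret).digest()
    return _hdr(ACCESS_ACCEPT, ident, length) + resp_auth + body

def verify_access_accept(packet, req_auth, secret, require_attr80=True):
    """NAS-side check modelled on RadiusRequireMsgAuthRx: allow login only if the
    Response Authenticator is valid and, when required, attribute 80 is present
    and verifies. Returns True to allow login, False to deny."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    resp_auth, body = packet[4:20], packet[20:]
    expect = hashlib.md5(packet[:4] + req_auth + body + secret).digest()
    if not hmac.compare_digest(resp_auth, expect):
        return False
    off, mac_off = 0, None
    while off + 2 <= len(body):  # walk the TLV attribute list
        t, l = body[off], body[off + 1]
        if l < 2 or off + l > len(body) or (t == ATTR_MSG_AUTH and l != 18):
            return False  # malformed attribute list: reject
        if t == ATTR_MSG_AUTH:
            mac_off = off + 2
        off += l
    if mac_off is None:
        return not require_attr80  # attribute absent: deny when it is required
    zeroed = body[:mac_off] + bytes(16) + body[mac_off + 16:]
    mac = body[mac_off:mac_off + 16]
    return hmac.compare_digest(mac, _msg_auth(code, ident, length, req_auth, zeroed, secret))
```

Note that the Response Authenticator alone only binds the reply to the secret and the original request; attribute 80 adds a keyed MAC over the attribute list, which is why the device can be configured to refuse replies that omit it.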