For an introduction to RADIUS authentication in SonicOS Enhanced, see “Using RADIUS for Authentication” . If you selected RADIUS or RADIUS + Local Users from the Authentication method for login drop-down list on the Users > Settings page, the Configure button becomes available.
|
Step 1
|
Click
Configure
to set up your RADIUS server settings on the SonicWALL. The RADIUS
Configuration
window is displayed.
|
|
Step 2
|
Under
Global RADIUS Settings
, type in a value for the RADIUS Server Timeout (seconds)
. The allowable range is 1-60 seconds with a default value of 5.
|
|
Step 3
|
In the
Retries
field, enter the number of times the SonicWALL will attempt to contact the RADIUS server. If the RADIUS server does not respond within the specified number of retries, the connection is dropped. This field can range between 0 and 10, with a recommended setting of 3 RADIUS server retries.
|
In the RADIUS Servers section, you can designate the primary and optionally, the secondary RADIUS server. An optional secondary RADIUS server can be defined if a backup RADIUS server exists on the network.
|
Step 4
|
In the
Primary Server
section, type the host name or IP address of the RADIUS server in the Name or IP Address
field.
|
|
Step 5
|
Type the RADIUS server administrative password or “shared secret” in the
Shared Secret
field. The alphanumeric Shared Secret
can range from 1 to 31 characters in length. The shared secret is case sensitive.
|
|
Step 6
|
Type the
Port Number
for the RADIUS server to use for communication with the SonicWALL. The default is 1812.
|
|
Step 7
|
In the
Secondary
Server
section, optionally type the host name or IP address of the secondary RADIUS server in the Name or IP Address
field.
|
|
Step 8
|
Type the RADIUS server administrative password or “shared secret” in the
Shared Secret
field. The alphanumeric Shared Secret
can range from 1 to 31 characters in length. The shared secret is case sensitive.
|
|
Step 9
|
Type the
Port Number
for the secondary RADIUS server to use for communication with the SonicWALL. The default is 1812.
|
On the RADIUS Users tab you can specify what types of local or LDAP information to use in combination with RADIUS authentication. You can also define the default user group for RADIUS users.
To configure the RADIUS user settings:
|
Step 1
|
On the
RADIUS Users
tab, select Allow only users listed locally
if only the users listed in the SonicWALL database are authenticated using RADIUS.
|
|
Step 2
|
|
•
|
Select
Use SonicWALL vendor-specific attribute on RADIUS server
to apply a configured vendor-specific attribute from the RADIUS server. The attribute must provide the user group to which the user belongs.
|
|
•
|
Select
Use RADIUS Filter-ID attribute on RADIUS server
to apply a configured Filter-ID attribute from the RADIUS server. The attribute must provide the user group to which the user belongs.
|
|
•
|
Select
Use LDAP to retrieve user group information
to obtain the user group from the LDAP server. You can click the Configure button to set up LDAP if you have not already configured it or if you need to make a change. For information about configuring LDAP, see “Configuring the SonicWALL Appliance for LDAP”
.
|
|
•
|
If you do not plan to retrieve user group information from RADIUS or LDAP, select
Local
configuration only
.
|
|
•
|
For a shortcut for managing RADIUS user groups, check
Memberships can be set locally
by duplicating RADIUS user names
. When you create users with the same name locally on the security appliance and manage their group memberships, the memberships in the RADIUS database will automatically change to mirror your local changes.
|
|
Step 3
|
If you have previously configured User Groups on the SonicWALL, select the group from the
Default user group to which all RADIUS users belong
drop-down list.
|
In the RADIUS User Settings screen, you can create a new group by choosing Create a new user group... from the Default user group to which all RADIUS users belong drop-down list:
|
Step 1
|
Select
Create a new user group...
The Add Group window displays.
|
|
Step 2
|
In the
Settings
tab, enter a name for the group. You may enter a descriptive comment as well.
|
|
Step 3
|
In the
Members
tab, select the members of the group. Select the users or groups you want to add in the left column and click the ->
button. Click Add All
to add all users and groups.
|
|
Note
|
You can add any group as a member of another group except
Everybody
and All RADIUS
Users
. Be aware of the membership of the groups you add as members of another group.
|
|
Step 4
|
In the
VPN Access
tab, select the network resources to which this group will have VPN Access by default.
|
|
Step 5
|
If you have Content Filtering Service (CFS) on your security appliance, you can configure the
content filtering policy for this group on the CFS Policy
tab. See Security Services > Content Filter
for instructions on registering for and managing the SonicWALL Content Filtering Service.
|
When RADIUS is used for user authentication, there is an option on the RADIUS Users page in the RADIUS configuration to allow LDAP to be selected as the mechanism for setting user group memberships for RADIUS users:
When Use LDAP to retrieve user group information is selected, after authenticating a user via RADIUS, his/her user group membership information will be looked up via LDAP in the directory on the LDAP/AD server.
|
Note
|
If this mechanism is
not
selected, and one-time password is enabled, a RADIUS user will be receive a one-time password fail message when attempting to login through SSL VPN.
|
Clicking the Configure button launches the LDAP configuration window.
Note that in this case LDAP is not dealing with user passwords and the information that it reads from the directory is normally unrestricted, so operation without TLS could be selected, ignoring the warnings, if TLS is not available (e.g. if certificate services are not installed with Active Directory). However, it must be ensured that security is not compromised by the SonicWALL doing a clear-text login to the LDAP server – e.g. create a user account with read-only access to the directory dedicated for the SonicWALL’s use. Do not use the administrator account in this case.
In the RADIUS Configuration dialog box, you can test your RADIUS Client user name, password and other settings by typing in a valid user name and password and selecting one of the authentication choices for Test . Performing the test will apply any changes that you have made.
|
Step 1
|
In the
User
field, type a valid RADIUS login name.
|
|
Step 2
|
In the
Password
field, type the password.
|
|
Step 3
|
For
Test
, select one of the following:
|
|
•
|
Password authentication
: Select this to use the password for authentication.
|
|
•
|
CHAP
: Select this to use the Challenge Handshake Authentication Protocol. After initial verification, CHAP periodically verifies the identity of the client by using a three-way handshake.
|
|
•
|
MSCHAP
: Select this to use the Microsoft implementation of CHAP. MSCHAP works for all Windows versions before Windows Vista.
|
|
•
|
MSCHAPv2
: Select this to use the Microsoft version 2 implementation of CHAP. MSCHAPv2 works for Windows 2000 and later versions of Windows.
|
|
Step 4
|
Click the
Test
button. If the validation is successful, the Status
messages changes to Success
. If the validation fails, the Status
message changes to Failure
.
|
To complete the RADIUS configuration, click OK .
Once the SonicWALL has been configured, a VPN Security Association requiring RADIUS authentication prompts incoming VPN clients to type a User Name and Password into a dialog box.