Configuring RADIUS Authentication

For an introduction to RADIUS authentication in SonicOS, see Using RADIUS for Authentication. If you selected RADIUS or RADIUS + Local Users from the Authentication method for login drop-down menu on the Users > Settings page, the Configure button becomes available.

A separate Configure button for RADIUS is also available if you selected Browser NTLM authentication only from the Single-sign-on method drop-down menu, or in various cases where configuration elsewhere may require that RADIUS be used. The configuration process is the same.

The actual authentication method is selected automatically when using RADIUS, so there are no configuration options for it in the RADIUS configuration window. RADIUS is fully secure in any mode, including its standard mode (often inaccurately referred to as PAP mode) as well as CHAP, MSCHAP, and MSCHAPv2, so there is generally no reason to force RADIUS CHAP mode versus standard RADIUS mode. The only reason to choose MSCHAP/MSCHAPv2 is to make use of the password updating feature these offer, and this can be configured elsewhere.

NOTE: Standard mode RADIUS is a secure back end that can be used with various front ends, including the insecure PPP PAP protocol. The SonicWall network security appliance uses it with a secure front end over HTTPS/SSL or IPsec, and so the entire authentication channel from the user to the RADIUS server is secure (even if PPP PAP is used with L2TP, it is secure as it runs over IPsec).

The following points describe the selection of authentication methods when using RADIUS:

Topics: