For an introduction to RADIUS authentication in SonicOS Enhanced, see “Using RADIUS for Authentication”. If you selected RADIUS or RADIUS + Local Users from the Authentication method for login drop-down list on the Users > Settings page, the Configure button becomes available.

A separate Configure button for RADIUS is also available if you selected Browser NTLM authentication only from the Single-sign-on method drop-down list, or in various cases where configuration elsewhere may require that RADIUS be used. The configuration process is the same.

The actual authentication method is selected automatically when using RADIUS, so there are no configuration options for it in the RADIUS configuration window. RADIUS is fully secure in any mode, including its standard mode (often inaccurately referred to as PAP mode¹) as well as CHAP, MSCHAP, and MSCHAPv2, so there is generally no reason to force RADIUS CHAP mode versus standard RADIUS mode. The only reason to choose MSCHAP/MSCHAPv2 is to make use of the password updating feature these offer, and this can be configured elsewhere.

The following points describe the selection of authentication methods when using RADIUS:

• The Allow HTTP login with RADIUS CHAP mode option on the Users > Settings page allows users to log in via HTTP rather than HTTPS when using RADIUS to authenticate them. CHAP mode provides a challenge protocol for authentication so that the browser does not send the user’s password in the clear over HTTP.
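The difference between standard mode and CHAP mode described above is easiest to see on the wire. The following is an added example, not code from this guide or from SonicWALL: it implements the User-Password hiding that a RADIUS client performs in standard ("PAP") mode (RFC 2865 section 5.2) and the CHAP-Password computation (RFC 2865 section 5.3), together with the server-side checks. The shared secret, Request Authenticator, challenge and passwords are constructed values.

```python
import hashlib
import hmac
import secrets


def new_request_authenticator() -> bytes:
    """RFC 2865 section 3: the 16-byte Request Authenticator must be unpredictable,
    because it seeds the User-Password hiding below."""
    return secrets.token_bytes(16)


def hide_user_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Standard ("PAP") mode, RFC 2865 section 5.2: the password is never put on the
    wire as-is. It is NUL-padded to a multiple of 16 bytes and each block is XORed
    with MD5(shared_secret + previous_block), seeded with the Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block  # the chain continues from the hidden block, as the RFC specifies
    return bytes(hidden)


def unhide_user_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as the RADIUS server performs it. Anyone holding
    the shared secret can do this, so standard mode is only as strong as that secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password length must be a non-zero multiple of 16")
    plain = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(shared_secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(plain).rstrip(b"\x00")  # strip the NUL padding


def chap_password(chap_ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP mode, RFC 2865 section 5.3 / RFC 1994: the client sends
    MD5(ident + password + challenge); the password itself never leaves the client."""
    if not 0 <= chap_ident <= 255:
        raise ValueError("CHAP ident is a single byte")
    return hashlib.md5(bytes([chap_ident]) + password + challenge).digest()


def chap_verify(chap_ident: int, response: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """Server side: recompute the hash from the stored cleartext password and compare in
    constant time. Note that the server must hold the cleartext password for CHAP to work."""
    return hmac.compare_digest(chap_password(chap_ident, stored_password, challenge), response)


if __name__ == "__main__":
    # Constructed demo values; a real client draws the authenticator from new_request_authenticator().
    secret, ra, challenge = b"constructed-shared-secret", bytes(range(16)), bytes(range(16, 32))
    hidden = hide_user_password(b"p@ss", secret, ra)
    print("hidden User-Password:", hidden.hex())
    print("server recovers:", unhide_user_password(hidden, secret, ra))
    print("CHAP ok:", chap_verify(7, chap_password(7, b"p@ss", challenge), challenge, b"p@ss"))
```

Two points follow from the code that matter when choosing a mode: in standard mode the server (or anyone who obtains the shared secret) can recover the cleartext password from the packet, so the shared secret and the path between the SonicWALL and the RADIUS server carry the whole burden; in CHAP mode the password does not cross the wire, but the RADIUS server must store it in cleartext or a reversible form to recompute the hash.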
To configure RADIUS settings:

Step 1  Click Configure to set up your RADIUS server settings on the SonicWALL. The RADIUS Configuration window is displayed.

Step 2  Under Global RADIUS Settings, type in a value for the RADIUS Server Timeout (seconds). The allowable range is 1-60 seconds with a default value of 5.

Step 3  In the Retries field, enter the number of times the SonicWALL will attempt to contact the RADIUS server. If the RADIUS server does not respond within the specified number of retries, the connection is dropped. This field can range between 0 and 10, with a recommended setting of 3 RADIUS server retries.

In the RADIUS Servers section, you can designate the primary and, optionally, the secondary RADIUS server. An optional secondary RADIUS server can be defined if a backup RADIUS server exists on the network.

Step 1  In the Primary Server section, type the host name or IP address of the RADIUS server in the Name or IP Address field.

Step 3  Type the Port Number for the RADIUS server to use for communication with the SonicWALL. The default is 1812.

Step 4  In the Secondary Server section, optionally type the host name or IP address of the secondary RADIUS server in the Name or IP Address field.

Step 6  Type the Port Number for the secondary RADIUS server to use for communication with the SonicWALL. The default is 1812.

On the RADIUS Users tab you can specify what types of local or LDAP information to use in combination with RADIUS authentication. You can also define the default user group for RADIUS users.

To configure the RADIUS user settings:

Step 1  On the RADIUS Users tab, select Allow only users listed locally if only the users listed in the SonicWALL database are authenticated using RADIUS.

• Select Use SonicWALL vendor-specific attribute on RADIUS server to apply a configured vendor-specific attribute from the RADIUS server. The attribute must provide the user group to which the user belongs.

• Select Use RADIUS Filter-ID attribute on RADIUS server to apply a configured Filter-ID attribute from the RADIUS server. The attribute must provide the user group to which the user belongs.

• Select Use LDAP to retrieve user group information to obtain the user group from the LDAP server. You can click the Configure button to set up LDAP if you have not already configured it or if you need to make a change. For information about configuring LDAP, see “Configuring the SonicWALL Appliance for LDAP”.

• For a shortcut for managing RADIUS user groups, check Memberships can be set locally by duplicating RADIUS user names. When you create users with the same name locally on the security appliance and manage their group memberships, the memberships in the RADIUS database will automatically change to mirror your local changes.
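To make concrete what the vendor-specific attribute and Filter-ID options require of the RADIUS server's reply, here is an added example that is not from this guide or from SonicWALL. It parses an Access-Accept, checks the Response Authenticator against the shared secret before trusting anything in the packet (RFC 2865 section 3), and then extracts the group name either from Filter-ID (attribute 11) or from a Vendor-Specific attribute (attribute 26). The page does not give SonicWALL's enterprise number or the layout of its group attribute, so EXAMPLE_VENDOR_ID and EXAMPLE_VSA_GROUP_TYPE are placeholders, and the packets are constructed in the test and demo code.

```python
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

CODE_ACCESS_ACCEPT = 2
CODE_ACCESS_REJECT = 3
ATTR_FILTER_ID = 11          # RFC 2865 section 5.11
ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 section 5.26

# Placeholders: this page gives neither SonicWALL's enterprise number nor the layout
# of its group VSA, so both values below are constructed for the example only.
EXAMPLE_VENDOR_ID = 99999
EXAMPLE_VSA_GROUP_TYPE = 1


def parse_attributes(body: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute TLVs: 1-byte type, 1-byte length (header included), value.
    Malformed lengths raise rather than silently skipping data."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        attrs.append((atype, body[i + 2:i + alen]))
        i += alen
    return attrs


def parse_vsa(value: bytes) -> Tuple[int, List[Tuple[int, bytes]]]:
    """Vendor-Specific value: 4-byte vendor id, then vendor-type/vendor-length/data triples,
    which use the same TLV layout as top-level attributes."""
    if len(value) < 4:
        raise ValueError("VSA shorter than its vendor id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    return vendor_id, parse_attributes(value[4:])


def verify_response_authenticator(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    A reply that fails this check was not produced by a holder of the shared secret
    (or does not answer our request) and must be discarded."""
    if len(packet) < 20:
        return False
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!H", header[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def user_group_from_reply(packet: bytes, mode: str) -> Optional[str]:
    """Return the group name an Access-Accept carries, in either of the two modes the
    RADIUS Users tab offers; None for an Access-Reject or when the attribute is absent."""
    if mode not in ("filter-id", "vsa"):
        raise ValueError("mode must be 'filter-id' or 'vsa'")
    if packet[0] != CODE_ACCESS_ACCEPT:
        return None
    for atype, value in parse_attributes(packet[20:]):
        if mode == "filter-id" and atype == ATTR_FILTER_ID:
            return value.decode("utf-8")
        if mode == "vsa" and atype == ATTR_VENDOR_SPECIFIC:
            vendor_id, subs = parse_vsa(value)
            if vendor_id != EXAMPLE_VENDOR_ID:
                continue  # some other vendor's attribute; ignore it
            for vtype, data in subs:
                if vtype == EXAMPLE_VSA_GROUP_TYPE:
                    return data.decode("utf-8")
    return None


def build_attribute(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def build_vsa(vendor_id: int, vtype: int, data: bytes) -> bytes:
    return build_attribute(ATTR_VENDOR_SPECIFIC,
                           struct.pack("!I", vendor_id) + build_attribute(vtype, data))


def build_reply(code: int, ident: int, request_authenticator: bytes, secret: bytes,
                attrs: List[bytes]) -> bytes:
    """Construct a server reply with a valid Response Authenticator (test input only)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


if __name__ == "__main__":
    # Constructed values standing in for a real exchange.
    ra, secret = bytes(range(16)), b"constructed-shared-secret"
    reply = build_reply(CODE_ACCESS_ACCEPT, 1, ra, secret,
                        [build_attribute(ATTR_FILTER_ID, b"VPN Users")])
    print("authentic:", verify_response_authenticator(reply, ra, secret))
    print("group:", user_group_from_reply(reply, "filter-id"))
```

Whichever option is chosen on the RADIUS Users tab, the group name is only as trustworthy as the reply it arrived in, which is why the authenticator check comes before attribute parsing; a client that reads Filter-ID from an unverified datagram would let anyone who can spoof UDP toward the appliance choose the user's group.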
In the RADIUS User Settings screen, you can create a new group by choosing Create a new user group... from the Default user group to which all RADIUS users belong drop-down list:

Step 1  Select Create a new user group... The Add Group window displays.

Step 2  In the Settings tab, enter a name for the group. You may enter a descriptive comment as well.

Step 3  In the Members tab, select the members of the group. Select the users or groups you want to add in the left column and click the -> button. Click Add All to add all users and groups.

Step 4  In the VPN Access tab, select the network resources to which this group will have VPN Access by default.

When RADIUS is used for user authentication, there is an option on the RADIUS Users page in the RADIUS configuration to allow LDAP to be selected as the mechanism for setting user group memberships for RADIUS users. When Use LDAP to retrieve user group information is selected, after authenticating a user via RADIUS, his/her user group membership information will be looked up via LDAP in the directory on the LDAP/AD server.

Note  If this mechanism is not selected, and one-time password is enabled, a RADIUS user will receive a one-time password fail message when attempting to log in through SSL VPN.

Clicking the Configure button launches the LDAP configuration window. Note that in this case LDAP is not dealing with user passwords and the information that it reads from the directory is normally unrestricted, so operation without TLS could be selected, ignoring the warnings, if TLS is not available (e.g. if certificate services are not installed with Active Directory). However, it must be ensured that security is not compromised by the SonicWALL doing a clear-text login to the LDAP server – e.g. create a user account with read-only access to the directory dedicated for the SonicWALL’s use. Do not use the administrator account in this case.

In the RADIUS Configuration dialog box, you can test your RADIUS Client user name, password and other settings by typing in a valid user name and password and selecting one of the authentication choices for Test. Performing the test will apply any changes that you have made.

To test your RADIUS settings:

Step 1  In the User field, type a valid RADIUS login name.

Step 2  In the Password field, type the password.

Step 3  For Test, select one of the following:

• CHAP: Select this to use the Challenge Handshake Authentication Protocol. After initial verification, CHAP periodically verifies the identity of the client by using a three-way handshake.

• MSCHAP: Select this to use the Microsoft implementation of CHAP. MSCHAP works for all Windows versions before Windows Vista.

• MSCHAPv2: Select this to use the Microsoft version 2 implementation of CHAP. MSCHAPv2 works for Windows 2000 and later versions of Windows.

Step 4  Click the Test button. If the validation is successful, the Status message changes to Success. If the validation fails, the Status message changes to Failure.

To complete the RADIUS configuration, click OK.

Once the SonicWALL has been configured, a VPN Security Association requiring RADIUS authentication prompts incoming VPN clients to type a User Name and Password into a dialog box.