PANEL_radiusProps

Configuring RADIUS Authentication

For an introduction to RADIUS authentication in SonicOS Enhanced, see Using RADIUS for Authentication . If you selected RADIUS or RADIUS + Local Users from the Authentication method for login drop-down list on the Users > Settings page, the Configure button becomes available.

A separate Configure button for RADIUS is also available if you selected Browser NTLM authentication only from the Single-sign-on method drop-down list, or in various cases where configuration elsewhere may require that RADIUS be used. The configuration process is the same.

The actual authentication method is selected automatically when using RADIUS, so there are no configuration options for it in the RADIUS configuration window. RADIUS is fully secure in any mode, including its standard mode (often inaccurately referred to as PAP mode1 ) as well as CHAP, MSCHAP, and MSCHAPv2, so there is generally no reason to force RADIUS CHAP mode versus standard RADIUS mode. The only reason to choose MSCHAP/MSCHAPv2 is to make use of the password updating feature these offer, and this can be configured elsewhere.

The following points describe the selection of authentication methods when using RADIUS:

 
With L2TP, the relevant RADIUS protocol is automatically selected according to the PPP protocol being used.
 
With VPN including Global VPN Client, RADIUS MSCHAP/MSCHAPv2 mode can be forced to allow password updating. This can be selected in the VPN > Advanced page and the SSL VPN > Server Settings page.
 
Other scenarios all involve authenticating internal users and there is no need to provide a mechanism for password update (they can do it locally on their PCs). Standard RADIUS mode is used in this case.
 
The Allow HTTP login with RADIUS CHAP mode option on the Users > Settings page allows users to log in via HTTP rather than HTTPS when using RADIUS to authenticate them. CHAP mode provides a challenge protocol for authentication so that the browser does not send the user’s password in the clear over HTTP.

To configure RADIUS settings:

Step 1
Click Configure to set up your RADIUS server settings on the SonicWALL. The RADIUS Configuration window is displayed.
Step 2
Under Global RADIUS Settings , type in a value for the RADIUS Server Timeout (seconds) . The allowable range is 1-60 seconds with a default value of 5.
Step 3
In the Retries field, enter the number of times the SonicWALL will attempt to contact the RADIUS server. If the RADIUS server does not respond within the specified number of retries, the connection is dropped. This field can range between 0 and 10, with a recommended setting of 3 RADIUS server retries.

RADIUS Servers

In the RADIUS Servers section, you can designate the primary and optionally, the secondary RADIUS server. An optional secondary RADIUS server can be defined if a backup RADIUS server exists on the network.

Step 1
In the Primary Server section, type the host name or IP address of the RADIUS server in the Name or IP Address field.
Step 2
Type the RADIUS server administrative password or “shared secret” in the Shared Secret field. The alphanumeric Shared Secret can range from 1 to 31 characters in length. The shared secret is case sensitive.
Step 3
Type the Port Number for the RADIUS server to use for communication with the SonicWALL. The default is 1812.
Step 4
In the Secondary Server section, optionally type the host name or IP address of the secondary RADIUS server in the Name or IP Address field.
Step 5
Type the RADIUS server administrative password or “shared secret” in the Shared Secret field. The alphanumeric Shared Secret can range from 1 to 31 characters in length. The shared secret is case sensitive.
Step 6
Type the Port Number for the secondary RADIUS server to use for communication with the SonicWALL. The default is 1812.

RADIUS Users

On the RADIUS Users tab you can specify what types of local or LDAP information to use in combination with RADIUS authentication. You can also define the default user group for RADIUS users.

RADIUS Users Settings

To configure the RADIUS user settings:

Step 1
On the RADIUS Users tab, select Allow only users listed locally if only the users listed in the SonicWALL database are authenticated using RADIUS.
Step 2
Select the mechanism used for setting user group memberships for RADIUS users from the following choices:
 
Select Use SonicWALL vendor-specific attribute on RADIUS server to apply a configured vendor-specific attribute from the RADIUS server. The attribute must provide the user group to which the user belongs.
 
Select Use RADIUS Filter-ID attribute on RADIUS server to apply a configured Filter-ID attribute from the RADIUS server. The attribute must provide the user group to which the user belongs.
 
Select Use LDAP to retrieve user group information to obtain the user group from the LDAP server. You can click the Configure button to set up LDAP if you have not already configured it or if you need to make a change. For information about configuring LDAP, see Configuring the SonicWALL Appliance for LDAP .
 
If you do not plan to retrieve user group information from RADIUS or LDAP, select Local configuration only .
 
For a shortcut for managing RADIUS user groups, check Memberships can be set locally by duplicating RADIUS user names . When you create users with the same name locally on the security appliance and manage their group memberships, the memberships in the RADIUS database will automatically change to mirror your local changes.
Step 3
If you have previously configured User Groups on the SonicWALL, select the group from the Default user group to which all RADIUS users belong drop-down list.

Creating a New User Group for RADIUS Users

In the RADIUS User Settings screen, you can create a new group by choosing Create a new user group... from the Default user group to which all RADIUS users belong drop-down list:

Step 1
Select Create a new user group... The Add Group window displays.

 

Step 2
In the Settings tab, enter a name for the group. You may enter a descriptive comment as well.
Step 3
In the Members tab, select the members of the group. Select the users or groups you want to add in the left column and click the -> button. Click Add All to add all users and groups.
 
Note
You can add any group as a member of another group except Everybody and All RADIUS Users . Be aware of the membership of the groups you add as members of another group.
Step 4
In the VPN Access tab, select the network resources to which this group will have VPN Access by default.
 
Note
Group VPN access settings affect remote clients and SSL VPN Virtual Office bookmarks.
Step 5
If you have Content Filtering Service (CFS) on your security appliance, you can configure the content filtering policy for this group on the CFS Policy tab. See “Security Services > Content Filter” for instructions on registering for and managing the SonicWALL Content Filtering Service.

RADIUS with LDAP for user groups

When RADIUS is used for user authentication, there is an option on the RADIUS Users page in the RADIUS configuration to allow LDAP to be selected as the mechanism for setting user group memberships for RADIUS users:

When Use LDAP to retrieve user group information is selected, after authenticating a user via RADIUS, his/her user group membership information will be looked up via LDAP in the directory on the LDAP/AD server.

 
Note
If this mechanism is not selected, and one-time password is enabled, a RADIUS user will be receive a one-time password fail message when attempting to log in through SSL VPN.

Clicking the Configure button launches the LDAP configuration window.

Note that in this case LDAP is not dealing with user passwords and the information that it reads from the directory is normally unrestricted, so operation without TLS could be selected, ignoring the warnings, if TLS is not available (e.g. if certificate services are not installed with Active Directory). However, it must be ensured that security is not compromised by the SonicWALL doing a clear-text login to the LDAP server – e.g. create a user account with read-only access to the directory dedicated for the SonicWALL’s use. Do not use the administrator account in this case.

RADIUS Client Test

In the RADIUS Configuration dialog box, you can test your RADIUS Client user name, password and other settings by typing in a valid user name and password and selecting one of the authentication choices for Test . Performing the test will apply any changes that you have made.

To test your RADIUS settings:

Step 1
In the User field, type a valid RADIUS login name.
Step 2
In the Password field, type the password.
Step 3
For Test , select one of the following:
 
Password authentication : Select this to use the password for authentication.
 
CHAP : Select this to use the Challenge Handshake Authentication Protocol. After initial verification, CHAP periodically verifies the identity of the client by using a three-way handshake.
 
MSCHAP : Select this to use the Microsoft implementation of CHAP. MSCHAP works for all Windows versions before Windows Vista.
 
MSCHAPv2 : Select this to use the Microsoft version 2 implementation of CHAP. MSCHAPv2 works for Windows 2000 and later versions of Windows.
Step 4
Click the Test button. If the validation is successful, the Status messages changes to Success . If the validation fails, the Status message changes to Failure .

To complete the RADIUS configuration, click OK .

Once the SonicWALL has been configured, a VPN Security Association requiring RADIUS authentication prompts incoming VPN clients to type a User Name and Password into a dialog box.


1

Standard mode RADIUS is a secure back end that can be used with various front ends, including the insecure PPP PAP protocol. The SonicWALL network security appliance uses it with a secure front end over HTTPS/SSL or IPSec, and so the entire authentication channel from the user to the RADIUS server is secure (even if PPP PAP is used with L2TP, it is secure since it runs over IPSec).