Adding or Editing a Domain with RADIUS Authentication
To configure a domain with RADIUS authentication
On the Portals > Domains page, click Add Domain, or click the Configure icon for the domain you want to edit.
The Add Domain or Edit Domain page displays.
If adding the domain, select RADIUS from the Authentication type menu. The RADIUS configuration fields are displayed.
If adding the domain, enter a descriptive name for the authentication domain in the Domain name field. This is the domain name users select when they log in to the Secure Mobile Access portal.
Select the Authentication Protocol your RADIUS server expects: PAP, CHAP, MSCHAP, or MSCHAPV2. With PAP the user's password crosses the network hidden only by an MD5 keystream derived from the shared secret (RFC 2865), so prefer MSCHAPV2 where the server supports it and keep the appliance-to-RADIUS path on a trusted network.
Under Primary Radius server, enter the IP address or domain name of the RADIUS server in the RADIUS server address field.
Enter the RADIUS server port in the RADIUS server port field (authentication normally uses UDP port 1812; some older servers listen on 1645).
If required by your RADIUS configuration, enter the shared secret in the Secret password field. It must match the secret the RADIUS server has configured for this appliance's address: the server uses it to unhide the PAP password and to compute the Response Authenticator on every reply, so choose a long random value and do not reuse it for other RADIUS clients.
Under Backup Radius Server, enter the IP address or domain name of the backup RADIUS server in the RADIUS server address field.
Enter the backup RADIUS server port in the RADIUS server port field.
If required by the backup RADIUS server, enter an authentication secret for the backup RADIUS server in the Secret password field.
Enter the test user ID in the Test User ID field.
Enter the test password in the Test Password field.
Enter a number (in seconds) for RADIUS timeout in the RADIUS Timeout (Seconds) field.
Enter the maximum number of retries in the Max Retries field.
Optionally, if using RADIUS for group-based access, select Use Filter-ID for RADIUS Groups. The appliance then maps the Filter-Id attributes returned in the server's Access-Accept replies to Secure Mobile Access groups.
Optionally, select Use Client IP for RADIUS Server Logging to report the remote user's client IP address to the RADIUS server instead of the SMA appliance's own address.
Select the portal layout from the Portal name drop-down menu.
If you selected the Authentication Protocol for your RADIUS server as MSCHAP or MSCHAPV2, you have the option to select Allow password changes. Note that if you enable password changes, you must also deploy the LAN Manager authentication.
Optionally select Enable client certificate enforcement to require the use of client certificates for login. By checking this box, you require the client to present a client certificate for strong mutual authentication. Two additional fields appear:
Verify username matches Common Name (CN) of client certificate – Select this check box to require that the user’s account name match their client certificate.
Verify partial DN in subject – Use the following variables to configure a partial DN that matches the client certificate:
Domain name: %USERDOMAIN%
Active Directory username: %ADUSERNAME%
Select Delete external user accounts on logout to remove the local account the appliance keeps for an externally authenticated user (one who is not logged in to a locally defined account) when that user logs out.
Select Only allow users listed locally to accept only users who are also configured locally on the appliance, while still authenticating them against RADIUS.
Select Auto-assign groups at login to assign users to a group when they log in. Users logging into RADIUS domains are automatically assigned in real time to Secure Mobile Access groups based on their external RADIUS filter-IDs. If a user’s external group membership has changed, their Secure Mobile Access group membership automatically changes to match the external group membership.
Optionally select One-time passwords to enable the One-time password feature. A drop-down menu appears in which you can select if configured, required for all users, or using domain name. These are defined as:
if configured – Only users who have a One Time Password email address configured use the One Time Password feature.
required for all users – All users must use the One Time Password feature. Users who do not have a One Time Password email address configured are not allowed to log in.
using domain name – All users in the domain use the One Time Password feature, and their One Time Password emails are sent to their user name at the e-mail domain you specify.
If you select using domain name, an E-mail domain field appears following the drop-down menu. Type in the domain name where one-time password emails are sent (for example, abc.com).
Optionally select Always on VPN to allow uninterrupted VPN access. Three additional options appear:
Allow user to disconnect.
Allow accessing network if VPN fails to connect.
Don't connect VPN in Trusted Network.
Select an option from the Require Device Register drop-down menu:
Select Use Global Settings to apply the global setting to this domain.
Select Enable to enable this feature regardless of the global setting.
Select Disable to disable this feature regardless of the global setting.
Click Accept to save the configuration. The new domain appears in the table on the Portals > Domains page.
Click Configure next to the RADIUS domain you added.
Enter your RADIUS user ID in the User ID field and your RADIUS password in the Password field.
Click Test. The SMA appliance connects to your RADIUS server.
If you receive the message Server not responding, the appliance received no reply at all. That usually means the server is unreachable on the configured address and port, or the appliance's IP address is not registered as a client on the RADIUS server (servers silently drop requests from unknown clients); a shared-secret mismatch can produce the same symptom, because many servers discard requests they cannot authenticate. A wrong user ID or password normally yields an explicit Access-Reject instead. Check your user ID and password, then click the General tab to verify the server address, port, and secret, and run the test again.