Configure a RADIUS Authentication Object

Configure external authentication to allow management users to be authenticated using a RADIUS server.

Note

You must have administrator privileges to perform this task.

Procedure


Step 1

In the External Authentication Object page, select RADIUS from the Authentication Method drop-down list and enter appropriate values in these fields:

  1. Check the Enabled Message Authenticator check box to require the Message-Authenticator attribute in all RADIUS responses, ensuring that every response from the RADIUS server is securely verified by the Firewall Threat Defense.

    This feature is enabled by default for new RADIUS servers. We recommend you enable it for existing servers after the upgrade. Disabling message authenticators may expose your firewalls to potential attacks. Ensure that your RADIUS server is configured to include the Message-Authenticator attribute in its responses.

  2. Define users on the RADIUS server using the Service-Type attribute.

    This is the list of supported values for the Service-Type attribute:

    • Administrator (6)—Provides Config access authorization to the CLI. These users can use all commands in the CLI.

    • NAS Prompt (7) or any level other than 6—Provides Basic access authorization to the CLI. These users can use read-only commands, such as show commands, for monitoring and troubleshooting purposes.

    The names must be Linux-valid usernames:

    • Maximum 32 alphanumeric characters, plus hyphen (-) and underscore (_)

    • All lowercase

    • Cannot start with hyphen (-); cannot be all numbers; cannot include a period (.), at sign (@), or slash (/)

    Alternatively, you can predefine users in the external authentication object (see Step 7). To use the same RADIUS server for the Firewall Threat Defense and Cloud-Delivered Firewall Management Center while using the Service-Type attribute method for the Firewall Threat Defense, create two external authentication objects that identify the same RADIUS server: one object includes the predefined CLI Access Filter users (for use with the Cloud-Delivered Firewall Management Center), and the other object leaves the CLI Access Filter empty (for use with Firewall Threat Defenses).

  3. Enter a Name and optional Description.
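To show what the Message Authenticator option in Step 1 actually requires of a RADIUS response, here is an added example (not Cisco's code) of the NAS-side check described in RFC 2869: the server computes HMAC-MD5 over the packet with the shared secret, and the client rejects any response where that attribute is missing or does not verify. The secret, identifier and attribute values are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Added example (not Cisco's code): how a NAS verifies the Message-Authenticator
# attribute (type 80, RFC 2869) on a RADIUS response, which is the check the
# Message Authenticator option requires for every response. The secret,
# identifier and attribute values are constructed for illustration.
SERVICE_TYPE = 6
MESSAGE_AUTHENTICATOR = 80

def build_response(code, identifier, request_auth, attrs, secret, with_ma=True):
    """Server side: build a response; attrs is a list of (type, value_bytes)."""
    if with_ma:
        attrs = list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    length = 20 + len(body)
    # Both authenticators are computed with the Request Authenticator in the
    # header, which binds this reply to the client's original Access-Request.
    header = struct.pack("!BBH", code, identifier, length) + request_auth
    if with_ma:  # HMAC-MD5 with the attribute's own value zeroed
        body = body[:-16] + hmac.new(secret, header + body, hashlib.md5).digest()
    response_auth = hashlib.md5(header + body + secret).digest()
    return header[:4] + response_auth + body

def verify_response(packet, request_auth, secret):
    """Client side: True only if the Response Authenticator is valid and a
    valid Message-Authenticator is present. A response lacking it is rejected."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header = packet[:4] + request_auth
    expected_ra = hashlib.md5(header + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected_ra, packet[4:20]):
        return False
    body, off, ma_off = bytearray(packet[20:]), 0, None
    while off < len(body):  # walk the TLVs, rejecting malformed lengths
        length = body[off + 1] if off + 1 < len(body) else 0
        if length < 2 or off + length > len(body):
            return False
        if body[off] == MESSAGE_AUTHENTICATOR and length == 18:
            ma_off = off + 2
        off += length
    if ma_off is None:
        return False
    received = bytes(body[ma_off:ma_off + 16])
    body[ma_off:ma_off + 16] = bytes(16)
    expected_ma = hmac.new(secret, header + bytes(body), hashlib.md5).digest()
    return hmac.compare_digest(received, expected_ma)
```

A response whose Service-Type has been altered in transit, or that omits the attribute entirely, fails `verify_response`, which is the behaviour the option enforces on the Firewall Threat Defense.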

Step 2

For the Primary Server, enter a Host Name/IP Address.

Note

If you are using a certificate to connect via TLS or SSL, the host name in the certificate must match the host name used in this field. In addition, IPv6 addresses are not supported for encrypted connections.

Step 3

(Optional) Change the Port from the default.

Step 4

Enter a RADIUS Secret Key.

Step 5

(Optional) Enter the Backup Server parameters.

Step 6

Enter RADIUS-Specific Parameters.

  • Timeout (Seconds)—Enter the number of seconds before rolling over to the backup connection. The default is 30.

  • Retries—Enter the number of times the primary server connection should be tried before rolling over to the backup connection. The default is 3.

Step 7

(Optional) Enter a comma-separated list of usernames in the Administrator CLI Access User List field. For example, enter jchrichton, aerynsun, rygel.

You may want to use the CLI Access Filter method for Firewall Threat Defense so you can use the same external authentication object with Firewall Threat Defense and other platform types. Note that if you want to use RADIUS-defined users, you must leave the CLI Access Filter empty.

Make sure that these usernames match usernames on the RADIUS server. The names must be Linux-valid usernames:

  • Maximum 32 alphanumeric characters, plus hyphen (-) and underscore (_)

  • All lowercase

  • Cannot start with hyphen (-); cannot be all numbers; cannot include a period (.), at sign (@), or slash (/)

Note

If you want to only define users on the RADIUS server, you must leave this section empty.

Step 8

Click Save.