Configure RADIUS Authentication

  1. Under CONFIGURE > User Management > Remote Authentication, select RADIUS from the Mode drop-down menu.

  1. Select the preferred Radius Remote Authentication policy to be applied:

    • Radius DownLocal: Users are authenticated through their local account only if the remote AAA server is unreachable or down. If the credentials provided at login are incorrect or if the account does not exist on the remote server, the user is denied access.

    • Radius Local: If remote authentication fails because the user account does not exist on the remote AAA server, the OM attempts to authenticate the user using a local account, as in a regular local login.

  2. Enter the authentication Timeout value to apply.
    The timeout value specifies the number of seconds to wait for a response from the server before trying the next server.

    Note: The timeout value is global: setting it on one authentication method applies it to all authentication methods.

  3. Add the Address and optionally the Port of the authentication server.

  4. Add the Address and optionally the Port of the RADIUS accounting server.

  5. Select whether Message-Authenticator is required for server responses.
    The default setting is Do not require Message-Authenticator. If the default is left in place, RADIUS responses may be subject to a BlastRADIUS attack.

  6. Add and confirm the Server password, also known as the RADIUS Secret.

  7. Select the preferred Radius Server Authentication method to apply.

    Note: The method defaults to PAP if not configured. Ensure that the selected method is supported by the remote server.

  8. Click Apply.

Note: Multiple servers can be added. The RADIUS subsystem will query them in a round-robin fashion.
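
What requiring Message-Authenticator in step 5 amounts to on the client side, shown as an added example that is not the OM's own code: a server reply is accepted only if it carries attribute 80 and its HMAC-MD5, keyed with the RADIUS Secret, verifies (RFC 2869 / RFC 3579). The packet builder, the secret and all sample values are constructed for illustration.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 2869 / RFC 3579

def build_response(code, ident, request_auth, attrs, secret, sign=True):
    """Build a constructed server reply, with or without Message-Authenticator."""
    if sign:  # placeholder of 16 zero bytes goes in before the HMAC is computed
        attrs = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16) + attrs
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    if sign:
        mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
        attrs = attrs[:2] + mac + attrs[18:]
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs

def verify_response(packet, request_auth, secret):
    """True only if the reply carries a valid Message-Authenticator."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        return False
    header, attrs = packet[:4], packet[20:length]
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(packet[4:20], digest):
        return False  # Response Authenticator does not match
    pos, mac_at = 0, None
    while pos + 2 <= len(attrs):
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            return False  # malformed attribute
        if a_type == MESSAGE_AUTHENTICATOR:
            if a_len != 18 or mac_at is not None:
                return False
            mac_at = pos + 2
        pos += a_len
    if pos != len(attrs) or mac_at is None:
        return False  # trailing bytes, or attribute absent: reject
    zeroed = attrs[:mac_at] + bytes(16) + attrs[mac_at + 16:]
    expected = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(attrs[mac_at:mac_at + 16], expected)

# Constructed sample values, not taken from any real deployment.
SECRET = b"constructed-secret"
REQUEST_AUTH = bytes(range(16))
GROUPS = b":group_name=west_coast_admin:"
FILTER_ID = bytes([11, 2 + len(GROUPS)]) + GROUPS  # type 11 is Filter-Id in RFC 2865
SIGNED = build_response(2, 7, REQUEST_AUTH, FILTER_ID, SECRET)
UNSIGNED = build_response(2, 7, REQUEST_AUTH, FILTER_ID, SECRET, sign=False)
```

The unsigned reply has a correct Response Authenticator and is still rejected, which is the behaviour the "require" setting selects.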

To provide group membership, RADIUS must be configured to provide a list of group names via the Framed-Filter-Id attribute. The following configuration snippet shows how this can be configured for FreeRADIUS:

operator1 Auth-Type := System
    Framed-Filter-ID = ":group_name=west_coast_admin,east_coast_user:"

Note: The Framed-Filter-ID value must be delimited by the colon character at both ends, as in the snippet above.