Auth/RADIUS/TACACS+ Tab
Administration > General Settings > Users & Authentication > Auth/RADIUS/TACACS+
This tab displays the configured settings for authentication and authorization.
If the appliance relies on either a RADIUS or TACACS+ server for those services, those settings are also reported.
All settings are initially applied via the Auth/RADIUS/TACACS+ configuration template.
Authentication and Authorization
Authentication and Authorization Fields
| Field | Description |
|---|---|
| Appliance | Name of the selected appliance. |
| Authentication | Process of validating that the end user, or a device, is who they claim to be. |
| Authorization | Action of determining what a user is allowed to do. Generally, authentication precedes authorization. |
| Authentication Order | When it is possible to validate against more than one database (local, RADIUS server, TACACS+ server), Authentication Order specifies which method to try in what sequence: Authentication Order First, Order Second, and Order Third. The default is Local-first. |
| Authorization Map Order | Map ordering determines which server is used first. Select the map ordering from the drop-down list: Local-Only, Remote-First, or Remote-Only. The default (and recommended) value is Remote-First. |
| Authorization Default Role | Default role assigned for authorization. The default (and recommended) value is admin. |
RADIUS and TACACS+
RADIUS and TACACS+ Server Fields
| Field | Description |
|---|---|
| Server Type | RADIUS or TACACS+. |
| Auth Port | For RADIUS, the default value is 1812. For TACACS+, the default value is 49. |
| Auth Type | [RADIUS] The options are pap or chap. [TACACS+] The options are pap or ascii. |
| Timeout | If a logged-in user is inactive for an interval that exceeds the inactivity time-out, the appliance logs them out and returns them to the login page. You can change that value, as well as the maximum number of sessions, in the Session Management template. |
| Retries | Number of attempts allowed before lockout. |
| Enabled | Whether or not the server is enabled. |
Auth/RADIUS/TACACS+ Edit Row
Select the Authentication Order and Authorization information in this dialog box. You can also add a RADIUS or TACACS+ server by clicking Add under the corresponding section.
Authentication Order
Choose which authentication database you want to be First, Second, and Third from the designated drop-down lists.
Authorization Information
Select the Map Order and the Default Role from the designated drop-down lists.
Use Appropriate RADIUS Configuration Options
Follow the steps below to use the CHAP protocol option for RADIUS authentication. Doing so avoids potential security vulnerabilities.
- In Orchestrator, ensure that CHAP is selected for RADIUS authentication. Go to Orchestrator > Authentication. The Authentication dialog box opens.
- Select the RADIUS server and click Edit to open the Remote Authentication Server dialog box.
- For Authentication Type, choose CHAP from the drop-down list.
- Click Save to save your settings.
- On the RADIUS server, ensure that the clients.conf file contains the following directive: `require_message_authenticator = yes`. As an example of where to find this file, on a FreeRADIUS server the path is /etc/raddb/clients.conf.
- Verify that this configuration is in effect by using tcpdump in Orchestrator or via the CLI on your EdgeConnect. You should see that the Message-Authenticator attribute is included in the packets exchanged with the RADIUS server.
NOTE: If this configuration is not in effect, the RADIUS server will still work, but a security vulnerability will exist.
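As an added example (not Orchestrator or FreeRADIUS code) of what the `require_message_authenticator = yes` check enforces, the Python below builds a constructed CHAP Access-Request, computes the RFC 2869 Message-Authenticator (HMAC-MD5 keyed with the shared secret over the packet with that attribute zeroed), and then checks it the way the server does, reporting valid, invalid, or missing. The shared secret, user name and password are made-up values; `with_mac=False` reproduces the packet a client sends when the attribute is omitted.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet code and attribute types (RFC 2865, RFC 2869)
ACCESS_REQUEST = 1
USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE, MESSAGE_AUTHENTICATOR = 1, 3, 60, 80

def avp(code: int, value: bytes) -> bytes:
    return struct.pack("!BB", code, len(value) + 2) + value  # type, length, value

def build_chap_access_request(secret: bytes, user: bytes, password: bytes,
                              with_mac: bool = True, ident: int = 7) -> bytes:
    """Constructed CHAP Access-Request; with_mac=False mimics a client that omits Message-Authenticator."""
    request_auth, challenge, chap_id = os.urandom(16), os.urandom(16), 1
    chap_response = hashlib.md5(bytes([chap_id]) + password + challenge).digest()  # RFC 1994
    attrs = (avp(USER_NAME, user) + avp(CHAP_PASSWORD, bytes([chap_id]) + chap_response)
             + avp(CHAP_CHALLENGE, challenge))
    if with_mac:
        attrs += avp(MESSAGE_AUTHENTICATOR, bytes(16))  # zero placeholder, filled in below
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    if not with_mac:
        return pkt
    # Message-Authenticator = HMAC-MD5(shared secret, packet with the attribute zeroed); it is the last attribute here
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def parse_attrs(pkt: bytes):
    """Yield (type, value_offset, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos < len(pkt):
        code, ln = pkt[pos], pkt[pos + 1]
        if ln < 2 or pos + ln > len(pkt):
            raise ValueError("malformed attribute")
        yield code, pos + 2, pkt[pos + 2:pos + ln]
        pos += ln

def check_message_authenticator(pkt: bytes, secret: bytes) -> str:
    """Server-side check: 'valid', 'invalid' or 'missing' (require_message_authenticator = yes rejects 'missing')."""
    code, _, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Access-Request")
    for atype, off, val in parse_attrs(pkt):
        if atype == MESSAGE_AUTHENTICATOR:
            if len(val) != 16:
                return "invalid"
            zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return "valid" if hmac.compare_digest(expected, val) else "invalid"
    return "missing"
```

The same HMAC check is what the tcpdump step verifies indirectly: a capture that shows attribute type 80 in every Access-Request is a client that would pass, and one without it is what the server silently accepts when the directive is absent.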