
Auth/RADIUS/TACACS+ Tab

Administration > General Settings > Users & Authentication > Auth/RADIUS/TACACS+

This tab displays the configured settings for authentication and authorization.

If the appliance relies on either a RADIUS or TACACS+ server for those services, those settings are also reported.

All settings are initially applied via the Auth/RADIUS/TACACS+ configuration template.

Authentication and Authorization

Authentication and Authorization Fields

Field Description
Appliance Name of the appliance selected.
Authentication Order When it is possible to validate against more than one database (local, RADIUS server, TACACS+ server), Authentication Order specifies which method to try in what sequence, using the Authentication Order First, Authentication Order Second, and Authentication Order Third fields.
Authorization Map Order Map ordering determines which server is used first. Select the map ordering from the drop-down list: Local-Only, Remote-First, and Remote-Only. The default (and recommended) value is Remote-First.
Authorization Default Role Default role assigned for authorization. The default (and recommended) value is admin.
Authentication Process of validating that the end user, or a device, is who they claim to be.
Authorization Action of determining what a user is allowed to do. Generally, authentication precedes authorization.
Map Order Default (and recommended) value is Remote First.

RADIUS and TACACS+

RADIUS and TACACS+ Server Fields

Field Description
Server Type RADIUS or TACACS+.
Auth Port For RADIUS, the default value is 1812. For TACACS+, the default value is 49.
Auth Type [TACACS+] The options are pap or ascii.
Timeout If a logged-in user is inactive for an interval that exceeds the inactivity time-out, the appliance logs them out and returns them to the login page. You can change that value, as well as the maximum number of sessions, in the Session Management template.
Retries Number of attempts allowed before lockout.
Enabled Whether or not the server is enabled.

Auth/RADIUS/TACACS+ Edit Row

Select the Authentication Order and Authorization information in this dialog box. You can also add a RADIUS and TACACS+ Server by clicking Add under each section.

Authentication Order

Choose which authentication database you want to be First, Second, and Third from the designated drop-down lists.

Authorization Information

Select the Map Order and the Default Role from the designated drop-down lists.

Additional Field Details

Field Description
Authentication Order Default is Local-first.
Default Role Default (and recommended) value is admin.
Order Method For RADIUS and TACACS+, specifies which database is tried first; the default is local first.
Auth Type [RADIUS] The options are pap or chap.
[TACACS+] The options are pap or ascii.

Use Appropriate RADIUS Configuration Options

Follow the steps below to use the CHAP Protocol option for RADIUS authentication. Doing so avoids potential security vulnerabilities.

  1. In Orchestrator, ensure that CHAP is selected for RADIUS authentication. Go to Orchestrator > Authentication.

    The Authentication dialog box opens.

  2. Select the RADIUS server and click Edit to open the Remote Authentication Server dialog box.

  3. For Authentication Type, choose CHAP from the drop-down list.

  4. Click Save to save your settings.

  5. On the RADIUS server, ensure that the clients.conf file contains the following setting: require_message_authenticator = yes

    As an example of where to find this file, on a FreeRADIUS server the path is /etc/raddb/clients.conf

  6. Verify that this configuration is in effect by using tcpdump in Orchestrator or via the CLI on your EdgeConnect. You should see that the CHAP Message-Authenticator attribute is included in packets that are exchanged with the RADIUS server.

    NOTE: If this configuration is not in effect, the RADIUS server will still work and a security vulnerability will exist.
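The following is an added example, not code from the HPE documentation or from FreeRADIUS. It shows what require_message_authenticator = yes makes the server enforce: every Access-Request must carry a Message-Authenticator attribute (type 80) whose value is HMAC-MD5 over the packet, keyed with the shared secret, and a request that lacks it or carries a wrong value is rejected. The shared secret, user name, password and Request Authenticator below are constructed values; the packet layout and attribute types follow RFC 2865 and RFC 2869.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_CHAP_PASSWORD = 3
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 2869 section 5.14


def _attr(attr_type, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    return bytes([attr_type, len(value) + 2]) + value


def parse_attributes(packet):
    """Return a list of (type, value) pairs; raise ValueError on malformed lengths."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def build_access_request(secret, ident, username, password, request_authenticator):
    """Build a CHAP Access-Request that carries a valid Message-Authenticator."""
    # CHAP-Password (RFC 2865 section 5.3): CHAP ident followed by
    # MD5(ident | password | challenge); with no CHAP-Challenge attribute the
    # Request Authenticator serves as the challenge.
    chap_id = 0x01
    chap_response = hashlib.md5(bytes([chap_id]) + password + request_authenticator).digest()
    attrs = _attr(ATTR_USER_NAME, username) + _attr(ATTR_CHAP_PASSWORD, bytes([chap_id]) + chap_response)
    # The HMAC is computed over the whole packet with the 16-byte
    # Message-Authenticator value set to zeros, then written into that slot.
    placeholder = _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    length = 20 + len(attrs) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + request_authenticator
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def strip_message_authenticator(packet):
    """Constructed 'weak client' case: drop attribute 80 and fix the length field."""
    body = b"".join(_attr(t, v) for t, v in parse_attributes(packet) if t != ATTR_MESSAGE_AUTHENTICATOR)
    header = struct.pack("!BBH", packet[0], packet[1], 20 + len(body)) + packet[4:20]
    return header + body


def check_message_authenticator(secret, packet):
    """Return 'missing', 'invalid' or 'valid', mirroring what the server enforces."""
    found = [v for t, v in parse_attributes(packet) if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not found:
        return "missing"
    if len(found) != 1 or len(found[0]) != 16:
        return "invalid"
    # Zero the Message-Authenticator value in a copy and recompute the HMAC.
    zeroed, pos = bytearray(packet), 20
    while pos < len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed[pos + 2:pos + attr_len] = bytes(16)
        pos += attr_len
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return "valid" if hmac.compare_digest(expected, found[0]) else "invalid"


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"          # constructed, not a real secret
    RA = bytes(range(16))                          # constructed Request Authenticator
    pkt = build_access_request(SECRET, 7, b"alice", b"constructed-password", RA)
    print("well-formed request:", check_message_authenticator(SECRET, pkt))
    print("attribute removed:  ", check_message_authenticator(SECRET, strip_message_authenticator(pkt)))
    tampered = bytearray(pkt)
    tampered[22] ^= 0x01                           # flip a byte of User-Name
    print("tampered request:   ", check_message_authenticator(SECRET, bytes(tampered)))
```

The three outcomes map directly onto step 6: a capture in which every Access-Request decodes with a Message-Authenticator attribute corresponds to the "valid" path, while a client that omits the attribute produces the "missing" case that the server accepts only when require_message_authenticator is left off.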



© Copyright 2024 Hewlett Packard Enterprise Development LP.
