Enabling RADIUS Authentication

You can use a RADIUS server to authenticate users and to assign groups of users to user roles for administering your appliance. The RADIUS server must be able to return the CLASS attribute (RADIUS attribute 25, Class, carried in the Access-Accept response), which AsyncOS uses to assign users in the RADIUS directory to user roles.

Note
If an external user changes the user role for their RADIUS group, the user should log out of the appliance and then log back in. The user will have the permissions of their new role.

Before you begin

The Shared Secret key for access to the RADIUS server must be no more than 48 characters long.

Procedure


Step 1

[New Web Interface Only] On the Security Management appliance, click to load the legacy web interface.

Step 2

Choose Management Appliance > System Administration > Users page and click Enable.

Step 3

Select the Enable External Authentication check box.

Step 4

Select RADIUS for the authentication type.

Step 5

Enter the host name for the RADIUS server.

Step 6

Enter the port number for the RADIUS server. The default port number is 1812.

Step 7

Enter the Shared Secret key for the RADIUS server.

Note
When enabling external authentication for a cluster of Email Security appliances, enter the same Shared Secret key on all appliances in the cluster.

Step 8

Enter the number of seconds that the appliance waits for a response from the server before timing out.

Step 9

Select Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) as the authentication protocol. With PAP, the appliance sends the user's password in the Access-Request, obscured only with the shared secret. With CHAP, the appliance sends an MD5 hash of the password and a challenge (CHAP-Password and CHAP-Challenge) instead, but the RADIUS server must then hold the user's password in cleartext or a reversible form to verify it. Neither protocol encrypts the RADIUS exchange itself, so keep the path between the appliance and the RADIUS server on a trusted network.

Step 10

(Optional) Click Add Row to add another RADIUS server. Repeat Steps 5 through 8 (host name, port, Shared Secret key, and timeout) for each RADIUS server that your appliance uses for authentication.

When you define multiple external servers, the appliance connects to the servers in the order defined on the appliance. You might want to define multiple external servers to allow for failover in case one server is temporarily unavailable.

Step 11

Enter the amount of time that the web user interface caches the external authentication credentials before AsyncOS contacts the RADIUS server again to re-authenticate the user.

Note
If the RADIUS server uses one-time passphrases, for example passphrases created from a token, enter zero (0). When the value is set to zero, AsyncOS does not contact the RADIUS server again to authenticate during the current session.

Step 12

Configure Group Mapping:

Map externally authenticated users to multiple local roles (Recommended)

AsyncOS assigns RADIUS users to appliance roles based on the RADIUS CLASS attribute. CLASS attribute requirements:

  • 3 character minimum

  • 253 character maximum

  • no colons, commas, or newline characters

  • one or more mapped CLASS attributes for each RADIUS user (With this setting, AsyncOS denies access to RADIUS users without a mapped CLASS attribute.)

For RADIUS users with multiple CLASS attributes, AsyncOS assigns the most restrictive role. For example, if a RADIUS user has two CLASS attributes, which are mapped to the Operator and Read-Only Operator roles, AsyncOS assigns the RADIUS user to the Read-Only Operator role, which is more restrictive than the Operator role.

These are the appliance roles ordered from least restrictive to most restrictive:

  • Administrator

  • Email Administrator

  • Web Administrator

  • Web Policy Administrator

  • URL Filtering Administrator (for web security)

  • Custom user role (email or web). If a user has multiple CLASS attributes that are mapped to custom user roles, the last such CLASS attribute in the list on the RADIUS server is used.

  • Technician

  • Operator

  • Read-Only Operator

  • Help Desk User

  • Guest

Map all externally authenticated users to the Administrator role

AsyncOS assigns every RADIUS user to the Administrator role. Any account that the RADIUS server accepts then has full administrative rights on the appliance, so choose this setting only when every RADIUS user is meant to be an appliance administrator.

Step 13

(Optional) Click Add Row to add another group. Repeat Step 12 for each group of users that the appliance authenticates.

Step 14

Submit and commit your changes.
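The group-mapping rules from Step 12 (most restrictive role wins, the last custom role wins, users with no mapped CLASS attribute are denied, CLASS value limits) and the shared-secret limit from "Before you begin", modelled as an added Python example that is not AsyncOS code or Cisco's. It lets a RADIUS administrator sanity-check a proposed group map and the Class values a server will return before pointing the appliance at it. Only the role names and their ordering come from the page; the group map, the sample Access-Accept replies and every function name are constructed for illustration.

```python
"""Added example (not AsyncOS code): model of the Step 12 CLASS checks and
role resolution.  Role names and ordering are from the page; GROUP_MAP,
SAMPLE_REPLIES and the function names are constructed for illustration."""

# Appliance roles, least restrictive first, exactly as listed in Step 12.
ROLE_ORDER = [
    "Administrator",
    "Email Administrator",
    "Web Administrator",
    "Web Policy Administrator",
    "URL Filtering Administrator",
    "Custom user role",
    "Technician",
    "Operator",
    "Read-Only Operator",
    "Help Desk User",
    "Guest",
]

CLASS_MIN_LEN = 3
CLASS_MAX_LEN = 253
CLASS_FORBIDDEN = (":", ",", "\n")   # page: no colons, commas or newlines
SHARED_SECRET_MAX_LEN = 48           # page: "Before you begin"


def class_value_problems(value):
    """List the page rules that one CLASS value violates (empty list = acceptable)."""
    problems = []
    if len(value) < CLASS_MIN_LEN:
        problems.append("shorter than %d characters" % CLASS_MIN_LEN)
    if len(value) > CLASS_MAX_LEN:
        problems.append("longer than %d characters" % CLASS_MAX_LEN)
    for ch in CLASS_FORBIDDEN:
        if ch in value:
            problems.append("contains %r" % ch)
    return problems


def class_value_is_valid(value):
    return not class_value_problems(value)


def shared_secret_is_valid(secret):
    """Shared Secret key limit from the page: no more than 48 characters."""
    return len(secret) <= SHARED_SECRET_MAX_LEN


def group_map_problems(group_map):
    """Group-mapping rows whose CLASS value the appliance would reject."""
    return {v: class_value_problems(v) for v in group_map if class_value_problems(v)}


def resolve_role(class_values, group_map):
    """Apply the Step 12 rules to the CLASS values from one Access-Accept.

    class_values: CLASS strings in the order the RADIUS server lists them.
    group_map:    {class_value: (appliance_role, custom_role_name_or_None)},
                  i.e. the appliance's group-mapping rows.
    Returns the resolved role, or None when AsyncOS would deny access.
    """
    mapped = [group_map[v] for v in class_values if v in group_map]
    if not mapped:
        return None  # no mapped CLASS attribute: access denied

    # Most restrictive role wins; restrictiveness is the position in ROLE_ORDER.
    role = max((r for r, _ in mapped), key=ROLE_ORDER.index)
    if role != "Custom user role":
        return role

    # Several custom roles: the last one in the server's list is used.
    custom_names = [name for r, name in mapped if r == "Custom user role"]
    return "Custom user role: " + custom_names[-1]


# Constructed group-mapping rows (Step 12): CLASS value -> (role, custom name).
GROUP_MAP = {
    "sma-admin":         ("Administrator", None),
    "sma-operator":      ("Operator", None),
    "sma-readonly":      ("Read-Only Operator", None),
    "custom-reporting":  ("Custom user role", "Reporting"),
    "custom-quarantine": ("Custom user role", "Quarantine"),
}

# Constructed Access-Accept replies: user -> CLASS values as the server lists them.
SAMPLE_REPLIES = {
    "alice": ["sma-operator", "sma-readonly"],          # more restrictive role wins
    "bob":   ["sma-admin"],
    "carol": ["helpdesk-east"],                         # not mapped: denied
    "dave":  ["custom-reporting", "custom-quarantine"], # last custom role wins
    "erin":  ["sma-admin", "custom-reporting"],         # custom ranks below Administrator
}


def resolve_all(replies=SAMPLE_REPLIES, group_map=GROUP_MAP):
    return {user: resolve_role(values, group_map) for user, values in replies.items()}


if __name__ == "__main__":
    for user, role in resolve_all().items():
        print("%-6s -> %s" % (user, role or "ACCESS DENIED"))
    for value in ("ab", "ou=sma,dc=example", "x" * 254):
        print("%r -> %s" % (value[:20], ", ".join(class_value_problems(value)) or "ok"))
```

Run `group_map_problems` over the rows you intend to enter on the appliance, and `resolve_role` over the Class values your RADIUS server actually returns for a test account, before enabling external authentication; a user whose Class values all fail the checks or are unmapped will be locked out once Step 14 is committed.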