
Configuring RADIUS or TACACS/TACACS+

These are the two options for enabling connectivity between Virtual Systems and a RADIUS or TACACS/TACACS+ server (shared authentication or private authentication, described in the topics below):

For Multi-Domain Server configurations, make sure that you configure the SecurID or Remote Authentication settings of the Domain Management Server that manages the Virtual Systems.

Included Topics

Configuring Shared Authentication

Configuring Private Authentication

Configuring Shared Authentication

Configure shared authentication so that all the Virtual Systems on the VSX Gateway authenticate to the remote RADIUS or TACACS/TACACS+ server.

To configure shared authentication for RADIUS or TACACS/TACACS+:

  1. Configure shared authentication on the Virtual Systems.
    1. Open SmartDashboard.
    2. From the Network Objects tree, double-click the Virtual System.

      The Virtual Systems General Properties window opens.

    3. From the navigation tree, select Other > Authentication.
    4. Make sure that RADIUS or TACACS and Shared are selected.
    5. Click OK.

      Do all of the previous steps for each Virtual System.

    6. Install the policy on the Virtual Systems.
  2. For cluster configurations, on the Security Management Server that manages the VSX Gateway, make sure that Hide NAT is disabled for the authentication ports.
    1. Open the table.def file.
      • Gaia, SecurePlatform, IPSO - $FWDIR/lib/table.def
      • Windows - %FWDIR%\lib\table.def
    2. Make sure that the no_hide_services_ports parameter contains the UDP ports for RADIUS or TACACS, or the TCP ports for TACACS+. The default ports are:
      • RADIUS - 1645
      • TACACS/TACACS+ - 49

      Sample RADIUS parameter with Hide NAT disabled (each entry is <port, IP protocol number>, where 6 is TCP and 17 is UDP):

      no_hide_services_ports = { <49, 6>, <49, 17>, <500, 17>, <259, 17>, <1701, 17>, <123, 17>, <1645, 17> };

    3. Save the file.
    4. From SmartDashboard, install the policy on the VSX Gateway.

Configuring Private Authentication

For private configurations, the active and standby Virtual Systems use the same encryption key to authenticate to the remote RADIUS or TACACS/TACACS+ server.

For High Availability configurations, make sure that the active and standby Virtual Systems on each cluster member use the same VIP.

To configure private authentication:

  1. Configure private authentication on the VSX Gateway and the Virtual Systems.
    1. Open SmartDashboard.
    2. From the Network Objects tree, double-click the VSX Gateway.

      The VSX Gateway General Properties window opens.

    3. From the navigation tree, select Other > Authentication.
    4. Make sure that RADIUS or TACACS and Private are selected.
    5. Click OK.

      Do all of the previous steps for each Virtual System.

    6. Install the policy on the Virtual Systems.
  2. For cluster configurations, on the Security Management Server, make sure that Hide NAT is enabled for the authentication ports.

    For Multi-Domain Server, use the Domain Management Server that manages the Virtual System.

    1. Open the table.def file.
      • Gaia, SecurePlatform, IPSO - $FWDIR/lib/table.def
      • Windows - %FWDIR%\lib\table.def
    2. Make sure that the no_hide_services_ports parameter DOES NOT contain the UDP ports for RADIUS or TACACS, or the TCP ports for TACACS+.

      The default ports are:

      • RADIUS - 1645
      • TACACS/TACACS+ - 49

      Sample parameter with Hide NAT enabled (each entry is <port, IP protocol number>, where 6 is TCP and 17 is UDP):

      no_hide_services_ports = { <500, 17>, <259, 17>, <1701, 17>, <123, 17> };

    3. Save the file.
    4. From SmartDashboard, install the policy on the Virtual Systems.
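Both procedures above come down to one check on table.def: in shared mode the no_hide_services_ports parameter must list the RADIUS/TACACS/TACACS+ ports, in private mode it must not. The following is an added example, not Check Point code, that parses the parameter in the format shown on this page and verifies it against the selected mode; it assumes the file uses // comments and checks all three default services (UDP/1645, UDP/49, TCP/49) unless a narrower set is passed.

```python
import re

# Default services from the page: RADIUS (UDP/1645), TACACS (UDP/49),
# TACACS+ (TCP/49). IP protocol numbers: 6 = TCP, 17 = UDP.
AUTH_SERVICES = {(1645, 17), (49, 17), (49, 6)}

ENTRY_RE = re.compile(r"<\s*(\d+)\s*,\s*(\d+)\s*>")
PARAM_RE = re.compile(r"no_hide_services_ports\s*=\s*\{(.*?)\}\s*;", re.S)


def parse_no_hide_services_ports(table_def_text):
    """Return the set of (port, protocol) pairs listed in no_hide_services_ports.

    The parameter may span several lines; // comments are stripped first
    (assumed comment syntax). A missing parameter raises ValueError so it is
    not mistaken for an empty list.
    """
    stripped = re.sub(r"//[^\n]*", "", table_def_text)
    match = PARAM_RE.search(stripped)
    if match is None:
        raise ValueError("no_hide_services_ports not found in table.def")
    return {(int(p), int(proto)) for p, proto in ENTRY_RE.findall(match.group(1))}


def check_auth_nat_mode(table_def_text, mode, services=AUTH_SERVICES):
    """Check the parameter against the mode this page prescribes.

    "shared":  every service must be listed (Hide NAT disabled for it).
    "private": no service may be listed (Hide NAT enabled for it).
    Returns (ok, offending_entries) so a caller can print what to fix.
    """
    listed = parse_no_hide_services_ports(table_def_text)
    if mode == "shared":
        missing = services - listed
        return (not missing, sorted(missing))
    if mode == "private":
        present = services & listed
        return (not present, sorted(present))
    raise ValueError("mode must be 'shared' or 'private'")


# Constructed table.def excerpts mirroring the two samples on this page.
SHARED_SAMPLE = """// constructed excerpt
no_hide_services_ports = { <49, 6>, <49, 17>, <500, 17>, <259, 17>,
                           <1701, 17>, <123, 17>, <1645, 17> };
"""
PRIVATE_SAMPLE = "no_hide_services_ports = { <500, 17>, <259, 17>, <1701, 17>, <123, 17> };"

if __name__ == "__main__":
    print(check_auth_nat_mode(SHARED_SAMPLE, "shared"))    # (True, [])
    print(check_auth_nat_mode(PRIVATE_SAMPLE, "private"))  # (True, [])
    print(check_auth_nat_mode(SHARED_SAMPLE, "private"))   # (False, [(49, 6), (49, 17), (1645, 17)])
```

Run it against the real file with `open("$FWDIR/lib/table.def").read()` after expanding the variable, and pass only the services actually in use (for example `{(1645, 17)}` for RADIUS alone) to avoid false findings.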