You can configure Gaia to authenticate Gaia users even when they are not defined locally. This is a good way of centrally managing the credentials of multiple Security Gateways. To define non-local Gaia users, you define Gaia as a client of an authentication server.
Gaia supports these types of authentication servers:
RADIUS
RADIUS (Remote Authentication Dial-In User Service) is a client/server authentication system that supports remote-access applications. User profiles are kept in a central database on a RADIUS authentication server. Client computers or applications connect to the RADIUS server to authenticate users.
You can configure your Gaia computer to connect to more than one RADIUS server. If the first server in the list is unavailable, the next RADIUS server in the priority list connects.
TACACS
The TACACS+ (Terminal Access Controller Access Control System) authentication protocol users a remote server to authenticate users for Gaia. All information sent to the TACACS+ server is encrypted.
Gaia supports TACACS+ for authentication only. Challenge-response authentication, such as S/Key, is not supported.
You can configure TACACS+ support separately for different services. The Gaia Portal service is one of those, for which TACACS+ is supported and is configured as the http service. When TACACS+ is configured for use with a service, Gaia contacts the TACACS+ server each time it needs to examine a user password. If the server fails or is unreachable, the user is authenticated via local password mechanism. If the user fails to authenticate via the local mechanism, the user is not allowed access.
Note - For TACACs authentication to work on a Virtual System, see the R80.10 VSX Administration Guide.
To configure a RADIUS server:
Step |
Description |
---|---|
1 |
In the navigation tree, click User Management > Authentication Servers. |
2 |
In the RADIUS Servers section, click Add. The Add New RADIUS Server window opens. |
3 |
Enter the RADIUS Server parameters: |
|
|
|
|
|
|
|
|
|
|
4 |
Click OK. |
5 |
Optional: Select the Network Access Server (NAS) IP address. This setting applies to all configured RADIUS servers. This parameter records the IP address, from which Gaia sends the RADIUS packet. This IP address is stored in the RADIUS packet, even when the packet goes through NAT, or some other address translation that changes the source IP address of the packet. The "NAS-IP-Address" is defined in RFC2865. If no NAS IP Address is chosen, the IPv4 address of the Gaia Management Interface is used (click Network Management > Network Interfaces > see the Management Interface section). |
6 |
Optional: Select RADIUS Users Default Shell (for details about the shells, see the Users). This setting applies to all configured RADIUS servers. |
7 |
Optional: Select the Super User ID - 0 or 96. This setting applies to all configured RADIUS servers. If the UID is 0, there is no need to run the |
8 |
Click Apply. |
To edit a RADIUS server:
Step |
Description |
---|---|
1 |
In the navigation tree, click User Management > Authentication Servers. |
2 |
Select the RADIUS server. |
3 |
Click Edit. The Edit RADIUS Server window opens. |
4 |
You can edit only the Host, UDP Port, Shared secret, and Timeout. |
5 |
Click OK. |
To delete a RADIUS server:
Step |
Description |
---|---|
1 |
In the navigation tree, click User Management > Authentication Servers. |
2 |
Select the RADIUS server. |
3 |
Click Delete. |
4 |
Click OK to confirm. |
Description
Use the aaa radius-servers
commands to add, configure, and delete Radius authentication servers.
Syntax
add aaa radius-servers priority <Priority> host <Hostname, or IP Address of RADIUS Server> [port <1-65535>] prompt-secret timeout <1-50> secret <Shared Secret> timeout <1-50> |
set aaa radius-servers priority <Priority> host <Hostname, or IP Address of RADIUS Server> new-priority <New Priority> port <1-65535> prompt-secret secret <Shared Secret> timeout <1-50> |
set aaa radius-servers NAS-IP<SPACE><TAB> default-shell<SPACE><TAB> super-user-uid <0 | 96> |
show aaa radius-servers list |
show aaa radius-servers priority <Priority> host port timeout |
show aaa radius-servers NAS-IP default-shell super-user-uid |
delete aaa radius-servers priority <Priority> |
delete aaa radius-servers NAS-IP |
Important - After you add, configure, or delete features, run the save config
command to save the settings permanently.
Parameters
Parameter |
Description |
|
Configures the RADIUS server priority. Enter an integer between -999 and 999 (default is 0). When there two or more configured RADIUS servers, Gaia connects to the RADIUS server with the highest priority. Low numbers have the higher priority. |
|
Configures the new priority for the RADIUS server. |
|
Configures the Host name or IP address (IPv4 or IPv6) of RADIUS server. |
|
Configures the UDP port used on RADIUS server. The default port is 1812 as specified by the RADIUS standard. The range of valid port numbers is from 1 to 65535. Port 1645 is non-standard, but is commonly used as alternative to port 1812. Warning - Firewall software frequently blocks traffic on port 1812. Make sure that you define a firewall rule to allow traffic on UDP port 1812 between the RADIUS server and Gaia. |
|
The system will prompt you to enter the Shared Secret. |
|
Configures the shared secret used for authentication between the RADIUS server and the Gaia. Enter the shared secret text string up to 256 characters, without any whitespace characters and without a backslash. Make sure that the shared string defined on the Gaia matches the shared string defined on the RADIUS server. RFC 2865 recommends that the secret be at least 16 characters in length. Some RADIUS servers have a maximum string length for shared secret of 15 or 16 characters. See the documentation for your RADIUS server. |
|
Configures the timeout in seconds (from 1 to 5), during which Gaia waits for the RADIUS server to respond. The default value is 3. If there is no response after the configured timeout, Gaia tries to connect to a different configured RADIUS server. Set this timeout, so that the sum of all RADIUS server timeouts is less than 50. |
|
Optional. Configures the default shell for RADIUS Users (for details about the shells, see the Users). |
|
Optional. Configures the UID for the RADIUS super user. If the UID is 0, there is no need to run the |
|
Optional. This parameter records the IP address, from which Gaia sends the RADIUS packet. This IP address is stored in the RADIUS packet, even when the packet goes through NAT, or some other address translation that changes the source IP address of the packet. The "NAS-IP-Address" is defined in RFC2865. If no NAS IP Address is chosen, the IPv4 address of the Gaia Management Interface is used (run the |