Configuring RADIUS or TACACS/TACACS+

These are the options to enable connectivity between Virtual Systems and a RADIUS or TACACS/TACACS+ server:

For Multi-Domain Server configurations, make sure that you configure the SecurID or Remote Authentication settings of the Domain Management Server that manages the Virtual Systems.

Configuring Shared Authentication

Configure shared authentication so that all the Virtual Systems on the VSX Gateway authenticate to the remote RADIUS or TACACS/TACACS+ server.

To configure shared authentication for RADIUS or TACACS/TACACS+:

  1. Configure shared authentication on the Virtual Systems.
    1. Connect with SmartConsole to the Management Server.
    2. From the Gateways & Servers view or Object Explorer, double-click the Virtual System.

      The Virtual Systems General Properties window opens.

    3. From the navigation tree, select Other > Authentication.
    4. Make sure that RADIUS or TACACS and Shared are selected.
    5. Click OK.

      Do all of the previous steps for each Virtual System.

    6. Install the policy on the Virtual Systems.
  2. For cluster configurations, on the Management Server of the VSX Cluster, make sure that Hide NAT is disabled.

    On Multi-Domain Server, work in the context of the Target Domain Management Server that manages the Virtual System.

    1. Open the applicable table.def file. See sk98339.
    2. Make sure that the no_hide_services_ports parameter contains the UDP ports for RADIUS or TACACS, or the TCP ports for TACACS+. The default ports are:
      • RADIUS - 1645
      • TACACS/TACACS+ - 49

      Sample RADIUS parameter with Hide NAT disabled:

      no_hide_services_ports = { <49, 6>, <49, 17>, <500, 17>, <259, 17>, <1701, 17>, <123, 17>, <1645, 17> };

    3. Save the file.
    4. In SmartConsole, install the policy on the Virtual Systems.

Configuring Private Authentication

For private configurations, the active and standby Virtual Systems use the same encryption key to authenticate to the remote RADIUS or TACACS/TACACS+ server.

For High Availability configurations, make sure that the Active and Standby Virtual Systems on each VSX Cluster Member use the same VIP address.

To configure private authentication:

  1. Configure private authentication on the VSX Gateway and the Virtual Systems.
    1. Connect with SmartConsole to the Management Server.
    2. From the left navigation panel, click Gateways & Servers.
    3. Double-click the VSX Gateway object.

      The General Properties view opens.

    4. From the navigation tree, select Other > Legacy Authentication.
    5. Make sure that RADIUS or TACACS is selected.
    6. Click OK.

      Do all of the previous steps for each Virtual System.

    7. Install the policy on the Virtual Systems.
  2. For VSX Cluster configurations:

    On the Management Server, make sure that Hide NAT is enabled.

    For Multi-Domain Server, use the Domain Management Server that manages the Virtual System.

    1. Edit the applicable table.def file (see sk98339) in a plain-text editor.
    2. Make sure that the no_hide_services_ports parameter DOES NOT contain the UDP ports for RADIUS or TACACS, or the TCP ports for TACACS+.

      The default ports are:

      • RADIUS - 1645
      • TACACS/TACACS+ - 49

      Sample parameter with Hide NAT enabled:

      no_hide_services_ports = { <500, 17>, <259, 17>, <1701, 17>, <123, 17> };

    3. Save the changes in the file.
    4. From SmartConsole, install the Access Control Policy on the Virtual Systems object.
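
The table.def check from both procedures above, as an added example (not Check Point code): it parses no_hide_services_ports from a copy of the file and reports entries that contradict the chosen authentication mode. The function names, the "shared"/"private" mode labels and the handling of C-style comments are assumptions; the two sample inputs are the sample lines shown on this page.

```python
import re

# Default (port, IP protocol) pairs named on this page; 17 = UDP, 6 = TCP.
DEFAULT_AUTH_PAIRS = {"RADIUS": (1645, 17), "TACACS": (49, 17), "TACACS+": (49, 6)}

def parse_no_hide_services_ports(table_def_text):
    """Return the set of (port, protocol) pairs in no_hide_services_ports."""
    # Assumption: the file uses C-style comments; drop them so a commented-out copy is ignored.
    text = re.sub(r"/\*.*?\*/", "", table_def_text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    m = re.search(r"\bno_hide_services_ports\s*=\s*\{(.*?)\}\s*;", text, re.S)
    if m is None:
        raise ValueError("no_hide_services_ports not found")
    return {(int(port), int(proto))
            for port, proto in re.findall(r"<\s*(\d+)\s*,\s*(\d+)\s*>", m.group(1))}

def audit(table_def_text, mode, services):
    """List mismatches between the table and the chosen authentication mode.

    mode "shared": each service's pair must be listed (Hide NAT disabled).
    mode "private": each service's pair must be absent (Hide NAT enabled).
    """
    if mode not in ("shared", "private"):
        raise ValueError("mode must be 'shared' or 'private'")
    listed = parse_no_hide_services_ports(table_def_text)
    problems = []
    for name in services:
        pair = DEFAULT_AUTH_PAIRS[name]
        if mode == "shared" and pair not in listed:
            problems.append(f"{name}: <{pair[0]}, {pair[1]}> missing")
        elif mode == "private" and pair in listed:
            problems.append(f"{name}: <{pair[0]}, {pair[1]}> must be removed")
    return problems

# The two sample lines from this page, used as input.
SHARED_SAMPLE = ("no_hide_services_ports = { <49, 6>, <49, 17>, <500, 17>, "
                 "<259, 17>, <1701, 17>, <123, 17>, <1645, 17> };")
PRIVATE_SAMPLE = ("no_hide_services_ports = { <500, 17>, <259, 17>, "
                  "<1701, 17>, <123, 17> };")

if __name__ == "__main__":
    for mode, sample in (("shared", SHARED_SAMPLE), ("private", PRIVATE_SAMPLE),
                         ("private", SHARED_SAMPLE)):
        print(mode, audit(sample, mode, ["RADIUS", "TACACS", "TACACS+"]) or "OK")
```

Run it against a copy of the applicable table.def before installing policy; an empty result means the listed pairs agree with the selected mode.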