
Configuring RADIUS Authentication Server

To configure a RADIUS (Remote Authentication Dial-In User Service) authentication server, complete the following steps:

1. From the app selector, click Gateway Management.

2. From the group selection filter bar, select the SD-WAN (Software-Defined Wide Area Network) Gateway that you want to configure.

3. Click Security > Auth Servers.

4. Click + under All Servers.

5. Enter a name for the new server.

6. Enter the IP address for the new server.

7. To configure a RADIUS server, select RADIUS as the server type.

8. In the All Servers table, select the name of the new RADIUS server and configure the parameters described in Table 1.

Table 1: RADIUS Server Configuration Parameters

| Parameter | Description |
|---|---|
| Name | Name of the RADIUS server. |
| IP address / hostname | IP address or FQDN (Fully Qualified Domain Name) of the authentication server. The maximum supported FQDN length is 63 characters. Default: N/A |
| Secure radius | Enable this option to secure communication between the RADIUS server and the Branch Gateway with RADIUS over TLS (RadSec). Specify values for the following parameters. Secure auth port: the destination port for RADIUS over TLS; the default value is 2083. Radsec trusted CA name: the CA (Certificate Authority) certificate that is uploaded as a Trusted CA, required if the RadSec server uses a certificate signed by a CA. Radsec server cert name: the server certificate that is uploaded. Radsec client cert: the client certificate sent to the RadSec server. |
| Auth port | Authentication port of this server. The default value is 1812. |
| Acct port | Accounting port of this server. The default value is 1813. |
| Shared key | Shared secret between the Branch Gateway and the authentication server. The maximum length is 128 characters. |
| Retype key | Retype the shared secret key. |
| Timeout | Maximum time, in seconds, that the Branch Gateway waits before timing out the request and resending it. The default value is 5 seconds. |
| Retransmits | Maximum number of retries sent to the server by the Branch Gateway before the server is marked as down. The default value is 3. |
| NAS ID | NAS (Network Access Server) identifier to use in RADIUS packets. |
| NAS IP | The NAS IP address to be sent in RADIUS packets to this server. |
| Use MD5 | Use an MD5 (Message Digest 5) hash of the cleartext password. |
| Enable | Enable the use of the IPv4 address for the server. |
| Lowercase MAC addresses | Send the MAC (Media Access Control) address in lowercase in the authentication and accounting requests to this server. |
| Use IP address for calling station ID | Enables using the IP address as the calling station ID. |
| MAC address delimiter | Send the MAC address with the selected delimiter in the authentication and accounting requests to this server. colon: send the MAC address as XX:XX:XX:XX:XX:XX. dash: send the MAC address as XX-XX-XX-XX-XX-XX. none: send the MAC address as XXXXXXXXXXXX. oui-nic: send the MAC address as XXXXXX-XXXXXX. |
| Service-type of FRAMED-USER | Send the service-type as FRAMED-USER instead of LOGIN-USER. For more information, see RADIUS Service-Type Attribute on page 176. |
| CPPM credentials | If you are using ClearPass Policy Manager as the RADIUS server, provide user credentials for the ClearPass Policy Manager server. |

9. Click Save Settings.
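As an added illustration (not part of this page or of Aruba's software), the following Python shows what the Table 1 settings turn into on the wire: an RFC 2865 Access-Request carrying NAS ID, NAS IP, the Service-Type, and a Calling-Station-Id formatted per the MAC delimiter and lowercase options, with the User-Password hidden under the shared key, plus the gateway-side check that a reply was produced with that same shared key. The key, NAS ID, NAS IP and MAC values are constructed stand-ins.

```python
import hashlib
import socket
import struct

SHARED_KEY = b"example-shared-key"   # constructed stand-in for the "Shared key" field
NAS_ID = "branch-gw-01"              # constructed stand-in for the "NAS ID" field
NAS_IP = "10.0.0.1"                  # constructed stand-in for the "NAS IP" field
SERVICE_TYPE = {"LOGIN-USER": 1, "FRAMED-USER": 2}   # RFC 2865 Service-Type values

def format_mac(mac, delimiter="colon", lowercase=False):
    """Apply the 'MAC address delimiter' and 'Lowercase MAC addresses' options."""
    digits = "".join(c for c in mac if c.isalnum())
    if len(digits) != 12:
        raise ValueError("MAC address must contain 12 hex digits")
    digits = digits.lower() if lowercase else digits.upper()
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    forms = {"colon": ":".join(pairs), "dash": "-".join(pairs),
             "none": digits, "oui-nic": digits[:6] + "-" + digits[6:]}
    return forms[delimiter]

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: xor each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], stream))
        out += prev
    return out

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(ident, username, password, client_mac, authenticator,
                         delimiter="colon", lowercase=False, framed_user=True):
    """Code 1 = Access-Request; authenticator is 16 random bytes (os.urandom) chosen per request."""
    attrs = (attr(1, username.encode())                                            # User-Name
             + attr(2, hide_password(password.encode(), SHARED_KEY, authenticator))  # User-Password
             + attr(4, socket.inet_aton(NAS_IP))                                   # NAS-IP-Address
             + attr(6, struct.pack("!I", SERVICE_TYPE["FRAMED-USER" if framed_user else "LOGIN-USER"]))
             + attr(31, format_mac(client_mac, delimiter, lowercase).encode())     # Calling-Station-Id
             + attr(32, NAS_ID.encode()))                                          # NAS-Identifier
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(header, request_authenticator, attrs, secret=SHARED_KEY):
    """RFC 2865 section 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()

def verify_response(response, request_authenticator, secret=SHARED_KEY):
    # A reply passes only if it was produced with the shared key the gateway has configured.
    return len(response) >= 20 and response[4:20] == response_authenticator(response[:4], request_authenticator, response[20:], secret)
```

The Timeout and Retransmits settings govern how often this request is resent when no verifiable reply arrives before the server is marked down.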

Configuring an RFC 3576 Server

You can configure a RADIUS server to send user disconnect, CoA (Change of Authorization), and session timeout messages as described in RFC 3576, “Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS).”

To configure an RFC 3576 server, complete the following steps:

1. From the app selector, click Gateway Management.

2. From the group selection filter bar, select the SD-WAN Gateway device that you want to configure.

3. Click Security > Auth Servers.

4. Click + under All Servers.

5. Select RFC 3576 from the Type drop-down list.

6. Enter the IP address for the new server.

7. Enter the server authentication key into the Key and Retype key fields.

8. Click Save Settings.
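Added example, not Aruba code: a gateway-side handler for the Disconnect-Request and CoA-Request messages an RFC 3576 server (the mechanism is now specified in RFC 5176) sends, showing what the Key entered in step 7 is for. The key-derived Request Authenticator is checked before any session is touched and a mismatch is dropped without a reply; the key value, the session table keyed by User-Name, and the request packets are constructed here.

```python
import hashlib
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42   # RFC 5176 packet codes
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ERROR_CAUSE, SESSION_CONTEXT_NOT_FOUND = 101, 503                 # RFC 5176 attribute and value
RFC3576_KEY = b"example-rfc3576-key"   # constructed stand-in for the Key field of the RFC 3576 server entry

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def request_authenticator(code, ident, attrs, secret):
    """RFC 5176 section 2.3: MD5 over the header with a zeroed authenticator, the attributes and the key."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()

def build_dynauth_request(code, ident, attrs, secret):
    """What the server sends; built here only so the handler below has input."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + request_authenticator(code, ident, attrs, secret) + attrs

def parse_attrs(blob):
    out = []
    while blob:
        if len(blob) < 2 or blob[1] < 2 or blob[1] > len(blob):
            raise ValueError("malformed attribute")
        out.append((blob[0], blob[2:blob[1]]))
        blob = blob[blob[1]:]
    return out

def handle_dynauth(packet, secret, active_sessions):
    """Gateway side: check the key-derived authenticator before acting; drop silently on mismatch."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return None
    attrs = packet[20:]
    if packet[4:20] != request_authenticator(code, ident, attrs, secret):
        return None   # wrong key: no reply at all, so a mismatch gives nothing to probe
    user = dict(parse_attrs(attrs)).get(1, b"").decode()   # User-Name names the session (constructed convention)
    if code == DISCONNECT_REQUEST:
        ok = active_sessions.pop(user, None) is not None
        reply_code = DISCONNECT_ACK if ok else DISCONNECT_NAK
    else:
        ok = user in active_sessions
        reply_code = COA_ACK if ok else COA_NAK
    reply_attrs = b"" if ok else attr(ERROR_CAUSE, struct.pack("!I", SESSION_CONTEXT_NOT_FOUND))
    header = struct.pack("!BBH", reply_code, ident, 20 + len(reply_attrs))
    # The reply authenticator covers the request's authenticator, binding the ACK/NAK to this request.
    return header + hashlib.md5(header + packet[4:20] + reply_attrs + secret).digest() + reply_attrs
```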
