Configure RADIUS Authentication Service

RADIUS authentication is an optional method for users to log into the PacketWise browser interface, command-line interface, and customer portal. Using third-party RADIUS servers enables you to have central configuration of user accounts.

Note: To perform this task from PolicyCenter, you must first select a unit or draft configuration in the Configurations window. Then select the Setup tab from the right pane of this window, and proceed to step 2 of the procedure below.

In addition to configuring the server as described below, you need to do some configuration at the RADIUS server or Internet Authentication Service so that it will work with PacketWise.

To configure PacketWise to work with a RADIUS authentication server:

1. Click the setup tab.

2. From the Choose Setup Page list, choose RADIUS Client. The RADIUS Client Settings screen appears.  show screen

3. In the Authentication field, select on.

4. Select an Authentication method:

• PAP (Password Authentication Protocol): With PAP, the user name and password are transmitted in clear, unencrypted text. If you select the PAP authentication method, Packeteer recommends you increase security by logging into the PacketWise browser interface via HTTPS. ASCII or PAP authentication is required for RADIUS configurations that require access to clear text passwords (for example, when passwords are stored and maintained in a database external to the RADIUS server).
  
  
• CHAP (Challenge Handshake Authentication Protocol): In some environments, CHAP may be preferred for greater security. The RADIUS server sends a challenge that consists of a session ID and an arbitrary challenge string, and the user name and password are encrypted before they are sent back to the server.
  
  
• MS-CHAP (Microsoft Challenge Handshake Authentication Protocol): This protocol is similar to CHAP, but with MS-CHAP authentication, the RADIUS server can store an encrypted version of a user password to validate the challenge response. Standard CHAP authentication requires that the server stores unencrypted passwords. If you select the MS-CHAP authentication method, Packeteer recommends you increase security by logging into the PacketWise browser interface via HTTPS.
  
  Note: MS-CHAP v1 and v2 are supported. PacketWise attempts authentication with MS-CHAP v2 first. If the remote server doesn't support v2 or if authentication is denied, PacketWise re-attempts authentication with MS-CHAP v1.

5. In the Primary Authentication Host field, enter the IP address or DNS name of the RADIUS server.

6. Optional: To access the RADIUS server with a specific port, enter a number in the Port field.

If the field is left blank, the default port will be used.

7. In the Shared Secret field, enter the designated secret.

8. Optional: Specify a Secondary Authentication Host to use in case the primary RADIUS server is not accessible. Be sure to specify its Shared Secret as well.

9. If necessary, adjust the Retry limit.

By default, if the RADIUS server fails to respond, the RADIUS client will try to log onto the server three times before reporting a server failure. You can select a value between 1 and 10. If you have specified a secondary authentication host, the RADIUS client will alternate attempts to log onto each server.

10. If necessary, adjust the Retry interval.

By default, the RADIUS client waits 5 seconds before retrying a login when the RADIUS server fails to respond. You can select a value between 1 and 30 seconds.

11. Click apply changes.

After you have configured a RADIUS authentication server, users will be prompted for a user name and password when logging into PacketWise. For more information, see Log In and Out with RADIUS.

See also:

RADIUS Authentication Troubleshooting

Configure RADIUS Accounting Service