This section describes how to configure RADIUS Single Sign-On (SSO).
To implement RADIUS SSO, a RADIUS server and a NAS must already be deployed on the network, and the FW must be able to receive the RADIUS accounting packets exchanged between the NAS and the RADIUS server. If the RADIUS accounting packets do not pass through the FW, they must be mirrored to the FW.
If the packets exchanged between the user and the NAS, or between the NAS and the RADIUS server, pass through the FW, configure an authentication policy that exempts these packets from authentication, and ensure that the security policies on the FW permit them.
Even when a user has been authenticated by the RADIUS server and the user's information exists on the FW, the FW still verifies the user's attributes, such as the user status, expiration time, IP address binding, and whether the account may be shared by multiple users. Only a user who passes this attribute verification can access network resources. For example, a user who is locked out cannot access network resources during the lockout period even if the RADIUS server has authenticated that user.
| Parameter | Description |
|---|---|
| Proxy Mode | Mode in which the FW obtains RADIUS accounting packets: in-path, out-of-path, or mirroring. |
| Target Interface | Interface on which the FW receives RADIUS accounting packets (destined for port 1813 or 1646). The interface can be a Layer-2 physical interface, a Layer-3 physical interface, a subinterface of a Layer-2 or Layer-3 physical interface, a Layer-2 Eth-Trunk interface, a Layer-3 Eth-Trunk interface, or a subinterface of a Layer-2 or Layer-3 Eth-Trunk interface. The management port (MEth 0/0/0 or GigabitEthernet 0/0/0) cannot receive mirrored packets. In mirroring mode, the interface receives only RADIUS packets and discards all other packets. In in-path and out-of-path modes, the interface receives RADIUS packets and forwards other packets. |
| Shared Key | Shared key used to protect the communication packets between the FW and the NAS. This parameter applies only when the proxy mode is out-of-path, because only in that mode do the FW and the NAS communicate directly. |
| Server IP Address/Port | IP address and accounting port (usually 1813 or 1646) of the RADIUS server. |
| MAC Address As User Name Preferentially | Lets a RADIUS SSO user log in to the FW with the MAC address as the user name. Before enabling this function, create a local user on the FW whose user name is the MAC address. Otherwise, the RADIUS SSO user must log in with the user name that was authenticated. |
| RADIUS Attribute as a Security Group | Enable this function to use a RADIUS attribute as a security group and control policies based on that security group. When enabled, the FW parses the configured RADIUS attribute in RADIUS accounting packets and uses its value as the user's security group. Ensure that the parsed security group (the parsed attribute value) already exists on the FW; otherwise, the parsed security group is not recorded in the online user table. |
| RADIUS Attribute Type | Select whether a standard or a vendor-defined RADIUS attribute is used as the security group. A RADIUS accounting packet can carry 256 attribute types, with attribute IDs from 0 to 255. Attribute 26 is the vendor-specific extended attribute, whose content is defined by the vendor; all other attributes are standard attributes. |
| RADIUS Attribute ID | Specify the ID of the RADIUS attribute that the FW parses. The FW uses the parsed attribute value as the security group. For a vendor-defined attribute, the ID refers to the sub-attribute ID within attribute 26. For example, the value 40 means that sub-attribute 40 of attribute 26 is parsed and used as the security group. |
| Security Group Separator | Specify the separator used to split the security group value. If the attribute value parsed by the FW contains the configured separator, the user belongs to multiple security groups. For example, if the parsed value is a,b and the configured separator is ,, the user belongs to both security group a and security group b. If no separator is configured, the user belongs to the single security group a,b. |