RADIUS is a standard authentication protocol that operates in client-server mode and is used to control network access for remote users. The protocol relies on a server linked to an identity database (e.g. an LDAP directory). The Stormshield Network firewall can act as a RADIUS client and can therefore forward authentication requests, for users wishing to pass through the Firewall, to an external RADIUS server. The user is only authenticated on the Firewall if the RADIUS server accepts the authentication request sent by the Firewall.
All RADIUS transactions (communications between the Firewall and the RADIUS server) are themselves authenticated using a pre-shared secret, which is never transmitted over the network. The same secret is also used to encrypt the user password as it travels between the Firewall and the RADIUS server.
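The two roles of the pre-shared secret described above (authenticating the exchange and hiding the user password) are defined in RFC 2865. The following Python example, added here for illustration and not taken from Stormshield or from any RADIUS implementation, reproduces both mechanisms on constructed sample data: the User-Password hiding of RFC 2865 section 5.2 (MD5 of the secret and the previous block, XORed with the password), and the Response Authenticator a RADIUS client must verify before trusting an Access-Accept. The secret, password and Request Authenticator values are constructed for the demo; all function names are the example's own.

```python
import hashlib
import hmac
import struct

# RFC 2865 packet codes used in the demo.
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide User-Password as in RFC 2865 section 5.2 (what the RADIUS client does).

    The password is NUL-padded to a multiple of 16 bytes. Each 16-byte block is
    XORed with MD5(secret + previous output block); the first "previous block"
    is the 16-byte Request Authenticator of the Access-Request.
    """
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = padded[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ m for p, m in zip(block, mask))
        out += cipher
        prev = cipher
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password (what the RADIUS server does). NUL padding is stripped;
    RADIUS passwords are not expected to contain NUL bytes."""
    if len(hidden) % 16 != 0:
        raise ValueError("hidden User-Password length must be a multiple of 16")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        cipher = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(cipher, mask))
        prev = cipher
    return out.rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 section 3)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code: int, identifier: int, attributes: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Assemble a RADIUS response packet: 4-byte header, 16-byte authenticator, attributes."""
    auth = response_authenticator(code, identifier, attributes, request_auth, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + auth + attributes


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Check a server response against the Request Authenticator we sent and our secret.

    A client that skips this check would accept an Access-Accept forged by anyone
    able to spoof the server's address, since the secret is never on the wire.
    """
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)


def demo() -> dict:
    """Constructed end-to-end run: hide a password, reveal it, sign and verify a response."""
    secret = b"example-shared-secret"          # constructed, not a real deployment value
    request_auth = bytes(range(16))             # normally 16 random bytes per request
    hidden = hide_password(b"s3cret!", secret, request_auth)
    accept = build_response(ACCESS_ACCEPT, 7, b"", request_auth, secret)
    return {
        "hidden_len": len(hidden),
        "revealed": reveal_password(hidden, secret, request_auth),
        "wrong_secret_reveal": reveal_password(hidden, b"other", request_auth),
        "genuine_ok": verify_response(accept, request_auth, secret),
        "wrong_secret_ok": verify_response(accept, request_auth, b"other"),
        "tampered_ok": verify_response(accept[:3] + bytes([ACCESS_REJECT]) + accept[4:], request_auth, secret),
    }


if __name__ == "__main__":
    print(demo())
```

The `verify_response` step is the part that matters for a firewall acting as a RADIUS client: the Access-Accept only proves the server's identity because it is bound to the secret and to the Request Authenticator the client itself generated, so a fresh random Request Authenticator per request and a constant-time comparison are both part of the check.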
After selecting your authentication method in the left column, you can enter information about it in the right column, which contains the following elements:
Access to the server
When the RADIUS method is selected, RADIUS authentication will be enabled. This menu allows you to specify information about the external RADIUS server used and about a backup RADIUS server. For each of them, the configuration requires the following information:

Main RADIUS server:

| Field | Description |
|---|---|
| Server | IP address of the RADIUS server. |
| Port | Port used by the RADIUS server. By default, the port 1812 / UDP named RADIUS is selected. |
| Pre-shared key | Key used for encrypting exchanges between the firewall and the RADIUS server. |

Backup RADIUS server:

| Field | Description |
|---|---|
| Server | IP address of the backup server. |
| Port | Port used by the backup server if the main server is no longer available. By default, the port 1812 / UDP named RADIUS is selected. |
| Pre-shared key | Key used for encrypting exchanges between the firewall and the backup server. |
The firewall will attempt to connect twice to the “main” RADIUS server, and in the event of failure, will attempt to connect twice to the “backup” RADIUS server. If the backup RADIUS server responds, it will become the main RADIUS server. After 600 seconds, a new switch will take place, and the original “main” RADIUS server will become the “main” server again.
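The failover sequence just described (two attempts to the main server, two to the backup, promotion of the backup when it answers, and a switch back to the original main server after 600 seconds) can be modelled as a small state machine. The Python example below is an added illustration of that policy and is not Stormshield's implementation; the server addresses are constructed sample values, the transport is replaced by an injectable `send` callable, and the clock is injectable so the 600-second revert can be exercised without waiting. The page does not say what happens if the original main server answers while the backup is current, so this model only switches back on the timer.

```python
import time

# Constructed sample addresses (documentation range, not real servers).
MAIN = ("192.0.2.10", 1812)
BACKUP = ("192.0.2.11", 1812)


class RadiusServerSelector:
    """Models the described failover policy between a main and a backup RADIUS server."""

    ATTEMPTS_PER_SERVER = 2   # "attempt to connect twice" per server
    REVERT_AFTER = 600.0      # seconds before the original main server is restored

    def __init__(self, main, backup, send, clock=time.monotonic):
        self.main = main
        self.backup = backup
        self.send = send          # send(server, request) -> response, or None on timeout
        self.clock = clock
        self.current = main       # server currently treated as "main"
        self.switched_at = None   # time at which the backup was promoted, if it was

    def _maybe_revert(self):
        """After REVERT_AFTER seconds, the original main server becomes main again."""
        if self.switched_at is not None and self.clock() - self.switched_at >= self.REVERT_AFTER:
            self.current = self.main
            self.switched_at = None

    def _order(self):
        other = self.backup if self.current == self.main else self.main
        return [self.current, other]

    def authenticate(self, request):
        """Try the current main server twice, then the other server twice.
        Returns the first response, or None if neither server answered."""
        self._maybe_revert()
        for server in self._order():
            for _ in range(self.ATTEMPTS_PER_SERVER):
                response = self.send(server, request)
                if response is not None:
                    # The backup answered after the main failed: it becomes main.
                    if server == self.backup and self.current != self.backup:
                        self.current = self.backup
                        self.switched_at = self.clock()
                    return response
        return None


def run_scenario() -> dict:
    """Drive the selector through a constructed outage and recovery; returns what was tried."""
    clock = {"t": 0.0}
    down = set()
    calls = []

    def send(server, request):
        calls.append(server)
        return None if server in down else "Access-Accept"

    sel = RadiusServerSelector(MAIN, BACKUP, send, clock=lambda: clock["t"])
    results = {}

    # 1. Main healthy: a single attempt reaches it.
    sel.authenticate("alice")
    results["healthy_calls"] = list(calls); calls.clear()

    # 2. Main down: two attempts to main, then the backup answers and is promoted.
    down.add(MAIN)
    sel.authenticate("alice")
    results["failover_calls"] = list(calls); calls.clear()
    results["current_after_failover"] = sel.current

    # 3. While the backup is main, requests go straight to it.
    sel.authenticate("bob")
    results["after_failover_calls"] = list(calls); calls.clear()

    # 4. 600 s later the original main is restored and tried first again.
    down.discard(MAIN)
    clock["t"] = 600.0
    sel.authenticate("bob")
    results["after_revert_calls"] = list(calls); calls.clear()
    results["current_after_revert"] = sel.current

    # 5. Both servers down: four attempts in total, then failure (no authentication).
    down.update({MAIN, BACKUP})
    results["both_down_response"] = sel.authenticate("carol")
    results["both_down_attempts"] = len(calls); calls.clear()
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Step 5 is the operational point worth keeping in mind: when neither server answers, the user is simply not authenticated on the firewall, so unavailability of both RADIUS servers is a loss of access, not a bypass, and monitoring for repeated timeouts to the main server is the signal that the backup has silently taken over.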