Create RADIUS or TACACS+ Authentication Server elements

You can authenticate end-user access through Firewalls and administrator logons to the SMC against external authentication servers that support either the RADIUS or TACACS+ protocol.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration, then browse to User Authentication.
  2. Right-click Servers and select New > RADIUS Authentication Server or New > TACACS+ Authentication Server.
  3. Configure the settings on the General tab.
  4. (Optional) Click the Secondary IP Addresses tab and add more IP addresses.
    These IP addresses are only used in Access rules and routing. Firewalls always use the main IP address of the RADIUS or TACACS+ authentication server when they contact the authentication server.
  5. (Optional) If you want the RADIUS or TACACS+ authentication server to be monitored by the Log Server, click the Monitoring tab and configure the monitoring settings.
  6. Click OK.
  7. Configure the RADIUS or TACACS+ authentication server to accept connections from your Firewall engines:
    • Make sure that the shared secret is entered identically in the Management Client and on the RADIUS or TACACS+ authentication server.
    • The identity that the Firewall provides to the server is the IP address of the interface that has been selected as the value for the IPv4 Identity for Authentication Requests or IPv6 Identity for Authentication Requests option in the Firewall’s Interface Options.
      Note: The IP address used as the identity is a name only. The interface and IP address used for the authentication-related connections are selected based on the Firewall’s routing information, just like for any other connection.

Result

The connections to RADIUS or TACACS+ authentication servers are allowed in the predefined Firewall Template. Make sure your Access and NAT rules for user authentication are configured correctly for these connections.
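The mechanics behind step 7 and the Shared Secret, Number of Retries and Timeout settings, as an added example that is not part of this documentation or of the SMC product: a minimal RADIUS PAP exchange (RFC 2865) written in pure Python. The user name, password, secrets and the NAS-IP-Address 10.0.0.1 are constructed values. It shows that the identity the Firewall sends is only the NAS-IP-Address attribute inside the packet, that a reply is only usable when its Response Authenticator verifies with the Firewall's own shared secret, and that a secret that differs even by a trailing space makes the server reject the user and makes its reply unverifiable. RFC 2865 has the client silently discard such a reply, so from the Firewall's point of view the server never answered.

```python
# Added example (not Forcepoint/SMC code): RADIUS PAP exchange per RFC 2865,
# showing what Shared Secret, identity (NAS-IP-Address) and reply checks mean.
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types


def attr(atype, value):
    """Encode one Type-Length-Value attribute."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attrs(data):
    """Decode a run of TLV attributes into a {type: value} dict."""
    out, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2:
            break                      # malformed attribute, stop parsing
        out[atype] = data[i + 2:i + alen]
        i += alen
    return out


def xor_password(data, secret, request_auth, chain_on_output):
    """RFC 2865 5.2 User-Password hiding: 16-byte blocks XORed with
    MD5(secret + previous block). Encoding chains on the output blocks,
    decoding chains on the received (cipher) blocks."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], mask))
        out += block
        prev = block if chain_on_output else data[i:i + 16]
    return out


def build_access_request(ident, secret, user, password, nas_ip, request_auth=None):
    """Firewall side: Access-Request with User-Name, hidden User-Password and
    NAS-IP-Address (the identity chosen in Interface Options)."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(USER_NAME, user.encode())
    attrs += attr(USER_PASSWORD, xor_password(password.encode(), secret, request_auth, True))
    attrs += attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_handle(packet, server_secret, user_db):
    """Server side: recover the password with ITS shared secret and answer.
    A mismatched secret turns the password into garbage, so the user is rejected."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    pwd = xor_password(attrs[USER_PASSWORD], server_secret, request_auth, False).rstrip(b"\x00")
    ok = user_db.get(attrs[USER_NAME].decode()) == pwd.decode(errors="replace")
    rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
    resp_auth = response_authenticator(rcode, ident, b"", request_auth, server_secret)
    return struct.pack("!BBH", rcode, ident, 20) + resp_auth


def client_verify(reply, request_auth, client_secret):
    """Firewall side: a reply whose Response Authenticator does not verify with
    the Firewall's secret is discarded (RFC 2865), which then burns Timeout
    and Number of Retries. Returns (verified, code)."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request_auth, client_secret)
    return hmac.compare_digest(reply[4:20], expected), code


def nas_identity(packet):
    """The identity is only an attribute in the packet; the UDP source address
    is chosen by routing, exactly as the Note in step 7 says."""
    length = struct.unpack("!H", packet[2:4])[0]
    attrs = parse_attrs(packet[20:length])
    return str(ipaddress.IPv4Address(attrs[NAS_IP_ADDRESS]))


def run_exchange(client_secret, server_secret, password="Correct-Horse"):
    """Constructed exchange: returns (reply verified?, reply code, identity)."""
    user_db = {"alice": "Correct-Horse"}             # constructed user store
    request_auth = bytes(range(16))                  # fixed so the run is reproducible
    req = build_access_request(7, client_secret, "alice", password, "10.0.0.1", request_auth)
    reply = server_handle(req, server_secret, user_db)
    return client_verify(reply, request_auth, client_secret) + (nas_identity(req),)


if __name__ == "__main__":
    print(run_exchange(b"s3cret", b"s3cret"))    # matching secrets: accepted and verified
    print(run_exchange(b"s3cret", b"s3cret "))   # trailing space on the server: rejected, unverifiable
```

A verified Access-Reject (right secret, wrong password) is a real answer the Firewall can act on; an unverifiable reply is indistinguishable from silence, which is why a secret mismatch shows up as timeouts rather than as a clean authentication failure.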

RADIUS Authentication Server Properties dialog box

Use this dialog box to define RADIUS Authentication Server properties.

General tab

  Name: The name of the element.
  IP Address: Specifies the server IP address. IPv4 addresses, IPv6 addresses, and fully qualified domain names (FQDNs) are supported. You can enter only one IPv4 address, IPv6 address, or FQDN as the IP address.
  Resolve: Automatically resolves the IP address of the server from a domain name in the Name field.
  Location: Specifies the location for the server if there is a NAT device between the server and other SMC components.
  Contact Addresses:
    • Default — Used by default whenever a component that belongs to another Location connects to this server.
    • Exceptions — Opens the Exceptions dialog box.
  Port (Optional): Specifies the port number if the server communicates on a port other than the default port. The predefined Firewall Template allows the engines to connect to the default port. If you change to a custom port, you must add an IPv4 Access rule to allow the traffic.
  Shared Secret: Specifies the secret key for communication with the RADIUS authentication server. By default, passwords and keys are not shown in plain text. To show the password or key, deselect the Hide option.
  Number of Retries: Specifies the number of times Firewalls try to connect to the RADIUS authentication server if the connection fails.
  Timeout: Specifies the time (in seconds) that Firewalls wait for the RADIUS authentication server to reply.
  Category (Optional): Includes the element in predefined categories. Click Select to select a category.
  Tools Profile: Adds custom commands to the server right-click menu. Click Select to select a Tools Profile element.
  Comment (Optional): A comment for your own reference.
Authentication Methods tab

  Name: Shows the name of the Authentication Method.
  Type: Shows the authentication type.
    • RADIUS — The RADIUS protocol is used.
    • TACACS+ — The TACACS+ protocol is used.
  Comment: Double-click the cell to enter a comment.
  Add: Opens the Select Element dialog box and adds the selected authentication method to the Authentication Methods list.
  Edit: Opens the Properties dialog box for the selected authentication method.
  Remove: Removes the selected authentication method.

Secondary IP Addresses tab

  Secondary IP Addresses: Specifies any additional device IP addresses. You can enter the additional IP addresses here instead of creating more elements for the other IP addresses. The secondary IP addresses are valid in policies and in routing and antispoofing.
  Add: Adds a row to the table.
  Remove: Removes the selected IP address from the list.

Monitoring tab

  Log Server: The Log Server that monitors the status of the element.
  Status Monitoring: When selected, activates status monitoring for the device. You must also select the Probing Profile that contains the definitions for the monitoring. When you select Status Monitoring, the element is added to the tree in the Dashboard view.
  Probing Profile: Shows the name of the selected Probing Profile. Click Select to select a Probing Profile element.
  Log Reception: Activates syslog reception from this device. You must select the Logging Profile that contains the definitions for converting the syslog entries to SMC log entries. You must also select the Time Zone in which the device is located. By default, the local time zone of the computer you are using is selected.
  Logging Profile: Shows the name of the selected Logging Profile. Click Select to select a Logging Profile element.
  Time Zone: Selects the time zone for the logs.
  Encoding: Selects the character set for log files.
  SNMP Trap Reception: Enables the reception of SNMP traps from the third-party device.
  NetFlow Reception: Enables the reception of NetFlow data from the third-party device. The supported versions are NetFlow v5, NetFlow v9, and IPFIX (NetFlow v10).

NAT tab (all settings optional)

  Firewall: Shows the selected firewall.
  NAT Type: Shows the NAT translation type: Static or Dynamic.
  Private IP Address: Shows the private IP address.
  Public IP Address: Shows the defined public IP address.
  Port Filter: Shows the selected Port Filters.
  Comment: An optional comment for your own reference.
  Add NAT Definition: Opens the NAT Definition Properties dialog box.
  Edit NAT Definition: Opens the NAT Definition Properties dialog box for the selected definition.
  Remove NAT Definition: Removes the selected NAT definition from the list.

TACACS+ Authentication Server Properties dialog box

Use this dialog box to define Terminal Access Controller Access-Control System (TACACS+) Authentication Server properties.

General tab

  Name: The name of the element.
  IP Address: Specifies the server IP address. IPv4 addresses, IPv6 addresses, and fully qualified domain names (FQDNs) are supported. You can enter only one IPv4 address, IPv6 address, or FQDN as the IP address.
  Resolve: Automatically resolves the IP address of the server.
  Location: Specifies the location for the server if there is a NAT device between the server and other SMC components.
  Contact Addresses:
    • Default — Used by default whenever a component that belongs to another Location connects to this server.
    • Exceptions — Opens the Exceptions dialog box.
  Port (Optional): Enter the port number if the server communicates on a port other than the default port. The predefined Firewall Template allows the engines to connect to the default port. If you change to a custom port, you must add an IPv4 Access rule to allow the traffic.
  Shared Secret: Enter the secret key for communication with the TACACS+ authentication server. By default, passwords and keys are not shown in plain text. To show the password or key, deselect the Hide option.
  Number of Retries: Enter the number of times Firewalls try to connect to the TACACS+ authentication server if the connection fails.
  Timeout: Enter the time (in seconds) that Firewalls wait for the TACACS+ authentication server to reply.
  Clear Text Replies Accepted by Firewall: Select to enable the Firewall to accept unencrypted replies from the TACACS+ authentication server.
  Category (Optional): Includes the element in predefined categories. Click Select to select a category.
  Tools Profile: Adds custom commands to the server right-click menu. Click Select to select a Tools Profile element.
  Comment (Optional): A comment for your own reference.
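What the Clear Text Replies Accepted by Firewall option changes on the receiving side, as an added example that is not part of this documentation or of the SMC product: a Python model of one TACACS+ authentication REPLY (RFC 8907), built by the server and checked by the Firewall. The session id, keys and server message are constructed values. With the option off, a reply is only usable when both sides hold the same shared secret, because the body is obfuscated with an MD5 pad derived from that secret; with the unencrypted flag set, which RFC 8907 deprecates, the reply is readable by anything on the path and a secret mismatch goes unnoticed, which is why the option belongs off outside troubleshooting.

```python
# Added example (not Forcepoint/SMC code): TACACS+ reply obfuscation per
# RFC 8907 4.5 and the effect of accepting unencrypted (clear-text) replies.
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC                       # major version 12
TAC_PLUS_AUTHEN = 0x01                         # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01               # header flag: body is not obfuscated
TAC_PLUS_AUTHEN_STATUS_PASS, TAC_PLUS_AUTHEN_STATUS_FAIL = 0x01, 0x02
VERSION = (TAC_PLUS_MAJOR_VER << 4) | 0        # minor version 0


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain from RFC 8907 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}), concatenated and
    truncated to the body length."""
    out, prev = b"", b""
    sid = struct.pack("!I", session_id)
    while len(out) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        out += prev
    return out[:length]


def xor_body(body, session_id, key, seq_no):
    """Obfuscation and de-obfuscation are the same XOR with the pseudo pad."""
    pad = pseudo_pad(session_id, key, VERSION, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_reply(session_id, seq_no, key, status, server_msg, clear_text=False):
    """Server side. REPLY body = status, flags, server_msg_len, data_len,
    server_msg, data. With clear_text=True the body is sent as-is and the
    UNENCRYPTED flag is set in the header."""
    msg = server_msg.encode()
    body = struct.pack("!BBHH", status, 0, len(msg), 0) + msg
    flags = TAC_PLUS_UNENCRYPTED_FLAG if clear_text else 0
    if not clear_text:
        body = xor_body(body, session_id, key, seq_no)
    header = struct.pack("!BBBBII", VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + body


def firewall_receive(packet, key, accept_clear_text):
    """Client (Firewall) side. Returns (status, server_msg) or raises ValueError.
    An unencrypted reply is only taken when the option is enabled; an obfuscated
    reply decoded with the wrong key does not yield a well-formed body."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        if not accept_clear_text:
            raise ValueError("clear-text reply rejected: option is off")
    else:
        body = xor_body(body, session_id, key, seq_no)
    status, _flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    known = (TAC_PLUS_AUTHEN_STATUS_PASS, TAC_PLUS_AUTHEN_STATUS_FAIL)
    if status not in known or 6 + msg_len + data_len != len(body):
        raise ValueError("reply does not decode with this shared secret")
    return status, body[6:6 + msg_len].decode(errors="replace")


def demo(server_key, firewall_key, clear_text, accept_clear_text):
    """Constructed exchange for one PASS reply; returns the decoded reply
    or the rejection reason as a string."""
    reply = build_authen_reply(0x1A2B3C4D, 2, server_key, TAC_PLUS_AUTHEN_STATUS_PASS,
                               "Welcome", clear_text)
    try:
        return firewall_receive(reply, firewall_key, accept_clear_text)
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    print(demo(b"k3y", b"k3y", False, False))    # same secret, obfuscated: decoded
    print(demo(b"k3y", b"other", False, False))  # wrong secret: rejected
    print(demo(b"k3y", b"k3y", True, False))     # clear text, option off: rejected
    print(demo(b"k3y", b"other", True, True))    # clear text, option on: accepted, secret never checked
```

The last case is the one to watch: once clear-text replies are accepted, the shared secret plays no part in the reply at all, so a wrong or leaked secret is never noticed and the PASS/FAIL decision travels the network unprotected.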
Authentication Methods tab

  Name: Enter a name for the authentication method.
  Type: Shows the selected authentication type.
    • RADIUS — The RADIUS protocol is used.
    • TACACS+ — The TACACS+ protocol is used.
  Comment: Double-click the cell to enter a comment.
  Add: Opens the Select Element dialog box and adds the selected authentication method to the Authentication Methods list.
  Edit: Opens the Properties dialog box for the selected authentication method.
  Remove: Removes the selected authentication method.

Secondary IP Addresses tab

  Secondary IP Addresses: Specifies any additional device IP addresses. You can enter the additional IP addresses here instead of creating more elements for the other IP addresses. The secondary IP addresses are valid in policies and in routing and antispoofing.
  Add: Adds a row to the table.
  Remove: Removes the selected IP address from the list.

Monitoring tab

  Log Server: The Log Server that monitors the status of the element.
  Status Monitoring: When selected, activates status monitoring for the device. You must also select the Probing Profile that contains the definitions for the monitoring. When you select Status Monitoring, the element is added to the tree in the Dashboard view.
  Probing Profile: Shows the name of the selected Probing Profile. Click Select to select a Probing Profile element.
  Log Reception: Activates syslog reception from this device. You must select the Logging Profile that contains the definitions for converting the syslog entries to SMC log entries. You must also select the Time Zone in which the device is located. By default, the local time zone of the computer you are using is selected.
  Logging Profile: Shows the name of the selected Logging Profile. Click Select to select a Logging Profile element.
  Time Zone: Selects the time zone for the logs.
  Encoding: Selects the character set for log files.
  SNMP Trap Reception: Enables the reception of SNMP traps from the third-party device.
  NetFlow Reception: Enables the reception of NetFlow data from the third-party device. The supported versions are NetFlow v5, NetFlow v9, and IPFIX (NetFlow v10).

NAT tab (all settings optional)

  Firewall: Shows the selected firewall.
  NAT Type: Shows the NAT translation type: Static or Dynamic.
  Private IP Address: Shows the private IP address.
  Public IP Address: Shows the defined public IP address.
  Port Filter: Shows the selected Port Filters.
  Comment: An optional comment for your own reference.
  Add NAT Definition: Opens the NAT Definition Properties dialog box.
  Edit NAT Definition: Opens the NAT Definition Properties dialog box for the selected definition.
  Remove NAT Definition: Removes the selected NAT definition from the list.