On the Unified Access Gateway appliance, you must enable RADIUS authentication, enter the configuration settings from the RADIUS server, and change the authentication type to RADIUS authentication.

Prerequisites

  • Verify that the server to be used as the authentication manager server has the RADIUS software installed and configured. Set up the RADIUS server and then configure the RADIUS requests from Unified Access Gateway. Refer to your RADIUS vendor's setup guides for information about setting up the RADIUS server.

The following RADIUS server information is required.

  • IP address or DNS name of the RADIUS server.
  • Authentication port numbers. Authentication port is usually 1812.
  • Authentication type. The authentication types include PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol), MSCHAP1, MSCHAP2 (Microsoft Challenge Handshake Authentication Protocol, versions 1 and 2).
  • RADIUS shared secret that is used for encryption and decryption in RADIUS protocol messages.
  • Specific timeout and retry values needed for RADIUS authentication

Procedure

  1. In the admin UI Configure Manually section, click Select.
  2. In the General Settings Authenticating Settings section, click Show.
  3. Click the gearbox in the RADIUS line.
    Option Action
    Enable RADIUS Turn on this toggle to enable RADIUS authentication.
    Name* The name is radius-auth
    Authentication type* Enter the authentication protocol that is supported by the RADIUS server. Either PAP, CHAP, MSCHAP1, OR MSCHAP2.
    Shared secret* Enter the RADIUS shared secret.
    Number of Authentication attempts allowed * Enter the maximum number of failed login attempts when using RADIUS to log in. The default is three attempts.
    Number of attempts to RADIUS server* Enter the total number of retry attempts. If the primary server does not respond, the service waits for the configured time before retrying again.
    Server Timeout in Seconds*

    Enter the RADIUS server timeout in seconds, after which a retry is sent if the RADIUS server does not respond.

    The Max Server Timeout value depends on the RADIUS Servers configured.

    • If only primary RADIUS server is configured, Number of attempts to RADIUS server * Server Timeout in Seconds <= 120 seconds.
    • If both primary and secondary RADIUS server is configured, 2 * Number of attempts to RADIUS server * Server Timeout in Seconds <= 120 seconds.
    Radius Server Host name * Enter the host name or the IP address of the RADIUS server.
    Authentication Port* Enter the Radius authentication port number. The port is usually 1812.
    Realm Prefix (Optional) The user account location is called the realm.

    If you specify a realm prefix string, the string is placed at the beginning of the user name when the name is sent to the RADIUS server. For example, if the user name is entered as jdoe and the realm prefix DOMAIN-A\ is specified, the user name DOMAIN-A\jdoe is sent to the RADIUS server. If you do not configure these fields, only the user name that is entered is sent.

    Realm Suffix (Optional) If you configure a realm suffix, the string is placed at the end of the user name. For example, if the suffix is @myco.com, the user name [email protected] is sent to the RADIUS server.
    Name Id Suffix Enter the NameId as @somedomain.com. Is used to send additional content such as domain name to the RADIUS server or the RSA SecurID server. For example, if a user logs in as user1, then [email protected] is sent to the server.
    Login page passphrase hint Enter the text string to display in the message on the user login page to direct users to enter the correct Radius passcode. The default text string is Radius.

    You can customize the labels for username and passcode in Horizon settings. For example, if this field is configured with AD password first and then SMS passcode, the login page message would read Enter your Radius (For password: AD password first and then SMS passcode) user name and passcode.

    Enable basic MS-CHAPv2 validation Turn on this toggle to enable basic MS-CHAPv2 validation. If this toggle turned on, then the additional validation of response from the RADIUS server is skipped. By default, full validation will be performed.
    Enable secondary server Turn on this toggle to configure a secondary RADIUS server for high availability. Configure the secondary server information as described in step 3.
  4. Click Save.