WatchGuard Technologies SSL VPN Water Heater User Manual


 
Using RADIUS Servers for Authentication and Authorization
72 Firebox SSL VPN Gateway
To specify RADIUS server authentication
1. Click the Authentication tab.
2. In Realm Name, type a name for the authentication realm that you will create, select One Source, and then click Add.
If your site has multiple authentication realms, use a name that identifies the RADIUS realm for which you will
specify settings. Realm names are case-sensitive and can contain spaces.
Note
If you want the Default realm to use RADIUS authentication, remove the Default realm as described in
“Changing the Authentication Type of the Default Realm” on page 65.
3. In Select Authentication Type, choose RADIUS Authentication and click OK.
The dialog box for the authentication realm opens.
4. In Server IP Address, type the IP address of the RADIUS server.
5. In Server Port, type the port number. The default port number is 1812.
6. In Server Secret, type the RADIUS server secret.
The server secret is configured manually on the RADIUS server and on the Firebox SSL VPN Gateway.
7. If you use a secondary RADIUS server, enter its IP address, port, and server secret.
Note
Make sure you use a strong shared secret. A strong shared secret is one that is at least eight characters
and includes a combination of letters, numbers, and symbols.
To configure RADIUS authorization
1. Click the Authorization tab and in Authorization Type, select RADIUS Authorization.
You can use the following authorization types with RADIUS authentication:
- RADIUS authorization
- Local authorization
- LDAP authorization
- No authorization
2. Complete the settings using the attributes defined in IAS.
For more information about the values for these fields, see “To configure Microsoft Internet Authentication Service
for Windows 2000 Server” on page 70.
3. Click Submit.
Choosing RADIUS Authentication Protocols
The Firebox SSL VPN Gateway supports implementations of RADIUS that are configured to use the
Password Authentication Protocol (PAP) for user authentication. Other authentication protocols such as the
Challenge-Handshake Authentication Protocol (CHAP) are not supported.
If your deployment of Firebox SSL VPN Gateway is configured to use RADIUS authentication and your
RADIUS server is configured to use PAP, you can strengthen user authentication by assigning a strong
shared secret to the RADIUS server. Strong RADIUS shared secrets consist of random sequences of
uppercase and lowercase letters, numbers, and punctuation and are at least 22 keyboard characters
long. If possible, use a random character generation program to determine RADIUS shared secrets.
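The following added example (not part of the WatchGuard manual) generates shared secrets that meet the 22-character guidance and shows why the secret matters under PAP: RFC 2865 hides the User-Password by XORing it with MD5(shared secret + Request Authenticator), so the secret is the only thing protecting the password on the wire. The appliance names gateway-a and gateway-b, the password and the authenticator are constructed for illustration; the demo also uses one secret per appliance, which this section recommends.

```python
import hashlib
import secrets
import string

CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)

def generate_shared_secret(length=22):
    """Random secret with upper, lower, digit and punctuation characters."""
    if length < 22:
        raise ValueError("use at least 22 characters")
    alphabet = "".join(CLASSES)
    while True:  # redraw until every character class is present
        s = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in s) for cls in CLASSES):
            return s

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: c(i) = p(i) XOR MD5(secret + c(i-1)), c(0) = authenticator."""
    if len(authenticator) != 16 or not 1 <= len(password) <= 128:
        raise ValueError("bad authenticator or password length")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def pap_unhide(hidden, secret, authenticator):
    """What the RADIUS server does with the secret it holds for that client."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def demo():
    # Hypothetical appliance names; password and authenticator are constructed.
    by_gateway = {gw: generate_shared_secret().encode()
                  for gw in ("gateway-a", "gateway-b")}
    password, authenticator = b"constructed-passphrase-01", secrets.token_bytes(16)
    hidden = pap_hide(password, by_gateway["gateway-a"], authenticator)
    return {gw: pap_unhide(hidden, s, authenticator) == password
            for gw, s in by_gateway.items()}
```

Calling `demo()` shows that only the secret assigned to gateway-a recovers the password hidden by gateway-a, so a secret exposed on one appliance does not unlock traffic from another.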
To further protect RADIUS traffic, assign a different shared secret to each Firebox SSL VPN Gateway
appliance. When you define clients on the RADIUS server, you can also assign a separate shared secret to
each client. If you do this, you must configure separately each Firebox SSL VPN Gateway realm that uses