Authenticate administrators using RADIUS or TACACS+ methods

You can authenticate administrators and Web Portal users using RADIUS or TACACS+ authentication methods.

Before you begin

You must have an external authentication server that provides RADIUS or TACACS+ authentication methods.

The Management Server’s internal user database does not allow external authentication servers to query the administrator account information. To use external authentication, you must manually create an account both in the SMC for defining the permissions and in the external directory for logon authentication. The administrator’s user name for the Management Server and for the directory that the external authentication server uses must match exactly.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Add one of the following types of server elements to integrate the external server, then define the shared secret used in the communications in the server element.
    • Add a RADIUS Authentication Server element, then add a RADIUS Authentication Method.
      Note: To use a RADIUS Authentication Server that has an IPv6 address, the Management Server must also have an IPv6 address.
    • Add a TACACS+ Authentication Server element, then add a TACACS+ Authentication Method.
    • Add an Active Directory Server element, then add a RADIUS Authentication Method.
  2. Add an Access rule that allows traffic from your Management Server to the external authentication server.
  3. Select Configuration, then browse to Network Elements.
  4. Browse to Network Elements > Servers.
  5. Right-click the Management Server, then select Properties.
  6. From the RADIUS Method or TACACS+ Method drop-down list, select the authentication protocol for authenticating the Management Server’s communications with the external authentication server.

    The supported RADIUS authentication protocols are PAP, CHAP, MSCHAP, MSCHAP2, and EAP-MD5.

    The supported TACACS+ authentication protocols are ASCII, PAP, CHAP, and MSCHAP.

    CAUTION:
    To guarantee the security of the SMC, communications between the Management Server and the external authentication server must remain confidential. We recommend transferring these connections over secure networks only.
  7. (RADIUS Authentication Servers only) Set up the external server for use with the Management Server.
    1. Define the Management Server as a RADIUS client on your server.
    2. Define the same authentication method on your server as you selected in the Management Server properties in the previous step.
  8. In the Management Client, configure RADIUS or TACACS+ authentication in the properties of each Administrator or Web Portal User account.
    1. Select Configuration, then browse to Administration.
    2. Select Access Rights > Administrators.
    3. Right-click an Administrator element, then select Properties.
    4. From the Authentication drop-down list, select RADIUS or TACACS+.
    5. From the Authentication Method drop-down list, select an Authentication Method element, or click Select to select a different Authentication Method element.
    6. Click OK.