RADIUS Accounting

NGFW can transparently authenticate users who have already authenticated on an external RADIUS server. NGFW does not communicate with the RADIUS server; it only monitors the RADIUS accounting information redirected from the RADIUS client. The RADIUS accounting information includes the username and IP address. To configure this functionality, follow these steps:


Step 1. Create a user in NGFW.

Create the desired local users in NGFW. See the section Users.

Step 2. Allow the Authorization agent service in the desired zone.

In the Network ➜ Zones section, select the zone containing the interface to which RADIUS accounting information is to be sent. Allow the Authorization agent service.

Step 3. Set a password for terminal server agents.

In the NGFW console, go to the UserGate ➜ General settings ➜ Modules section, click the Configure button next to the Password for terminal service agent entry, and set a password for the terminal service agent. This password will be used as the RADIUS secret when configuring the RADIUS server.

Step 4. Add the RADIUS accounting source in the NGFW web console.

In the Users and devices ➜ Terminal servers section, add the RADIUS accounting information source, specifying the host name and IP address.

Step 5. Configure RADIUS accounting.

Configure the sending of RADIUS accounting information to NGFW, specifying the UserGate IP address as the server address and UDP 1813 as the port. Specify the terminal server agent password set at Step 3 as the RADIUS secret.

The username should be sent in the RADIUS User-Name attribute (type=1), the user's IP address in the RADIUS Framed-IP-Address attribute (type=8), and the RADIUS server IP address in the RADIUS NAS-IP-Address attribute (type=4).

For more details on configuring a RADIUS server, see the documentation for your RADIUS server and client.

Important! The RADIUS accounting information update period should not exceed 120 seconds.

With this configuration, NGFW will map the username to the user's IP address received from the RADIUS accounting server. Depending on the information being transmitted, NGFW will behave as follows:


The RADIUS server sent a username that does not exist in NGFW.

NGFW responds to the Accounting-Request with an Accounting-Reject. The user data does not change.

The RADIUS server sent an existing username and specified Acct-Status-Type = Start or Interim-Update.

The IP address sent from RADIUS will be assigned to this user. The username will start appearing in logs for this IP address. The system will start applying user rules to the traffic that uses this IP address. If this user already has an IP address different from the one sent from RADIUS, two or more IP addresses will be assigned to the user.

If this IP address is already assigned to the user, nothing happens.

If this IP address is assigned to another user, it will be removed from that user and assigned to the user specified in the request.

The RADIUS server sent an existing username and specified Acct-Status-Type = Stop.

The IP address sent from RADIUS will be removed from this user. The username will stop appearing in logs for this IP address. The system will stop applying user rules to the traffic that uses this IP address.
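As an added illustration (not UserGate's code), the following Python models what an accounting receiver in the role of NGFW must do with the packets described in Step 5 and the behaviour table above: verify the Request Authenticator against the shared secret from Step 3, pull User-Name (1), NAS-IP-Address (4), Framed-IP-Address (8) and Acct-Status-Type (40) out of the attribute list, and update the user-to-IP mapping for Start, Interim-Update and Stop. The secret, user names and addresses in the test are constructed sample values; the reply names follow the table's wording.

```python
import hashlib
import ipaddress
import struct

ACCT_REQUEST = 4                                   # RADIUS code for Accounting-Request
USER_NAME, NAS_IP, FRAMED_IP, ACCT_STATUS = 1, 4, 8, 40
START, STOP, INTERIM = 1, 2, 3                     # Acct-Status-Type values (RFC 2866)

def build_acct_request(secret, ident, attrs):
    """Build an Accounting-Request; the authenticator is MD5 over the packet (auth field zeroed) + secret."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def parse_acct_request(packet, secret):
    """Check code, length and Request Authenticator; return the fields NGFW needs, or None."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return None
    body = packet[20:]
    if hashlib.md5(packet[:4] + bytes(16) + body + secret).digest() != packet[4:20]:
        return None                                # wrong shared secret or altered packet: drop it
    attrs, pos = {}, 0
    while pos + 2 <= len(body):                    # each attribute: type, length (incl. header), value
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            return None
        attrs[atype] = body[pos + 2:pos + alen]
        pos += alen
    try:
        return {"user": attrs[USER_NAME].decode(), "status": struct.unpack("!I", attrs[ACCT_STATUS])[0],
                "ip": str(ipaddress.IPv4Address(attrs[FRAMED_IP])), "nas": str(ipaddress.IPv4Address(attrs[NAS_IP]))}
    except (KeyError, ValueError, struct.error, UnicodeDecodeError):
        return None                                # a required attribute is missing or malformed

def apply_mapping(mapping, known_users, req):
    """Update {user: set of IPs} as the behaviour table describes; return the reply type."""
    if req["user"] not in known_users:
        return "Accounting-Reject"
    if req["status"] in (START, INTERIM):
        for ips in mapping.values():               # an IP belongs to only one user at a time
            ips.discard(req["ip"])
        mapping.setdefault(req["user"], set()).add(req["ip"])
    elif req["status"] == STOP:
        mapping.get(req["user"], set()).discard(req["ip"])
    return "Accounting-Response"
```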