SonicWall SonicOS - RADIUS Configuration for Authentication Manager - RSA Ready Implementation Guide
a year ago

This article describes how to integrate SonicWall SonicOS with Authentication Manager using RADIUS.

Configure RSA Authentication Manager

Perform these steps to configure RSA Authentication Manager using RADIUS.
Procedure

  1. Sign in to Security Console.
  2. Go to RADIUS > RADIUS Servers and make a note of the IP address of the selected RADIUS server.

  1. Click the RADIUS > RADIUS Clients > Add New.
  2. On the Add RADIUS Client page, enter the following:
    1. Client Name: Enter a descriptive name for the RADIUS client.
    2. IPv4 Address: Enter the IP address of the RADIUS client.
    3. Make / Model: Select SonicWall.
    4. Shared Secret: Create and enter a secure shared secret. This secret will be used for secure communication between the RADIUS client and the RADIUS server.

  1. Click Save & Create Associated RSA Agent.
  2. On the Add New Authentication Agent page, click Save, and confirm by clicking Yes, Save Agent.

Notes

  • RSA Authentication Manager RADIUS server listens on ports UDP 1645 and UDP 1812.
  • The relationship of agent host record to RADIUS client in the Authentication Manager can 1 to 1, 1 to many or 1 to all (global).
  • Shared Secret must be an alphanumeric string between 1 and 31 characters in length and is case-sensitive.

 

Configure SonicWall SonicOS

Perform these steps to configure SonicWall SonicOS using RADIUS.
Procedure

  1. Log in to SonicWall Management app.
  2. In the top menu, select the Device tab. Go to Users > Settings
  3. Select RADIUS as the User Authentication Method
  4. Click Configure next to Configure RADIUS.

  1. In the RADIUS Configuration popup window, select the Settings tab and click ADD to add a RADIUS Server.

  1. Enter the Hostname or IP address of the RSA RADIUS server and specify the appropriate port (the default RADIUS port is 1812).
  2. In the Shared Secret field, enter the shared secret used in the RSA Cloud Authentication Service configuration. 
  3. Click Save. 

  1. In the RADIUS Configuration window, go to the General Settings tab, set the RADIUS Server Timeout to 60 seconds, and adjust the Retries to 3.

  1. Go to the RADIUS Users tab and choose the mechanism for setting user group memberships from the available options.
  2. If you do not plan to retrieve user group information from RADIUS, select Local configuration only.
  3. Select the appropriate group from the Default user group drop-down menu for all RADIUS users.
  4. Click Save.

  1. Scroll to the bottom of the screen and click Accept.
  2. Go to the Network tab in the top menu and select IPSec VPN > Rules and Settings.
  3. To configure the WAN Group VPN policy, select it and click the edit icon to make modifications.

  1. Click the General tab and enter a shared secret. You can leave the other settings at their default values.

  1. Go to the Advanced tab and enable the Require authentication of VPN clients by XAUTH toggle switch.
  2. Navigate to the User group for XAUTH users and select the appropriate group to grant permission. Ensure that this group has VPN access to the desired subnets.

  1. Click the Client tab and set Cache XAUTH User Name and Password on Client to Single Session.
  2. Click Save.

  1. Go to SSL VPN > Server Settings in the left pane. Enable the WAN option.

  1.  On the SSL VPN Server Settings page, enable Use RADIUS toggle switch and select the MSCHAPv2 mode radio button.

  1. Select the Device tab in the top menu and go to Users > Local Users and Groups. 
  2.  Click the arrow next to All RADIUS Users to collapse its options. Hover over the Everyone group and click the edit icon to modify the user group settings.

  1. Go to the VPN Access tab and choose the different networks that should be accessible to VPN users.
  2. Click Save.

Notes

  • If your organization expects multiple remote users, enabling WAN GroupVPN is advisable for better management and security. However, if only a few users need access, you might consider whether the added complexity of enabling WAN GroupVPN is necessary, as it is not strictly required for the Global VPN Client (GVC) in SonicOS.
  • SSL VPN is not mandatory for RADIUS authentication in SonicOS, but it is highly beneficial for secure remote access. You can use RADIUS for user authentication without an SSL VPN if your setup does not require remote access.


Return to SonicWall SonicOS - RSA Ready Implementation Guide

Related Articles

Trending Articles

Don't see what you're looking for?