SonicWall SonicOS - RADIUS Configuration for Cloud Authentication Service - RSA Ready Implementation Guide
a year ago

This article describes how to integrate SonicWall SonicOS with RSA Cloud Authentication Service using RADIUS.

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service using RADIUS.
Procedure

  1. Log in to RSA Cloud Authentication Service.
  2. Click Authentication Clients > RADIUS.
  3. Click Add Radius Client and Profiles.
  4. On the RADIUS Client page, enter the following details:
    1. Name: Enter a descriptive name for the RADIUS Client.
    2. IP Address: Enter the IP address of the RADIUS Client.
    3. Shared Secret: Create and enter a secure shared secret. This secret will be used for secure communication between the RADIUS Client and the RADIUS server.
  5. Click Save, then Next Step.
  6. Click Finish to complete the configuration.
  7. Click Publish Changes to apply your changes to the RADIUS server and wait for the process to be completed.

Notes

  • The RSA Cloud Authentication RADIUS server is configured to listen on UDP port 1812.
  • The Shared Secret must be an alphanumeric string between 1 and 31 characters in length and is case-sensitive.
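
One way to create and check a shared secret that fits the constraint in the note above. This is an added example, not code from RSA or SonicWall. It assumes "alphanumeric" means ASCII letters and digits, and the 128-bit floor (MIN_BITS) is a hypothetical local policy value, not a vendor requirement.

```python
import math
import secrets
import string

# Constraint from the Notes above: alphanumeric, 1 to 31 characters, case-sensitive.
ALPHABET = string.ascii_letters + string.digits  # assumption: ASCII only, 62 symbols
MAX_LEN = 31
MIN_BITS = 128  # assumption: local policy floor, not an RSA or SonicWall requirement


def entropy_bits(length):
    """Upper bound on entropy: holds only if every character is drawn uniformly at random."""
    return length * math.log2(len(ALPHABET))


def generate_secret(length=MAX_LEN):
    """Draw a secret from the OS CSPRNG using only the permitted characters."""
    if not 1 <= length <= MAX_LEN:
        raise ValueError(f"length must be between 1 and {MAX_LEN}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def check_secret(candidate):
    """Return a list of problems; an empty list means the candidate is acceptable."""
    problems = []
    if not 1 <= len(candidate) <= MAX_LEN:
        problems.append(f"length {len(candidate)} is outside 1-{MAX_LEN}")
    bad = sorted({c for c in candidate if c not in ALPHABET})
    if bad:
        problems.append("non-alphanumeric characters: " + " ".join(map(repr, bad)))
    if candidate and entropy_bits(len(candidate)) < MIN_BITS:
        problems.append(f"at most {entropy_bits(len(candidate)):.0f} bits, below {MIN_BITS}")
    return problems


if __name__ == "__main__":
    secret = generate_secret()
    # Report length and strength only; the secret itself is never printed.
    print(f"{len(secret)} chars, ~{entropy_bits(len(secret)):.0f} bits")
    for sample in ("Radius2024", "s3cret-with_symbols!", "A" * 32):  # constructed samples
        print(repr(sample), "->", check_secret(sample) or "ok")
```

With a 62-character alphabet, 22 characters is the shortest length that reaches 128 bits, so a randomly generated secret at the full 31 characters leaves a wide margin.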

 

Configure SonicWall SonicOS

Perform these steps to configure SonicWall SonicOS using RADIUS.
Procedure

  1. Log in to the SonicWall Management app.
  2. Select the Device tab in the top menu and go to Users > Settings.
  3. Select RADIUS as the User Authentication Method.
  4. Click Configure next to Configure RADIUS.
  5. In the RADIUS Configuration popup window, select the Settings tab and click ADD to add a RADIUS Server.
  6. Enter the Hostname or IP address of the RSA RADIUS server and specify the appropriate port (the default RADIUS port is 1812).
  7. In the Shared Secret field, enter the shared secret used in the RSA Cloud Authentication Service configuration.
  8. Click Save.
  9. In the RADIUS configuration window, go to the General Settings tab, set the RADIUS Server Timeout (seconds) to 60 seconds, and adjust the Retries to 3.
  10. Go to the RADIUS Users tab and choose the mechanism for setting user group memberships from the available options.
  11. If you do not plan to retrieve user group information from RADIUS, select Local configuration only.
  12. From the Default user group to which all RADIUS users belong dropdown menu, select the appropriate group for all RADIUS users.
  13. Click Save.
  14. Scroll to the bottom of the screen and click Accept.
  15. Go to the Network tab in the top menu and select IPSec VPN > Rules and Settings.
  16. To configure the WAN Group VPN policy, select it and click the edit icon to make modifications.
  17. Click the General tab and enter a shared secret. You can leave the other settings at their default values.
  18. Go to the Advanced tab and enable the Require authentication of VPN clients by XAUTH toggle switch.
  19. Navigate to the User group for XAUTH users and select the appropriate group to grant permission. Ensure that this group has VPN access to the desired subnets.
  20. Click the Client tab and set Cache XAUTH User Name and Password on Client to Single Session.
  21. Click Save.
  22. Go to SSL VPN > Server Settings in the left pane. Enable the WAN option.
  23. On the SSL VPN Server Settings page, enable the Use RADIUS toggle switch and select the MSCHAPv2 mode radio button.
  24. Select the Device tab in the top menu and go to Users > Local Users and Groups.
  25. Click the arrow next to All RADIUS Users to collapse its options. Hover over the Everyone group and click the edit icon to modify the user group settings.
  26. Go to the VPN Access tab and choose the different networks that should be accessible to VPN users.
  27. Click Save.

Notes

  • If your organization expects multiple remote users, enabling WAN GroupVPN is advisable for better management and security. However, if only a few users need access, you might consider whether the added complexity of enabling WAN GroupVPN is necessary, as it is not strictly required for the Global VPN Client (GVC) in SonicOS.
  • SSL VPN is not mandatory for RADIUS authentication in SonicOS, but it is highly beneficial for secure remote access. You can use RADIUS for user authentication without an SSL VPN if your setup does not require remote access.


The configuration is complete.