RADIUS server: Windows 2008 R2 server with NPS (Network Policy Server)
Before configuring NPS, create two security groups in AD: one for users who get read-write access and one for users who get read-only access.
Open the NPS console
Click on RADIUS Clients and Servers
Right click on RADIUS Clients and select New
Type in the name of the device
Type in the IP address of the device. Note that this must be the source IP address the device will use to reach the RADIUS server, taking the routing table, firewall policy, NAT, etc. into account.
Type in a shared secret
Click on the Advanced tab and under vendor name make sure you select RADIUS Standard
Click on Policies
Right click on Network Policies and select New
We will create two policies, one for read-write access and one for read-only access.
Type in the policy name and click Next
On the Specify Conditions page click on Add and select Windows Groups
Select the read-write security group and click OK
Make sure Access granted is selected and click Next
Check CHAP and PAP and click Next
On the Configure Constraints page you can enable the idle and session timeouts
On Configure Settings, select RADIUS Attributes -> Vendor Specific, and click Add
Select Vendor-Specific from the list and click Add
Click Add, select Enter Vendor Code, and type in 2620
Select Yes. It conforms
Click on Configure Attributes
On Vendor-assigned attribute number type 229
On Attribute format select String
On Attribute value type in radius-group-RW
Click OK, OK, OK and Close
Click Next and then Finish
Make sure the newly created policy sits above the deny policies: right-click the policy and select Move Up. NPS evaluates network policies in order and applies the first one whose conditions match, so also make sure no other policy that would match these users sits above this one; if one does, move this policy above it.
Repeat these steps to create one more policy for read-only access: give it an appropriate name, on Configure Conditions -> Windows Groups select the RO group, and on Configure Attributes -> Attribute value enter radius-group-RO.
Again, make sure this policy is above the deny policies.
Now let's configure Gaia OS. Log in to the web GUI.
Select User Management -> Roles and click Add
In the Role Name type in radius-group-RW
In the Features list, select the features to grant (for adminRole, select all items)
In Mark selected as, choose Read/Write and click OK
Repeat these steps to create a second role named radius-group-RO: select the features read-only users should have access to, and mark them as Read-only.
Next select User Management -> Authentication Servers and click Add
On Host type in your RADIUS server IP address
Type in the shared secret (the one we entered in NPS when creating the RADIUS client)
Click OK and then Apply
Now log out of the web GUI and test your settings by logging in again with your domain username and password (note that your domain account must be a member of the security group for firewall RO or RW access)
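To see what the NPS steps above actually produce on the wire, and how Gaia uses it, here is an added example (not part of the original post, and not Check Point or Microsoft code). It encodes the Vendor-Specific attribute that NPS adds to the Access-Accept (vendor code 2620, vendor-assigned attribute 229, which Check Point's RADIUS dictionary names CP-Gaia-User-Role, format String), decodes it again, and looks the role name up among the roles created under User Management -> Roles, which is where a mismatch such as a misspelled role name shows up. The Reply-Message attribute in the sample and the helper names are constructed for the example.

```python
import struct

# RFC 2865 section 5.26: attribute type number of Vendor-Specific
VENDOR_SPECIFIC = 26
# Vendor code entered in NPS above (Check Point's IANA enterprise number)
CHECKPOINT_VENDOR_ID = 2620
# Vendor-assigned attribute number entered in NPS above (CP-Gaia-User-Role)
CP_GAIA_USER_ROLE = 229


def encode_gaia_role_vsa(role_name: str) -> bytes:
    """Build the Vendor-Specific attribute NPS sends in the Access-Accept
    when the policy's Vendor Specific attribute is configured as above.

    Layout (RFC 2865 5.26):
      Type(1) | Length(1) | Vendor-Id(4) | Vendor-Type(1) | Vendor-Length(1) | String
    """
    data = role_name.encode("ascii")
    vendor_length = 2 + len(data)      # vendor type + vendor length + string
    total_length = 6 + vendor_length   # type + length + vendor id + vendor part
    if total_length > 255:
        raise ValueError("RADIUS attribute length is a single byte (max 255)")
    header = struct.pack("!BBIBB", VENDOR_SPECIFIC, total_length,
                         CHECKPOINT_VENDOR_ID, CP_GAIA_USER_ROLE, vendor_length)
    return header + data


def decode_vsas(attributes: bytes):
    """Walk a RADIUS attribute list and yield (vendor_id, vendor_type, value)
    for each Vendor-Specific attribute; other attributes are skipped."""
    offset = 0
    while offset + 2 <= len(attributes):
        attr_type, attr_len = attributes[offset], attributes[offset + 1]
        if attr_len < 2 or offset + attr_len > len(attributes):
            raise ValueError("malformed RADIUS attribute at offset %d" % offset)
        body = attributes[offset + 2:offset + attr_len]
        if attr_type == VENDOR_SPECIFIC and len(body) >= 6:
            vendor_id = struct.unpack("!I", body[:4])[0]
            vendor_type, vendor_len = body[4], body[5]
            yield vendor_id, vendor_type, body[6:4 + vendor_len]
        offset += attr_len


def resolve_gaia_role(attributes: bytes, configured_roles: dict) -> str:
    """Mimic Gaia's handling of the Access-Accept: find the Check Point role
    attribute and match it against the roles defined on the appliance.
    A role name Gaia does not know means the login is refused."""
    for vendor_id, vendor_type, value in decode_vsas(attributes):
        if vendor_id == CHECKPOINT_VENDOR_ID and vendor_type == CP_GAIA_USER_ROLE:
            role = value.decode("ascii")
            if role not in configured_roles:
                raise LookupError("RADIUS returned role %r, which is not defined on Gaia" % role)
            return role
    raise LookupError("Access-Accept carried no CP-Gaia-User-Role attribute")


# Roles created on Gaia in the steps above, with the access level assigned
GAIA_ROLES = {"radius-group-RW": "Read/Write", "radius-group-RO": "Read-only"}

if __name__ == "__main__":
    # Constructed Access-Accept attribute list: a Reply-Message (type 18)
    # followed by the role VSA, as NPS would send for an RW user
    attrs = bytes([18, 4]) + b"ok" + encode_gaia_role_vsa("radius-group-RW")
    print(attrs.hex())
    print("Gaia role:", resolve_gaia_role(attrs, GAIA_ROLES))
```

Role names are matched exactly, so the value typed in NPS (Attribute value) and the Role Name on Gaia must agree character for character; a packet capture of the Access-Accept on the RADIUS port lets you compare the decoded string against the role list when a login is refused.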
After that, I highly recommend changing the admin password to something very complex and hard to guess, keeping it in a password vault, and never using it again unless needed.
In my next post I will show how to configure RADIUS authentication for SmartConsole access.