You can integrate LiveAssurance with an external RADIUS server in your environment for web authentication. RADIUS authentication can then be used for user access, bypassing the local authentication provided by LiveAssurance.
LiveAssurance supports a single integration with RADIUS. You can either use LDAP or RADIUS integration as your centralized authentication mechanism.
Note: This feature only supports the PAP method for web access.
RADIUS Setup
To configure RADIUS integration, perform the following steps:
- Select Settings in the sidebar, then select Integrations.
- Select .
- Configure the following parameters:
  - Host Address—enter the host address.
  - Port—enter the port number used for RADIUS server authentication. By default, the UDP port is 1812.
  - Shared secret—enter the shared secret.
  - User name—enter a temporary username for the purpose of testing the connection to the RADIUS server. This will not be stored in LiveAssurance.
  - Password—enter a temporary password for the purpose of testing the connection to the RADIUS server. This will not be stored in LiveAssurance.
  - Select default role—select a default role which will be assigned to new users. To support a different role, you can change the role from the local user database once the user has successfully authenticated with the RADIUS server and the username has been added to the local user database. The username defined in LiveAssurance matches the username in the RADIUS repository.
- Select Test.
Note:
- LiveAssurance always attempts to use the local authentication mechanism first. If you do not allow local users in your environment, you can simply remove all the local users from the local database. The username “admin” should not be removed as it is required to recover the server in an unexpected event.
- When an authentication request is received and the username does not exist in the local database, LiveAssurance will use the external authentication mechanism. If RADIUS is configured and it is active, LiveAssurance will forward the authentication request to the RADIUS server. LiveAssurance does not store the passwords locally. If the RADIUS server does not successfully authenticate the username and password, access is not granted even though the username may be in the local database.
- When a new user attempts to log in for the first time, LiveAssurance does not have the username in its local database. LiveAssurance forwards the request to the RADIUS server for authentication and authorization. If the request is accepted, LiveAssurance adds the new user to its local database and assigns the user the default role.
- When an existing user logs in to LiveAssurance, LiveAssurance will authenticate the user using the local database. In other words, enabling RADIUS integration will not impact existing users. However, if your policy is not to have local users, simply remove all the local users to force authentication using the RADIUS server. Once the user is successfully authenticated by the RADIUS server, the username will be re-added to the local database. You will then have the option to change the role from the default role.