Remote Access Dial-In User Service (RADIUS) is a networking protocol providing authentication, authorization, and accounting. The Barracuda NextGen Firewall F-Series can use RADIUS authentication for IPsec, Client-to-Site, and SSL VPN.
Configure RADIUS authentication
To configure RADIUS for external authentication with the Barracuda NextGen Firewall F-Series:
- Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Authentication Service.
- In the left navigation pane, select RADIUS Authentication.
- Click Lock.
- From the Configuration Mode menu on the left, select Advanced View.
- Enable RADIUS as external directory service.
- In the Radius Server Address / Port fields, enter the IP address and port of the RADIUS server (default: port 1812).
- In the Radius Server Key section, define the pre-shared secret to authorize requests. (Do not use backslashes.)
- From the Group Attribute Delimiter list, you can select how groups are delimited in a list. To explicitly specify a delimiter character, select the Other checkbox and enter the character in the Group Attribute Delimiter field.
- From the Group Attribute Usage list, you can select the group information that is used (e.g.: CN=…, OU=…, DC=…). You can select:
  - All (default) – Complete string
  - First – Only the first group
  - Last – Only the last group
- If group information is queried from a different authentication scheme, select the scheme from the User Info Helper Scheme list.
- Enter the NAS identifier, IP address, and port if your RADIUS server requires you to set NAS credentials.
- Enable OTP preserves State if a One-Time Password server (e.g., Symantec VIP Enterprise Gateway 9.0) requires the RADIUS response to contain the 'State' attribute.
- Click Send Changes and Activate.
RADIUS authentication through the remote management tunnel
To allow remote F-Series Firewalls to connect to the authentication server through the remote management tunnel, you must activate the outbound BOX-AUTH-MGMT-NAT Host Firewall rule. By default, this rule is disabled.