Remote Authentication Dial-In User Service (RADIUS) is a networking protocol providing authentication, authorization, and accounting. The Barracuda NextGen Firewall F-Series can use RADIUS authentication for IPsec, Client-to-Site, and SSL VPN.
Before You Begin
When using RADIUS for OTP authentication (e.g., LinOTP, privacyIDEA), you must enable the option Always use Session Password in the NextGen Admin Client Settings; otherwise authentication will fail. For more information, see NextGen Admin Settings.
Configure RADIUS Authentication
To configure RADIUS for external authentication with the Barracuda NextGen Firewall F-Series:
- Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Authentication Service.
- In the left navigation pane, select RADIUS Authentication.
- Click Lock.
- From the Configuration Mode menu on the left, select Advanced View.
- Enable RADIUS as external directory service.
- In the Radius Server Address / Port fields, enter the IP address and port of the RADIUS server (default: port 1812). In the Radius Server Key section, define the pre-shared secret to authorize requests.
- From the Group Attribute Delimiter list, you can select how groups are delimited in a list. To explicitly specify a delimiter character, select the Other checkbox and enter the character in the Group Attribute Delimiter field.
- From the Group Attribute Usage list, select which part of the group information is used (e.g., CN=…, OU=…, DC=…). You can select:
  - All (default) – Complete string
  - First – Only the first group
  - Last – Only the last group
- If group information is queried from a different authentication scheme, select the scheme from the User Info Helper Scheme list.
- Enter the NAS identifier, IP address, and port if your RADIUS server requires you to set NAS credentials.
- Enable OTP preserves State if a One-Time Password server (e.g., Symantec VIP Enterprise Gateway 9.0) requires the RADIUS response to contain the 'State' attribute.
- Click Send Changes and Activate.
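The shared secret and the State attribute configured above are the two pieces of the RADIUS exchange that a firewall administrator most often has to reason about when debugging failed authentications. The following Python example, added here and not part of Barracuda's product or this article, shows the RFC 2865 mechanics in a minimal form: the User-Password is hidden with MD5(secret + authenticator), the server's Response Authenticator is recomputed on the client side so a wrong secret or a modified reply is rejected, and a State attribute received in an Access-Challenge (the OTP second step) is echoed back unchanged in the next Access-Request. All packet contents and the secret are constructed sample values.

```python
import hashlib
import hmac
import struct

# RFC 2865 packet codes and attribute types used in this example
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, USER_PASSWORD, STATE = 1, 2, 24


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple (minimum 16), XOR each block with MD5(secret + prev)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def attr(kind: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(payload: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(payload):
        attrs[payload[i]] = payload[i + 2:i + payload[i + 1]]
        i += payload[i + 1]
    return attrs


def build_access_request(ident, secret, user, password, authenticator, state=None):
    """Client side. A State received in an Access-Challenge must be echoed back untouched."""
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, authenticator))
    if state is not None:
        attrs += attr(STATE, state)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_reply(code, request, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_reply(reply, request, secret):
    """Client side: recompute the Response Authenticator; a mismatch means wrong secret or tampering."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])
```

A real client draws the 16-byte Request Authenticator from a secure random source for every request; the test below fixes it only so the results are reproducible.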
RADIUS Authentication Through the Remote Management Tunnel
To allow remote F-Series Firewalls to connect to the authentication server through the remote management tunnel, you must activate the outbound BOX-AUTH-MGMT-NAT Host Firewall rule. By default, this rule is disabled.