Authentication is not working on SecurePlatform with RADIUS groups
Symptoms
  • When you add the "any" group as a RADIUS group on the SecurePlatform machine, via the 'radius groups add' command, authentication works fine.

  • When the user is defined on the RADIUS Server, but you only defined the RADIUS group to which the user belongs on the SecurePlatform machine, the following error message is received:
    "Invalid administrator credentials or administrator is locked out. Please try again".

  • On the RADIUS Server, the log file records that the user is authenticated correctly.
Cause

You cannot log in to a SecurePlatform shell with a user that is defined on the RADIUS Server, but who belongs to a RADIUS group that is only defined on SecurePlatform.

SecurePlatform first receives "Accept" from the RADIUS Server, and then checks that the RADIUS group that was sent from the RADIUS Server is a valid group.


Solution

SecurePlatform users can be authenticated using the RADIUS server in two ways:

  • By configuring the local user authentication via the RADIUS server. In this case it is necessary to define all users that will be authenticated by the RADIUS server on every SecurePlatform machine, and it is NOT required to define any RADIUS groups.
  • By defining the list of RADIUS groups. All users that belong to the RADIUS groups defined on SecurePlatform will be able to authenticate and perform login, if the same group is defined on the RADIUS server. (The option utilizing RADIUS groups allows more flexibility, by eliminating the need to define all RADIUS users on each SecurePlatform machine.)


Note: There is a special RADIUS group called "any". When this group is present in the group list of the SecurePlatform machine, ALL users defined on the RADIUS server will be able to log in to the SecurePlatform machine.

After users and groups are configured in RADIUS, the RADIUS client then handles authentication and examines the specified RADIUS class to retrieve the user's groups. (The RADIUS "Class" attribute holds the group name.)

Once the RADIUS group has been retrieved, the RADIUS client maps the RADIUS group to the appropriate RADIUS client group.

Proceed as follows:

On the RADIUS Server, modify the RADIUS group to include a Class attribute. The attribute value should be the RADIUS group name.

If this does not work, use a different attribute. For example, the Reply-Message attribute is number 18; to use it, set the property to :radius_groups_attr (18). The default value is "25" (for Class).

After defining the Class attribute with the RADIUS group name, it is possible to log in to the SecurePlatform shell with the user.
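The following added example (not Check Point code, and not part of the original article) models the check described above for troubleshooting: it decodes a RADIUS packet per RFC 2865, confirms it is an Access-Accept, and looks for a locally configured group in the group attribute (25 by default). The function names, the group names and the packets are constructed for illustration, and exact string matching of the group name is an assumption.

```python
import struct

ACCESS_ACCEPT = 2                 # RADIUS packet code (RFC 2865)
CLASS, REPLY_MESSAGE = 25, 18     # attribute numbers named in the article

def build_packet(code, attrs, ident=1):
    """Build a constructed RADIUS packet (zeroed authenticator) for the demo."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), b"\0" * 16) + body

def parse_attributes(packet):
    """Return (code, [(type, value), ...]) from a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length, _auth = struct.unpack("!BBH16s", packet[:20])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def login_allowed(packet, local_groups, groups_attr=CLASS):
    """Hypothetical model of the article's check: Accept first, then group match."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return False, "server did not send Access-Accept"
    if "any" in local_groups:
        return True, "'any' is in the local group list"
    sent = [v.decode("utf-8", "replace") for t, v in attrs if t == groups_attr]
    matched = [g for g in sent if g in local_groups]
    if matched:
        return True, "matched group " + matched[0]
    return False, "no configured group in attribute %d (got %r)" % (groups_attr, sent)

if __name__ == "__main__":
    groups = {"fw-admins"}  # constructed local group list
    for attrs in ([], [(CLASS, b"fw-admins")], [(CLASS, b"helpdesk")]):
        print(login_allowed(build_packet(ACCESS_ACCEPT, attrs), groups))
```

The first case reproduces the symptom in this article: the server accepts the user, but no group attribute is returned, so the group check fails.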

For more detailed information, refer to the SecurePlatform R71 Administration Guide.

This solution is about products that are no longer supported, and it will not be updated.
