Setting ScreenOS Authentication Options Using General Auth Settings

The authentication screens contain the following device-wide authentication options you can configure on a security device.

For devices running ScreenOS 5.2, you can configure some general settings that determine how the security device handles authentication session cleanup and authentication requests.

Clearing RADIUS Sessions

Occasionally, overcharging can occur when a wireless user is assigned the same IP address that was used for a previously closed connection by a different user. Because the IP addresses are the same for both connections, the first wireless user might be charged for the second user’s connection time. You can prevent this problem by configuring the security device to clear RADIUS sessions for a specific IP address when the RADIUS accounting-stop message is received for that connection.

To enable session cleanup for a security device, in the device navigation tree, select Auth > General. Configure a RADIUS Accounting Listener port that monitors the connection for accounting-stop messages, and then select the option RADIUS Accounting Cleanup Action: Session Cleanup.
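The cleanup behavior described above, modeled as an added example (not NSM or ScreenOS code): it parses a RADIUS Accounting-Request as laid out in RFC 2866 and, when Acct-Status-Type is Stop, drops every entry for the released IP address from a session table. Assumptions: the address is carried in the Framed-IP-Address attribute, the `sessions` dictionary and all function names are hypothetical, and the Request Authenticator check against the shared secret that RFC 2866 defines is omitted.

```python
import ipaddress
import struct

ACCOUNTING_REQUEST = 4      # RADIUS packet code (RFC 2866)
FRAMED_IP_ADDRESS = 8       # attribute type, 4-byte IPv4 address (assumed carrier of the IP)
ACCT_STATUS_TYPE = 40       # attribute type, 4-byte integer
ACCT_STOP = 2               # Acct-Status-Type value for Stop


def parse_attributes(packet: bytes) -> dict:
    """Return {attr_type: value_bytes} for an Accounting-Request, validating lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return attrs


def handle_accounting(packet: bytes, sessions: dict) -> list:
    """On accounting-stop, remove every session whose source is the released IP."""
    attrs = parse_attributes(packet)
    status = attrs.get(ACCT_STATUS_TYPE, b"")
    ip_raw = attrs.get(FRAMED_IP_ADDRESS, b"")
    if len(status) != 4 or len(ip_raw) != 4:
        return []                      # missing or malformed attribute: clear nothing
    if struct.unpack("!I", status)[0] != ACCT_STOP:
        return []                      # Start / Interim-Update leave sessions alone
    ip = str(ipaddress.IPv4Address(ip_raw))
    cleared = [sid for sid, src in sessions.items() if src == ip]
    for sid in cleared:
        del sessions[sid]
    return cleared


def build_packet(status: int, ip: str) -> bytes:
    """Constructed sample Accounting-Request (authenticator zeroed, not verified)."""
    attrs = struct.pack("!BBI", ACCT_STATUS_TYPE, 6, status)
    attrs += bytes([FRAMED_IP_ADDRESS, 6]) + ipaddress.IPv4Address(ip).packed
    return struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(attrs)) + bytes(16) + attrs
```
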

Assigning an Authentication Request Interface

By default, the security device sends authentication requests using the route defined in the route table. For devices running ScreenOS 5.2, you can configure a specific outgoing source interface for requests sent to an authentication server. You might need to specify an interface for auth requests destined for a VPN tunnel, or to route all auth requests through the same interface for authentication monitoring.

To configure a source interface, in the device navigation tree, select Auth > General, and then click the Add icon in the Source Interface used for Outgoing Auth Request area. Select the Authentication Server object that represents the authentication server receiving the request, and then select an interface on the device through which requests are sent.

Note: For details on configuring Authentication Server objects, see the Network and Security Administration Guide.

After you specify a source interface for auth requests, the security device routes all auth requests destined for a RADIUS, LDAP, or SecurID server through that interface (one source interface per authentication server object).
