Configuring User Authentication through RADIUS

The TCA6000 and TCA6500 Timing Clients authenticate a user who is logging in through RADIUS server authentication, local authentication, or both, according to the configured authentication order.

When you configure the authentication order as RADIUS server authentication followed by local authentication, the Timing Client passes the information about the user who is logging in to the configured RADIUS servers for authentication. If any one of the RADIUS servers successfully authenticates the user, the Timing Client allows the user to log in. If all the configured RADIUS servers fail to authenticate the user, or the configured RADIUS servers are not available, the Timing Client performs local authentication and allows the user to log in after successful local authentication. The Timing Client blocks the user if both RADIUS and local authentication fail.

When you configure the authentication order as local authentication followed by RADIUS server authentication, the Timing Client performs local authentication to grant access to the user who is logging in. If local authentication fails to authenticate the user, the Timing Client passes the information about the user to the configured RADIUS servers for authentication. If any one of the RADIUS servers successfully authenticates the user, the Timing Client allows the user to log in. If all configured RADIUS servers fail to authenticate the user, the Timing Client denies access to the user.

When you configure the authentication order as RADIUS server authentication only, the Timing Client passes the information about the user who is logging in to the configured RADIUS servers for authentication. If any one of the RADIUS servers successfully authenticates the user, the Timing Client allows the user to log in. If all configured RADIUS servers fail to authenticate the user, the Timing Client denies access to the user. If all configured RADIUS servers are unavailable, the Timing Client performs local authentication and allows the user to log in after successful local authentication.

When you configure the authentication order as local authentication only, the Timing Client performs the local authentication to grant or deny access to the user logging in to the Timing Client.

Note:

  • The RADIUS authentication server used to authenticate the user is selected according to the order of the RADIUS authentication server list.
  • The user authentication process is implemented only for the Access Request, Access Reject, and Access Accept messages.
  • The user authentication process is not supported for shell users.
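The four authentication orders described above, modelled as a decision function. This is an added example, not code from the Timing Client; the order labels, outcome labels, function names, and the treatment of an empty server list or a mix of rejects and timeouts are assumptions made for the illustration.

```python
from itertools import product

ACCEPT, REJECT, UNAVAILABLE = "accept", "reject", "unavailable"
ORDERS = ("radius,local", "local,radius", "radius", "local")  # assumed labels

def radius_phase(outcomes):
    """Summarise the answers of the servers, consulted in list order."""
    if ACCEPT in outcomes:
        return ACCEPT          # any one server accepting is enough
    if all(o == UNAVAILABLE for o in outcomes):
        return UNAVAILABLE     # assumption: an empty list counts as unavailable
    return REJECT              # assumption: rejects mixed with timeouts are a failure

def login_allowed(order, outcomes, local_ok):
    """Return (allowed, deciding_method) for one login attempt."""
    if order not in ORDERS:
        raise ValueError(f"unknown authentication order: {order}")
    if order == "local":
        return local_ok, "local"
    if order == "local,radius":
        if local_ok:
            return True, "local"
        return radius_phase(outcomes) == ACCEPT, "radius"
    result = radius_phase(outcomes)
    if result == ACCEPT:
        return True, "radius"
    if order == "radius,local" or result == UNAVAILABLE:
        # "radius,local": local decides after any RADIUS failure or outage.
        # "radius": local decides only when every server is unavailable.
        return local_ok, "local"
    return False, "radius"

def local_password_sufficient(order, servers=2):
    """Server outcomes under which a valid local password alone grants access."""
    return [combo
            for combo in product((ACCEPT, REJECT, UNAVAILABLE), repeat=servers)
            if login_allowed(order, combo, local_ok=True) == (True, "local")]

if __name__ == "__main__":
    for order in ORDERS:
        print(order, "->", local_password_sufficient(order))
```

For the RADIUS-only order the list contains a single case, every server unavailable, so local accounts still decide access during a RADIUS outage and need the same care as in the other orders.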

The user authentication process protects the Timing Client from being accessed by unauthorized persons. The usage of RADIUS authentication servers provides the following advantages:

To configure the user authentication process:

  1. Click the Config tab.
  2. Locate the RADIUS tab across the top tabs of the Config page. See Figure 13.

    Figure 13: Timing Client Config Page—RADIUS Pane (Authentication)

  3. Configure the RADIUS authentication server details.
  4. Click the Save button to save the authentication server configuration.
  5. Select the authentication order.
  6. Click the Apply button to apply the configured authentication order.

The following sections describe RADIUS authentication server configuration and authentication order configuration:

Adding a New RADIUS Authentication Server Entry

To add a new RADIUS authentication server entry to the authentication server list:

  1. Click the Config tab.
  2. Locate the RADIUS tab across the top tabs of the Config page. See Figure 13.
  3. In the Server IP field, enter the IP address of the RADIUS authentication server to be used for user authentication.
  4. In the Port field, enter the port through which the specified RADIUS authentication server is contacted for user authentication.
  5. In the Retry field, enter the number of attempts to be made to contact the specified RADIUS authentication server.
  6. In the Timeout field, enter the time, in seconds, that the Timing Client waits for a response from the specified RADIUS authentication server.
  7. In the Secret Word field, enter the password shared with the specified RADIUS authentication server.
  8. Click the Save button to add the RADIUS authentication server entry in the RADIUS Authentication Servers window and memory.

Deleting a RADIUS Authentication Server Entry

To delete a RADIUS authentication server entry from the authentication server list:

  1. Click the Config tab.
  2. Locate the RADIUS tab across the top tabs of the Config page. See Figure 13.
  3. In the RADIUS Authentication Servers window, click the RADIUS authentication server entry to be deleted.
  4. Click the Delete button to remove the entry from the RADIUS Authentication Servers window and memory.

Modifying a RADIUS Authentication Server Entry Details

To modify the details of a RADIUS authentication server entry existing in the authentication server list:

  1. Click the Config tab.
  2. Locate the RADIUS tab across the top tabs of the Config page. See Figure 13.
  3. In the RADIUS Authentication Servers window, select the RADIUS authentication server entry to be modified.
  4. Click the Edit button to populate the values of the selected RADIUS authentication server entry in the Server IP, Port, Retry, Timeout, and Secret Word fields.
  5. Modify the populated values.
  6. Click the Save button to save the changes made to the selected RADIUS authentication server entry.

Configuring Authentication Order

To configure the authentication order:

  1. Click the Config tab.
  2. Locate the RADIUS tab across the top tabs of the Config page. See Figure 13.
  3. In the first drop box, select the type of authentication to be performed initially. Select:
    • radius: To authenticate the user using the configured RADIUS authentication servers.
    • local: To authenticate the user using local settings.
  4. In the second drop box, select the type of authentication to be performed on failure or unavailability of initial authentication. Select:
    • radius: To authenticate the user using the configured RADIUS authentication servers.
    • local: To authenticate the user using local settings.
  5. Click the Apply button to save the authentication order.