Configuring User Authentication through RADIUS

The TCA 8000 and TCA 8500 Timing Servers authenticate users who log in through RADIUS server authentication, local authentication, or both, depending on the configured authentication order.

When you configure the authentication order as RADIUS server authentication followed by local authentication, the Timing Server passes information about the user logging in to the configured RADIUS servers for authentication. If any one of the RADIUS servers successfully authenticates the user, the Timing Server allows the user to log in. If all the configured RADIUS servers fail to authenticate the user, or the configured RADIUS servers are not available, the Timing Server performs local authentication and allows the user to log in after successful local authentication. The Timing Server blocks the user if both RADIUS and local authentication fail.

When you configure the authentication order as local authentication followed by RADIUS server authentication, the Timing Server first performs local authentication to grant access to the user logging in. If local authentication fails, the Timing Server passes information about the user to the configured RADIUS servers for authentication. If any one of the RADIUS servers successfully authenticates the user, the Timing Server allows the user to log in. If all configured RADIUS servers fail to authenticate the user, the Timing Server denies access to the user.

When you configure the authentication order as RADIUS server authentication only, the Timing Server passes information about the user logging in to the configured RADIUS servers for authentication. If any one of the RADIUS servers successfully authenticates the user, the Timing Server allows the user to log in. If all configured RADIUS servers fail to authenticate the user, the Timing Server denies access to the user. If all configured RADIUS servers are unavailable, the Timing Server performs local authentication and allows the user to log in after successful local authentication.

When you configure the authentication order as local authentication only, the Timing Server performs the local authentication to grant or deny access to the user logging in to the Timing Server.
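
The four authentication orders described above, modelled as a decision function. This is an added example, not vendor code; the order labels, the function names, and the handling of an empty or mixed reject/no-response server list are assumptions. It shows which configurations still consult local accounts, including RADIUS only when no server responds.

```python
from enum import Enum

class Reply(Enum):
    ACCEPT = "Access-Accept"
    REJECT = "Access-Reject"
    NONE = "no response"  # retries and timeout exhausted

def radius_phase(replies):
    """Summarise the server list, given in configured order, as one result."""
    if all(r is Reply.NONE for r in replies):
        return "unavailable"          # also covers an empty list (assumption)
    if Reply.ACCEPT in replies:
        return "accept"               # any one server accepting is enough
    return "reject"                   # assumption: mixed reject/no-response = reject

def login(order, replies, local_ok):
    """Return (allowed, local_consulted) for one login attempt.

    order is a hypothetical label for the four cases on this page:
    "radius-local", "local-radius", "radius-only", "local-only".
    """
    if order == "local-only":
        return local_ok, True
    if order == "local-radius":
        # RADIUS is asked only after local authentication fails.
        return (local_ok or radius_phase(replies) == "accept"), True
    result = radius_phase(replies)
    if result == "accept":
        return True, False
    if order == "radius-local":
        return local_ok, True         # local runs on reject or unavailability
    if order == "radius-only":
        if result == "unavailable":
            return local_ok, True     # fallback even though order is RADIUS only
        return False, False
    raise ValueError(f"unknown order: {order}")

def orders_reaching_local(replies):
    """Orders in which local accounts are consulted for these server replies."""
    orders = ("radius-local", "local-radius", "radius-only", "local-only")
    return [o for o in orders if login(o, replies, local_ok=False)[1]]

if __name__ == "__main__":
    # Constructed scenarios: two configured servers.
    for replies in ([Reply.REJECT, Reply.REJECT], [Reply.NONE, Reply.NONE]):
        print([r.value for r in replies], orders_reaching_local(replies))
```

Because RADIUS only still falls back to local authentication when no server responds, local account passwords on the Timing Server need the same care as the RADIUS credentials.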

Note:

  • The RADIUS authentication server used to authenticate a user is selected based on the order of the RADIUS authentication server list.
  • The user authentication process is implemented only for the Access-Request, Access-Reject, and Access-Accept messages.
  • The user authentication process is not supported for shell users.

The user authentication process protects the Timing Server from being accessed by unauthorized persons. The usage of RADIUS authentication servers provides the following advantages:

To configure the user authentication process:

  1. Click the Config tab.
  2. Locate the RADIUS tab across the top tabs of the Config page. See Figure 14.

    Figure 14: Timing Server Config Page—RADIUS Pane (Authentication)

  3. Configure the RADIUS authentication server details.
  4. Click the Save button to save the authentication server configuration.
  5. Select the authentication order.
  6. Click the Apply button to apply the configured authentication order.

The following sections describe RADIUS authentication server configuration and authentication order configuration:

Adding a New RADIUS Authentication Server Entry

To add a new RADIUS authentication server entry to the authentication server list:

  1. Click the Config tab.
  2. Locate the RADIUS tab across the top tabs of the Config page. See Figure 14.
  3. In the Server IP field, enter the IP address of the RADIUS authentication server to be used for user authentication.
  4. In the Port field, enter the port through which the specified RADIUS authentication server is contacted for user authentication.
  5. In the Retry field, enter the number of attempts to make when contacting the specified RADIUS authentication server.
  6. In the Timeout field, enter the time, in seconds, that the Timing Server waits for a response from the specified RADIUS authentication server.
  7. In the Secret Word field, enter the password shared with the specified RADIUS authentication server.
  8. Click the Save button to add the RADIUS authentication server entry in the RADIUS Authentication Servers window and memory.

Deleting a RADIUS Authentication Server Entry

To delete a RADIUS authentication server entry from the authentication server list:

  1. Click the Config tab.
  2. Locate the RADIUS tab across the top tabs of the Config page. See Figure 14.
  3. In the RADIUS Authentication Servers window, click the RADIUS authentication server entry to be deleted.
  4. Click the Delete button to remove the entry from the RADIUS Authentication Servers window and memory.

Modifying RADIUS Authentication Server Entry Details

To modify the details of a RADIUS authentication server entry existing in the authentication server list:

  1. Click the Config tab.
  2. Locate the RADIUS tab across the top tabs of the Config page. See Figure 14.
  3. In the RADIUS Authentication Servers window, select the RADIUS authentication server entry to be modified.
  4. Click the Edit button to populate the values of the selected RADIUS authentication server entry in the Server IP, Port, Retry, Timeout, and Secret Word fields.
  5. Modify the populated values.
  6. Click the Save button to save the changes made to the selected RADIUS authentication server entry.

Configuring Authentication Order

To configure the authentication order:

  1. Click the Config tab.
  2. Locate the RADIUS tab across the top tabs of the Config page. See Figure 14.
  3. In the first drop box, select the type of authentication to be performed initially. Select:
    • radius—To authenticate the user using the configured RADIUS authentication servers.
    • local—To authenticate the user using local settings.
  4. In the second drop box, select the type of authentication to be performed on failure or unavailability of initial authentication. Select:
    • radius—To authenticate the user using the configured RADIUS authentication servers.
    • local—To authenticate the user using local settings.
  5. Click the Apply button to save the authentication order.