
SonicWALL Aventail Integration Guide (RADIUS)

Introduction

Use this guide to configure the integration of a SonicWALL Aventail E-Class SRA appliance with a SecureAuth IdP RADIUS Server.

Instructions are provided for both credential types of RADIUS authentication server: token-based and username/password.

Prerequisites

1. Admin access to the SonicWALL Aventail E-Class SRA appliance that is running on the network

2. Ensure SecureAuth IdP v9.0+ is running on the network

3. Admin access to the SecureAuth IdP RADIUS Server v2.3.9+ installed and running on the network

SecureAuth IdP RADIUS Server Configuration

On the RADIUS Clients page, add the SonicWALL Aventail appliance as a RADIUS client, using the IP address from which the appliance sends its RADIUS requests (its NAS-IP-Address). If the appliance has more than one interface, use the address the RADIUS Server actually sees on inbound requests

SonicWall Aventail Configuration

Configure Token-based or Username Credentials for the RADIUS Server


1. From the main navigation menu on the Aventail Management Console (AMC), select Authentication Servers and then New

2. In the User store section, select RADIUS as the type of Authentication directory

3. Select the Credential type for SecureAuth IdP and then click Continue

  • If Token / SecurID is selected, follow the instructions for Token-based Credential Configuration

  • If Username / Password is selected, follow the instructions for Username Credential Configuration

Token-based Credential Configuration


4. Enter a Name for the RADIUS authentication server

5. Type in the host name or IP address of the Primary RADIUS server

Append the port number as a colon-delimited suffix, for example 192.0.2.10:1812. Port 1812 is the standard RADIUS authentication port and the port on which the SecureAuth IdP RADIUS Server listens for inbound requests; RADIUS runs over UDP, so any firewall between the appliance and the RADIUS Server must allow UDP 1812

6. Optionally type in the host name or IP address of the Secondary RADIUS server

If necessary, a port number can be appended following a colon ( : )

7. Type in the Shared secret used to secure communications with the SecureAuth IdP RADIUS Server

This must be the same Shared Secret entered on the RADIUS Server Settings page on the SecureAuth IdP RADIUS Server. RADIUS uses this secret both to hide the user password in the request and to authenticate the server's reply (RFC 2865), and the rest of the exchange travels in the clear, so use a long, randomly generated secret rather than a memorable password

8. From the Match RADIUS groups by dropdown, select the attribute containing the groups of which the end-user is a member

Match RADIUS groups by      Result of selection
None                        Group attribute is ignored
filterid attribute (11)     Match is made against the Filter-Id attribute (type 11)
class attribute (25)        Match is made against the Class attribute (type 25)

9. In Connection timeout, enter the number of seconds the appliance waits for a reply from the RADIUS server before the authentication attempt fails

The default is 5 seconds, with a range from 5 to 300 seconds allowed

NOTE: SecureAuth recommends setting this value to at least 30 seconds to give end-users time to input their second authentication factor

10. (OPTIONAL) Click Advanced to expand that section to configure optional settings described in the next section of this document

11. Click Save

OPTIONAL: Configure Advanced RADIUS Settings

12. Enter the RADIUS Service type integer, which is sent as the Service-Type attribute of the request to specify the type of service being requested

For most RADIUS servers, type 1 is Login and type 8 is Authenticate Only

13. Check the Suppress RADIUS success message box if end-users should not see the message telling them that their credentials were accepted

14. If the RADIUS Server does not accept the SonicWALL Aventail appliance host name as the client identity, enter a NAS-Identifier or NAS-IP-Address to be sent in the request. The NAS-IP-Address must match the address registered for the appliance on the SecureAuth IdP RADIUS Clients page

NOTE: Both entries can be made, but this is not usually necessary

15. Select Customize authentication server prompts to change the prompts and other text that Windows users see when logging on to the authentication server

For example, the Identity prompt could be changed so that the user who logs on using an employee identification sees Employee ID instead of Username

16. Click Save

Username Credential Configuration


4. Enter a Name for the RADIUS authentication server – in this example, SecureAuth Radius

5. Type in the host name or IP address of the Primary RADIUS server

Append the port number as a colon-delimited suffix, for example 192.0.2.10:1812. Port 1812 is the standard RADIUS authentication port and the port on which the SecureAuth IdP RADIUS Server listens for inbound requests; RADIUS runs over UDP, so any firewall between the appliance and the RADIUS Server must allow UDP 1812

6. Optionally type in the host name or IP address of the Secondary RADIUS server

If necessary, a port number can be appended following a colon ( : )

7. Type in the Shared secret used to secure communications with the SecureAuth IdP RADIUS Server

This must be the same Shared Secret entered on the RADIUS Server Settings page on the SecureAuth IdP RADIUS Server. RADIUS uses this secret both to hide the user password in the request and to authenticate the server's reply (RFC 2865), and the rest of the exchange travels in the clear, so use a long, randomly generated secret rather than a memorable password

8. From the Match RADIUS groups by dropdown, select the attribute containing the groups of which the end-user is a member

Match RADIUS groups by      Result of selection
None                        Group attribute is ignored
filterid attribute (11)     Match is made against the Filter-Id attribute (type 11)
class attribute (25)        Match is made against the Class attribute (type 25)

9. In Connection timeout, enter the number of seconds the appliance waits for a reply from the RADIUS server before the authentication attempt fails

The default is 5 seconds, with a range from 5 to 300 seconds allowed

NOTE: SecureAuth recommends setting this value to at least 30 seconds to give end-users time to input their second authentication factor

10. Click Save
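The settings in steps 4 to 10 above (and, for the token-based configuration, the Service-Type and NAS-Identifier / NAS-IP-Address settings under the Advanced RADIUS settings) all map onto fields of the RADIUS Access-Request the appliance sends to UDP port 1812 and the Access-Accept it receives. The following Python script is an added worked example, not code from SecureAuth or SonicWALL: it builds an Access-Request as described in RFC 2865, hides the User-Password with the shared secret, answers it with a stand-in server that returns Filter-Id (11) and Class (25) group attributes, and on the appliance side verifies the Response Authenticator with the shared secret before reading groups according to the "Match RADIUS groups by" choice. The IP address, NAS-Identifier, shared secrets, user, password and group names are constructed test data, and the stand-in server is not the SecureAuth IdP RADIUS Server.

```python
# Added worked example (RFC 2865), not SecureAuth or SonicWALL code. Secrets, addresses,
# users and group names are constructed test data; the server is a stand-in for the IdP.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3               # packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6  # attribute types
FILTER_ID, CLASS, NAS_IDENTIFIER = 11, 25, 32
SERVICE_LOGIN, SERVICE_AUTHENTICATE_ONLY = 1, 8                      # Service-Type values named in the guide

def encode_attrs(attrs):
    """Encode [(type, value_bytes)] as RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    out = b""
    for t, v in attrs:
        if not 1 <= len(v) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    attrs = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        if not 3 <= length <= len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth  # inverse of hide_password; prev is the previous ciphertext block
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def response_authenticator(code, ident, req_auth, attr_bytes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attr_bytes)) + req_auth + attr_bytes + secret).digest()

def build_access_request(secret, ident, user, password, nas_ip, nas_id, service=SERVICE_LOGIN):
    req_auth = os.urandom(16)  # Request Authenticator: fresh and unpredictable for every request
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, hide_password(password, secret, req_auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),  # must match the RADIUS client entry
             (NAS_IDENTIFIER, nas_id.encode()),
             (SERVICE_TYPE, struct.pack("!I", service))]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def toy_radius_server(pkt, secret, users):
    """Stand-in server: recover User-Password, answer Accept with group attributes or Reject."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    pw, filter_id_groups, class_groups = users.get(a[USER_NAME].decode(), (None, [], []))
    reply_code, reply = ACCESS_REJECT, []
    if code == ACCESS_REQUEST and pw == reveal_password(a[USER_PASSWORD], secret, req_auth):
        reply_code = ACCESS_ACCEPT
        reply = [(FILTER_ID, g.encode()) for g in filter_id_groups] + [(CLASS, g.encode()) for g in class_groups]
    auth = response_authenticator(reply_code, ident, req_auth, encode_attrs(reply), secret)
    return build_packet(reply_code, ident, auth, reply)

def check_reply(reply, ident, req_auth, secret, match_groups_by):
    """Appliance side: verify the reply with the shared secret, then read groups from None, FILTER_ID or CLASS."""
    code, rident, resp_auth, attrs = parse_packet(reply)
    expected = response_authenticator(code, rident, req_auth, reply[20:], secret)
    if rident != ident or not hmac.compare_digest(expected, resp_auth):
        raise ValueError("reply ID or Response Authenticator mismatch: wrong shared secret, stale or forged reply")
    groups = [v.decode() for t, v in attrs if t == match_groups_by] if match_groups_by else []
    return code == ACCESS_ACCEPT, groups

USERS = {"jdoe": ("s3cret-pass-2021", ["vpn-admins", "vpn-users"], ["Employees"])}  # constructed: password, Filter-Id groups, Class groups

def run_exchange(user, password, client_secret, server_secret, match_groups_by=FILTER_ID):
    """Full round trip; raises ValueError when the two sides do not share the same secret."""
    req, req_auth = build_access_request(client_secret, 7, user, password, "192.0.2.10", "aventail-sra")
    reply = toy_radius_server(req, server_secret, USERS)
    return check_reply(reply, 7, req_auth, client_secret, match_groups_by)
```

Calling run_exchange with FILTER_ID, CLASS or None as the last argument shows how the "Match RADIUS groups by" choice changes which group names the appliance sees from the same Access-Accept. RFC 2865 tells a client to silently discard a reply whose Response Authenticator does not verify, so a mismatched shared secret usually shows up on the appliance as a connection timeout rather than as a rejected logon; check the shared secret on both sides before raising the Connection timeout value.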

Realms Configuration

11. From the main navigation menu, click Realms

12. Click New to access the Configure Realm page, and configure General settings

13. Enter a Name for the SecureAuth IdP realm and optionally include a Description

14. From the Authentication server dropdown, select the RADIUS authentication server created above (in this example, SecureAuth Radius)

Group Authorization Configuration

15. Under Advanced Options, in the Group authorization section, select Enable group affinity checking if different servers handle authentication and authorization (here, the SecureAuth IdP RADIUS Server authenticates the user and an Active Directory server supplies group membership)

16. Select the Active Directory that will perform group affinity checking from the Server dropdown

17. Click Save

OPTIONAL: Add Active Directory Group

18. From the main navigation menu, click Realms and select the community for the realm

19. On the Configure Community page, open the Members tab

20. The Members box lists the users and groups that belong to this community

If necessary, click Edit and select the Active Directory groups (as resolved by the server that performs group affinity checking) from the list of users and groups

21. Click Save

TROUBLESHOOTING: Configure Logging

1. From the main navigation menu, click Logging

2. Click the Configure Logging tab

3. Select the appropriate level of message detail for the services on the appliance

4. In the Syslog configuration section, configure the appliance to send system logs to one or more syslog servers, entering the IP addresses and port numbers of the syslog servers

5. Click Save