6.10 RADIUS Integration
You can integrate Indeni and an external RADIUS server in your environment for web authentication. You can leverage the RADIUS authentication for user access bypassing the local authentication provided by Indeni.
Indeni supports a single integration with RADIUS. You can either use LDAP or RADIUS integration as your centralized authentication mechanism.
Please Note: This feature only supports the PAP method for web access.
To configure RADIUS integration, perform the following steps:
- Navigate to Settings > Integrations, select RADIUS from the ADD NEW INTEGRATIONS drop down menu.
- Provide the Host Address.
- Enter the Port used for RADIUS server authentication. By default, the UDP port is 1812.
- Enter the Shared secret.
- Enter the temporary user name for the purpose of testing the connection to the RADIUS server. This will not be stored in Indeni.
- Enter the password. The password is used for testing the connection and it will not be stored.
- Select a default role. New users will be assigned the default role. To support a different role, you can change the role from the local user database once the user has successfully authenticated with the RADIUS server and the username has been added to the local user database. The username defined in Indeni matches the username in the RADIUS repository.
Indeni always attempts to use the local authentication mechanism first. If you do not allow local users in your environment, you can simply remove all the local users from the local database. The username “admin” should not be removed as it is required to recover the server in an unexpected event.
When an authentication request is received and the the username does not exist in the local database, Indeni will use the external authentication mechanism. If RADIUS is configured and it is active, Indeni will forward the authentication request to the RADIUS server. Indeni does not store the passwords locally. If the RADIUS server does not successfully authenticate the username and password, access is not granted even though the username may be in the local database.
When a new user attempts to log in for the first time, Indeni does not have the username in its local database. Indeni forwards the request to the RADIUS server for authentication and authorization. If the request is accepted, Indeni adds the new user to its local database and assigns the user the default role.
When an existing user logs in to Indeni, Indeni will authenticate the user using the local database. In other words, enabling RADIUS integration will not impact existing users. However, if your policy is not to have local users, simply remove all the local users to force authentication using the RADIUS server. Once the user is successfully authenticated by the RADIUS server, the username will be re-added to the local database. You will then have the option to change the role from the default role.