Skip to main content
Hitachi Vantara Knowledge

User authentication through RADIUS servers (HNAS server only)

Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting management for computers to connect and use a network service.

RADIUS is a client/server protocol that runs in the application layer, using UDP as transport. The SMU acts as a RADIUS client component that communicates with the RADIUS server to validate logins. The RADIUS server is usually a background process running on a Unix or Microsoft Windows server.

RADIUS serves three functions:

  • Authenticates users or devices before granting them access to a network.
  • Authorizes those users or devices for certain network services.
  • Accounts for usage of those services.

The RADIUS server compatibility is as follows:

  • For IPv4 only, works with FreeRADIUS 2.1 or Windows 2003 Internet Authentication Service (IAS).
  • For IPv6, requires FreeRADIUS 2.2 or Windows 2008 Network Policy Server (NPS).

Configuring user authentication through a RADIUS server requires the following:

  • The RADIUS server must be set up and operational.
  • The SMU must be able to communicate with the RADIUS server using the network.
  • You must know the RADIUS server's:
    • IP address or DNS name.
    • Authentication port.
    • Shared secret for the SMU.

You can specify and prioritize multiple RADIUS servers for authentication.

NoteThe SMU contacts RADIUS servers in order of priority; the SMU will always try to contact higher priority servers before lower priority servers, and you cannot map SMU users to authenticate through a specific RADIUS server. If you specify an incorrect secret or there are network problems that prevent the SMU from communicating with the highest priority RADIUS server, the SMU will try to contact the secondary RADIUS server, then the third RADIUS server, then the next server, until the SMU has tried to contact all the RADIUS servers in the list.

Displaying list of RADIUS servers

  1. Navigate to Home SMU Administration RADIUS Servers.

    RADIUS Servers

Adding a RADIUS server

  1. Navigate to Home SMU Administration RADIUS Servers to display the RADIUS Servers page.

  2. Click add to display the Add RADIUS Server page.

    Add RADIUS Server

    Field/Item Description
    RADIUS server IP address or DNS name To connect with the RADIUS server, specify an IPv4 or IPv6 address, or a host name (host name is not recommended). An IP address is preferred, both because it eliminates the dependency on the network DNS sever(s), and to improve login performance.

    The SMU Network Configuration page (navigate to Home SMU Administration SMU Network Configuration) shows the active IP addresses. It is recommended that IPv4 on eth0 and the current IPv6 addresses be added to the "allowed client" list on each RADIUS server. For more information on setting up the SMU Network Configuration for IPv6, see the Network Administration Guide.

    Shared Secret Specify the shared secret.

    Some RADIUS Servers limit the length of the shared secret and require that it be comprised only of characters that can be typed on a keyboard which uses only 94 out of 256 possible ASCII characters.

    If the shared secret must be a sequence of keyboard characters, choose shared secrets that are at least 22 characters long and consisting of a random sequence of upper and lower case letters, numbers, and punctuation.

    • To ensure a random shared secret, use a computer program to generate a random sequence at least 22 characters long. Windows 2008 Server allows you to generate a shared secret when adding the RADIUS client.
    • The SMU will support a shared secret from 1 up to 128 characters.
    • Use a different shared secret for each RADIUS server-RADIUS client pair.
    Port Specify the RADIUS server authentication port. The default RADIUS server authentication port is 1812, but you should check with the RADIUS server administrator to make sure that 1812 is the correct port.
    Protocol The protocol for the RADIUS server.
    Timeout Specify the timeout, which is the number of seconds the SMU waits before retrying (retying is re-transmitting the authentication request to the same RADIUS server). The default is 3 seconds. If the timeout is reached and there is no response from the first RADIUS server in the list, the SMU attempts another retry.
    Retry Count Specify the retry count. The default is 3. When the retry limit is reached, the SMU sends the request to the next RADIUS server in the list. When the retry limit for the second server is reached, the SMU attempts to reach the next server in the list, until there are no more servers to try. If there are no more servers to try, the user cannot be authenticated, and the login fails.
    OK When you are done making changes, click OK to test connectivity and save the configuration for this RADIUS server and return to the RADIUS Servers page.
    cancel Exits without saving the configuration.

Displaying details of RADIUS server

  1. Navigate to Home SMU Administration RADIUS Server to display the RADIUS Server page.

  2. Select a RADIUS server, and click details to display the RADIUS Server Details page.

    RADIUS Server Details

    Field/Item Description
    RADIUS server IP address or DNS name The RADIUS server IP address or DNS name.
    Shared Secret The shared secret, displayed with asterisks.
    Port The RADIUS server authentication port.
    Protocol Protocol associated with the RADIUS server.
    Timeout The number of seconds the SMU waits before retrying (retrying is re-transmitting the authentication request to the same RADIUS server). If the timeout is reached and there is no response from the first RADIUS server in the list, the SMU attempts another retry.
    Retry Count When the retry limit is reached, the SMU sends the request to the next RADIUS server in the list. When the retry limit for the second server is reached, the SMU attempts to reach the next server in the list, until there are no more servers to try. If the timeout is reached, and there are no more servers to try, the user cannot be authenticated, and the login fails.
    Check connectivity Click to check the connectivity status of the RADIUS server.