Creating RADIUS authentication profiles

You can configure a SafeLinx Server to connect to a third-party RADIUS server to authenticate users. To enable the use of RADIUS authentication, you create a RADIUS authentication profile.

About this task

You can assign the RADIUS authentication profile that you create to HTTP access services or to the connection profiles that control access for SafeLinx Clients. Users who connect through the services that use the profile are required to authenticate to the RADIUS server.

Procedure

  1. From the SafeLinx Administrator, click the Resources tab, right-click the OU in which you want to create the authentication profile, and then click Add Resource > Authentication profile > RADIUS Authentication.
    The Add a New Authentication profile wizard opens to guide you through creating a RADIUS authentication profile.
  2. For mobile network connections (MNCs) that are used by SafeLinx Clients, select Challenge user for user ID and password if you want users to receive separate authentication challenges from SafeLinx and from the RADIUS server. If this field is not selected, the credentials that the SafeLinx Client submits to log in to the SafeLinx Server are passed to the RADIUS server.
    Note: You must select this field if the RADIUS user ID and password are different from the SafeLinx Client credentials.
  3. In the field Challenge string (displayed on client), type the text that you want SafeLinx Client users to see on the title bar of the window that prompts them to log in.
  4. In the field IP addresses of RADIUS servers, specify a comma-delimited list of the IP addresses of the RADIUS servers to be used by this profile. All of the RADIUS servers in the list must be configured to use the same port number and RADIUS shared secret.
  5. To enable lightweight third-party authentication (LTPA), select Enable LTPA, and then complete the following fields:
    LTPA token type
    Specifies whether the authentication profile uses LTPA version 1 (LtpaToken) or LTPA version 2 (LtpaToken2) tokens.
    LTPA token realm/domain
    Specifies the DNS realm or domain to encode in the token.
    LTPA token user identification field
    Specifies the user attribute to encode in the token. All servers in the SSO domain must use a common attribute.
    LTPA token lifetime
    Specifies the number of minutes that an LTPA token remains valid. After the token expires, a user must reauthenticate.
  6. If you want to use single sign-on (SSO) with this profile, select Enable SSO and then in the field SSO Cookie domain, type the DNS domain in which to apply SSO.
  7. Select Enable SSO over SSL connections only to require that servers that participate in SSO share a secure connection.
  8. After you complete the wizard, click Finish to save the profile.
  9. Edit the properties of the SafeLinx Server. Review the port number of the SafeLinx Server that listens for connections from SafeLinx Clients. The default port is 9610.
  10. To assign the authentication profile to a resource, edit the properties of the HTTP access service or connection profile.
    • To assign the profile to an HTTP access service, click the Mode tab and in the Authentication Profile field, select the RADIUS profile that you created.
    • To assign the profile to a connection profile, click the Security tab and in the Authentication Profile field, select the RADIUS profile that you created.
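
A pre-flight check for the values entered in steps 4 through 7, shown as an added example that is not part of the SafeLinx product or its documentation. The dictionary keys, the sso_hosts list, and the sample values are assumptions made for illustration, and treating a cleared Enable SSO over SSL connections only field as a problem is this example's own policy choice.

```python
import ipaddress

def check_radius_profile(profile):
    """Return problems found in planned wizard values (keys are hypothetical)."""
    problems = []
    # Step 4: comma-delimited list of RADIUS server IP addresses.
    seen = set()
    for entry in (e.strip() for e in profile.get("radius_servers", "").split(",")):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            problems.append(f"not an IP address: {entry!r}")
            continue
        if addr in seen:
            problems.append(f"duplicate RADIUS server: {addr}")
        seen.add(addr)
    # Step 5: LTPA token type and lifetime in minutes.
    if profile.get("ltpa_enabled"):
        if profile.get("ltpa_token_type") not in ("LtpaToken", "LtpaToken2"):
            problems.append("LTPA token type must be LtpaToken or LtpaToken2")
        lifetime = profile.get("ltpa_lifetime_minutes")
        if not isinstance(lifetime, int) or lifetime <= 0:
            problems.append("LTPA token lifetime must be a positive number of minutes")
    # Steps 6 and 7: SSO cookie domain and the SSL-only setting.
    if profile.get("sso_enabled"):
        domain = profile.get("sso_cookie_domain", "").strip().lstrip(".").lower()
        if "." not in domain:
            problems.append("SSO cookie domain is not a DNS domain")
        for host in profile.get("sso_hosts", []):
            h = host.lower()
            if h != domain and not h.endswith("." + domain):
                problems.append(f"host outside SSO cookie domain: {host}")
        if not profile.get("sso_ssl_only"):
            problems.append("SSO is not restricted to SSL connections")
    return problems

# Constructed sample values; addresses come from documentation ranges.
SAMPLE = {
    "radius_servers": "192.0.2.10, 192.0.2.11,192.0.2.10, radius.example.com",
    "ltpa_enabled": True,
    "ltpa_token_type": "LtpaToken2",
    "ltpa_lifetime_minutes": 0,
    "sso_enabled": True,
    "sso_cookie_domain": "example.com",
    "sso_hosts": ["portal.example.com", "mail.example.org"],
    "sso_ssl_only": False,
}
if __name__ == "__main__":
    print("\n".join(check_radius_profile(SAMPLE)))
```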