Access Policy Manager supports authenticating and authorizing the client against external RADIUS servers. When a client connects with the user name and password, Access Policy Manager authenticates against the external server on behalf of the client, and authorizes the client to access resources if the credentials are valid.
Using AAA high availability with Access Policy Manager (APM), you can configure multiple authentication servers to process requests, so that if one authentication server goes down or loses connectivity, the others can resume authentication requests, and new sessions can be established, as usual.
APM supports the following AAA servers for high availability: RADIUS, Active Directory, LDAP, CRLDP, and TACACS+. APM supports high availability by providing the option to create a pool of server connections when you configure the supported type of AAA server.
When you use RADIUS as the authentication method for AAA high availability, there are general guidelines that you must follow when you set up your server connections.
For RADIUS authentication, Access Policy Manager (APM) converts an attribute value to hex if it contains unprintable characters, or if it is the class attribute. APM converts the class attribute to hex even if it contains only printable values (by attribute type). No other attributes are encoded to hex if they do not contain unprintable characters.
Handling of attributes with single value:1bf80e04.session.radius.last.attr.class 62 / 0x54230616000001370001ac1d423301caa87483dadf740000000000000007
Handling of attributes with multiple values (mix of binary and non-binary values):243be90d.session.radius.last.attr.class 119 0x6162636465666768696 / a6b6c6d6e6f707172737475767778797a | 0x54220615000001370001ac1d423301caa87483 / dadf740000000000000006
If the attribute type does not require hex encoding, and some of the values are unprintable, then only those value(s) are encoded to hex.3888eb70.session.radius.last.attr.login-lat-group 37 / 0x6d7920bda12067726f757032 | mygroup1
This task list includes all steps required to set up this configuration. If you add RADIUS authentication to an existing access policy, you already have an access profile configured and the access policy might already include a logon access policy item.
The following table lists the specific RADIUS attributes that Access Policy Manager sends with RADIUS requests.
|User-Name||Indicates the name of the authenticated user.|
|User-Password||Indicates the password of the authenticated user.|
|NAS-IP-Address||Indicates the identifying IP Address of the NAS.|
|NAS-IPv6-Address||Indicates the identifying IPv6 Address of the NAS.|
|NAS-Identifier||Indicates the identifying name of the NAS .|
|Service-Type||Indicates the type of service the user has requested.|
|NAS-Port||Indicates the physical port number of the NAS that is authenticating the user.|
When the RADIUS Auth access policy item runs, it populates session variables which are then available for use in access policy rules. The tables list the session variables for the RADIUS authentication access policy item and for a logon access policy item.
|session.RADIUS.last.result||Provides the result of the RADIUS authentication. The available values are:
|session.RADIUS.last.attr.$attr_name||$attr_name is a value that represents the user’s attributes received during RADIUS authentication. Each attribute is converted to separate session variables.|
|session.RADIUS.last.errmsg||Displays the error message for the last login. If session.RADIUS.last.result is set to 0, then session.RADIUS.last.errmsg might be useful for troubleshooting purposes. Example: c76a50c0.session.RADIUS.last.errmsg 13 Access-Reject|
|session.logon.last.username||Provides user credentials. The username string is stored after encrypting, using the system's client key.|
|session.logon.last.password||Provides user credentials. The password string is stored after encrypting, using the system's client key.|
You might run into problems with RADIUS authentication and accounting in some instances. Follow these tips to try to resolve any issues you might encounter.
|Possible error messages||Possible explanations and actions|
|Authentication failed due to timeout||
|Authentication failed due to RADIUS access reject||
|Check to see if your access policy is attempting to perform authentication||
Note: Make sure that your log level is set to the appropriate level. The default log level is notice.
|Check the RADIUS Server configuration||
|Confirm network connectivity||
|Capture a TCP dump||
Important: If you decide to escalate the issue to customer support, you must provide a capture of the TCP dump when you encounter authentication issues that you cannot otherwise resolve on your own.