After the authentication process has been configured to use multiple factors on the RADIUS server, you need to configure the SSL VPN appliance to connect to the RADIUS server.
- Log in to the administration interface for the SSL VPN appliance.
- Navigate to Authentication|Auth. Servers.
- Select RADIUS Server from the New drop menu.
- Click New Server.
- The New RADIUS Server screen opens.
- Leave the default settings, except for the following:
- Name – enter a name to identify the MFA server.
- NAS-Identifier – enter the FQDN of the MFA server.
- Primary Server – complete the following to configure access between the SSL VPN and MFA servers.
Note: Fields noted with a plus symbol (+) below will require the same information configured for the MFA settings (Azure|Multi-Factor Authentication Server|RADIUS Authentication|Clients).
- Radius Server – enter the server name or IP address.
- Authentication Port (+) – enter the same port number configured for authentication communication on the MFA server. (Default 1812)
- Shared Secret (+) – enter the security passphrase created to encrypt communication.
- Accounting Port (+) – enter the same port number configured for accounting communication on the MFA server. (Default 1813)
- Timeout – it is important to set a sufficient length of time for users to log in using MFA. 30 seconds is a common duration, but may need to be adjusted. For example, large organizations may need more time to accommodate a higher volume of requests.
Custom RADIUS Rules – required for both one-way text message and OATH token features; complete the following to configure RADIUS to prompt users for challenge/response verification codes on the login page.
a. Click New RADIUS Rule.
b. The Edit Custom RADIUS Rule screen opens.
c. Leave default settings except for the following:
- Name – enter a descriptive name for the rule.
- Response Packet Type – select Access Challenge.
- Attribute criteria – configure the challenge that will prompt for verification codes:
- Radius Attribute – select Reply Message (18).
- Operand – select matches the expression.
- Then take action – select show Generic Login page
Click Save Changes to complete configuration.
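
What the custom rule above evaluates, shown as an added example (not from the original page and not the appliance's own code): a RADIUS response is first verified against the shared secret, then matched on packet type Access-Challenge (code 11) carrying a Reply-Message (18) attribute. The shared secret, challenge text, and match expression are constructed placeholders; the packet codes and the authenticator formula follow RFC 2865.

```python
import hashlib
import hmac
import re
import struct

ACCESS_ACCEPT, ACCESS_CHALLENGE = 2, 11   # RFC 2865 packet codes
REPLY_MESSAGE, STATE = 18, 24             # RFC 2865 attribute types

def build_response(code, ident, req_auth, attrs, secret):
    """Build a constructed response with a valid Response Authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body

def parse_attributes(data):
    """Return (type, value) pairs, rejecting malformed lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out

def evaluate_rule(packet, req_auth, secret, pattern):
    """Mimic the rule: Access-Challenge + Reply-Message matching `pattern`."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return "drop: bad authenticator"  # secrets differ or packet was altered
    if code == ACCESS_CHALLENGE:
        for attr_type, value in parse_attributes(packet[20:]):
            text = value.decode("utf-8", "replace")
            if attr_type == REPLY_MESSAGE and re.search(pattern, text):
                return "show Generic Login page"
    return "no match"

# Constructed sample values (not from the page).
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))          # Request Authenticator of the Access-Request
PATTERN = r"verification code"       # hypothetical match expression
CHALLENGE = build_response(ACCESS_CHALLENGE, 7, REQ_AUTH,
    [(REPLY_MESSAGE, b"Enter your verification code"), (STATE, b"sess-1")], SECRET)

if __name__ == "__main__":
    print(evaluate_rule(CHALLENGE, REQ_AUTH, SECRET, PATTERN))
```

A mismatch between the Shared Secret entered on the appliance and the one configured for the RADIUS client on the MFA server shows up as the authenticator check failing, so the response is discarded and the login attempt runs into the Timeout.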