Configuring an AAA Server

Policy > Object > AAA Server

Configure an AAA server to provide the authentication, authorization, and accounting services.

In the AAA server page, you can perform the following actions:

Options in the Local Server Configuration dialog:

Option Description

Server Name

Type the name for the new server into the textbox.

Change Password

If needed, select the Enable checkbox. With this function enabled, the system allows users to change their own passwords after the successful WebAuth or SCVPN authentication.

Backup Authentication Server

To configure a backup authentication server, select a server from the drop-down list. After configuring a backup authentication server for the local server, the backup authentication server will take over the authentication task when the primary server malfunctions or authentication fails on the primary server. The backup authentication server can be any existing local, Active-Directory, RADIUS or LDAP server defined in the system.

Options in the Radius Server Configuration dialog:

Option Description
Basic Configuration

Server Name

Specifies a name for the Radius server.

Server Address

Specifies an IP address or domain name for the Radius server.

Port

Specifies a port number for the Radius server. The value range is 1024 to 65535. The default value is 1812.

Password

Specifies the password (shared secret) used with the Radius server. You can specify at most 31 characters.

Confirm Password

Enter the password again to confirm.

Optional

Backup Server 1

Specifies an IP address or domain name for backup server 1.

Backup Server 2

Specifies an IP address or domain name for backup server 2.

Retries

Specifies the number of retries for the authentication packets sent to the AAA server.

Timeout

Specifies how long to wait for the server response before the request times out.

Backup Authentication Server

Specifies a backup authentication server. After configuring a backup authentication server for the Radius server, the backup authentication server will take over the authentication task when the primary server malfunctions or authentication fails on the primary server. The backup authentication server can be any existing local, Active-Directory, RADIUS or LDAP server defined in the system.

Enable Account

If needed, select the Enable checkbox to enable accounting for the Radius server, and then configure the following options:

  • Server Address: Specifies an IP address or domain name for the accounting server.
  • Port: Specifies a port number for the accounting server. The value range is 1024 to 65535. The default value is 1813.
  • Password: Specifies a password for the accounting server.
  • Confirm Password: Enter the password again to confirm.
  • Backup Server 1: Specifies an IP address or domain name for backup server 1.
  • Backup Server 2: Specifies an IP address or domain name for backup server 2.

Options in the Active Directory Server Configuration dialog:

Option Description
Basic Configurations

Server Name

Specifies a name for the AD server.

Server Address

Specifies an IP address or domain name for the AD server.

Login-dn

Specifies the Login-dn, typically a user account with query privilege pre-defined on the AD server.

Base-dn

Specifies a Base-dn for the AD server. Base-dn is the starting point at which your search will begin when the AD server receives an authentication request.

Port

Specifies a port number for the AD server. The value range is 1 to 65535. The default value is 389.

Password

Specifies a password for the AD server. This should be the password of the Login-dn (admin DN) account.

Confirm Password

Enter the password again to confirm.

Optional

Backup Server 1

Specifies an IP address or domain name for backup server 1.

Backup Server 2

Specifies an IP address or domain name for backup server 2.

Authentication Mode

Specifies an authentication mode (either plain text or MD5). The default mode is MD5.

Security Agent

Select the Enable check box to enable Security Agent. With this function enabled, the system can obtain the mappings between domain usernames and IP addresses from the AD server, so that domain users can gain access to network resources; in this way Single Sign-On is implemented. Using the obtained mappings, the system can also implement other user-based functions, such as security statistics, logging and behavior auditing. To enable Security Agent on the AD server, you must first install and run Security Agent on that server. After that, when a domain user logs in or logs off, Security Agent records the user's username, IP address, current time and other information, and adds the mapping between the username and IP address to the system. In this way the system can obtain every online user's IP address.

  • Agent Port: Specifies an agent port. The value range is 1025 to 65535. The default port is 6666.
  • Login Info Timeout: Specifies a login info timeout. The value range is 0 to 1800 seconds. The default value is 300. The value of 0 indicates never timeout.
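
The user-to-IP mapping table that Security Agent feeds, modelled as an added example (this is not the product's or Security Agent's own code). It assumes the timeout is measured from the login event and uses a constructed event format, not the agent's real wire format.

```python
from typing import Dict, Optional, Tuple

class UserIpMap:
    """Username <-> IP mappings with the dialog's Login Info Timeout semantics."""

    def __init__(self, login_info_timeout: int = 300):
        # Page range: 0..1800 seconds, default 300; 0 means entries never time out.
        if not 0 <= login_info_timeout <= 1800:
            raise ValueError("Login Info Timeout must be 0..1800 seconds")
        self.timeout = login_info_timeout
        self._by_ip: Dict[str, Tuple[str, int]] = {}   # ip -> (username, login time)

    def handle_event(self, line: str, now: int) -> None:
        """Apply one agent event. Constructed line format: '<login|logoff> <user> <ip>'."""
        kind, user, ip = line.split()
        if kind == "login":
            # A new login on the same IP replaces the previous user (IP is the key).
            self._by_ip[ip] = (user, now)
        elif kind == "logoff":
            if self._by_ip.get(ip, (None,))[0] == user:
                del self._by_ip[ip]
        else:
            raise ValueError("unknown event: " + kind)

    def user_for(self, ip: str, now: int) -> Optional[str]:
        """Which user traffic from this IP is attributed to right now, if any."""
        entry = self._by_ip.get(ip)
        if entry is None:
            return None
        user, seen = entry
        if self.timeout and now - seen > self.timeout:
            del self._by_ip[ip]      # stale mapping: stop attributing traffic to the user
            return None
        return user

# Constructed event stream: (time in seconds, event line).
EVENTS = [(1000, "login alice 10.0.0.5"), (1010, "login bob 10.0.0.6"),
          (1200, "logoff bob 10.0.0.6"), (1250, "login carol 10.0.0.5")]

def replay(timeout: int) -> UserIpMap:
    """Replay the constructed events into a fresh table with the given timeout."""
    m = UserIpMap(timeout)
    for t, line in EVENTS:
        m.handle_event(line, t)
    return m
```

With the default 300-second timeout the entry for 10.0.0.5 expires at 1551; with a timeout of 0 it never does, so a shared or reassigned address keeps being attributed to the last user who logged in.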

Backup Authentication Server

Specifies a backup authentication server. After configuring a backup authentication server for the Active Directory server, the backup authentication server will take over the authentication task when the primary server malfunctions or authentication fails on the primary server. The backup authentication server can be any existing local, Active-Directory, RADIUS or LDAP server defined in the system.

Options in the LDAP Server Configuration dialog:

Option Description
Basic Configuration

Server Name

Specifies a name for the LDAP server.

Server Address

Specifies an IP address or domain name for the LDAP server.

Port

Specifies a port number for the LDAP server. The value range is 1 to 65535. The default value is 389.

Login-dn

Specifies the Login-dn, typically a user account with query privilege pre-defined on the LDAP server.

Base-dn

Specifies the Base-dn for the LDAP server. Base-dn is the starting point at which your search will begin when the LDAP server receives an authentication request.

Password

Specifies a password for the LDAP server.

Confirm Password

Enter the password again to confirm.

Optional

Backup Server 1

Specifies an IP address or domain name for backup server 1.

Backup Server 2

Specifies an IP address or domain name for backup server 2.

Authentication Mode

Specifies an authentication mode (either plain text or MD5). The default mode is MD5.

Naming Attribute

Specifies a naming attribute for the LDAP server. The default naming attribute is uid.

Member Attribute

Specifies a member attribute for the LDAP server. The default member attribute is uniqueMember.

Group Class

Specifies a group class for the LDAP server. The default class is groupofuniquenames.
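
How the Base-dn, Naming Attribute, Member Attribute and Group Class settings shape the user and group lookups, as an added example that is not the product's code. The directory contents are constructed sample data, and the filter escaping follows RFC 4515 so that a submitted username cannot alter the search filter.

```python
def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def user_filter(username: str, naming_attribute: str = "uid") -> str:
    """Filter used to locate the user entry under Base-dn."""
    return "(%s=%s)" % (naming_attribute, ldap_escape(username))

def group_filter(user_dn: str, group_class: str = "groupofuniquenames",
                 member_attribute: str = "uniqueMember") -> str:
    """Filter used to find the groups the resolved user DN belongs to."""
    return "(&(objectClass=%s)(%s=%s))" % (group_class, member_attribute, ldap_escape(user_dn))

# Constructed directory: dn -> {attribute (lower-cased): [values]}.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": ["alice"], "objectclass": ["inetOrgPerson"]},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": ["bob"], "objectclass": ["inetOrgPerson"]},
    "cn=vpn-users,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupOfUniqueNames"],
        "uniquemember": ["uid=alice,ou=people,dc=example,dc=com"]},
    # Same uid in another tree: must not be found when Base-dn is dc=example,dc=com.
    "uid=alice,ou=people,dc=other,dc=com": {"uid": ["alice"], "objectclass": ["inetOrgPerson"]},
}

def _in_subtree(dn: str, base_dn: str) -> bool:
    return dn.lower().endswith(base_dn.lower())

def _has(entry: dict, attr: str, value: str) -> bool:
    # Attribute names and objectClass values match case-insensitively in LDAP.
    return any(v.lower() == value.lower() for v in entry.get(attr.lower(), []))

def find_user_dn(username: str, base_dn: str, naming_attribute: str = "uid"):
    """DN of the single entry under Base-dn whose naming attribute equals the username."""
    matches = [dn for dn, e in DIRECTORY.items()
               if _in_subtree(dn, base_dn) and _has(e, naming_attribute, username)]
    return matches[0] if len(matches) == 1 else None   # absent or ambiguous: no login

def groups_of(user_dn: str, base_dn: str, group_class: str = "groupofuniquenames",
              member_attribute: str = "uniqueMember"):
    """Groups of the configured class under Base-dn that list the user DN as a member."""
    return sorted(dn for dn, e in DIRECTORY.items()
                  if _in_subtree(dn, base_dn) and _has(e, "objectClass", group_class)
                  and _has(e, member_attribute, user_dn))
```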

Backup Authentication Server

Specifies a backup authentication server. After configuring a backup authentication server for the LDAP server, the backup authentication server will take over the authentication task when the primary server malfunctions or authentication fails on the primary server. The backup authentication server can be any existing local, Active-Directory, RADIUS or LDAP server defined in the system.
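
The primary-to-backup handover described for the local, Radius, Active Directory and LDAP dialogs, modelled as an added example (not the product's code). The servers and credentials are constructed; each server's check function stands in for the real protocol exchange.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Result codes: "reject" is the page's "authentication fails on the primary server",
# "down" is "the primary server malfunctions".
OK, REJECT, DOWN = "ok", "reject", "down"

@dataclass
class AaaServer:
    name: str
    kind: str                                  # "local", "ad", "radius" or "ldap"
    check: Callable[[str, str], str]           # (username, password) -> OK / REJECT / DOWN
    backup: Optional["AaaServer"] = None       # the dialog's Backup Authentication Server

def authenticate(server: AaaServer, user: str, pw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Walk the primary -> backup chain; return the final result and the servers consulted."""
    trail: List[Tuple[str, str]] = []
    visited = set()
    current: Optional[AaaServer] = server
    while current is not None and current.name not in visited:
        visited.add(current.name)              # a backup chain that loops back stops here
        result = current.check(user, pw)
        trail.append((current.name, result))
        if result == OK:
            return OK, trail
        current = current.backup               # both DOWN and REJECT hand over to the backup
    return REJECT, trail

# Constructed sample servers and credentials (not real accounts).
LOCAL_USERS = {"alice": "S3cret!", "bob": "hunter2"}

def local_check(user: str, pw: str) -> str:
    return OK if LOCAL_USERS.get(user) == pw else REJECT

def radius_unreachable(user: str, pw: str) -> str:
    return DOWN                                # primary never answers

def radius_strict(user: str, pw: str) -> str:
    # bob's account was disabled on RADIUS but still exists in the local backup store
    return OK if (user, pw) == ("alice", "S3cret!") else REJECT

LOCAL = AaaServer("local-1", "local", local_check)
RADIUS_OFFLINE = AaaServer("radius-1", "radius", radius_unreachable, backup=LOCAL)
RADIUS_ONLINE = AaaServer("radius-2", "radius", radius_strict, backup=LOCAL)
```

Because a rejection on the primary also hands over to the backup, an account disabled only on the primary (bob here) still authenticates through the backup's store, so backup credential stores need the same account lifecycle as the primary.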