Configure RADIUS

Asset Manager Systems Administrators

A RADIUS server can be configured and enabled to authenticate users to a system via two-factor authentication or some other method (e.g., LDAP, Active Directory). RADIUS-authenticated users must also have a user account in Asset Manager.
Ask your RADIUS administrator for the IP address and shared secret associated with your RADIUS server, which you'll need for these procedures. You will likely also need to provide the RADIUS administrator with the DNS name and IP address of your Asset Manager system.

About RADIUS-Enabled Asset Manager
While RADIUS is enabled . . .

  • If the RADIUS server is intended to provide two-factor authentication, check with your RADIUS administrator to find out what you need to enter. You may need to use a PIN+pass code (if Fob-Style is set to profile stype), or you may generate a pass code by entering your PIN in an RSA SecurToken ID program.
  • You will authenticate to the Asset Manager CLI by entering your RADIUS pass code instead of your user password.
  • You will authenticate to the Asset Manager GUI by entering your RADIUS pass code instead of your user password in the Password field. The Asset Manager GUI will look the same.

Configure via CLI

Configure RADIUS via CLI
RADIUS is configured from the Asset Manager CLI as follows:
  1. Log in to the Asset Manager CLI.
  2. At the command prompt, enter system radius configure <secret> <radius_server_ip>

Enable RADIUS
When you are ready to enable the RADIUS server . . .

  1. At the CLI command prompt, enter system radius enable.
  2. Exit the CLI.

Check Status
To check the RADIUS configuration and state . . .

  1. Log in to the Asset Manager CLI.
  2. At the command prompt, enter system radius.
    The RADIUS enabled/disabled state, the secret, and the RADIUS server IP are displayed.
  3. Exit the CLI.

Disable RADIUS
To disable the RADIUS server . . .

  1. Log in to the Asset Manager CLI.
  2. At the command prompt, enter system radius disable.
  3. Exit the CLI.

CLI RADIUS Command Summary
system radius
Displays the server address, secret, and RADIUS status (e.g., enabled or disabled).
system radius configure <secret> <radius-server-ip>
Sets the RADIUS server address and shared secret.
system radius enable
Starts the RADIUS server.
system radius disable
Stops the RADIUS server.

Configure using the GUI

RADIUS is configured from the Asset Manager GUI as follows:

  1. Browse to Settings > Asset Manager Systems.
  2. Select the local system.
  3. Click Manage RADIUS Authentication.
    The authentication page displays.  
  4. Input the Shared Secret provided by your RADIUS server administrator.

  5. Input the IP address of your RADIUS server or its fully qualified domain name (FQDN). 

  6. Click Submit Configuration.

  7. Toggle RADIUS Authentication Enabled to On.
    RADIUS is enabled. Going forward, input your pass code in response to all Asset Manager prompts for your password. The Shared Secret and the Server Address fields will be populated with your credentials going forward.

    Important: Use your RADIUS pass code when this service is enabled.

API + RADIUS

When RADIUS is enabled, use your Asset Manager password or your API-Only User Access Key as the authorize API password parameter. Do not use your RADIUS pass code in this case.

Failover

If Asset Manager cannot contact the RADIUS server, it will fail over to allowing users to log in using the user's UID and password. For example, if an Asset Manager user was created with the password "abcd123" and the enabled RADIUS server cannot be reached, the user will be able to successfully authenticate to Asset Manager using password "abcd123". This is only true in a failover situation.
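
A check an administrator could run to confirm the server address and shared secret before enabling RADIUS, or to monitor for the unreachable-server condition that triggers the failover described above. This is an added example, not Asset Manager code. It assumes a test account on the RADIUS server, the standard authentication port 1812/UDP and PAP-style User-Password; all function names are hypothetical.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 sec. 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(code: int, value: bytes) -> bytes:
    """Encode one attribute as type, length (including the 2-byte header), value."""
    return struct.pack("!BB", code, len(value) + 2) + value

def build_access_request(secret, user, password, ident, authenticator):
    """Access-Request with User-Name (1), User-Password (2), Message-Authenticator (80)."""
    attrs = attr(1, user) + attr(2, hide_password(secret, authenticator, password))
    attrs += attr(80, b"\x00" * 16)  # zero-filled while the HMAC is computed
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def verify_response(secret: bytes, request_auth: bytes, response: bytes) -> bool:
    """Response Authenticator = MD5(code+id+length + request_auth + attrs + secret)."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def probe(server, secret, user, password, port=1812, timeout=3.0) -> str:
    """Return 'accept', 'reject', 'bad-secret', 'other' or 'unreachable' for one test login."""
    auth, ident = os.urandom(16), os.urandom(1)[0]
    packet = build_access_request(secret, user, password, ident, auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(packet, (server, port))
            reply, _ = s.recvfrom(4096)
        except OSError:  # timeout or network error: the condition that triggers failover
            return "unreachable"
    if reply[1:2] != bytes([ident]) or not verify_response(secret, auth, reply):
        return "bad-secret"  # reply was not produced with the shared secret we hold
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], "other")
```

A result of "unreachable" from the Asset Manager host's network means local passwords are what currently gate logins. Many RADIUS servers silently drop requests that carry a wrong shared secret, so a mismatched secret can also show up as "unreachable".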

Root Access

When a superuser starts a bash shell (via the CLI's support bash command) and then runs the su command to become root, that superuser enters the root password for the Asset Manager system. The RADIUS server is not contacted.