
Lumeta Systems Administrators

A RADIUS server can be configured and enabled to authenticate users to a system via two-factor authentication or some other method (e.g., LDAP, Active Directory). RADIUS-authenticated users must also have a user account in Lumeta.

Ask your RADIUS administrator for the IP address and shared secret associated with your RADIUS server, which you'll need for these procedures. You will likely also need to provide the RADIUS administrator with the DNS name and IP address of your Lumeta system.

About RADIUS-Enabled Lumeta
While RADIUS is enabled . . .

  • If the RADIUS server is intended to provide two-factor authentication, check with your RADIUS administrator to find out what you need to enter: either a PIN+pass code (if Fob-Style is set to profile stype), or a pass code generated by putting your PIN in an RSA SecurToken ID program.
  • You will authenticate to the Lumeta CLI by entering your RADIUS pass code instead of your user password.
  • You will authenticate to the Lumeta GUI by entering your RADIUS pass code instead of your user password in the Password field. The Lumeta GUI will look the same.

Configuring via CLI


Configuring RADIUS via CLI
RADIUS is configured from the Lumeta CLI as follows:
  1. Log in to the Lumeta CLI.
  2. At the command prompt, enter system radius configure <secret> <radius_server_ip>.

Enabling RADIUS
When you are ready to enable the RADIUS server . . .

  1. At the CLI command prompt, enter system radius enable.
  2. Exit the CLI.

Checking Status
To check the RADIUS configuration and state . . .

  1. Log in to the Lumeta CLI.
  2. At the command prompt, enter system radius.
    The RADIUS enabled/disabled state, the shared secret, and the RADIUS server IP are displayed.
  3. Exit the CLI.

Disabling RADIUS
To disable the RADIUS server . . .

  1. Log in to the Lumeta CLI.
  2. At the command prompt, enter system radius disable.
  3. Exit the CLI. 

 

CLI RADIUS Command Summary
system radius
    Displays the server address, secret, and RADIUS status (e.g., enabled or disabled).
system radius configure <secret> <radius-server-ip>
    Sets the RADIUS server address and shared secret.
system radius enable
    Starts the RADIUS server.
system radius disable
    Stops the RADIUS server.

Configuring via GUI

Configuring RADIUS via GUI
RADIUS is configured from the Lumeta GUI as follows:

  1. Browse to Settings > Lumeta Systems.
  2. Select the local system.
  3. Click Manage RADIUS Authentication.
    The authentication page displays.



     
  4. Input the Shared Secret provided by your RADIUS server administrator.

  5. Input the IP address of your RADIUS server or its fully qualified domain name (FQDN). 

  6. Click Submit Configuration.

  7. Toggle RADIUS Authentication Enabled to On.
    RADIUS is enabled. Going forward, input your pass code in response to all Lumeta prompts for your password. The Shared Secret and the Server Address fields will be populated with your credentials from now on.

    Important

    Use your RADIUS pass code when this service is enabled.

API + RADIUS

When RADIUS is enabled, use your Lumeta password or your API-Only User Access Key (for post-3.2.1 systems only) as the authorize API password parameter. Do not use your RADIUS pass code in this case.

Fallback

If Lumeta cannot contact the RADIUS server, it will fail over to allowing users to log in with their UID and password. For example, if a Lumeta user was created with the password abcd123 and the enabled RADIUS server cannot be reached, the user will be able to authenticate to Lumeta successfully using the password abcd123. This is only true in a failover situation.
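
Because this fallback accepts the local password whenever the RADIUS server is unreachable, it is worth monitoring reachability and checking the shared secret before and after you run system radius enable. The following probe is an added example, not Lumeta code: it sends one RFC 2865 Access-Request and validates the reply's Response Authenticator. The UDP port 1812, the probe user name, the secret and the server address are assumptions or constructed placeholders.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, REPLY_CODES = 1, (2, 3, 11)  # replies: Accept, Reject, Challenge

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or bytes(16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_request(user, password, secret, ident, authenticator):
    """Access-Request with Message-Authenticator (80), User-Name (1), User-Password (2)."""
    hidden = hide_password(password, secret, authenticator)
    attrs = bytes([80, 18]) + bytes(16)            # HMAC field is zero while signing
    attrs += bytes([1, len(user) + 2]) + user
    attrs += bytes([2, len(hidden) + 2]) + hidden
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:22] + mac + pkt[38:]               # write the HMAC into the zeroed field

def verify_reply(reply, request, secret):
    """Response Authenticator = MD5(code + id + length + request_auth + attrs + secret)."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if not (20 <= length <= len(reply)) or ident != request[1] or code not in REPLY_CODES:
        return False
    reply = reply[:length]                         # octets past Length are padding
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def probe(server, secret, user, password, timeout=3.0, port=1812):
    """'ok': server answered and the secret matches. 'unreachable': Lumeta would fail over."""
    request = build_request(user, password, secret, os.urandom(1)[0], os.urandom(16))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(request, (server, port))
            reply, _ = s.recvfrom(4096)
        except OSError:                            # timeout, ICMP error, DNS failure
            return "unreachable"
    return "ok" if verify_reply(reply, request, secret) else "bad-reply"

if __name__ == "__main__":
    # Placeholders: 192.0.2.10 is a documentation address; secret and user are constructed.
    print(probe("192.0.2.10", b"constructed-secret", b"probe-user", b"000000"))
```

An Access-Reject for the probe user still returns "ok", since any authenticated reply proves the server is reachable and the secret matches. RADIUS servers usually drop requests from unregistered clients or with a wrong secret without replying, so run the probe from an address the RADIUS administrator has registered and treat "unreachable" as covering those cases too.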

Root Access

When a superuser starts a bash shell (via the CLI's support bash command) and then runs the su command to become root, that superuser enters the root password for the Lumeta system. The RADIUS server is not contacted.

