Defining RBM with RADIUS authentication

How to define RBM with RADIUS authentication.

Procedure

  1. In the search field, enter rbm.
  2. From the search results, click RBM settings.
  3. Optional: In the Comments field, enter a brief, descriptive summary for the configuration.

Define the user authentication method.

  1. Click Authentication.
  2. From the Authentication method list, select RADIUS.
  3. From the Local accounts for fallback list, select whether to use local user accounts as fallback users.
    With fallback users, local users can log on to the DataPower® Gateway if authentication fails or during a network outage that affects the primary authentication.

    Local users must be members of local user groups. Each local user must also be defined in the remote authentication server. The password for each local user must match the credentials for a user of the exact same name on the remote server.

  4. When specific users are fallback users, add the local users.
    1. From the Fallback user list, select a local user.
    2. Click Add.
    3. Optional: Repeat this step to add another locally defined, fallback user.
  5. Optional: Change the authorization cache behavior.
    1. From the Authentication cache mode list, select the caching mode.
    2. In the Authentication cache lifetime field, enter an explicit TTL to retain cached results.

Define the credentials-mapping method.

  1. Click Credentials-mapping.
  2. From the Credentials-mapping method list, select the method to evaluate access profiles.
    Although available, local user group is not a valid selection.
    • If custom, specify the URL of the custom stylesheet in the Custom URL field.
    • If XML file, specify the URL of the RBM file in the XML file URL field.
  3. When the mapping method is XML file, set Search LDAP for group name to control whether to search LDAP to retrieve all user groups that match the query.
    • When enabled, the authenticated DN of the user and the LDAP search parameters are used as part of the LDAP search to retrieve all user groups that match the query. When a user belongs to multiple groups, the resultant access policy for this user is additive, not most restrictive.
    • When disabled, the authenticated identity of the user is used directly as the input credential.
  4. When LDAP search is enabled, define the LDAP connection.
    1. In the Server host field, enter the IP address or hostname of the server.
    2. In the Server port field, enter the port number of the server.
    3. From the TLS client profile list, select the TLS client profile to secure connections to targets.
    4. From the Load balancer group list, select a load balancer group. If selected, queries are balanced in accordance with the group settings.
      This setting overrides the settings for the server host and port.
    5. In the LDAP bind DN field, enter the distinguished name (DN) for the bind operation.
    6. From the LDAP bind password alias list, select the password alias.
    7. From the LDAP search parameters list, select an LDAP search parameter.
      The LDAP search operation uses these parameters to retrieve all group names (DN or attribute value) based on the DN of the authenticated user.
    8. In the LDAP read timeout field, enter the time to wait for a response from the server before the DataPower Gateway closes the connection.
  5. Define the account policy.
  6. If you defined fallback users, define the password policy.
  7. Click Apply to save changes to the running configuration.
  8. Click Save to save changes to the persisted configuration.
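The following Python model is an added illustration, not IBM's code or the DataPower Gateway's own implementation. It walks through the decision order the procedure above configures: RADIUS is consulted first, a locally defined fallback user can log on when RADIUS rejects the login or is unreachable, successful and failed results are cached for the configured TTL, and the access profiles of every group returned by the LDAP search are merged additively. The fake RADIUS server, the class and function names, the cache design and all sample users, passwords and groups are constructed assumptions; the "most restrictive" merge is included only for contrast with the additive behaviour the page describes.

```python
import hmac
import hashlib
import secrets
import time
from dataclasses import dataclass, field

# Constructed model of the RBM decision flow described on this page. Nothing
# here is DataPower's API: the classes, the fake RADIUS server, the cache
# layout and the sample data are assumptions made for illustration.


class RadiusUnreachable(Exception):
    """Raised when the RADIUS server does not answer (network outage)."""


@dataclass
class FakeRadius:
    """Stand-in for the remote RADIUS server (constructed, not a real client)."""
    users: dict                 # name -> password held by the remote server
    reachable: bool = True

    def authenticate(self, name, password):
        if not self.reachable:
            raise RadiusUnreachable("no response from RADIUS server")
        stored = self.users.get(name)
        return stored is not None and hmac.compare_digest(stored, password)


@dataclass
class RbmSettings:
    radius: FakeRadius
    local_users: dict           # name -> password of locally defined users
    fallback_users: frozenset   # the local users explicitly listed as fallback users
    cache_ttl: float = 0.0      # seconds; 0 means results are never cached
    _cache: dict = field(default_factory=dict)
    _mac_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def _cache_key(self, name, password):
        # Keyed digest so the cache never holds the cleartext password.
        msg = f"{name}\x00{password}".encode()
        return hmac.new(self._mac_key, msg, hashlib.sha256).hexdigest()

    def _fallback(self, name, password):
        # Only listed fallback users may log on locally; the local password is
        # expected to mirror the remote account of the same name.
        stored = self.local_users.get(name)
        return (name in self.fallback_users
                and stored is not None
                and hmac.compare_digest(stored, password))

    def authenticate(self, name, password, now=None):
        now = time.monotonic() if now is None else now
        key = self._cache_key(name, password)
        hit = self._cache.get(key)
        if hit is not None and hit[1] > now:
            return hit[0]                            # cached result still within its TTL
        try:
            ok = self.radius.authenticate(name, password)
        except RadiusUnreachable:
            ok = self._fallback(name, password)      # outage: fallback users only
        else:
            if not ok:
                ok = self._fallback(name, password)  # RADIUS rejected: try fallback
        if self.cache_ttl > 0:
            self._cache[key] = (ok, now + self.cache_ttl)
        return ok


def merge_access_profiles(groups, profiles, additive=True):
    """Combine the permissions granted by every group the user belongs to.

    additive=True reproduces the behaviour the page describes for LDAP group
    search (union of the groups' permissions); additive=False shows the
    most-restrictive alternative (only what every group grants) for contrast.
    """
    sets = [frozenset(profiles[g]) for g in groups if g in profiles]
    if not sets:
        return frozenset()
    return frozenset().union(*sets) if additive else frozenset.intersection(*sets)


# Constructed sample data.
RADIUS = FakeRadius(users={"alice": "pw-alice", "bob": "pw-bob"})
RBM = RbmSettings(
    radius=RADIUS,
    local_users={"bob": "pw-bob"},          # mirrors bob's remote credential
    fallback_users=frozenset({"bob"}),
    cache_ttl=60.0,
)
PROFILES = {
    "ops":   {"read", "write"},
    "audit": {"read", "delete"},
}

if __name__ == "__main__":
    print(RBM.authenticate("alice", "pw-alice", now=0))    # accepted by RADIUS
    RADIUS.reachable = False
    print(RBM.authenticate("alice", "pw-alice", now=30))   # served from the cache
    print(RBM.authenticate("alice", "pw-alice", now=61))   # cache expired; alice is not a fallback user
    print(RBM.authenticate("bob", "pw-bob", now=61))       # accepted as a local fallback user
    print(sorted(merge_access_profiles(["ops", "audit"], PROFILES)))         # additive
    print(sorted(merge_access_profiles(["ops", "audit"], PROFILES, False)))  # most restrictive
```

Two points the model makes visible: once RADIUS is unreachable, every name on the fallback list is a working local login for as long as the outage lasts, so that list should stay as short as the operational need allows; and because group profiles are unioned rather than intersected, one broad group silently widens the permissions of every user who also belongs to it, so each group's profile should be checked on its own before LDAP group search is enabled.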