You can use a RADIUS server for authentication on your storage system.
To use a RADIUS server for authentication, create a configuration file in UTF-8 encoding. Include information about the authentication server as shown in the following example. Any file name and extension are allowed. If an authorization server is not used, you do not need to define the items for it.
```properties
auth.server.type=radius
auth.server.name=server-name
auth.group.mapping=value
auth.radius.server-name.attribute=value
auth.group.domain-name.attribute=value
```
A full example is shown below:

```properties
auth.server.type=radius
auth.server.name=PrimaryServer
auth.group.mapping=true
auth.radius.PrimaryServer.protocol=PAP
auth.radius.PrimaryServer.host=example.com
auth.radius.PrimaryServer.port=1812
auth.radius.PrimaryServer.timeout=3
auth.radius.PrimaryServer.secret=secretword
auth.radius.PrimaryServer.retry.times=3
auth.radius.PrimaryServer.domain.name=radius.example.com
auth.group.radius.example.com.protocol=ldaps
auth.group.radius.example.com.host=xxx.xxx.xxx.xxx
auth.group.radius.example.com.port=636
auth.group.radius.example.com.searchdn=CN=sample1,CN=Users,DC=domain,DC=local
auth.group.radius.example.com.searchpw=password
auth.group.radius.example.com.basedn=CN=Users,DC=domain,DC=local
```
The attributes are defined in the following tables.
Attribute | Description | Required / Optional | Default value
---|---|---|---
auth.server.type | Type of authentication server. Specify radius. | Required | None
auth.server.name | Name of the server (referred to as server-name). When registering a primary and secondary server, use a comma to separate the names. The name of the server, including the primary name, secondary name, and the comma (1 byte), must be 64 bytes or less. The names can use all ASCII characters except for the following: \ / : , ; * ? " < > \| $ % & ' ~ | Required | None
auth.group.mapping | Whether to work together with an authorization server (the LDAP server defined in the second table). | Optional | false
auth.radius.server-name.protocol | RADIUS protocol to use (PAP or CHAP). | Required | None
auth.radius.server-name.host | Host name, IPv4 address, or IPv6 address of the RADIUS server. An IPv6 address must be enclosed in square brackets. You cannot specify the following IP addresses as an IPv6 address: | Required (note 1) | None
auth.radius.server-name.port | Port number of the RADIUS server. Must be between 1 and 65,535. | Optional (note 2) | 1,812
auth.radius.server-name.timeout | Number of seconds before the connection to the RADIUS server times out. Must be between 1 and 30. | Optional (note 2) | 10
auth.radius.server-name.secret | RADIUS secret key used for PAP or CHAP authentication. | Required | None
auth.radius.server-name.retry.times | Number of retries when the connection to the RADIUS server fails. Must be between 0 and 3; 0 means no retry. | Optional (note 2) | 3
auth.radius.server-name.attr.NASIdentifier | Identifier used by the RADIUS server to find the SVP. Specify this value if the NAS-Identifier attribute is used in your RADIUS environment. ASCII strings up to 253 bytes long are accepted. | Optional | None
auth.radius.server-name.attr.NAS-IPv4-Address | IPv4 address of the SVP. Specify this value if the NAS-Identifier attribute is used in your RADIUS environment. ASCII strings up to 253 bytes long are accepted. | Optional | None
auth.radius.server-name.attr.NAS-IPv6-Address | IPv6 address of the SVP. Specify the value of the NAS-IPv6-Address attribute. This value is transmitted to the RADIUS server when authentication is requested. | Optional | None

Notes:
Attribute | Description | Required / Optional | Default value
---|---|---|---
auth.radius.server-name.domain.name | Domain name that the LDAP server manages (referred to as domain-name). | Required | None
auth.radius.server-name.dns_lookup | Whether to look up the LDAP server using the SRV records registered in the DNS server. Specify false (searches with the host name and port number). Do not specify true (searches with the information registered in the SRV records in the DNS server). | Optional | false
auth.group.domain-name.protocol | LDAP protocol to use. Specify ldaps (LDAP over SSL/TLS). Do not specify starttls (StartTLS). | Required | None
auth.group.domain-name.host | Host name, IPv4 address, or IPv6 address of the LDAP server. An IPv6 address must be enclosed in square brackets ([ ]). You cannot specify the following IP addresses as an IPv6 address: | Optional (note 1) | None
auth.group.domain-name.port | Port number of the LDAP server. Must be between 1 and 65,535. | Optional (note 2) | 389
auth.group.domain-name.searchdn | DN of the user account used for searching. | Required (note 3) | None
auth.group.domain-name.searchpw | Password of the user account used for searching. Specify the same password that is registered in the LDAP server. | Required | None
auth.group.domain-name.basedn | Base DN for searching for users to authenticate. Specify the DN of a hierarchy that includes all the users to be searched, because the search targets users below the specified DN. | Optional (note 3) | abbr
auth.group.domain-name.timeout | Number of seconds before the connection to the LDAP server times out. Must be between 1 and 30. | Optional (note 2) | 10
auth.group.domain-name.retry.interval | Retry interval in seconds when the connection to the LDAP server fails. Must be between 1 and 5. | Optional | 1
auth.group.domain-name.retry.times | Number of retries when the connection to the LDAP server fails. Must be between 0 and 3; 0 means no retry. | Optional (note 2) | 3

Notes:
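The rules in the two tables above can be checked before the file is loaded on the storage system. The following validator is an added example, not the vendor's code: it parses the key=value format, applies the character-set, length, numeric-range, bracketed-IPv6 and protocol rules from the tables, and follows auth.radius.server-name.domain.name to the auth.group.domain-name.* entries when auth.group.mapping is true. The function names, the '#' comment syntax, the treatment of PAP and CHAP as the only RADIUS protocol values (taken from the secret attribute's description), and the sample IPv6 host are assumptions of this example.

```python
"""Validator for the RADIUS/LDAP authentication configuration file format described above.
Added example, not the storage vendor's code; it encodes the rules stated in the tables."""

# Characters the page lists as disallowed in auth.server.name (tilde assumed to be '~').
FORBIDDEN_NAME_CHARS = set('\\/:,;*?"<>|$%&\'~')

# (minimum, maximum) for the integer attributes, as given in the tables.
RADIUS_RANGES = {"port": (1, 65535), "timeout": (1, 30), "retry.times": (0, 3)}
LDAP_RANGES = {"port": (1, 65535), "timeout": (1, 30), "retry.interval": (1, 5), "retry.times": (0, 3)}


def parse_config(text):
    """Parse key=value lines into a dict. Blank lines and '#' comments are skipped (assumption)."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value")
        # Split on the first '=' only: DN values such as CN=x,DC=y themselves contain '='.
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def load_config(path):
    """Read the file as UTF-8, as the page requires; other encodings raise UnicodeDecodeError."""
    with open(path, encoding="utf-8") as fh:
        return parse_config(fh.read())


def _check_int(conf, key, lo, hi, errors):
    if key not in conf:
        return  # optional attribute; the table's default applies
    try:
        n = int(conf[key])
    except ValueError:
        errors.append(f"{key}: '{conf[key]}' is not an integer")
        return
    if not lo <= n <= hi:
        errors.append(f"{key}: {n} is outside {lo}-{hi}")


def _check_host(conf, key, errors):
    host = conf.get(key, "")
    # A literal IPv6 address contains ':' and must be written as [addr].
    if ":" in host and not (host.startswith("[") and host.endswith("]")):
        errors.append(f"{key}: IPv6 address must be enclosed in square brackets")


def validate_ldap(conf, domain):
    """Check the auth.group.<domain-name>.* entries from the second table."""
    errors = []
    p = f"auth.group.{domain}."
    if conf.get(p + "protocol") != "ldaps":
        errors.append(f"{p}protocol must be ldaps (starttls is not allowed)")
    for req in ("searchdn", "searchpw"):
        if not conf.get(p + req):
            errors.append(f"{p}{req} is required")
    _check_host(conf, p + "host", errors)
    for suffix, (lo, hi) in LDAP_RANGES.items():
        _check_int(conf, p + suffix, lo, hi, errors)
    return errors


def validate(conf):
    """Return a list of rule violations; an empty list means the file passes."""
    errors = []
    if conf.get("auth.server.type") != "radius":
        errors.append("auth.server.type must be radius")
    names_raw = conf.get("auth.server.name", "")
    if not names_raw:
        errors.append("auth.server.name is required")
    elif len(names_raw.encode("utf-8")) > 64:
        errors.append("auth.server.name must be 64 bytes or less including the comma")
    names = [n for n in names_raw.split(",") if n]
    mapping = conf.get("auth.group.mapping", "false").lower() == "true"
    for name in names:
        if not name.isascii() or FORBIDDEN_NAME_CHARS & set(name):
            errors.append(f"auth.server.name: '{name}' contains disallowed characters")
        p = f"auth.radius.{name}."
        if conf.get(p + "protocol") not in ("PAP", "CHAP"):  # assumption, see lead-in
            errors.append(f"{p}protocol must be PAP or CHAP")
        for req in ("host", "secret"):
            if not conf.get(p + req):
                errors.append(f"{p}{req} is required")
        _check_host(conf, p + "host", errors)
        for suffix, (lo, hi) in RADIUS_RANGES.items():
            _check_int(conf, p + suffix, lo, hi, errors)
        for attr in ("attr.NASIdentifier", "attr.NAS-IPv4-Address"):
            v = conf.get(p + attr, "")
            if not v.isascii() or len(v.encode("utf-8")) > 253:
                errors.append(f"{p}{attr}: must be ASCII and at most 253 bytes")
        if conf.get(p + "dns_lookup", "false").lower() == "true":
            errors.append(f"{p}dns_lookup must not be true")
        if mapping:
            domain = conf.get(p + "domain.name")
            if not domain:
                errors.append(f"{p}domain.name is required when auth.group.mapping=true")
            else:
                errors.extend(validate_ldap(conf, domain))
    return errors


# Constructed sample modelled on the page's full example; the IPv6 LDAP host is made up.
SAMPLE = """\
auth.server.type=radius
auth.server.name=PrimaryServer
auth.group.mapping=true
auth.radius.PrimaryServer.protocol=PAP
auth.radius.PrimaryServer.host=example.com
auth.radius.PrimaryServer.port=1812
auth.radius.PrimaryServer.timeout=3
auth.radius.PrimaryServer.secret=secretword
auth.radius.PrimaryServer.retry.times=3
auth.radius.PrimaryServer.domain.name=radius.example.com
auth.group.radius.example.com.protocol=ldaps
auth.group.radius.example.com.host=[2001:db8::10]
auth.group.radius.example.com.port=636
auth.group.radius.example.com.searchdn=CN=sample1,CN=Users,DC=domain,DC=local
auth.group.radius.example.com.searchpw=password
auth.group.radius.example.com.basedn=CN=Users,DC=domain,DC=local
"""

if __name__ == "__main__":
    problems = validate(parse_config(SAMPLE))
    print("OK" if not problems else "\n".join(problems))
```

Because the domain name itself contains dots, the validator builds the auth.group prefix from the value of auth.radius.server-name.domain.name rather than splitting keys on dots; this is what lets auth.group.radius.example.com.protocol in the page's example be matched correctly. Note that both secret and searchpw are stored in clear text in this file, so the file's permissions matter as much as its contents.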