
Procedure

  1. On the Device Configuration Authentication Preferences screen, select the RADIUS as Authentication Source option in the Remote Authentication section.
  2. In the RADIUS Servers section, click Edit next to the Primary, Secondary, or Tertiary Server IP.
  3. In the RADIUS Server Configuration dialog, configure the RADIUS server options described in the following table.
    | Setting | Description |
    |---|---|
    | IP Address | IP address of the RADIUS server. |
    | Port | Port on the RADIUS server that listens for authentication requests; the default is port 1812. |
    | Authentication Protocol | Authentication method used on the RADIUS server: PAP (default), MD5, or PEAP/EAP-MSCHAPv2. To use the PEAP/EAP-MSCHAPv2 protocol, you must first import an X509 certificate for the RADIUS server. You can import a certificate now, or if you have already imported a certificate into the SMS certificate repository, simply choose the one you want. For more information about certificate management, see View certificates. |
    | Secret/Confirm Secret | String used to encrypt and sign packets between RADIUS clients and the RADIUS server, set in the RADIUS client configuration file. |
    | Timeout | Timeout, in seconds, for communication with the RADIUS server. Default is 3. |
    | Attempts | Number of times communication with the RADIUS server is attempted. The default is 1 (no retries after first unsuccessful attempt to contact RADIUS server). |
    Note
    An IPS device that is managed by the SMS cannot have more than one RADIUS server configured with duplicate IP address, port, and authentication protocol settings.
  4. Test the RADIUS configuration by entering a valid User Name and Password for the server (and confirming), and then clicking Test.
  5. Click OK to save the server configuration as an authentication preference.
    Note
    To save the server configuration to the SMS and to the device, you must click OK on the Device Configuration wizard.
    An X509 certificate is required for validating PEAP/EAP-MSCHAPv2 authentication responses. The certificate is generated on the RADIUS server, and must be imported to the SMS. The SMS server accepts DER (binary) or PEM (Base64) encoded X509 certificates.
    Note
    Invalid certificates, including expired and revoked certificates, can still be used at the administrator’s discretion.