TMS zl Management and Configuration Guide ST.1.1.100430
Initial Setup in Monitor Mode
Management Settings
they simply enter their username. They do not need to include a domain
name. When a user submits credentials without a domain name, the
module checks the username first against the local manager and operator
accounts, and then it checks the username against the RADIUS server in
the global domain. Similarly, when a user submits credentials with a
domain name that is not configured for one of the TMS zl Module’s
RADIUS servers, the module submits the request to the global domain
RADIUS server.
8. As mentioned, users may submit their username followed by
@<domain name>. However, sometimes the RADIUS server will not
recognize the domain name. In this case, select the Strip domain from user name
in RADIUS request check box.
9. Click OK. The RADIUS server is now displayed in the
Network > Authentication > RADIUS window.
10. Click Save.
You should also verify that your external RADIUS server is ready to
authenticate administrators:
■ User accounts with the proper usernames and passwords are configured
in the RADIUS server’s database and assigned to the proper groups.
■ To authenticate manager users, the RADIUS server requires a policy that
meets these criteria:
• It selects RADIUS requests according to any of the attributes shown
in Table 3-8. For example, the policy can select requests from users
in the managers’ group; or it can select requests from specific IP
addresses.
• It sets the following AVP for the connection:
Service-Type = Administrative.
■ To authenticate operator users, the RADIUS server requires a policy that
meets these criteria:
• It selects RADIUS requests according to any of the attributes shown
in Table 3-8; again, the group to which operators belong is a common
choice for the criteria.
Note: Again, it is best practice to add Service-Type = NAS-Prompt-User to the
selection criteria for the management access policy.
• It sets the following AVP for the connection: Service-Type = NAS
Prompt.