TMS zl Management and Configuration Guide ST.1.1.100430
4-68
Firewall
User Authentication
Whichever attributes you use, it is best practice to also specify that
Service-Type = NAS-Prompt-User. This allows you to distinguish a
policy that authenticates users logging in through the TMS zl Module
from a policy that authenticates remote L2TP users.
Table 4-9. RADIUS Attributes Sent in a User RADIUS Request

Attribute           Value
------------------  ----------------------------------------------------
Username            User’s username
Password            User’s password
Calling-Station-ID  User’s actual IP address
NAS-Identifier      NAS Identifier configured for the module when you
                    specified the RADIUS server
NAS-IP-Address      Module IP address on the TMS VLAN that connects to
                    the RADIUS server
Service-Type        NAS-Prompt-User

• The policy grants authenticated users access.
• The policy defines the RADIUS attributes shown in Table 4-10 for the
connection. It can also define other attributes.

Table 4-10. RADIUS Attributes Required for RADIUS Access-Accept Messages

Attribute     Value                        Additional Guidelines
------------  ---------------------------  ------------------------------------------
Service-Type  Not defined or any value     Those three values are reserved for other
              except:                      types of users.
              • Administrative-User
              • NAS-Prompt
              • Framed
Filter-ID     Name of a user group on the  The value must match exactly a name that
              TMS zl Module                you configured in “Create User Groups” on
                                           page 4-66. When a user authenticates with
                                           this policy, the firewall access policies
                                           configured for this group on the module
                                           will control the user’s access.

Example RADIUS Configurations
This section includes some example configurations for two RADIUS servers
that work with the TMS zl Module:
■ “Microsoft IAS” on page 4-69
■ “Microsoft NPS” on page 4-78