RADIUS access to Dimension
Hi, I have an internal Radius server setup and working for VPN access alongside the NPS extension for Azure. This works fine for all VPN access, users get MFA'd via Azure.
I wanted to incorporate Radius authentication on the Dimension device so we can use specific AD accounts to log into the device and view the reports.
I have configured a new NPS policy and configured the Radius settings in Dimension. I can use the diagnostic tab and authenticate successfully.
If I attempt to log into the dimension with an AD account, I get MFA'd OK. But the dimension doesn't allow me in and returns the error "User does not have a role policy configured. Please contact your administrator."
I've tried adding a Local Group with "Dimension Administrator & Report Administrator" roles, a Radius Group with "Dimension Administrator & Report Administrator" roles.
I have assigned the relevant AD group (same one specified in the NPS policy) to the Local Group. But none of these changes allow me to actually log in.
Feels like I'm close to getting this working but need some help to get over the last hurdle. Any ideas are welcomed.
Thanks.
Comments
Hi @RobClarke
-Is your NPS server providing the group name via RADIUS attribute 11 (FilterID)? The group name must match what your RADIUS server is providing when the user logs in. This is case sensitive and must match exactly.
-If you've added a user name, has it been added to Dimension exactly how the username is being entered when you try to log in? For example, James, james, and JAMES are all different users.
-James Carson
WatchGuard Customer Support
Hi @james.carson thanks for the reply.
On the Dimension RADIUS settings - group attribute is set to 11. On the NPS server the Network Policy is set with Conditions 'The dimension IP address & the AD group the user resides in.' The Settings tab has RADIUS attributes - set to 11 and the name of the AD group.
I've had some success this afternoon but the only way I can log in is if I create a user on the dimension specifying that it is a RADIUS user and enter the email address of the specific AD user account. Entering a group name does not seem to work, no matter which type (RADIUS group or AD group). Or whether I use domain\group name or CN of group.
It's a bit clunky, but I only need to grant 5 people access to the reports at the moment, so I'll go with this for now.
Hi @RobClarke
If that works for you, great. If you'd like to look into the issue more, I'd suggest creating a support case so that one of our reps can look at the issue with you.
-James Carson
WatchGuard Customer Support
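An added example, not part of the thread and not WatchGuard code: one way to verify the attribute 11 advice above is to read the Filter-Id values out of the Access-Accept and compare them, exactly and case-sensitively, with the group names configured on the device. The packet, the group names and the `CORP` domain below are constructed samples, and the function names are hypothetical.

```python
import struct

FILTER_ID = 11  # RADIUS attribute 11 (Filter-Id), RFC 2865

def build_accept(attrs, ident=1):
    """Build a constructed Access-Accept (code 2); authenticator zeroed for the demo."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", 2, ident, 20 + len(body), b"\x00" * 16) + body

def filter_ids(packet):
    """Return every Filter-Id value carried in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length field")
    out, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        if atype == FILTER_ID:
            out.append(packet[pos + 2:pos + alen].decode("utf-8", "replace"))
        pos += alen
    return out

def check_groups(packet, configured):
    """Classify each configured group name against the Filter-Id values sent."""
    sent = filter_ids(packet)
    base = lambda s: s.strip().split("\\")[-1].lower()  # drop DOMAIN\ prefix
    report = {}
    for name in configured:
        if name in sent:
            report[name] = "match"
        elif any(s.lower() == name.lower() for s in sent):
            report[name] = "case mismatch"
        elif any(base(s) == base(name) for s in sent):
            report[name] = "prefix/whitespace mismatch"
        else:
            report[name] = "not sent"
    return sent, report

# Constructed sample: a Class attribute (25) plus Filter-Id "Dimension-Admins"
SAMPLE = build_accept([(25, b"\x01\x02"), (FILTER_ID, b"Dimension-Admins")])

if __name__ == "__main__":
    names = ["Dimension-Admins", "dimension-admins", "CORP\\Dimension-Admins"]
    sent, report = check_groups(SAMPLE, names)
    print("Filter-Id sent:", sent)
    for name, verdict in report.items():
        print(f"{name!r}: {verdict}")
```

Only the "match" verdict corresponds to a name that is identical to what the RADIUS server sent; the other verdicts point at the kind of difference to correct.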