RADIUS Server Options

Navigation Path

Objects > Object Management > AAA Server > RADIUS Server Group. Choose and edit a listed RADIUS Server Group object or add a new one. Then, in the RADIUS Server Group dialog, choose and edit a listed RADIUS Server or add a new one.

Fields

  • IP Address/Hostname—The network object that identifies the hostname or IP address of the RADIUS server to which authentication requests will be sent. You can select only one. To add more servers, add additional RADIUS Server entries to the RADIUS Server Group list.

    Note

    Firepower Threat Defense now supports IPv6 addresses for RADIUS authentication.

  • Authentication Port—The port on which RADIUS authentication and authorization are performed. The default is 1812.

  • Key and Confirm Key—The shared secret that is used to encrypt data between the managed device (client) and the RADIUS server.

    The key is a case-sensitive, alphanumeric string of up to 127 characters. Special characters are permitted.

    The key you define in this field must match the key on the RADIUS server. Enter the key again in the Confirm field.

  • Accounting Port—The port on which RADIUS accounting is performed. The default is 1813.

  • Timeout—Session timeout for authentication.

    Note

    The timeout value must be 60 seconds or more for RADIUS two-factor authentication. The default timeout value is 10 seconds.

  • Connect Using—Establishes connectivity from Firepower Threat Defense to a RADIUS server using a route lookup or using a specific interface. Select Routing to use the data routing table, or select Specific Interface and choose a security zone/interface group or the Management interface (the default). If you want to use Management, you must choose it specifically; it is not available when using a route lookup. You cannot specify any other management-only interface as the RADIUS source.

  • Redirect ACL—Select the redirect ACL from the list or add a new one.

    Note

    This is the name of the ACL defined in Firepower Threat Defense that determines which traffic is redirected. The Redirect ACL name here must be the same as the redirect-acl name on the ISE server. When you configure the ACL object, ensure that you select the Block action for ISE and DNS servers, and the Allow action for the rest of the servers.
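
Why the Key must match on both sides, as an added example (not Cisco code and not part of the original page): under RFC 2865, RADIUS hides the User-Password attribute by XORing it with MD5 digests of the shared secret and the 16-byte Request Authenticator, so a server holding a different key recovers garbage. The secrets, password and authenticator below are constructed sample values.

```python
import hashlib

def _pad_block(secret: bytes, prev: bytes) -> bytes:
    # RFC 2865 section 5.2 mandates MD5 here; usedforsecurity=False keeps
    # the call working on FIPS-restricted Python builds (3.9+).
    return hashlib.md5(secret + prev, usedforsecurity=False).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: build the User-Password attribute value."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # null-pad to 16n
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        # Each block is chained on the previous ciphertext block.
        prev = _xor(padded[i:i + 16], _pad_block(secret, prev))
        hidden += prev
    return hidden

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse the hiding with the server's copy of the key."""
    if len(hidden) % 16 or len(authenticator) != 16:
        raise ValueError("malformed attribute or authenticator")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        plain += _xor(block, _pad_block(secret, prev))
        prev = block
    return plain.rstrip(b"\x00")

def demo() -> dict:
    authenticator = bytes(range(16))        # constructed; random per request in practice
    device_key = b"Constructed-Key-01!"     # constructed value for the Key field
    password = b"sample user passphrase"    # constructed, 22 bytes -> two blocks
    hidden = hide_password(password, device_key, authenticator)
    return {
        "matching_key": recover_password(hidden, device_key, authenticator),
        # Keys are case-sensitive: one changed letter breaks recovery.
        "mismatched_key": recover_password(hidden, b"constructed-Key-01!", authenticator),
    }

if __name__ == "__main__":
    for label, value in demo().items():
        print(label, value)
```

Only the User-Password attribute is hidden this way; the rest of the packet is protected no further than the authenticator fields, which is why the strength of the key itself matters.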