How to set up a Digi DAL device and Microsoft NPS server to perform RADIUS authentication


1. Digi DAL device configuration.

Add a new authentication method and select RADIUS in the Method drop-down menu.

Rearrange the position of authentication methods.

Authentication methods are reordered by changing the method type in the Method drop-down for each authentication method to match the appropriate order.

For example, the following configuration has RADIUS as the first method, and Local users as the second.

 

 

2. Then add a RADIUS server in the RADIUS section of the configuration.

Enable Authoritative to prevent other authentication methods from being attempted if RADIUS login fails.

 

 

3. Microsoft NPS Server configuration.

Add the Network Policy and Access Services role on your Windows Server.

Then create a RADIUS client entry on the Windows Server.

 

4. Create a new Network Policy for your Digi device.

 

 

 

If you use Microsoft Active Directory for end-user authentication, you must select an AD group at this stage.

 

 

To log in to the Digi Web UI or SSH CLI, your RADIUS server must return a reply packet containing the VSA attribute, whose value must match the name of the local group with administrative privilege.

Vendor code value must be 4

Vendor-assigned attribute number must be 14

VSA attribute value: admin

5. Test the authentication request.

The Digi device's system log must contain the successful authentication events.

The RADIUS Access-Accept packet must contain the Vendor-Specific (VSA) attribute.
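
One way to confirm the last check from a packet capture of the NPS reply (an added example, not Digi or Microsoft code): the parser below walks the attributes of a RADIUS packet as laid out in RFC 2865 and reports whether an Access-Accept carries the VSA with vendor code 4, attribute number 14 and value admin. The function names and the sample packets are constructed for illustration, and the value is assumed to be sent as a plain text string.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type that carries VSAs (RFC 2865)
ACCESS_ACCEPT = 2      # RADIUS packet code for Access-Accept

def iter_attributes(packet: bytes):
    """Yield (type, value) for every attribute after the 20-byte header."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        attr_len = packet[pos + 1] if pos + 2 <= length else 0
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        yield packet[pos], packet[pos + 2:pos + attr_len]
        pos += attr_len

def vsa_values(packet: bytes, vendor_id: int, vendor_type: int):
    """Return the values of all sub-attributes matching vendor_id/vendor_type."""
    found = []
    for attr_type, value in iter_attributes(packet):
        if attr_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != vendor_id:
            continue
        sub = value[4:]  # sub-attributes: type (1), length (1), value
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            if sub[0] == vendor_type:
                found.append(sub[2:sub[1]])
            sub = sub[sub[1]:]
    return found

def accept_grants_group(packet: bytes, group: str) -> bool:
    """True if packet is an Access-Accept whose VSA 4/14 equals group."""
    is_accept = packet[:1] == bytes([ACCESS_ACCEPT])
    return is_accept and group.encode() in vsa_values(packet, 4, 14)

def build_sample(code: int, attrs: bytes) -> bytes:
    """Constructed test packet: identifier 1, zeroed authenticator."""
    return struct.pack("!BBH", code, 1, 20 + len(attrs)) + bytes(16) + attrs

# Constructed samples: one reply with the VSA from step 4, one without it.
_sub = bytes([14, 2 + len(b"admin")]) + b"admin"
_vsa = bytes([VENDOR_SPECIFIC, 2 + 4 + len(_sub)]) + struct.pack("!I", 4) + _sub
SAMPLE_ACCEPT = build_sample(ACCESS_ACCEPT, _vsa)
SAMPLE_NO_VSA = build_sample(ACCESS_ACCEPT, bytes([18, 4]) + b"ok")
print(accept_grants_group(SAMPLE_ACCEPT, "admin"))
```

Pass the raw UDP payload of the captured reply to accept_grants_group; a False result for an accepted login points at the vendor code, attribute number or value configured in the NPS network policy.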

Last updated: Oct 16, 2023
