Setting Up the RADIUS Server

Windows Server 2008 R2 Example

Although the procedure to configure RADIUS on Windows Server 2008 R2 is described in this manual, note that this configuration is not guaranteed to work with all network environments. Make sure to obtain your system administrator's help in setting up the system.

The procedure for setting up the RADIUS service on Windows Server 2008 R2 is as follows.

  1. Install the Network Policy and Access Services

    For details on installing "Network Policy and Access Services", refer to the Microsoft website.

  2. Enable CHAP

    If CHAP Authentication is required, set Windows to store passwords using reversible encryption, rather than relying on the default setting.

    Caution
    • If the current password is already stored using irreversible encryption, enabling reversible encryption does not change how that password is stored. To store the current password using reversible encryption, set the user password again or specify that each user must change the password at the next login.

  3. Configure the users

    Network Policy Server (NPS) is the Microsoft implementation of a RADIUS server and proxy. When using NPS to check the User login certificate, a list of user groups is displayed instead of a list of specific users. Each user group must be associated with a role that logs into a specific storage system. For example, after setting the "root", "Admin", and "user" user groups, the users that are to be allowed to log in must be added to the proper group.

    • Create users and user groups

      1. Select [Start] - [Administrative Tools] - [Computer Management].

      2. Select [System Tools] - [Local Users and Groups] - [Users].

        Right-click [Users] and select [New User]. Create a storage system login user as the [New User].

      3. Select [System Tools] - [Local Users and Groups] - [Groups]. Right-click [Groups] and select [New Group]. Create a group for the ETERNUS AF/DX as the [New Group] and add the user created in step 2.

      4. Set the Network Policy and Access Services

        The following three steps must be performed:

        • Register the ETERNUS AF/DX as a RADIUS client

          1. Select [Start] - [Administrative Tools] - [Server Manager].

          2. Select [Roles] - [Network Policy and Access Services] - [NPS] - [RADIUS Clients and Servers] - [RADIUS Clients]. Right-click [RADIUS Clients] and select [New RADIUS Client], and set the various items.

            • For the "Address (IP or DNS)", set the IP address of the client ETERNUS AF/DX.

            • For the "Vendor name", set "RADIUS Standard".

            • For the "Shared secret", set the shared key that is registered on the client ETERNUS AF/DX.

        • Set the accessible user group and the authentication method

          1. Select [Start] - [Administrative Tools] - [Server Manager].

          2. Select [Roles] - [Network Policy and Access Services] - [NPS] - [Policies] - [Network Policies]. Right-click [Network Policies], select [New], and set the various items.

            • Click "Add" in the "Conditions" tab and add "Windows Groups". For "Windows Groups", add the group that was created for the ETERNUS AF/DX.

            • For the "secure authentication methods", check "Encryption authentication (CHAP(C))" or "Unencrypted authentication (PAP,SPAP)(S)". Select the same setting as is set on the ETERNUS AF/DX.

        • Set the role with Vendor Specific Attribute (VSA)

          1. Select [Start] - [Administrative Tools] - [Server Manager].

          2. Select [Roles] - [Network Policy and Access Services] - [NPS] - [Policies] - [Network Policies]. Select and double-click the newly added policy.

          3. Set the following items using the [Add] button under [Vendor Specific] on the [Settings] tab.

            • For the "Attributes", add "Vendor-Specific/RADIUS Standard".

            • For the "Enter Vendor Code", enter "211".

            • For the "RADIUS RFC", click "Yes, it conforms".

            • For the "Vendor-assigned attribute number", enter "1".

            • For the "Attribute format", select "String".

            • For the "Attribute Value", enter the role name for the user who belongs to the added "Groups". The role name must be registered in the ETERNUS AF/DX in advance. The server-side role names are case sensitive and must be input correctly.

              [Example] RoleName0
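
The [Vendor Specific] settings above (vendor code 211, attribute number 1, string format, RFC-conformant) fix the bytes of the attribute that carries the role name. The following is an added example, not part of the original manual: it encodes and parses that attribute using the RFC 2865 Vendor-Specific layout, which helps when checking a packet capture against the configured role. The function names, the `role_accepted` helper and the sample attribute list are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26  # RADIUS attribute type for a VSA (RFC 2865)
VENDOR_ID = 211       # "Enter Vendor Code" value from the procedure
ROLE_ATTR = 1         # "Vendor-assigned attribute number" from the procedure

def encode_role_vsa(role):
    """Build the Vendor-Specific attribute that carries the role name string."""
    value = role.encode("ascii")
    sub = struct.pack("!BB", ROLE_ATTR, 2 + len(value)) + value
    total = 6 + len(sub)  # type + length + 4-byte vendor id + sub-attribute
    if total > 255:
        raise ValueError("role name too long for one RADIUS attribute")
    return struct.pack("!BBI", VENDOR_SPECIFIC, total, VENDOR_ID) + sub

def extract_roles(attrs):
    """Return role names found in vendor 211 / type 1 sub-attributes."""
    roles, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        body, pos = attrs[pos + 2:pos + alen], pos + alen
        if atype != VENDOR_SPECIFIC or len(body) < 6:
            continue  # not a VSA, or too short to hold a sub-attribute
        if struct.unpack("!I", body[:4])[0] != VENDOR_ID:
            continue  # VSA from a different vendor
        vtype, vlen = body[4], body[5]
        if vlen < 2 or 4 + vlen > len(body):
            raise ValueError("bad vendor sub-attribute length")
        if vtype == ROLE_ATTR:
            roles.append(body[6:4 + vlen].decode("ascii"))
    return roles

def role_accepted(attrs, registered_roles):
    """Hypothetical check: exact, case-sensitive match against registered roles."""
    return any(r in registered_roles for r in extract_roles(attrs))

# Constructed sample: a Reply-Message attribute (type 18) followed by the role VSA.
SAMPLE_ATTRS = bytes([18, 4]) + b"ok" + encode_role_vsa("RoleName0")

if __name__ == "__main__":
    print(encode_role_vsa("RoleName0").hex())
    print(extract_roles(SAMPLE_ATTRS))
    print(role_accepted(SAMPLE_ATTRS, {"rolename0"}))
```

A role name that differs only in letter case does not match, which is the most common reason a correctly authenticated user is still refused a role.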