---
title: "Method: RADIUS authentication and authorization"
slug: "method-radius-authentication-and-authorization"
updated: 2025-06-27T20:46:17Z
published: 2025-06-27T20:46:17Z
---


# Method: RADIUS authentication and authorization

RADIUS (Remote Authentication Dial-In User Service) provides central authentication for users.

It is a client-server protocol that runs on the application layer. It can use either TCP or UDP as transport. Normally, all users have access to all devices without restriction.

## **Configuration**

### **Step 1 - On the Nodegrid side:**

1. Log in to Nodegrid as admin and go to **Security**.
2. Select **Authentication** and click **Add**.
3. Select **Radius** as the method and enter the IP address of the remote server. ![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/auth3(2).png)
4. Select the **Fallback if denied access** option. This option enables you to log in to the Nodegrid with local accounts in case you cannot authenticate with the Radius users.
5. Enter the IP address of the Radius accounting server.

> **NOTE:** The accounting server is optional; if no accounting server is available, this setting can be left blank.

![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/pap(1).png)
6. Enter the secret key and confirm it.
7. Select the authentication method as one of the following:
  1. PAP (default): PAP (Password Authentication Protocol) is a method that sends the password hashed using MD5.
  2. MSCHAPV2: MSCHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2) is a password-based authentication protocol. Users provide their username and password, and MSCHAPv2 uses these credentials to verify their identity. The authentication server sends a random challenge to the client, which responds with a hashed value generated using the challenge and the user’s password. The server verifies this response to authenticate the user.
  3. EAP MSCHAPV2: EAP-MSCHAPv2 (Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2) integrates MSCHAPv2 into the EAP framework for secure authentication. When a user or device attempts to authenticate on a network using EAP-MSCHAPv2, the authentication process follows the MSCHAPv2 protocol. Users provide their username and password, which the authentication server verifies. EAP-MSCHAPv2 enhances security by encapsulating MSCHAPv2 within the EAP framework. This enables secure transport of authentication data and supports mutual authentication, where both the client and the server verify each other’s identities.
8. Select the checkbox **Require Message Authenticator**. When this option is enabled, the RADIUS authentication server includes a Message-Authenticator attribute in all authentication packets.

*CLI method to configure the authentication method:*

```plaintext
[admin@nodegrid /]# cd settings/authentication/servers/
[admin@nodegrid servers]# add
[admin@nodegrid {servers}]# set method=radius
[admin@nodegrid {servers}]# set radius_authentication_method=
eapmschapv2  mschapv2     pap
[admin@nodegrid {servers}]# set radius_authentication_method=eapmschapv2
[admin@nodegrid {servers}]# set radius_require_message_authenticator=yes
```
9. Click **Save**.
10. Go back to **Security** and select **Services**.
11. In the Manage devices section, select the **Device access enforced via user group authentication** option.
12. Click **Save**.
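What checking the Message-Authenticator on a server reply (the **Require Message Authenticator** option in step 8) involves, shown as an added Python example that is not Nodegrid or FreeRADIUS code. It assumes the RFC 2869 definition (HMAC-MD5 keyed with the shared secret, computed with the request's authenticator and a zero-filled attribute value); the function names are hypothetical, the packets are constructed, and the vendor number and group name are the ones used in Step 2 of this page.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80          # Message-Authenticator attribute type (RFC 2869)
ZPE_VENDOR_ID = 42518  # vendor number from the page's dictionary.zpe

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value

def zpe_user_groups(groups: str) -> bytes:
    """Vendor-Specific (26) attribute carrying ZPE-User-Groups (vendor type 1)."""
    return attr(26, struct.pack("!I", ZPE_VENDOR_ID) + attr(1, groups.encode()))

def build_reply(code, ident, request_auth, attrs, secret, sign=True):
    """Constructed server reply; sign=False leaves out the Message-Authenticator."""
    if sign:
        attrs = attr(MSG_AUTH, bytes(16)) + attrs  # zero-filled while the HMAC is computed
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    if sign:
        mac = hmac.new(secret, head + request_auth + attrs, hashlib.md5).digest()
        attrs = attr(MSG_AUTH, mac) + attrs[18:]
    response_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + response_auth + attrs

def reply_is_authentic(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True only if attribute 80 is present and its HMAC-MD5 verifies."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return False  # malformed attribute
        if attr_type == MSG_AUTH:
            if attr_len != 18:
                return False
            signed = (packet[:4] + request_auth + packet[20:pos + 2]
                      + bytes(16) + packet[pos + 18:])
            expected = hmac.new(secret, signed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += attr_len
    return False  # attribute absent: reject, since it is required

# Constructed sample: Access-Accept (code 2) for the page's example group.
SECRET, REQ_AUTH = b"your_secret_password", bytes(range(16))
REPLY = build_reply(2, 7, REQ_AUTH, zpe_user_groups("radius_network_admin"), SECRET)
print(reply_is_authentic(REPLY, REQ_AUTH, SECRET))
```

A reply whose group attribute was altered after signing, a reply without attribute 80, and a reply signed with a different secret all fail this check.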

Log in as a user; the user does not have access to any devices. To give access to a user:

1. Log in as admin and go to **Security**.
2. Select **Authorization**, select the group needed, and click **Add**.
3. Enter the user to add. If more users need to be added, separate each username with a comma.
4. Click **Save**.

Log back in as the user; the user now has access to the devices allowed by the group.

To match the Radius group, go to *Security :: Authorization* and select or create a new group. In Profile, assign the permissions of that group. In Remote Groups, enter the name of the group as declared on the Radius server.

### **Step 2 - On the RADIUS server side**

In this example, the FreeRADIUS server (open source) is used. It is assumed that the FreeRADIUS server is installed.

1. Go to the location /etc/freeradius/3.0/clients.conf.
2. Declare the Nodegrid, following the format:

```plaintext
client your_nodegrid_device {
    ipaddr = 10.10.10.6
    secret = your_secret_password
    require_message_authenticator = no
    nastype = other
}
```

> **NOTE:** The secret must match the secret entered, during the first step, on the Nodegrid side.
3. Create a new file */usr/share/freeradius/dictionary.zpe* with the following content:

```plaintext
VENDOR ZPE 42518

BEGIN-VENDOR ZPE

ATTRIBUTE ZPE-User-Groups 1 string

END-VENDOR ZPE
```
4. Edit the existing file "/usr/share/freeradius/dictionary" and add the following line to include the newly created "dictionary.zpe":

```plaintext
$INCLUDE dictionary.zpe
```
5. Then, in /etc/freeradius/users, assign user groups.
6. Define the "Framed-Filter-ID" attribute (as before) or define a new attribute "ZPE-User-Groups":

```plaintext
user_radius Cleartext-Password := "password_user_radius"
    ZPE-User-Groups = "radius_network_admin"
```
7. Restart the RADIUS server: `systemctl restart freeradius`

> **NOTE:** If both attributes are defined, "ZPE-User-Groups" takes precedence.

### **Troubleshooting**

1. Make a local test, on the Radius server, with the command:

```plaintext
radtest user_radius password_user_radius localhost 0 your_secret_password
```
2. Log in to the Nodegrid using the Radius user of the Radius group.

The permissions of that user shall match those of the associated local group.
