Appendix G Using RADIUS Authentication
ETERNUS Web GUI User’s Guide
Copyright 2013 FUJITSU LIMITED P2X0-1090-10ENZ0
G.2 Notes when Using RADIUS Authentication for GUI
• A primary server and secondary server can be set for GUI authentication. If the primary RADIUS server
times out, the secondary server is tried.
• If RADIUS Authentication fails and "Do not use Internal Authentication" has been selected for
"Authentication Error Recovery", it will not be possible to log in to the GUI or CLI.
• When "Use Internal Authentication (Network Error Case)" has been selected for "Authentication Error
Recovery", Internal Authentication is only performed if RADIUS Authentication fails on both the primary and
secondary RADIUS servers, and at least one of these failures is due to a network error.
• As long as there is no RADIUS Authentication response, the ETERNUS DX Disk storage system keeps
retrying to authenticate the user for the entire "Timeout" period set on the "Set RADIUS Authentication
(Initial)" menu. If authentication does not succeed before the timeout occurs, this is considered a RADIUS
Authentication failure.
• When using RADIUS Authentication, if the role that is received from the server is unknown (not set) for the
storage system, RADIUS Authentication fails.
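The notes above combine into a small decision procedure. The following added example (a model written for this page, not Fujitsu code) shows which path a login takes for a given pair of server outcomes. It assumes both servers are configured, that a timeout is the "network error" case, and that the secondary is consulted only after a primary timeout; the role names are constructed samples.

```python
from enum import Enum

class Outcome(Enum):
    ACCEPT = "accept"    # server answered and accepted the credentials
    REJECT = "reject"    # server answered and refused them
    TIMEOUT = "timeout"  # no response for the whole "Timeout" period

class Recovery(Enum):    # "Authentication Error Recovery" options named on this page
    NO_INTERNAL = "Do not use Internal Authentication"
    NETWORK_ERROR_CASE = "Use Internal Authentication (Network Error Case)"

# Constructed sample: roles that are set on the storage system.
KNOWN_ROLES = {"Admin", "user"}

def radius_failure(outcome, role):
    """Return None on success, else the failure kind: 'network' or 'auth'."""
    if outcome is Outcome.TIMEOUT:
        return "network"  # assumption: a timeout counts as a network error
    if outcome is Outcome.REJECT:
        return "auth"
    # Accepted, but a role unknown to the storage system still fails RADIUS.
    return None if role in KNOWN_ROLES else "auth"

def login_path(primary, secondary, recovery, role=None):
    """Model the login path: 'radius', 'internal' or 'denied'.

    'internal' means Internal Authentication is attempted, not that it succeeds.
    """
    failures = [radius_failure(primary, role)]
    if failures[0] is None:
        return "radius"
    # Assumption: the secondary is tried only after a primary timeout.
    if primary is Outcome.TIMEOUT:
        failures.append(radius_failure(secondary, role))
        if failures[1] is None:
            return "radius"
    both_failed = len(failures) == 2
    if (recovery is Recovery.NETWORK_ERROR_CASE and both_failed
            and "network" in failures):
        return "internal"
    return "denied"  # no GUI or CLI login is possible on this path
```

With "Do not use Internal Authentication" selected, an outage of both RADIUS servers leaves every path at `denied`, which is the lockout case described in the second note.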
G.3 Setting Up the RADIUS Server
Windows Server 2008 R2 Example
The RADIUS setup procedure described below uses Windows Server 2008 R2 as an example. Note
that this setup procedure is not guaranteed to work in all network environments. Make sure to
obtain your system administrator's help in setting up the system.
The procedure for setting up the RADIUS service on Windows Server 2008 R2 is as follows.
(1) Install the Network Policy and Access Services
For details on installing "Network Policy and Access Services", refer to the Microsoft website.
(2) Enable the Challenge Handshake Authentication Protocol (CHAP)
If CHAP Authentication is required, set Windows to store passwords using reversible encryption, rather than
relying on the default setting.
(3) Configure the users
Network Policy Server (NPS) is the Microsoft implementation of a RADIUS server and proxy. When using
NPS to check the User login certificate, a list of user groups is displayed instead of a list of specific users.
Each user group must be associated with a role that logs into a specific ETERNUS DX Disk storage system.
For example, after setting the "root", "Admin", and "user" user groups, those users that are to be allowed to
log in must be added to the proper group.
If the current password is already stored using irreversible encryption, the stored password is
not changed even when storing passwords using reversible encryption is enabled. To store
the current password using reversible encryption, set the user password again or specify that the
password for each user is changed at the next login.