Secure Mobile Access 100 10.2 Administration Guide
- Secure Mobile Access 10.2
- Introduction
- About This Guide
- New Features
- Deprecated Features
- Overview of SMA Components
- SMA Software Components
- SMA Hardware Components
- Client Versions Released with 10.2
- SMA 500v Virtual Appliances
- Increased Client Connections on SMA 210/410
- Capture ATP Integration Overview
- Always on VPN
- Encryption Overview
- SSL for Virtual Private Networking (VPN)
- SSL Handshake Procedure
- IPv6 Support Overview
- Portals Overview
- File Shares
- Domains Overview
- Application Offloading and HTTP(S) Bookmarks Overview
- Cross Domain Single Sign-On
- ActiveSync Authentication
- Network Resources Overview
- SNMP Overview
- DNS Overview
- Network Routes Overview
- NetExtender Overview
- What is NetExtender?
- Benefits of NetExtender
- NetExtender Concepts
- NetExtender and IPv6
- Two-Factor Authentication Overview
- One Time Password Overview
- End Point Control Overview
- Web Application Firewall Overview
- What is Web Application Firewall?
- Benefits of Web Application Firewall
- How Does Web Application Firewall Work?
- How are Signatures Used to Prevent Attacks?
- How is Cross-Site Request Forgery Prevented?
- How is Information Disclosure Prevented?
- How are Broken Authentication Attacks Prevented?
- How are Insecure Storage and Communications Prevented?
- How is Access to Restricted URLs Prevented?
- How are Slowloris Attacks Prevented?
- What Type of PCI Compliance Reports Are Available?
- How Does Cookie Tampering Protection Work?
- How Does Application Profiling Work?
- How Does Rate Limiting for Custom Rules Work?
- Restful API - Phase 1 Support
- Restful API - Phase 2 Support
- Navigating the Management Interface
- Deployment Guidelines
- Secure Mobile Access Dashboard
- Configuring Secure Mobile Access
- System Configuration
- System > Status
- System > Licenses
- System > Time
- System > Settings
- System > Administration
- System > Certificates
- System > Monitoring
- System > Diagnostics
- System > Restart
- System > About
- Network Configuration
- Portals Configuration
- Portals > Portals
- Portals > Application Offloading
- Portals > Domains
- Viewing the Domains Table
- Removing a Domain
- Adding or Editing a Domain
- Secure Hosts for Secure Network Detection
- Adding or Editing a Domain with Local User Authentication
- Adding or Editing a Domain with Active Directory Authentication
- Adding or Editing a Domain with RADIUS Authentication
- Adding or Editing a Domain with Digital Certificates
- Adding a Domain with SAML 2.0 Authentication
- Configuring SAML Authentication
- Configuring Two-Factor Authentication
- DUO Security Authentication Support for NetExtender and Mobile Connect Clients
- Portals > Load Balancing
- Portals > URL Based Aliasing
- System Configuration
- Configuring Services and Clients
- Services Configuration
- Services > Settings
- Services > Bookmarks
- Terminal Services (RDP-HTML5 and Native)
- Terminal Services (RDP-HTML5)
- Virtual Network Computing (VNC-HTML5)
- Citrix Portal (Citrix)
- Web (HTTP)
- Secure Web (HTTPS)
- External Web Site
- Mobile Connect
- File Shares (CIFS)
- File Transfer Protocol (FTP) and SSH File Transfer Protocol (SFTP)
- Telnet HTML5 Settings
- Secure Shell Version 2 (SSHv2)
- Services > Policies
- Device Management Configuration
- Clients Configuration
- End Point Control
- Web Application Firewall Configuration
- Viewing and Updating Web Application Firewall Status
- Configuring Web Application Firewall Settings
- Enabling Web Application Firewall and Configuring General Settings
- Configuring Global Exclusions
- Configuring Intrusion Prevention Error Page Settings
- Configuring Cross-Site Request Forgery Protection Settings
- Configuring Cookie Tampering Protection Settings
- Configuring Web Site Cloaking
- Configuring Information Disclosure Protection
- Configuring Session Management Settings
- Configuring Web Application Firewall Signature Actions
- Configuring Custom Rules and Application Profiling
- Using Web Application Firewall Monitoring
- Licensing Web Application Firewall
- Capture ATP
- Geo IP and Botnet Filter
- High Availability Configuration
- Services Configuration
- Configuring Users & Logs
- Users Configuration
- Users > Status
- Users > Local Users
- Local Users
- Editing User Settings
- Adding User Policies
- Adding a Policy for an IP Address
- Adding a Policy for an IP Network
- Adding a Policy for All Addresses
- Setting File Share Access Policies
- Adding a Policy for a File Share
- Adding a Policy for a URL Object
- Policy URL Object Field Elements
- Adding a Policy for All IPv6 Addresses
- Adding a Policy for an IPv6 Address
- Adding a Policy for an IPv6 Network
- Adding or Editing User Bookmarks
- Terminal Services (RDP) or Terminal Services (RDP - HTML5)
- Virtual Network Computing (VNC)
- Citrix Portal (Citrix)
- Web (HTTP)
- Secure Web (HTTPS)
- External Web Site
- Mobile Connect
- File Shares (CIFS)
- File Transfer Protocol (FTP)
- SSH File Transfer Protocol (SFTP)
- Telnet
- Secure Shell Version 2 (SSHv2)
- HTML5 SSH Key File Authentication Support
- Creating a Citrix Bookmark for a Local User
- Creating Bookmarks with Custom SSO Credentials
- Configuring Login Policies
- Denying Mobile App Binding when Login is Attempted from any External Network
- Reusing Mobile App Binding Text Code
- Flexibility in Choosing Two-factor Authentication Method for NetExtender Login
- Configuring End Point Control for Users
- Configuring Capture ATP
- Users > Local Groups
- Deleting a Group
- Adding a New Group
- Editing Group Settings
- Editing General Local Group Settings
- Enabling Routes for Groups
- Adding Group Policies
- Editing a Policy for a File Share
- Configuring Group Bookmarks
- Terminal Services (RDP), Terminal Services (RDP-HTML5) or Terminal Services (RDP-Native)
- Virtual Network Computing (VNC)
- Citrix Portal (Citrix)
- Web (HTTP)
- Secure Web (HTTPS)
- External Web Site
- Mobile Connect
- File Shares (CIFS)
- File Transfer Protocol (FTP) and SSH File Transfer Protocol (SFTP)
- Secure Shell Version 2 (SSHv2) HTML5 Settings
- SSHv2 Common Settings
- Configuring Group End Point Control
- LDAP Attribute Information
- Group Configuration for Active Directory and RADIUS Domains
- Creating a Citrix Bookmark for a Local Group
- Global Configuration
- Log Configuration
- Users Configuration
- Using Virtual Office
- Appendices
- Using Online Help
- Configuring an SMA Appliance with a Third-party Gateway
- Printer Redirection
- Use Cases
- Secure Mobile Access Security Best Practices
- Multi-Factor Authentication
- Additional Configuration Recommendations for Security Best Practices
- Prohibit Saving Username and Password
- Hide Domain List on Portal Login Page
- Enable HTTP Strict Transport Security (HSTS) for SMA
- Enforce Login Uniqueness
- Enforce Client Source Uniqueness
- Enable “Login Schedule”
- Enable “Logout Schedule”
- Enforce Password Complexity
- Enable Client Certificate Enforcement (Advanced Security Feature)
- Restrict Request Headers
- Use a Public Certificate
- Allow Touch ID and Face ID on Mac, Apple IOS, and Android Devices
- Disconnection on Inactivity Timeout
- Disable the Default Admin Account
- Allow Policy Match Logging
- Setup Connection Policies
- Device Registration
- End Point Control
- GEO IP Fencing
- Capture ATP for the SMA 100 Series
- Security Enhancements
- General Considerations
- NetExtender Troubleshooting
- Frequently Asked Questions
- Using the Command Line Interface
- Using SMS Email Formats
- Support Information
- Glossary
- SonicWall Support
Adding or Editing a Domain with RADIUS Authentication
To configure a domain with RADIUS authentication
- On the Portals > Domains page,
- Click Add Domain or the Configure icon for the domain to edit.
-
The Add Domain or Edit Domain page displays.
- If adding the domain, select RADIUS from the Authentication type menu. The RADIUS configuration fields are displayed.
- If adding the domain, enter a descriptive name for the authentication domain in the Domain name field. This is the domain name users selects to log in to the Secure Mobile Access portal.
- Select the proper Authentication Protocol for your RADIUS server. Choose from PAP, CHAP, MSCHAP, or MSCHAPV2.
- Under Primary Radius server, enter the IP address or domain name of the RADIUS server in the RADIUS server address field.
- Enter the RADIUS server port in the RADIUS server port field.
- If required by your RADIUS configuration, enter an authentication secret in the Secret password field.
- Under Backup Radius Server, enter the IP address or domain name of the backup RADIUS server in the RADIUS server address field.
- Enter the backup RADIUS server port in the RADIUS server port field.
- If required by the backup RADIUS server, enter an authentication secret for the backup RADIUS server in the Secret password field.
- Enter the test user ID in the Test User ID field.
- Enter the test password in the Test Password field.
- Enter a number (in seconds) for RADIUS timeout in the RADIUS Timeout (Seconds) field.
- Enter the maximum number of retries in the Max Retries field.
- Optionally, if using RADIUS for group-based access, select Use Filter-ID for RADIUS Groups.
- Optionally, select User Client IP for RADIUS Server Logging to use the client IP instead of the SMA IP address for RADIUS logging.
- Click the name of the layout from the Portal name drop-down menu.
- If you selected the Authentication Protocol for your RADIUS server as MSCHAP or MSCHAPV2, you have the option to select Allow password changes. Note that if you enable password changes, you must also deploy the LAN Manager authentication.
-
Optionally select Enable client certificate enforcement to require the use of client certificates for login. By checking this box, you require the client to present a client certificate for strong mutual authentication. Two additional fields appear:
- <![CDATA[ ]]>Verify username matches Common Name (CN) of client certificate – Select this check box to require that the user’s account name match their client certificate.
- Verify partial DN in subject – Use the following variables to configure a partial DN that matches the client certificate:
- Username: %USERNAME%
- Domain name: %USERDOMAIN%
- Active Directory username: %ADUSERNAME%
- Wildcard: %WILDCARD%
- Select Delete external user accounts on logout to delete users who are not logged into a domain account after they log out.
- Select Only allow users listed locally to only allow users that are configured locally, but to still use RADIUS to authenticate.
- Select Auto-assign groups at login to assign users to a group when they log in. Users logging into RADIUS domains are automatically assigned in real time to Secure Mobile Access groups based on their external RADIUS filter-IDs. If a user’s external group membership has changed, their Secure Mobile Access group membership automatically changes to match the external group membership.
-
Optionally select One-time passwords to enable the One-time password feature. A drop-down menu appears, in which you can select if configured, required for all users, or using domain name. These are defined as:
- if configured – Only users who have a One Time Password email address configured uses the One Time Password feature.
- required for all users – All users must use the One Time Password feature. Users who do not have a One Time Password email address configured is not allowed to login.
- using domain name – Users in the domain use the One Time Password feature. One Time Password emails for all users in the domain is sent to
username@domain.com
.
- If you select using domain name, an E-mail domain field appears following the drop-down menu. Type in the domain name where one-time password emails are sent (for example,
abc.com
). -
Optionally select Always on VPN to allow uninterrupted VPN access. Three additional fields appear:
- Allow user to disconnect and enter a domain in the E-mail domain: window.
- Allow accessing network if VPN fail to connect.
- Don’t connect VPN in Trusted Network.
-
Select an option from the Require Device Register drop-down menu:
- Select Use Global Settings to apply global settings to domain.
- Select Enable to enable this feature, no matter what is selected for global setting.
- Select Disable to disable this feature, no matter what is selected for global setting.
- Click Accept to update the configuration. After the domain has been added, the domain is added to the table on the Portals > Domains page.
- Click Configure next to the RADIUS domain you added.
- Enter your RADIUS user ID in the User ID field and your RADIUS password in the Password field.
- Click Test. The SMA appliance connects to your RADIUS server.
- If you receive the message Server not responding, check your user ID and password and click the General tab to verify your RADIUS settings. Try running the test again.
Was This Article Helpful?
Help us to improve our support portal