I'm trying to set up radius authentication for users logging on to a Sidewinder (S2008), with a Cisco ACS 5.3 Tacacs/Radius server. I've created a radius authenticator profile and added an Admin Console rule using the radius profile as the authencator type and I can see in both the Cisco ACS logs and the Sidewinder View Audit screen that authentication is successful. However I can't log on to the box, I get the login failed message and I'm prompted for my password again. In the view audit screen i can see the 'user successfully authenticated with radius' message, but then I get a message about the users password not being in the password file.
I found this post https://community.mcafee.com/thread/46522 where another member has stated that the user needs to be added as a local admin with the same username as on the radius server. I tried this and found that I also had to set the same local password as the radius server in order to log in. Am I missing something fundamental to get radius to work, or is it really the case that a local user has to be added? I can kind of understand the local user needing to be added so that the home directory and other unix profile options are created on the Sidewinder, but this seems to make the radius part of authentication totally pointless, I may as well just create the local user accounts and scrap radius authentication.
Thanks in advance
You must add the user as a firewall administrator in order for that username to login to the firewall. If you did not have to do this then anyone who has an account on the RADIUS server could login to your firewall and change your policy. The RADIUS server admin could make himself an account on the RADIUS server and login to your firewall without you creating an account for him on the firewall if that was the case. The password on the firewall itself does not have to match the password on the RADIUS server; that username simply has to exist as an Administrator on the firewall.