The setting can be enabled via the admin interface:
The address 'radius://ldap.example.com:1812/secret' consists of 3 parts: host, port and secret. Change it according to your RADIUS server settings. Now, when a user tries to log in, Watcher queries the server over the RADIUS protocol. Watcher sends User-Name and User-Password in the Access-Request. The RADIUS server responds with the list of groups for this user, using the Filter-Id (11) attribute. Each group is stored in a separate attribute.
- Watcher queries RADIUS on every user login.
- If RADIUS answers Access-Accept, Watcher logs the user in and saves the HEX password and group memberships to the database.
- If RADIUS answers Access-Reject, the user is locked in the database.
- If RADIUS does not answer, Watcher looks the user up in the database.
Bear in mind that RADIUS should know about all users, including administrators. The administrator attribute cannot be transferred in the RADIUS response; it can be assigned only through Watcher.
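The following added example (not Watcher's own code) splits the address into its three parts and reads one group per Filter-Id (11) attribute from a reply, after checking the Response Authenticator that RFC 2865 derives from the shared secret. The function names, group names and Request Authenticator are constructed for illustration; the page does not describe how Watcher itself validates replies.

```python
import hashlib
import hmac
import struct
from urllib.parse import urlparse

ACCESS_ACCEPT, ACCESS_REJECT, FILTER_ID = 2, 3, 11  # RFC 2865 codes / attribute type

def parse_address(url):
    """Split radius://host:port/secret into (host, port, secret)."""
    u = urlparse(url)
    secret = u.path.lstrip("/")
    if u.scheme != "radius" or not u.hostname or not secret:
        raise ValueError("expected radius://host:port/secret")
    return u.hostname, u.port or 1812, secret.encode()

def build_reply(code, ident, request_auth, secret, groups):
    """Constructed sample input: a server reply with one Filter-Id per group."""
    attrs = b"".join(bytes([FILTER_ID, len(g) + 2]) + g for g in groups)
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + auth + attrs

def parse_reply(packet, ident, request_auth, secret):
    """Check identifier and Response Authenticator, return (code, [groups])."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, got_ident, length = struct.unpack("!BBH", packet[:4])
    if got_ident != ident or not 20 <= length <= len(packet):
        raise ValueError("bad identifier or length field")
    packet = packet[:length]
    attrs = packet[20:]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    want = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(want, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    groups, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        if attrs[i] == FILTER_ID:  # each group arrives in its own attribute
            groups.append(attrs[i + 2:i + attrs[i + 1]].decode("utf-8", "replace"))
        i += attrs[i + 1]
    return code, groups

if __name__ == "__main__":
    host, port, secret = parse_address("radius://ldap.example.com:1812/secret")
    req_auth = bytes(range(16))  # constructed Request Authenticator
    pkt = build_reply(ACCESS_ACCEPT, 7, req_auth, secret, [b"operators", b"viewers"])
    print(host, port, parse_reply(pkt, 7, req_auth, secret))
```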