Authentication using RADIUS (802.1x)
====================================

.. note:: This feature requires Enterprise Edition.

Genian NAC includes a built-in RADIUS server to support 802.1x port-based
access control. In general, 802.1x is widely used to provide improved user
authentication for devices that access wireless networks. In a wired network, a
user authentication function can be provided for a device connected to the
network through a switch supporting 802.1x.

First, enable the RADIUS server. See
:doc:`/controlling/radius-intro`.

For RADIUS authentication against external databases, authentication
integrations must be configured. See: :doc:`../integrate-external`

RADIUS accounting must be activated on the client or in Genian NAC in order
for the node information to be updated.
See :doc:`sso`.

Enable AD Account for RADIUS
----------------------------

#. Go to **Preferences** in the top panel
#. Go to **Service > RADIUS Server** in the left Preferences panel
#. Find **RADIUS Server: AD Account** section and select **On** in the drop-down
#. Enter the following:

   - **Domain Name** (*e.g. genians.com*)
   - **Username** (*Default is Administrator. Account needs to have Admin
     Privileges*)
   - **Password** and retype

#. Click **Update**

Enable URL Account for RADIUS
-----------------------------

#. Go to **Preferences** in the top panel
#. Go to **Service > RADIUS Server** in the left Preferences panel
#. Find **RADIUS Server: URL Account** section and select **On** in the drop-down
#. Enter the following:

   - **URL** (*e.g. http://.com*)
   - **Methods** (*GET, POST*)
   - **Regex for Authentication** (*This regular expression will check for
     successful login*)

#. Click **Update**

Enable Email Authentication for RADIUS
--------------------------------------

#. Go to **Preferences** in the top panel
#. Go to **Service > RADIUS Server** in the left Preferences panel
#. Find **RADIUS Server: Email Authentication** section and select **On** in
   the drop-down
#. Click **Update**

MAC Authentication Bypass
--------------------------

For endpoints that do not support 802.1x, such as printers or IP phones, it may
be necessary to authenticate using the MAC address.

The MAC authentication feature is a mechanism by which incoming traffic
originating from a specific MAC address is forwarded only if the source MAC
address is successfully authenticated by a RADIUS server. The MAC address
itself is used as the username and password for RADIUS authentication. The user
does not need to provide a specific username and password to gain access to the
network.

- If RADIUS authentication for the MAC address is successful, traffic from the
  MAC address is forwarded in hardware.
- If the RADIUS server cannot validate the user's MAC address, then it is
  considered an authentication failure, and a specified authentication-failure
  action can be taken.
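
The following is an added example, not Genian NAC code: it builds the Access-Request a switch would send for MAC authentication and shows how a server can recognize it, using the RFC 2865 ``User-Password`` hiding. It assumes the switch uses PAP and sends the MAC as 12 lowercase hex digits without separators (switch formats vary); the function names, MAC address and shared secret are constructed for illustration.

```python
import hashlib
import os
import re
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2  # RFC 2865 code and attribute types

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR with chained MD5 output."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding with the same shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def build_access_request(user: str, password: str, secret: bytes, authenticator: bytes = b"") -> bytes:
    """PAP Access-Request as a switch (NAS) would send it; identifier fixed to 1 here."""
    authenticator = authenticator or os.urandom(16)
    hidden = hide_password(password.encode(), secret, authenticator)
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v
                     for t, v in ((USER_NAME, user.encode()), (USER_PASSWORD, hidden)))
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet: bytes) -> dict:
    attrs, pos, end = {}, 20, int.from_bytes(packet[2:4], "big")
    while pos + 2 <= end:
        typ, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        attrs[typ] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def is_mab_request(packet: bytes, secret: bytes) -> bool:
    """True when User-Name is a bare MAC and the password is the same string."""
    attrs = parse_attributes(packet)
    user = attrs.get(USER_NAME, b"")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, packet[4:20])
    return re.fullmatch(rb"[0-9a-f]{12}", user) is not None and password == user
```

The hiding only protects the ``User-Password`` attribute between the switch and the RADIUS server; the credential being checked is still the MAC address itself.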

Enabling MAC Authentication
'''''''''''''''''''''''''''

See: :doc:`/controlling/radius/enable-mab`