Using RADIUS Servers for Authentication and Authorization

Firebox SSL VPN Gateway

To specify RADIUS server authentication

1 Click the Authentication tab.
2 In Realm Name, type a name for the authentication realm that you will create, select One Source, and then click Add.
  If your site has multiple authentication realms, use a name that identifies the RADIUS realm for which you will specify settings. Realm names are case-sensitive and can contain spaces.
  Note: If you want the Default realm to use RADIUS authentication, remove the Default realm as described in “Changing the Authentication Type of the Default Realm” on page 65.
3 In Select Authentication Type, choose RADIUS Authentication and click OK.
  The dialog box for the authentication realm opens.
4 In Server IP Address, type the IP address of the RADIUS server.
5 In Server Port, type the port number. The default port number is 1812.
6 In Server Secret, type the RADIUS server secret.
  The server secret is configured manually on the RADIUS server and on the Firebox SSL VPN Gateway.
7 If you use a secondary RADIUS server, enter its IP address, port, and server secret.
  Note: Make sure you use a strong shared secret. A strong shared secret is one that is at least eight characters and includes a combination of letters, numbers, and symbols.

To configure RADIUS authorization

1 Click the Authorization tab and in Authorization Type, select RADIUS Authorization.
  You can use the following authorization types with RADIUS authentication:
  • RADIUS authorization
  • Local authorization
  • LDAP authorization
  • No authorization
2 Complete the settings using the attributes defined in IAS.
  For more information about the values for these fields, see “To configure Microsoft Internet Authentication Service for Windows 2000 Server” on page 70.
3 Click Submit.

Choosing RADIUS Authentication Protocols

The Firebox SSL VPN Gateway supports implementations of RADIUS that are configured to use the Password Authentication Protocol (PAP) for user authentication.
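With PAP, the user's password travels between the gateway and the RADIUS server hidden only by a keystream derived from the shared secret, so the strength of that secret matters. The following Python is an added example, not part of the WatchGuard guide: it generates and checks a secret against the guide's stronger recommendation (at least 22 characters mixing uppercase, lowercase, numbers, and punctuation) and implements the RFC 2865 User-Password hiding to show that dependence; all function names are hypothetical.

```python
import hashlib
import secrets
import string

# Character classes the guide names. Assumption: both the gateway and the
# RADIUS server accept all ASCII punctuation; trim the alphabet if not.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)
MIN_LEN = 22  # minimum length the guide gives for a strong shared secret

def meets_guidance(secret: str) -> bool:
    """True if the secret is long enough and uses every character class."""
    return len(secret) >= MIN_LEN and all(
        any(ch in cls for ch in secret) for cls in CLASSES)

def generate_secret(length: int = 32) -> str:
    """Draw a secret from the OS CSPRNG, retrying until all classes appear."""
    if length < MIN_LEN:
        raise ValueError(f"length must be at least {MIN_LEN}")
    alphabet = "".join(CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_guidance(candidate):
            return candidate

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding, which PAP requests rely on."""
    if len(authenticator) != 16 or not 1 <= len(password) <= 128:
        raise ValueError("need a 16-byte authenticator and a 1-128 byte password")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()  # keystream block
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse; needs the same shared secret and authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")
```

Generate one secret per gateway appliance and enter the same value in Server Secret and in the matching client entry on the RADIUS server.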
Other authentication protocols such as the Challenge-Handshake Authentication Protocol (CHAP) are not supported.

If your deployment of Firebox SSL VPN Gateway is configured to use RADIUS authentication and your RADIUS server is configured to use PAP, you can strengthen user authentication by assigning a strong shared secret to the RADIUS server. Strong RADIUS shared secrets consist of random sequences of uppercase and lowercase letters, numbers, and punctuation and are at least 22 keyboard characters long. If possible, use a random character generation program to determine RADIUS shared secrets.

To further protect RADIUS traffic, assign a different shared secret to each Firebox SSL VPN Gateway appliance. When you define clients on the RADIUS server, you can also assign a separate shared secret to each client. If you do this, you must configure separately each Firebox SSL VPN Gateway realm that uses