In the Forefront UAG Management console, on the Admin menu, click Authentication and Authorization Servers.

On the Authentication and Authorization Servers dialog box, click Add.

In the Server type list, click RADIUS.

On the Add Authentication Server dialog box, configure the following server settings:

• Server name—Name of the server or repository. This name is used when you select the server or repository during the configuration of Forefront UAG. It is also displayed to end users when they are prompted to select a server during authentication.
  
  
• IP address/host—IP address or host name of the RADIUS server.
  
  
• Port—Port number of the RADIUS server.
  
  
• Alternate IP/host—IP address or host name of the alternate RADIUS server.
  
  
• Alternate Port—Port number of the alternate RADIUS server.
  
  
• Secret key—The secret key that will be used to encrypt and decrypt the user password. This key must be identical to the secret key assigned for the Forefront UAG client in the RADIUS authentication server.
  
  
• Support challenge-response modes—To support the RADIUS challenge-response modes, select the Support challenge-response modes check box. Some example challenge-responses are: allowing the user to create a new Private Identification Number (PIN), requiring the user to create a new PIN, and requiring the user to enter the token that is displayed on the authenticator.
  
  
• Use a different server for portal authorization—Applicable in portal trunks only. Select this check box to use a different server, where users and user groups are defined for application authorization. In this case, selecting the RADIUS server for application authorization brings users and user groups from the associated server rather than from the RADIUS server.
  
  
• Select server—Click the server to use for application authorization. You can use one of the following:
  
  
  • Any of the configured authentication servers on which users and user groups are defined, such as NT Domain or Notes Directory.
    
    
  • Built-In Users/Groups—Use the computer’s Windows Local Users and Groups console. To access the console, click Launch Local Users and Groups console.
    
    

  Note:
  Selecting this option does not enable you to define the local computer’s Windows Local Users and Groups console as an authentication server. To define the local computer as the authentication server, select the NT Domain server-type, and enter the name of the local computer in the NT Domain field.

• Extract user group memberships from RADIUS—Select this check box to extract user group memberships from a RADIUS attribute received in the RADIUS Access-Accept packet.
  
  

  Note:
  Make sure the RADIUS server is configured to return each user’s group membership in the attribute you configure here.

  • Attribute Type—Enter the attribute type, using a numerical value. For example, attribute type "Class" is denoted by "25". For a list of the numerical values of the attributes, see RFC 2865 http://www.ietf.org/rfc/rfc2865.txt.
    
    
  • Attribute Format—Enter the format in which the RADIUS server sends the attribute. Attribute format must include the notation <group> to denote the group name position in the value of the RADIUS Access-Accept packet. For example, if the RADIUS group is testing, the format OU=<group>; defines that the string OU=testing; is returned by the server.
    
    

  Note:

  If you select the Use a different server for portal authorization check box, and define a repository of type "Active Directory", make sure that the group names that the RADIUS server returns are in the format of a full DN, because this is the format that Active Directory uses. For example: CN=QA Users,DC=qadomain,DC=comIn this example, the attribute format OU=<group>; defines that the string OU=CN=QA Users,DC=qadomain,DC=com is returned by the server.

On the Add Authentication Server dialog box, click OK, and then on the Authentication and Authorization Servers dialog box, click Close.