RADIUS for UTM Webadmin?

Currently using RADIUS to authenticate users for VPN (L2TP). Works fine.

I have been instructed to add 2FA to the UTM for both VPN and for WebAdmin. We use Duo for 2FA.

I set up a Duo proxy server as described in multiple documents and tied it to the UTM using RADIUS. The problem: how do I specify which users can get to WebAdmin or not? As it stands right now, the UTM sees all RADIUS users the same, so anyone with RADIUS access would be able to get to WebAdmin. Clearly I don't want every single user to have access to WebAdmin.

  • You have a bit of a problem, but it can be overcome with difficulty.   UTM does not know how to retrieve group membership from RADIUS.

    1) Create a new local group.

    Definitions & Users... Users & Groups... Groups (tab)... New Group

    I will assume the group name is "IT Network Admins".

    Group Type is "Static Members". 

    2) Navigate to Management... WebAdmin Settings... General (tab)...

    Add "IT Network Admins" group to the list of Allowed Administrators.

    3) Assuming RADIUS logins do not create a local UTM user, you have to create them manually.

    Definitions & Users... Users & Groups... Users (tab)... [New User]... 

    Ensure that the UTM username exactly matches the RADIUS username.

    Specify Authentication Remote.   

    Repeat for each person who will be using 2FA for WebAdmin.

    4) Configure membership of the "IT Network Admins" group.

    Return to the group definition and populate it with your admin users.

    5) Have the users configure their DUO 2FA settings.
