Skip to main content

SecureAuth® RADIUS Server v20.06 documentation

Updated October 8, 2020

Use the SecureAuth® Identity Platform RADIUS Server to configure two-factor authentication login access to a VPN and remote resources via RADIUS. This optional component is typically installed on a SecureAuth Identity Platform appliance or on a stand-alone server.

See the SecureAuth compatibility guide for product and component compatibility with operating systems, Authenticate app, browsers, Java, data stores, identity types, SSO/post-authentication actions, Login for Windows, Login for Mac, and YubiKey.

Release notes

The following sections describe the release highlights and enhancements, including resolved and known issues, for the SecureAuth RADIUS server version 20.06.

Release highlights

Read on to learn more about the new features in the SecureAuth RADIUS server version 20.06.

Added security for communication between SecureAuth RADIUS Server and the Identity Platform

You can import a certificate to the RADIUS trust store to ensure secure communication between SecureAuth RADIUS and SecureAuth Identity Platform. Enabling self-signed certificates is optional.

Support for high concurrency

SecureAuth RADIUS server supports high concurrency when used with the PEAP protocol. SecureAuth has tested up to 100 parallel connections to the SecureAuth RADIUS server without any connections dropping from the server.

Dashboard metrics for SecureAuth RADIUS Server

Dashboard metrics are available for SecureAuth RADIUS server transactions. These metrics include login information for VPNs and remote server access. View metrics by selecting Home on the left side of the Identity Platform page.

Transactional logging requires SecureAuth Identity Platform v20.06 or later, using the /authenticated endpoint.

Enhancements

Version: 20.06

Release Date: October 8, 2020

Compatibility: Note the following compatibility requirements:

  • SecureAuth IdP v9.2.x or later, and the SecureAuth Identity Platform v19.07 or later

  • Biometric face and fingerprint recognition through SecureAuth Authenticate mobile app and Symbol-to-Accept are compatible with SecureAuth Identity Platform v19.07 or later only.

  • Biometric fingerprint and face (iOS only) recognition require SecureAuth Identity Platform v19.07 or later, using the 2019 theme.

  • Transactional logging requires SecureAuth Identity Platform v20.06 or later, using the /authenticated endpoint.

RAD-503

Administrators can configure the SecureAuth Identity Platform time-out value to maximize successful login requests. This is configured in the appliance.radius.properties file. See Install the SecureAuth® Identity Platform RADIUS Server, step 11.

RAD-510

A guidance message is displayed if a shared secret and realms are not defined for the SecureAuth RADIUS server.

RAD-519

Administrators can enable Syslog logging on the SecureAuth RADIUS Server Settings page without configuration errors.

RAD-532

Administrators can configure the number of Universal Datagram Protocol (UDP) threads that SecureAuth RADIUS can use to receive access-request packets. This is configured in the appliance.radius.properties file. See Install the SecureAuth® Identity Platform RADIUS Server, step 10.

RAD-533

If SecureAuth RADIUS receives multiple simultaneous requests to create a session for the same user, duplicate requests are rejected and the following error message is logged in the log4j2.xml file: "Multiple requests to create a session for the same user arrived simultaneously. Duplicate requests were rejected; check for network issues."

The cause might be network issues that force a load balancer or a VPN server to send requests that arrive at SecureAuth RADIUS at the same time.

RAD-535

In SecureAuth RADIUS, when using the Password | Second Factor workflow with Push-to-Accept as the second factor, a push notification is sent to an end user device when they restart the authentication workflow after ignoring the first push notification.

RAD-556

If your site has installed the SecureAuth RADIUS service on a separate server from the Identity Platform and the certificate authority (CA) that you have to sign your certificate is not installed in SecureAuth Radius trust store, you must import the certificate to the trust store. See Import certificate in RADIUS trust store.

RAD-569

In SecureAuth RADIUS, when using the Username | Second Factor | Password workflow with Symbol-to-Accept as the second factor, RADIUS server authenticates end users only after they input the correct symbol and password.

RAD-597

Import now works on all servers when SecureAuth RADIUS already contains data and when it is empty.

Known issues

RAD-482

If the SecureAuth RADIUS server stops sending responses or is down, the administrator might need to increase memory.

Workaround: See the Increase memory for RADIUS server troubleshooting topic for guidance.

RAD-607

When setting shared secrets in the RADIUS Client tab, then export the config file, the exported config files are corrupted.

Workaround 1: If you have imported the corrupted config file to a new RADIUS server, set the shared secret for each RADIUS client again.

Workaround 2: Upgrade to SecureAuth RADIUS Server version 20.12 before exporting the config file.