Skip to main content

Prerequisites for RADIUS server, v20.06

If you are a new customer, for optimum performance, especially for large enterprises, install the SecureAuth RADIUS server separately from the IdP or Identity Platform server. If in doubt, contact SecureAuth Support.

  • SecureAuth IdP version 9.1 or later

  • Hybrid: Authentication API (v9.1+) configured and enabled on the realm

  • Cloud: Authentication Apps (19.07+) configured and enabled on Identity Platform, plus Authentication API (v9.2+) configured and enabled on the realm

  • If you use a load balancer:

    When you use Push-to-Accept, Symbol-to-Accept, or Link-to-Accept MFA methods with SecureAuth RADIUS Server, you must enable session persistence ("sticky sessions") on the load balancer to maintain state with the Identity Platform. SecureAuth RADIUS Server supports cookie-based persistence only.

    You don't need to enable session persistence if RADIUS Server is installed on the Identity Platform server or is targeted directly (not load-balanced).

Supported SecureAuth IdP features

See the SecureAuth compatibility guide for product and component compatibility with operating systems, Authenticate app, browsers, Java, data stores, identity types, SSO/post-authentication actions, Login for Windows, Login for Mac, and YubiKey.

SecureAuth IdP features

SecureAuth IdP version

Configuration notes

Adaptive Authentication


Configure threat checking for:

  • User Groups – See Adaptive Authentication for RADIUS responses with user group checking enabled.

  • End user Client IPs – Cisco, NetScaler, and Palo Alto Networks platforms only.



Attribute Mapping


Configure and enable Identity Management API (v9.1+) on the realm to grant / deny end user login access.

Group based authentication – Optionally configure Membership Connection Settings to grant / deny login access:

  • Specify the name of the user group to be granted / denied access, or

  • Designate a Property from Profile Fields to identify the user group to be granted / denied access.

UPN Logon


Multi-Factor Authentication methods

SecureAuth IdP version

SecureAuth IdP v9.x supported server and required components

Time-based One-Time Passcode (TOTP)


NetMotion Wireless VPN:

  • PEAP protocol support requirements:

    • Public or private certificate

    • .PFX file

    • Private Key and Private Key Password

  • Microsoft Visual C++ requirements:

    • x64 version of Redistributable for Visual Studio 2012 Update 4installed on the Windows server on which SecureAuth IdP RADIUS server is deployed

NOTE: SecureAuth employees, refer to NetMotion Mobility RADIUS configuration guide.

HMAC-based One-Time Passcode (HOTP)


SMS (OTP only)




Email (OTP only)


Passcode OTP (Push Notification)


Mobile Login Request




Yubico OTP Token


Symbol-to-Accept (Protect package and higher only)


Fingerprint Recognition (Prevent package only)

v19.07+, using 2019 theme

Face Recognition (Prevent package only)

v19.07+, using 2019 theme