SecureAuth® RADIUS Server v20.06 documentation

RAD-318

A message is displayed if a client is not defined in the Client list when the client attempts to make an authentication request to the RADIUS endpoint.

RAD-324

Validation checks ensure that the following hosts and addresses are correctly defined so that the RADIUS client can connect to SecureAuth IdP: Client IdP Host (RADIUS Clients page) and Primary IdP Host and Backup IdP Host (IdP Realms page).

RAD-333

When RADIUS sends a push-to-accept notification to SecureAuth IdP, sometimes the delivery is not completed to the end user; a new guidance message is displayed in the VPN client to help guide end users to a successful authentication.

RAD-351

RAD-483

The log file was enhanced to show better messaging with guidance if the reply message packet exceeds the maximum length of 4096 bytes. Also, the log file shows more readable output when there is a SocketTimeoutException.

RAD-387

A fresh installation is added by default in the C:\Program Files directory (not C:\Program Files (x86)) because SecureAuth RADIUS Server runs on the 64-bit version of the JDK.

An upgrade to an installation directory of C:\Program Files (x86) will not change the directory path to C:\Program Files.

RAD-406

Add an optional radius.oath.strategy property to the "appliance.radius.properties" file if end users in your organization have multiple devices and you want to let them select which device to authenticate with. SecureAuth RADIUS server supports both HOTP and TOTP in seed and token modes.

RAD-417

In the RADIUS Clients page, administrators can add and remove standard RADIUS identifiers and their values, which is useful for restricting access and enabling additional control over the client configuration.

RAD-418

Each SecureAuth RADIUS client has its own optional, local, shared secret for authenticating with SecureAuth IdP. If a local shared secret is not specified, the SecureAuth RADIUS client uses the global shared secret, which is defined on the "RADIUS Server Settings" page.

RAD-439

Organizations that use MS-CHAPv2 can have a network policy server (NPS) for each RADIUS client by configuring the IP Address and Port fields in the new NPS Proxy Configuration section on the RADIUS Clients page. You no longer must restart the RADIUS server after setting the NPS proxy values.

RAD-471

Customers running AIX servers can now use SecureAuth RADIUS server to provide MFA capabilities. See the AIX tab in the PAM RADIUS installation and configuration guide, which gives general setup guidance; please refer to your PAM RADIUS documentation for specific setup instructions.

RAD-392

For PAM RADIUS customers, the Linux setup hides the end user password and OTP on the login screen.

RAD-415

When using the TOTP or HOTP method, on first login, RADIUS server sends a deny access request for a fake user. (This is useful in focused use cases; this change has no impact on the majority of organizations.)

RAD-493

A RADIUS client is created correctly, without a 400 error.

RAD-485

Invalid characters in user IDs sent to the RADIUS server are handled appropriately; SecureAuth RADIUS sends an Access-Reject message to the log if an invalid user ID is used. See Enable RADIUS server logs.

RAD-486

Sites using MFA throttling are no longer locked out of their accounts after successful logins with push notifications.

RAD-482

If the SecureAuth RADIUS server stops sending responses or is down, the administrator might need to increase memory.

Workaround: See the Increase memory for RADIUS server troubleshooting topic for guidance.

RAD-489

The VPN closes the connection between SecureAuth RADIUS and the VPN server because of a timeout issue. When this occurs, end users log into the VPN, but they are not sent an MFA screen.

Workaround: Ensure that the VPN server timeout is set higher than 30 seconds, for example, 45 or 60 seconds, depending on the location of the VPN server.

RAD-607

When setting shared secrets in the RADIUS Client tab, then export the config file, the exported config files are corrupted.

Workaround 1: If you have imported the corrupted config file to a new RADIUS server, set the shared secret for each RADIUS client again.

Workaround 2: Upgrade to SecureAuth RADIUS Server version 20.12 before exporting the config file.

TW-926

When upgrading to the Identity Platform v19.07 or later, admins must use the 2019 theme and end users who already use the SecureAuth Authenticate app must reconnect their accounts to add the ability to accept biometric push notifications to use face (iOS) or fingerprint recognition through the mobile app.

Workaround: None

RAD-220

SecureAuth RADIUS supports the help desk OTP multi-factor authentication method.

RAD-290

In the RADIUS Server Settings screen, selecting Import Settings or Import PEAP Certificate displays the same interface.

RAD-305

SecureAuth RADIUS supports the mobile biometric multi-factor authentication method, including face and fingerprint recognition.

RAD-315

SecureAuth RADIUS supports the mobile symbol-to-accept multi-factor authentication method.

RAD-327

SecureAuth RADIUS supports Windows Server 2019.

RAD-340

In the RADIUS Server Settings screen, use the "eye" icon to show characters as you type a shared secret instead of seeing dots.

RAD-364

SecureAuth RADIUS automatically checks the validity of the value added to IdP Realm in the RADIUS Clients screen, SecureAuth IdP Settings section. If invalid, the error message now provides guidance to correct the value.

RAD-49

SecureAuth RADIUS PIN option is displayed when using the Password | Second Factor workflow.

RAD-229

SecureAuth RADIUS passes framed-IP-Address, stored in the Active Directory msRADIUSFramedIPAddress user attribute, to dictate which IP address the AnyConnect user will be assigned to.

RAD-285

SecureAuth RADIUS end users receiving a OTP through SMS or text in the Authentication app will see the device name; that is, the device name will not be masked.

RAD-289

Administrators receive an improved error message with guidance when uploading a corrupt or invalid configuration file.

RAD-291

When entering a Shared Secret in the RADIUS Server Settings, the secret is now masked.

RAD-294

When Syslog logging is enabled and invalid characters or values are used, the Syslog port returns error messages that are consistent with other parts of the RADIUS server.

RAD-311, RAD-293

When the admin configures SecureAuth RADIUS, only valid numbers (1-65535) are allowed or the Authentication Port setting will not be saved. (The Authentication Port cannot be empty.)

RAD-325

Sites that have integrated NetMotion Wireless Mobility server with SecureAuth RADIUS will not see an error during Username | Second Factor login if the NetMotion Auto-Response Mode is disabled. See NetMotion Mobility RADIUS configuration guide for details.

RAD-328

When end users log in by using the SecureAuth RADIUS PIN | OTP workflow through any VPN client, access is denied if end user logs in with username and password. End users must enter a PIN and OTP.

RAD-329

When end users log in by using the SecureAuth RADIUS Password | OTP workflow through any VPN client, access is denied if end user logs in with username and PIN. End users must enter a password and OTP.

RAD-332

Admins are required to log in as administrator to install SecureAuth RADIUS. If already logged in as administrator, no further action is necessary.

RAD-355

A guidance message now informs admins to check that "User Management" is enabled in the API realm in "API Permissions." The setting enables the IdP API to retrieve user profiles.

RAD-356

Admins no longer need to add the OTPFieldMapping key to the IdP Web Config file if running SecureAuth Identity Platform 19.07 or later hybrid or cloud.

TW-774

In the Classic Experience, in the API Permissions section, under "Authentication," leave the OTP Validation Property dropdown blank to ensure the API works correctly with the SecureAuth RADIUS server on the cloud and hybrid model of SecureAuth® Identity Platform version 19.07 or later.

TW-926

When upgrading to the Identity Platform v19.07 or later, admins must use the 2019 theme and end users who already use the SecureAuth Authenticate app must reconnect their accounts to add the ability to accept biometric push notifications to use face (iOS) or fingerprint recognition through the mobile app.

Workaround: None

RAD-241

SecureAuth RADIUS supports MS-CHAPv2, as documented in MS-CHAPv2 and RADIUS (SP-initiated) for Cisco and Netscaler configuration guide.

RAD-258

SecureAuth RADIUS masks all phone numbers consistently with asterisks, regardless of the format in which they are saved in Active Directory.

RAD-259

SecureAuth RADIUS supports Yubico OTP token as a second-factor passcode, in the "Username | Second Factor" and "Username | Second Factor | Password" workflows.

RAD-271

SecureAuth RADIUS supports the "Yubico OTP only" workflow, where end users can use the YubiKey code as the password.

RAD-272

SecureAuth RADIUS supports Yubico OTPtoken as the password or passcode, in the "Password | Yubico One-Time Passcode" workflow.

RAD-273

SecureAuth RADIUS now uses the AdoptOpenJDK 8 Java Runtime Environment (JRE), and no longer uses the Oracle JRE.

RAD-301

SecureAuth RADIUS supports PAM RADIUS version pam_radius-1.4.0-2.el7.x86_64 and earlier.

RAD-195

Toast (pop-up) messages in Realms and Clients tabs are implemented and work correctly.

RAD-257

Clicking the Add Attribute text in the Static Value Mapping section of the RADIUS Client tab no longer adds a custom attribute to the page.

RAD-261

The Import Settings and Export Settings buttons were moved into the RADIUS Server Settings section on the Settings tab.

RAD-262

If end users receive a login screen after they have logged in with a 2FA passcode method of SMS/Text, Voice, Email, or Send passcode to mobile app, a guidance message in the log file explains the following workaround for administrators:

In order to avoid errors with 2FA passcode methods, ensure that the following key is removed from the SecureAuth Identity Platform Web Config file in the appSettings section:

<add key="OTPFieldMapping" value="<SecureAuth IdP Profile Property>" />

RAD-265

Connections to disabled realms fail as expected because the realm is inactive.

RAD-268

The first created IdP realm is automatically assigned to the default RADIUS client.

RAD-270

End users receive better error messages with guidance when using NetMotion to import the PEAP certificate for a machine.

RAD-282

Administrators can create a valid personal exchange format (PFX) certificate without a password and import it into a RADIUS Protected Extensible Authentication Protocol (PEAP) page.

RAD-295

End user cannot connect to VPN using a deleted shared secret value.

RAD-300

The "Password | One-Time Passcode (TOTP/HOTP) or Second Factor" workflow was renamed to "Password | Second Factor".

RAD-302

On Firefox Quantum versions 67.0.2 and 67.0.4, if end users set an attribute with invalid characters, they can remove the attribute row without saving or leaving the page.

RAD-304

Administrators cannot select the installation path in an upgrade process. The directory can be selected only in a new installation. (Documentation was corrected.)

RAD-306

After converting SecureAuth RADIUS from SAM to UPN by adding a domainUPNSuffixes.properties file, end users can now log into a RADIUS Client, with PEAP as its authentication schema, by using a UPN-format username.

RAD-83

A warning is displayed when an installation of an older version of RADIUS is attempted while a newer version is installed.

RAD-150

End users' phone numbers and email addresses displayed in authentication applications are hidden consistently with asterisks.

RAD-218

TOTP and HOTP with YubiKey as second factor is supported in RADIUS version 2.5.1.

RAD-237

RADIUS client user interface and documentation were refreshed with the latest brand logo and color.

RAD-238

SecureAuth RADIUS supports Windows Server 2016.

RAD-179

SonicWall NetExtender created a hotfix to resolve a RADIUS client problem with 2FA methods. All 2FA methods are available.

RAD-202

Editing and saving a disabled realm no longer enables the realm.

RAD-204

The Static Value field is empty by default in the RADIUS Client tab, in the Static Value Mapping section.

RAD-206

The Static Value field allows up to 247 characters in the RADIUS Client tab, in the Static Value Mapping section.

RAD-208

Uppercase letters are allowed in the Static Value field, in the RADIUS Client tab, in the Static Value Mapping section.

RAD-212

Clicking the context-sensitive help (small i) over a disabled client setting shows information for disabled clients in the RADIUS Client tab.

RAD-249

Numerous minor bug fixes were completed.

RAD-252

When creating a RADIUS client and clicking the Add Attribute button, the client is no longer saved when the Add Client button is not selected.

RAD-253

RADIUS client attribute values are restricted to the supported RADIUS protocol length of 253 bytes.

TW-698

The FileSync Service version installed on SecureAuth IdP is now documented in the RADIUS Installation Guide.

RAD-210

When running the RADIUS client with the Pulse Secure client and 2FA options, Pulse Secure limits the maximum number of characters to 210. End users can see all options in the Pulse Secure web client when the number of characters is less than 210.

A second Pulse Secure limitation causes options 5 - 8 to be cut off from end users' view on the 2FA list. End users can select options 5 - 8, even though they are off-screen and there is no scrollbar.

Optionally, modify text in the RADIUS uiTextsBundle.properties configuration file to shorten messages from the multi-factors message. See "Modify text showing on client user interface during login"Configuration guide - v2.5 - SecureAuth IdP RADIUS server.

---

IdP realms and RADIUS clients can be disabled and enabled.

RAD-13

Authentication workflow names are standardized for consistency with IdP naming conventions.

RAD-44

Additional logging is available for Adaptive Authentication steps.

RAD-58

Text hints appear on the IdP Realm page.

RAD-91

Toggling is available on RADIUS clients page to enter either a NAS-IP or client IP address.

RAD-107

Single page workflow was added for Username, Second Factor, and Password.

RAD-110

Wild cards are supported when defining RADIUS client IP values.

RAD-143

One or more backup IdP hosts can be specified for failover functionality.

RAD-147

PIN + TOTP end user workflow was added.

RAD-215

Custom API header with millisecond-precision dates now works with SecureAuth IdP version 9.2