Prerequisites

Before you set up SecureAuth RADIUS, review the following prerequisites.

For optimum performance in a large organization, consider installing or upgrading SecureAuth RADIUS separately from the Identity Platform server.

If you have any questions, contact SecureAuth Support.

The latest version of SecureAuth RADIUS is backwards compatible with previous Identity Platform releases
Hybrid deployments: SecureAuth IdP 9.3 or Identity Platform 19.07 or later, with Authentication API configured and enabled on the realm
Cloud deployments: Identity Platform 19.07 or later, with Authentication Apps configured and enabled. And Authentication API configured and enabled on the realm.
If you use a load balancer:
When you use Push-to-Accept, Symbol-to-Accept, or Link-to-Accept MFA methods with SecureAuth RADIUS Server, you must enable session persistence ("sticky sessions") on the load balancer to maintain state with the Identity Platform. SecureAuth RADIUS Server supports cookie-based persistence only.
You don't need to enable session persistence if RADIUS Server is installed on the Identity Platform server or is targeted directly (not load-balanced).

Supported SecureAuth Identity Platform features

See the SecureAuth compatibility guide for product and component compatibility with operating systems, Authenticate app, browsers, Java, data stores, identity types, SSO/post-authentication actions, Login for Windows, Login for Mac, and YubiKey.

Identity Platform features

SecureAuth Identity Platform features	SecureAuth Identity Platform release	Configuration notes
Adaptive Authentication	9.3 or later	Configure threat checking for: User Groups – See Adaptive Authentication for RADIUS responses with user group checking enabled. End user Client IPs – Cisco, NetScaler, and Palo Alto Networks platforms only. To learn more, see Authentication API guide
Push-to-Accept	9.3 or later	To learn more, see Multi-factor app enrollment QR code configuration
Attribute Mapping	9.3 or later	Configure and enable Identity Management API on the realm to grant or deny end user login access. Group based authentication – Optionally configure Membership Connection Settings to grant or deny login access: Specify the name of the user group to be granted or denied access, or Designate a Property from Profile Fields to identify the user group to be granted or denied access. To learn more, see Data Tab Configuration.

Multi-Factor Authentication methods

Multi-Factor Authentication methods	SecureAuth Identity Platform release	Configuration notes
Time-based One-Time Passcode (TOTP)	9.3 or later	To learn more about Multi-Factor Authentication methods, see Multi-Factor Tabs configuration and its related topics.
HMAC-based One-Time Passcode (HOTP)	9.3 or later
SMS (OTP only)	9.3 or later
Phone	9.3 or later
Email (OTP only)	9.3 or later
Passcode OTP (Push Notification)	9.3 or later
Mobile Login Request	9.3 or later
PIN	9.3 or later
Yubico OTP TokenYubico OTP Token	9.3 or later
Symbol-to-Accept (Protect package and higher only)	9.3 or later
Fingerprint Recognition (Prevent package only)	19.07 or later, using 2019 theme
Face Recognition (Prevent package only)	19.07 or later, using 2019 theme

SecureAuth IdP 9.3 supported server and required components

VPN requirements:

Support for PEAP protocol:
- Public or private certificate
- .PFX file
- Private Key and Private Key Password
Microsoft Visual C++:
- x64 version of Redistributable for Visual Studio 2012 Update 4 installed on the Windows server on which SecureAuth Identity Platform RADIUS server is deployed

To learn more about configuring a VPN, see NetMotion Mobility RADIUS configuration guide as a general reference.

Port settings

Inbound:

Allow RADIUS Listener – The Default is UDP port 1812.
Block TCP port 8088 – This port is used for the administrative web interface and should be blocked for security reasons.

RADIUS VPN and Product Support

The following basic connectivity parameters must be configured on RADIUS clients to be used with the Identity Platform:

RADIUS server IP address
Shared secret to use between the RADIUS server and RADIUS clients
Port 1812 to use for RADIUS authentication requests, and Port "0" for accounting when applicable or if used as the default port
Timeout value Retries value
Connection profile that will use the SecureAuth RADIUS authentication serverGroup policy of the connection profile to identify resources end users can access once logged on the network
A valid certificate must be installed if using a VPN.

Sample RADIUS configuration

The following is a sample RADIUS authentication server configuration:

Add Server Dialog	SecureAuth Identity Platform RADIUS Server Information	Notes
Name	RADIUS Server friendly description name	This configuration enables the administrator to control static IP assignment of the VPN client via SecureAuth Identity Platform and the RADIUS server. NOTE: SecureAuth IdP RADIUS server version 19.06 or later can be configured to pass an IP address to the VPN for static IP assignment to the VPN client. For example, PC or Mac. Contact SecureAuth Support to learn more.
RADIUS Server	IP Address or Name of the RADIUS Server
Authentication Port	1812
Shared Secret	SecureAuth RADIUS Shared Secret
Timeout	60 Seconds (recommended)
Retries	3 (recommended)

In this section: