Prerequisites for RADIUS server

For new deployments, and especially in large enterprises, install the SecureAuth RADIUS server on a separate host from the Identity Platform server for optimum performance. If in doubt, contact SecureAuth Support.

  • SecureAuth® Identity Platform version 9.3 or later

  • Hybrid: Authentication API (v9.3+) configured and enabled on the realm

  • Cloud: Authentication Apps (19.07+) configured and enabled on Identity Platform, plus Authentication API (v9.3+) configured and enabled on the realm

  • If you use a load balancer:

    When you use Push-to-Accept, Symbol-to-Accept, or Link-to-Accept MFA methods with SecureAuth RADIUS Server, you must enable session persistence ("sticky sessions") on the load balancer to maintain state with the Identity Platform. SecureAuth RADIUS Server supports cookie-based persistence only.

    You don't need to enable session persistence if RADIUS Server is installed on the Identity Platform server or is targeted directly (not load-balanced).

Supported SecureAuth Identity Platform features

See the SecureAuth compatibility guide for product and component compatibility with operating systems, Authenticate app, browsers, Java, data stores, identity types, SSO/post-authentication actions, Login for Windows, Login for Mac, and YubiKey.

SecureAuth Identity Platform features, the minimum Identity Platform version that supports each, and configuration notes:

  • Adaptive Authentication – v9.3+

    Configure threat checking for:

    • User Groups – See Adaptive Authentication for RADIUS responses with user group checking enabled.

    • End user Client IPs – Cisco, NetScaler, and Palo Alto Networks platforms only.

  • Push-to-Accept – v9.3+

  • Attribute Mapping – v9.3+

    Configure and enable Identity Management API (v9.3+) on the realm to grant or deny end user login access.

    Group-based authentication – Optionally configure Membership Connection Settings to grant or deny login access:

    • Specify the name of the user group to be granted or denied access, or

    • Designate a Property from Profile Fields to identify the user group to be granted or denied access.

  • UPN Logon – v9.3+

Multi-Factor Authentication methods, the minimum Identity Platform version that supports each, and the supported server and required components (SecureAuth Identity Platform v9.3):

  • Time-based One-Time Passcode (TOTP) – v9.3+*

    NetMotion Wireless VPN:

    • PEAP protocol support requirements:

      • Public or private certificate

      • .PFX file

      • Private Key and Private Key Password

    • Microsoft Visual C++ requirements:

    NOTE: SecureAuth employees, refer to NetMotion Mobility RADIUS configuration guide.

  • HMAC-based One-Time Passcode (HOTP) – v9.3+*

  • SMS (OTP only) – v9.3+*

  • Phone – v9.3+*

  • Email (OTP only) – v9.3+*

  • Passcode OTP (Push Notification) – v9.3+*

  • Mobile Login Request – v9.3+*

  • PIN – v9.3+*

  • Yubico OTP Token – v9.3+*

  • Symbol-to-Accept (Protect package and higher only) – v9.3+

  • Fingerprint Recognition (Prevent package only) – v19.07+, using 2019 theme

  • Face Recognition (Prevent package only) – v19.07+, using 2019 theme

  • Link-to-Accept (Protect package and higher only) – v19.07.01-25+ and v20.06-2+

* Links to 9.1/9.2 documentation, but information is valid for v9.3+

Port Settings

Inbound:

  • Allow RADIUS Listener – Default is UDP port 1812.

  • Block TCP port 8088 – This port serves the RADIUS Server administrative web interface and should be blocked inbound for security reasons.

RADIUS VPN and Product Support

The following basic connectivity parameters must be configured on RADIUS clients to be used with the Identity Platform:

  • RADIUS server IP address

  • Shared secret to use between the RADIUS server and RADIUS clients

  • Port 1812 for RADIUS authentication requests, and port "0" for accounting where the client asks for an accounting port (or the client's default accounting port, if applicable)

  • Timeout value

  • Retries value

  • Connection profile that will use the SecureAuth RADIUS authentication server

  • Group policy of the connection profile to identify resources end users can access once logged on the network

A valid certificate must be installed if using NetMotion Wireless VPN.

The following is a sample RADIUS authentication server configuration (Add Server dialog field, followed by the SecureAuth Identity Platform RADIUS Server information to enter):

  • Name – RADIUS Server friendly description name

  • RADIUS Server – IP Address or Name of the RADIUS Server

  • Authentication Port – 1812

  • Shared Secret – SecureAuth RADIUS Shared Secret

  • Timeout – 60 Seconds (recommended)

  • Retries – 3 (recommended)

Notes: This configuration enables the administrator to control static IP assignment of the VPN client via SecureAuth Identity Platform and the RADIUS server.

NOTE: SecureAuth IdP RADIUS server v19.06 or later can be configured to pass an IP address to the VPN for static IP assignment to the VPN client (for example: PC or Mac). See SecureAuth IdP RADIUS Server Static IP Address Configuration Guide for steps.
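The connectivity parameters listed above and the sample dialog values (server address, shared secret, authentication port 1812, a 60-second timeout and 3 retries) are exactly what a RADIUS client puts on the wire. The following Python script is an added example, not code from the SecureAuth documentation or product: it builds an RFC 2865 Access-Request the way a VPN appliance does, hides the PAP password with the shared secret, signs the request with a Message-Authenticator, re-sends on timeout according to the Timeout and Retries settings, and refuses any reply whose Response Authenticator does not verify under the secret. The server address 192.0.2.10, NAS address 192.0.2.20, the secret and the credentials are constructed lab values; the function names are the example's own.

```python
import hashlib
import hmac
import os
import socket
import struct

# Constructed lab values (assumptions, not from the SecureAuth documentation).
RADIUS_SERVER = ("192.0.2.10", 1812)   # RADIUS Server IP address and authentication port
SHARED_SECRET = b"lab-shared-secret"   # must match the client entry on the SecureAuth RADIUS Server
TIMEOUT_SECONDS = 60                    # the recommended Timeout from the sample configuration
RETRIES = 3                             # the recommended Retries from the sample configuration

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80

def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each block with MD5(secret + previous ciphertext block),
    seeded with the Request Authenticator. Only the secret stands between a sniffer and the password."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def decrypt_password(encrypted: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same scheme: each key is derived from the previous ciphertext block."""
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        out += bytes(a ^ b for a, b in zip(encrypted[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = encrypted[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(type_: int, value: bytes) -> bytes:
    return struct.pack("!BB", type_, len(value) + 2) + value

def parse_attributes(packet: bytes):
    """Yield (type, value, offset) for each attribute after the 20-byte header; reject malformed lengths."""
    pos = 20
    while pos + 2 <= len(packet):
        type_, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed RADIUS attribute")
        yield type_, packet[pos + 2:pos + length], pos
        pos += length

def build_access_request(identifier, username, password, nas_ip, request_authenticator, secret=SHARED_SECRET):
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, encrypt_password(password.encode(), secret, request_authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(MESSAGE_AUTHENTICATOR, b"\x00" * 16))   # placeholder, filled in below
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_authenticator
    # Message-Authenticator (RFC 2869 5.14): HMAC-MD5 over the packet with this attribute's value zeroed.
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def request_is_authentic(packet: bytes, secret: bytes) -> bool:
    """What the server checks: the Message-Authenticator proves the sender holds the shared secret."""
    for type_, value, offset in parse_attributes(packet):
        if type_ == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:offset + 2] + b"\x00" * 16 + packet[offset + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False

def build_response(code, identifier, attrs, request_authenticator, secret):
    """RFC 2865 3: Response Authenticator = MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    head = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs

def response_is_authentic(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """What the client checks before believing an Access-Accept: a reply forged without the secret fails here."""
    if len(response) < 20:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    if length < 20 or length > len(response):
        return False
    response = response[:length]                       # octets beyond Length are padding and are ignored
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def authenticate(username, password, nas_ip="192.0.2.20", server=RADIUS_SERVER,
                 secret=SHARED_SECRET, timeout=TIMEOUT_SECONDS, retries=RETRIES) -> bool:
    """Send one Access-Request and re-send the identical packet on timeout, as the Timeout/Retries settings do."""
    identifier, request_authenticator = os.urandom(1)[0], os.urandom(16)
    packet = build_access_request(identifier, username, password, nas_ip, request_authenticator, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(1 + retries):
            sock.sendto(packet, server)
            try:
                reply, _peer = sock.recvfrom(4096)
            except socket.timeout:
                continue
            # A reply with a bad Response Authenticator or the wrong Identifier is stray or forged: discard it.
            if not response_is_authentic(reply, request_authenticator, secret) or reply[1] != identifier:
                continue
            return reply[0] == ACCESS_ACCEPT
    return False
```

Calling `authenticate("alice", "Pa55w0rd!")` against a lab server exercises the whole exchange; with the page's recommended values a request that gets no authentic reply does not fail until 60 seconds times 4 attempts have elapsed, so set the timeout with the MFA method in mind (a Push-to-Accept prompt needs time for the user to respond). Because password hiding and both authenticators rest entirely on MD5 and the shared secret, use a long random secret per client and keep UDP 1812 reachable only from the RADIUS clients, which is the point of the port settings above.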