Prerequisites for SecureAuth RADIUS Server

Before you set up SecureAuth RADIUS, review the following prerequisites.

For optimum performance in a large organization, consider installing or upgrading SecureAuth RADIUS separately from the Identity Platform server.

If you have any questions, contact SecureAuth Support.

  • Applicable to Identity Platform release 9.2 or later

  • Hybrid deployments: SecureAuth IdP 9.3 or Identity Platform 19.07 or later, with Authentication API configured and enabled on the realm

  • Cloud deployments: Identity Platform 19.07 or later, with Authentication Apps configured and enabled, and with Authentication API configured and enabled on the realm

  • If you use a load balancer:

    When you use Push-to-Accept, Symbol-to-Accept, or Link-to-Accept MFA methods with SecureAuth RADIUS Server, you must enable session persistence ("sticky sessions") on the load balancer to maintain state with the Identity Platform. SecureAuth RADIUS Server supports cookie-based persistence only.

    You don't need to enable session persistence if RADIUS Server is installed on the Identity Platform server or is targeted directly (not load-balanced).

Supported SecureAuth Identity Platform features

See the SecureAuth compatibility guide for product and component compatibility with operating systems, Authenticate app, browsers, Java, data stores, identity types, SSO/post-authentication actions, Login for Windows, Login for Mac, and YubiKey.

Identity Platform features

SecureAuth Identity Platform features, with the supporting SecureAuth Identity Platform release and configuration notes:

Adaptive Authentication (9.3 or later)

Configure threat checking for:

  • User Groups – See Adaptive Authentication for RADIUS responses with user group checking enabled.

  • End user Client IPs – Cisco, NetScaler, and Palo Alto Networks platforms only.

To learn more, see Authentication API guide.

Push-to-Accept (9.3 or later)

To learn more, see Multi-factor app enrollment QR code configuration.

Attribute Mapping (9.3 or later)

Configure and enable Identity Management API on the realm to grant or deny end user login access.

Group based authentication – Optionally configure Membership Connection Settings to grant or deny login access:

  • Specify the name of the user group to be granted or denied access, or

  • Designate a Property from Profile Fields to identify the user group to be granted or denied access.

To learn more, see Data Tab Configuration.

Multi-Factor Authentication methods

Multi-Factor Authentication methods, with the supporting SecureAuth Identity Platform release:

  • Time-based One-Time Passcode (TOTP) – 9.3 or later

  • HMAC-based One-Time Passcode (HOTP) – 9.3 or later

  • SMS (OTP only) – 9.3 or later

  • Phone – 9.3 or later

  • Email (OTP only) – 9.3 or later

  • Passcode OTP (Push Notification) – 9.3 or later

  • Mobile Login Request – 9.3 or later

  • PIN – 9.3 or later

  • Yubico OTP Token – 9.3 or later

  • Symbol-to-Accept (Protect package and higher only) – 9.3 or later

  • Fingerprint Recognition (Prevent package only) – 19.07 or later, using 2019 theme

  • Face Recognition (Prevent package only) – 19.07 or later, using 2019 theme

Configuration notes: To learn more about Multi-Factor Authentication methods, see Multi-Factor Tabs configuration and its related topics.

SecureAuth IdP 9.3 supported server and required components

NetMotion Wireless VPN:

  • PEAP protocol support requirements:

    • Public or private certificate

    • .PFX file

    • Private Key and Private Key Password

  • Microsoft Visual C++ requirements:

To learn more about configuring NetMotion Wireless VPN, see NetMotion Mobility RADIUS configuration guide.

Port settings

Inbound:

  • Allow RADIUS Listener – The default is UDP port 1812.

  • Block TCP port 8088 – This port is used for the administrative web interface and should be blocked for security reasons.

RADIUS VPN and Product Support

The following basic connectivity parameters must be configured on RADIUS clients to be used with the Identity Platform:

  • RADIUS server IP address

  • Shared secret to use between the RADIUS server and RADIUS clients

  • Port 1812 to use for RADIUS authentication requests, and Port "0" for accounting when applicable or if used as the default port

  • Timeout value

  • Retries value

  • Connection profile that will use the SecureAuth RADIUS authentication server

  • Group policy of the connection profile to identify resources end users can access once logged on the network

  • A valid certificate must be installed if using NetMotion Wireless VPN.

Sample RADIUS configuration

The following is a sample RADIUS authentication server configuration:

Add Server Dialog fields, with the corresponding SecureAuth Identity Platform RADIUS Server information:

  • Name – RADIUS Server friendly description name

  • RADIUS Server – IP Address or Name of the RADIUS Server

  • Authentication Port – 1812

  • Shared Secret – SecureAuth RADIUS Shared Secret

  • Timeout – 60 Seconds (recommended)

  • Retries – 3 (recommended)

Notes: This configuration enables the administrator to control static IP assignment of the VPN client via SecureAuth Identity Platform and the RADIUS server.

NOTE: SecureAuth IdP RADIUS server version 19.06 or later can be configured to pass an IP address to the VPN for static IP assignment to the VPN client (for example, a PC or Mac). Contact SecureAuth Support to learn more.
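
The client parameters listed above (shared secret, authentication port 1812, timeout, retries) determine how a RADIUS client builds requests and decides which replies to trust. The following Python code is an added example, not SecureAuth code or part of the original page: it builds a PAP Access-Request per RFC 2865 with a Message-Authenticator attribute, and accepts only replies whose Response Authenticator verifies against the shared secret. The function names, the choice of PAP and the defaults wired to the sample values are assumptions for illustration.

```python
# Added example (not SecureAuth code): minimal RFC 2865 PAP client logic.
import hashlib, hmac, os, socket, struct

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = (password + bytes(-len(password) % 16)) or bytes(16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(user, password, secret, ident, request_auth):
    attrs = b""
    for typ, val in ((1, user.encode()),  # User-Name
                     (2, hide_password(password.encode(), secret, request_auth))):
        attrs += struct.pack("!BB", typ, len(val) + 2) + val
    # Message-Authenticator (type 80): HMAC-MD5 over the packet with its value zeroed.
    head = struct.pack("!BBH", 1, ident, 20 + len(attrs) + 18) + request_auth
    body = head + attrs + struct.pack("!BB", 80, 18)
    return body + hmac.new(secret, body + bytes(16), "md5").digest()

def response_is_authentic(reply, request_auth, secret):
    """RFC 2865 3: authenticator = MD5(code+id+length+request_auth+attrs+secret)."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def authenticate(server, user, password, secret, port=1812, timeout=60, retries=3):
    """Return the reply code (2 Accept, 3 Reject, 11 Challenge), or None if no valid reply."""
    ident, request_auth = os.urandom(1)[0], os.urandom(16)
    packet = build_access_request(user, password, secret, ident, request_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _attempt in range(1 + retries):
            sock.sendto(packet, (server, port))  # same packet on every retransmission
            try:
                reply, _addr = sock.recvfrom(4096)
            except socket.timeout:
                continue
            # Ignore replies that were not computed with our shared secret.
            if response_is_authentic(reply, request_auth, secret) and reply[1] == ident:
                return reply[0]
    return None
```

A mismatched shared secret shows up here as `None` after all retries, because every reply fails the authenticator check, which is the same symptom as an unreachable server.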