Skip to main content

OpenConnect RADIUS integration

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.

Remote Authentication Dial-In User Service (RADIUS) is a protocol commonly used to authenticate, authorize, and account for user access and actions.

OpenConnect is an open-source software application for connecting to virtual private networks (VPN), which implement secure point-to-point connections.

Arculix offers a simple solution for adding MFA to OpenConnect VPN via its RADIUS solution. This step-by-step integration instruction illustrates how to configure the OpenConnect VPN server and Arculix RADIUS MFA authentication solution.


  • Arculix RADIUS Agent that is configured and connected to your user directory. For example, Microsoft Active Directory (AD).

    For more information, see the Arculix RADIUS Agent deployment guide.

  • User account with administrative privileges on an OpenConnect server.

Arculix RADIUS Agent configuration

Follow these steps to configure the Arculix RADIUS Agent.

  1. Log in to the Arculix RADIUS Agent as an administrator.

  2. Open the radius-agent-config.env file with an editor.

    The file is located in the installed directory of RADIUS Agent. RADIUS clients are configured in this setting.

    Acceptto RADIUS agent
  3. At the end of the radius-agent-config.env file, set the following configuration for the ARA_CLIENTS attribute:


    The values should be separated by semicolons (;).

    ARA_CLIENTS=<An optional name for your OpenCo>;<Internal IP address of your OpenConnect>;<a shared secret>

    For example, set:

    ARA_CLIENTS configuration
  4. Save the file.

  5. Run the following command to apply the changes:

    docker-compose down && docker-compose up -d

OpenConnect server configuration

In this section, you will configure OpenConnect as a service provider (SP).

  1. Log in to OCSERV server with an administrative privilege.

  2. Open ocserv.conf with a text editor.

    sudo nano /etc/ocserv/ocserv.conf
  3. Comment all lines starting with "auth =". It should look like this:

    #auth = "pam"
    #auth = "pam[gid-min=1000]"
    #auth = "plain[passwd=./ocserv.passwd]"
    #auth = "certificate"
    #auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
  4. Add the following line:

    auth = "radius [config=/usr/local/etc/radcli/radiusclient.conf,groupconfig=true]"
  5. If you need RADIUS accounting, in the Accounting methods available section, add the following line:

     acct = "radius [config=/usr/local/etc/radcli/radiusclient.conf,groupconfig=true]"
  6. Save and exit.

  7. Run the following command for the changes to take effect.

    sudo systemctl restart ocserv
  8. Move to radcli etc folder and open radiusclient.conf with a text editor.

    nano radiusclient.conf
  9. Configure RADIUS settings according to your environment.

    nas-identifier “Enter name of your OCSERV” authserver “Enter Arculix RADIUS Agent server IP”
    servers /etc/radcli/servers
    dictionary /etc/radcli/dictionary
    radius_timeout “60”
  10. Save and exit.

  11. Open servers file with text editor.

    nano servers
  12. Enter the Arculix RADIUS Agent and secret like the following: testing 123
  13. Save and exit.


    If you installed Arculix RADIUS Agent and OCSERV on the same server, in the servers file you must enter the docker IP address of Arculix RADIUS Agent.

    You can find the IP address using the command like in this screenshot example.


Test your application integration

  1. On the OpenConnect client, enter the OCSERV server address and enter your username and password.

  2. The Arculix Mobile app receives a push notification for your approval to log in to the VPN.



If you have questions or need assistance, contact SecureAuth Support.


Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.


All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.