
If you are a new customer, for optimum performance, especially for large enterprises, install the SecureAuth RADIUS server separately from the IdP or Identity Platform server. If in doubt, contact SecureAuth Support.

  • SecureAuth IdP version 9.1 or later
  • Hybrid: Authentication API (v9.1+) configured and enabled on the realm
  • Cloud: Authentication Apps (19.07+) configured and enabled on Identity Platform, plus Authentication API (v9.2+) configured and enabled on the realm

Supported SecureAuth IdP components and integrated components

SecureAuth IdP feature – SecureAuth IdP version – Configuration notes

Adaptive Authentication – v9.1+

Configure threat checking for:

  • User Groups – See Adaptive Authentication for RADIUS responses with user group checking enabled.
  • End user Client IPs – Cisco, NetScaler, and Palo Alto Networks platforms only.

Push-to-Accept – v9.1+

Attribute Mapping – v9.1+

Configure and enable Identity Management API (v9.1+) on the realm to grant / deny end user login access.

Group based authentication – Optionally configure Membership Connection Settings to grant / deny login access:

  • Specify the name of the user group to be granted / denied access, or
  • Designate a Property from Profile Fields to identify the user group to be granted / denied access.

UPN Logon – v9.1+
Multi-Factor Authentication methods

Method – SecureAuth IdP version – Notes (SecureAuth IdP v9.x supported server and required components)

  • Time-based One-Time Passcode (TOTP) – v9.1+
    NetMotion Wireless VPN:
    • PEAP protocol support requirements:
      • Public or private certificate
      • .PFX file
      • Private Key and Private Key Password
    • Microsoft Visual C++ requirements:
    NOTE: SecureAuth employees, refer to NetMotion Mobility RADIUS configuration guide.
  • HMAC-based One-Time Passcode (HOTP) – v9.1+
  • SMS – v9.1+
  • Phone – v9.1+
  • Email – v9.1+
  • Passcode OTP (Push Notification) – v9.1+
  • Mobile Login Request – v9.1+
  • PIN – v9.1+
  • Yubico OTP Token – v9.2+
  • Symbol-to-Accept (Protect package and higher only) – v9.3+
  • Fingerprint Recognition (Prevent package only) – v19.07+, using 2019 theme
  • Face Recognition (Prevent package only) – v19.07+, using 2019 theme

Supported platforms

Server:

  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

Protocols:

  • PAP
  • PEAP (NetMotion only)
  • MS-CHAPv2 for Cisco and NetScaler

SecureAuth IdP Adaptive Authentication IP Checking feature:

Platform – RADIUS end user IP

  • Cisco Systems – Calling-Station-Id
  • Citrix NetScaler – Calling-Station-Id
  • Juniper Networks – Tunnel-Client-Endpoint
  • Palo Alto Networks – Palo Alto-Client-Source-IP

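As an added example (not code from SecureAuth or this documentation), the following Python parses a RADIUS Access-Request and pulls the end user IP from the attribute the table above lists for each platform, which is the value the Adaptive Authentication IP check depends on; a request that carries the wrong attribute, or a non-IP value such as a MAC address in Calling-Station-Id, yields no IP rather than a wrong one. The standard attribute numbers come from RFC 2865 and RFC 2868; the Palo Alto vendor ID and Client-Source-IP sub-type are assumed values to confirm against the vendor dictionary, and `build_request` only constructs sample packets for offline testing.

```python
import ipaddress
import struct
# Standard attribute types from RFC 2865 / RFC 2868. The Palo Alto vendor ID and
# Client-Source-IP sub-type are ASSUMED; confirm them against the vendor dictionary.
CALLING_STATION_ID, TUNNEL_CLIENT_ENDPOINT, VENDOR_SPECIFIC = 31, 66, 26
PALO_ALTO_VENDOR_ID, PALO_ALTO_CLIENT_SOURCE_IP = 25461, 8
# Attribute carrying the end user IP on each platform, per the table above.
PLATFORM_ATTRIBUTE = {
    "Cisco Systems": (CALLING_STATION_ID,),
    "Citrix NetScaler": (CALLING_STATION_ID,),
    "Juniper Networks": (TUNNEL_CLIENT_ENDPOINT,),
    "Palo Alto Networks": (VENDOR_SPECIFIC, PALO_ALTO_VENDOR_ID, PALO_ALTO_CLIENT_SOURCE_IP),
}

def parse_attributes(packet: bytes):
    """Yield (type, value), or (26, vendor_id, vendor_type, value) for a VSA."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS packet length")
    pos = 20  # attributes start after code, id, length and the 16-byte authenticator
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
            yield (atype, vendor_id, vtype, value[6:4 + vlen])
        else:
            yield (atype, value)
        pos += alen

def end_user_ip(packet: bytes, platform: str):
    """Return the end user IP the Adaptive Authentication IP check would use, or None."""
    want = PLATFORM_ATTRIBUTE[platform]
    for attr in parse_attributes(packet):
        if attr[:-1] != want:  # (type,) for a standard attribute, (26, vendor, vtype) for a VSA
            continue
        raw = attr[-1]
        if want == (TUNNEL_CLIENT_ENDPOINT,) and raw and raw[0] <= 0x1F:
            raw = raw[1:]  # drop the RFC 2868 tag byte when one is present
        try:
            return str(ipaddress.ip_address(raw.decode("ascii")))
        except ValueError:
            return None  # attribute present but not an IP (e.g. a MAC address)
    return None

def build_request(attrs) -> bytes:
    """Constructed Access-Request (code 1, id 1, zeroed authenticator) for offline testing only."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body
```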
Port settings

Inbound:

  • Allow RADIUS Listener – Default is UDP port 1812.
  • Block TCP port 8088 – This port is used for the administrative web interface and should be blocked for security reasons.

RADIUS VPN and product support

Supported RADIUS clients:

  • Checkpoint
  • Cisco ASA with AnyConnect and Web Client
  • Cisco IPSec
  • Citrix NetScaler with Web Client
  • F5
  • Fortigate
  • Juniper VPN (IVE, MAG) Pulse Secure thick client
  • NetMotion Wireless VPN
  • Palo Alto Networks
  • SonicWall
  • VMware Horizon HTML Access
  • VMware Horizon View
  • WatchGuard

Other compatible RADIUS clients include:

  • Avocent
  • Barracuda
  • Microsoft Forefront

Contact SecureAuth Professional Services with inquiries.

To configure a Palo Alto Networks GlobalProtect VPN to send the client IP to SecureAuth IdP RADIUS server:

  • See Palo Alto Networks GlobalProtect VPN Configuration Guide (RADIUS) (v9.1+).

RADIUS client configuration

Though not all RADIUS clients are configured in the same manner, the following basic connectivity parameters must be configured on RADIUS clients to be used with SecureAuth IdP:

  • RADIUS server IP address.
  • Shared secret to use between the RADIUS server and RADIUS client(s).
  • Port 1812 to use for RADIUS authentication requests, and Port "0" for accounting when applicable or if used as the default port.
  • Timeout value.
  • Retries value.
  • Connection profile that will use the SecureAuth RADIUS authentication server.
  • Group policy of the connection profile to identify resources end users can access once logged on the network.

NOTE: A valid certificate must be installed if using NetMotion Wireless VPN.

Sample RADIUS authentication server configuration (Add Server dialog field – SecureAuth IdP RADIUS Server information):

  • Name – RADIUS Server description name (friendly name)
  • RADIUS Server – IP Address or Name of the RADIUS Server
  • Authentication Port – 1812
  • Shared Secret – SecureAuth RADIUS Shared Secret
  • Timeout – 60 Seconds (recommended)
  • Retries – 3 (recommended)

Configuration notes: This configuration enables the administrator to control static IP assignment of the VPN client via SecureAuth IdP and the RADIUS server.

NOTE: SecureAuth IdP RADIUS server v19.06 can be configured to pass an IP address to the VPN for static IP assignment to the VPN client (for example: PC or Mac).

See SecureAuth IdP RADIUS Server Static IP Address Configuration Guide for step-by-step instructions.

SecureAuth IdP RADIUS server v20.03 installation

Upgrade

If SecureAuth RADIUS v1.0.x is currently installed, review the upgrade instructions in the SecureAuth RADIUS server v20.03 upgrade before installing the newer version of RADIUS.

If SecureAuth IdP RADIUS server v2.0.x - v19.09.xx is currently installed, use the install instructions in SecureAuth RADIUS server v20.03 installation to upgrade while retaining the current configuration settings.

New installation

If installing SecureAuth IdP RADIUS server v20.03 for the first time on the designated appliance, follow the install instructions in the installation guide.

SecureAuth IdP RADIUS logs for troubleshooting

See SecureAuth IdP RADIUS server logs for information about using the RADIUS logs for troubleshooting.
