Introduction

Use this guide to enable Multi-Factor Authentication for end-users logging in to a VPN and other remote resources from desktop, web, and mobile clients via RADIUS.

SecureAuth IdP RADIUS Server is an optional component of the SecureAuth IdP product and is typically installed on a stand-alone server or on a SecureAuth IdP appliance. It lets an enterprise provide strong, adaptive authentication for RADIUS clients, such as VPNs and other applications that use RADIUS for Multi-Factor Authentication, in conjunction with SecureAuth IdP.

Download the latest version of SecureAuth IdP RADIUS Server here

NOTE: Click here for the latest version of the SecureAuth IdP RADIUS Server Integration Guide

NOTE: Refer to SecureAuth IdP RADIUS Server v2.0.2 Integration Guide for the version of RADIUS Server supported by SecureAuth IdP version 8.1

Prerequisites

Requirements

SecureAuth IdP version 8.2+

  • Supported features and minimum required configuration
    • Adaptive Authentication – configure threat checking
    • Push-to-Accept
  • Supported tools and required components
    • Authentication API configured and enabled on the realm

SecureAuth IdP version 9.0+

  • Supported features and minimum required configuration
    • Attribute Mapping – configure and enable the Identity Management API on the realm to grant / deny end-user logon access
      • Group based authentication (OPTIONAL) – configure Membership Connection Settings to grant / deny logon access
        • specify the name of the user group to be granted / denied access, or
        • designate a Property from Profile Fields to identify the user group to be granted / denied access
    • UPN Logon – configure the Active Directory Data Store to enable the UPN logon format
  • Supported tools and required components
    • Authentication API configured and enabled on the realm

Required components for NetMotion Wireless VPN

  • For PEAP protocol support
    • Public or private certificate
    • .PFX file
    • Private Key and Private Key Password
  • Microsoft Visual C++ (Redistributable for Visual Studio 2012 Update 4)



Supported Multi-Factor Authentication Methods

  • Time-based One-Time Passcode (TOTP)
  • SMS
  • Phone
  • Email
  • Passcode OTP (Push Notification)
  • Mobile Login Request (Push-to-Accept Notification requires SecureAuth IdP version 8.2+)

Supported Platforms

Server
  • Windows Server 2008 R2
  • Windows Server 2012 R2

Adaptive Authentication IP Checking
  • Cisco platforms
  • NetScaler platforms
  • Palo Alto Networks platforms

Protocols
  • PAP
  • PEAP (NetMotion only)

NOTE: Geo-velocity is not supported for IP Checking on Cisco, NetScaler, and Palo Alto Networks platforms

Port Settings

Inbound
  • Allow the RADIUS listener – default is UDP port 1812; restrict the allowed source addresses to the configured RADIUS clients
  • Block TCP port 8088 – this port serves the RADIUS Admin Console web interface and must not be reachable from the network

RADIUS VPN and Product Support (RADIUS Client)

Checkpoint
Cisco ASA with AnyConnect and Web Client
Cisco IPSec
Citrix NetScaler with Web Client
F5
Fortigate
Juniper VPN (IVE, MAG) Pulse Secure thick client
NetMotion Wireless VPN
Palo Alto Networks
SonicWall
VMware Horizon HTML Access
VMware Horizon View
WatchGuard 

Other compatible RADIUS clients include: Avocent, Barracuda, and Microsoft Forefront (contact SecureAuth Professional Services with inquiries)

NOTE: Refer to Palo Alto Networks GlobalProtect VPN Configuration Guide (RADIUS) to configure a Palo Alto Networks GlobalProtect VPN to send the client IP to SecureAuth IdP RADIUS server

RADIUS Client Configuration

Though not all RADIUS clients are configured in the same manner, the following basic connectivity parameters must be configured on any RADIUS client used with SecureAuth IdP:

  • RADIUS server IP address
  • Shared secret to use between the RADIUS server and RADIUS client(s)
  • Port 1812 for RADIUS authentication requests; for accounting, port '0' where applicable, or the client's default accounting port
  • Timeout value
  • Retries value
  • Connection profile that will use the SecureAuth RADIUS authentication server
  • Group policy of the connection profile to identify resources end-users can access once logged on the network

NOTE: A valid certificate must be installed if using NetMotion Wireless VPN

Example of RADIUS authentication server configuration (Add Server dialog field – SecureAuth IdP RADIUS value)

  • Name – RADIUS Server description name (friendly name)
  • RADIUS Server – IP address or name of the RADIUS Server
  • Authentication Port – 1812
  • Shared Secret – SecureAuth RADIUS Shared Secret
  • Accounting Port – 1813
  • Timeout – 60 seconds (recommended)
  • Retries – 3 (recommended)
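The exchange those parameters set up, shown as an added example that is not part of this guide or of SecureAuth's own code: a minimal RADIUS/PAP client and server in Python that uses the shared secret to hide User-Password in the Access-Request (RFC 2865 section 5.2) and to compute and check the Response Authenticator on the reply, and that carries the Calling-Station-Id attribute the server reads for Adaptive Authentication and a Class attribute in the Access-Accept. The secret, user name, password, IP address and attribute values are made up for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and the standard attribute types used below (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE, CLASS, CALLING_STATION_ID = 1, 2, 18, 24, 25, 31


def _xor_chain(data, secret, authenticator, hide):
    """RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block); the first block is keyed with the Request Authenticator.
    XOR is its own inverse, so the same loop decodes when given ciphertext."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        out += result
        prev = result if hide else block
    return out


def hide_password(password, secret, authenticator):
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1-128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded, secret, authenticator, hide=True)


def reveal_password(hidden, secret, authenticator):
    return _xor_chain(hidden, secret, authenticator, hide=False).rstrip(b"\x00")


def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1, includes the 2-byte header) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(body):
    attrs, i = [], 0
    while i < len(body):
        if len(body) - i < 2:
            raise ValueError("truncated attribute header at offset %d" % i)
        t, length = struct.unpack("!BB", body[i:i + 2])
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((t, body[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, secret, username, password, calling_station_id, authenticator=None):
    """Client side (the VPN): what is sent to UDP/1812. Calling-Station-Id carries the
    end-user IP address that the server can use for Adaptive Authentication."""
    authenticator = authenticator or os.urandom(16)  # must be unpredictable per request
    body = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
        (CALLING_STATION_ID, calling_station_id.encode()),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def parse_access_request(packet, secret):
    """Server side: recover the credentials. A client configured with a different shared
    secret does not fail here; it just yields garbage for the password, which the IdP
    then rejects as a wrong password."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    auth = packet[4:20]
    fields = {"ident": ident}
    for t, v in decode_attrs(packet[20:]):
        if t == USER_NAME:
            fields["username"] = v.decode()
        elif t == USER_PASSWORD:
            fields["password"] = reveal_password(v, secret, auth).decode("utf-8", "replace")
        elif t == CALLING_STATION_ID:
            fields["client_ip"] = v.decode()
    return fields


def build_response(code, request, secret, attrs):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + resp_auth + body


def verify_response(response, request, secret):
    """Client side: accept a reply only if it was produced with the shared secret for this
    exact request; otherwise a spoofed Access-Accept from any host would log a user in.
    Returns (code, attributes) or None."""
    if len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code, decode_attrs(response[20:])
```

A mismatched shared secret produces no error on the wire: the server decodes the password to garbage and rejects it as a bad password, which is the first thing to check when a newly added client gets Login Failed for every user. The Access-Challenge code (11) carrying a State attribute is the standard RADIUS way of asking the client to show a second screen, which is why some multi-screen workflows are unavailable on clients whose RADIUS implementation cannot display a challenge.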

RADIUS 2.1.0 Installation

Upgrades

New Installation

If installing RADIUS v2.1.0 for the first time on the designated appliance, follow the install instructions in the SecureAuth IdP RADIUS Server v2.1.0 Installation Guide

SecureAuth RADIUS Admin Console Configuration Steps

After the RADIUS Windows service is installed and configured, use the RADIUS Admin Console to configure the server and client, and optionally any SecureAuth IdP realm to be used with RADIUS

1. Access the RADIUS Admin Console at http://localhost:8088/configuration – the user interface is restricted to local machine access by default

2. Configure the RADIUS Server Settings tab

3. Click the IdP Realms tab to add / edit Authentication API realms to be used with the RADIUS server

4. Click the RADIUS Clients tab to add and configure settings for the RADIUS client(s)

To simplify the task of creating additional SecureAuth IdP RADIUS Servers, the configuration can be exported to a .cfg file and imported on the target SecureAuth IdP RADIUS Server

TIP: The .cfg file can also be used to back up the configuration

WARNING: If the .cfg file is imported via the RADIUS Admin Console server, all configurations made on the RADIUS Server Settings tab, IdP Realms tab, and RADIUS Clients tab will be overwritten by the configurations in this file

NOTE: See Export / Import RADIUS Configuration

RADIUS Server Settings Configuration Steps


1. In the RADIUS Server Settings section, input the Shared Secret that was entered in the management console of the RADIUS client

The Authentication Port number 1812 appears by default

2. (OPTIONAL) In the Syslog Settings section, specify whether to Enable Syslog Logging

The standard Syslog Protocol RFC5424 is supported

3. If the Syslog Logging option is enabled, enter the Syslog Server IP address

The Syslog Port number 514 appears by default

4. (OPTIONAL) Enter the Private Enterprise Number (PEN)

5. If using NetMotion VPN, in the PEAP Settings section

a. Click Choose File to browse and select the Private Key PFX File

b. Enter the Private Key Password configured for the .PFX file

Radius Server Key Certificate information appears, identifying the SecureAuth IdP RADIUS server .PEM certificate

See Export SecureAuth IdP RADIUS Server Certificate for information about using the Export Server Certificate link

6. Click Save after all server entries are made

NOTE: The Shared Secret field displays [Encrypted Value] once the input values are saved
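What the Syslog settings above produce on the collector side, shown as an added example that is not part of this guide or of the RADIUS server's code: a Python parser for RFC 5424 messages that reads the STRUCTURED-DATA elements, recognises the Private Enterprise Number in vendor SD-IDs (they take the form name@PEN, while IANA-registered IDs such as timeQuality have no '@'), and counts Access-Rejects per RADIUS client. The log lines are constructed for the example; they do not reproduce the RADIUS server's actual message format, the field names are assumptions, and 32473 is the PEN that RFC 5612 reserves for documentation.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, followed by
# STRUCTURED-DATA ('-' or one or more [SD-ID PARAM="value" ...] elements) and MSG.
_HEADER_RE = re.compile(r"^<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) ")
_SD_ELEMENT_RE = re.compile(r'\[([^ \]="]+)((?: [^ \]="]+="(?:[^"\\\]]|\\.)*")*)\]')
_SD_PARAM_RE = re.compile(r' ([^ \]="]+)="((?:[^"\\\]]|\\.)*)"')


def _unescape(value: str) -> str:
    # RFC 5424 section 6.3.3: only '"', '\' and ']' are escaped inside a PARAM-VALUE.
    return re.sub(r'\\([\\"\]])', r"\1", value)


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    version: int
    timestamp: str
    hostname: str
    app_name: str
    procid: str
    msgid: str
    structured_data: Dict[str, Dict[str, str]]
    msg: str


def parse_rfc5424(line: str) -> SyslogMessage:
    m = _HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRIVAL %d out of range" % pri)
    rest = line[m.end():]
    sd: Dict[str, Dict[str, str]] = {}
    if rest.startswith("-"):
        rest = rest[1:]
    elif rest.startswith("["):
        while rest.startswith("["):
            e = _SD_ELEMENT_RE.match(rest)
            if not e:
                raise ValueError("malformed STRUCTURED-DATA")
            sd[e.group(1)] = {k: _unescape(v) for k, v in _SD_PARAM_RE.findall(e.group(2))}
            rest = rest[e.end():]
    else:
        raise ValueError("missing STRUCTURED-DATA")
    msg = rest[1:] if rest.startswith(" ") else rest
    return SyslogMessage(pri >> 3, pri & 7, int(m.group(2)), m.group(3), m.group(4),
                         m.group(5), m.group(6), m.group(7), sd, msg)


def enterprise_number(sd_id: str) -> Optional[int]:
    """Vendor SD-IDs are name@PEN; the number should match the PEN configured on the
    RADIUS server. IANA-registered IDs (timeQuality, origin, meta) carry no '@'."""
    _name, sep, pen = sd_id.partition("@")
    return int(pen) if sep and pen.isdigit() else None


# Constructed sample lines (assumed field names, documentation PEN 32473).
SAMPLE_LOG: List[str] = [
    '<86>1 2016-08-17T10:15:32.000Z radius01 SecureAuthRADIUS 4120 AUTH [auth@32473 user="jdoe" client="203.0.113.10" result="Access-Reject"] Login Failed',
    '<86>1 2016-08-17T10:15:40.000Z radius01 SecureAuthRADIUS 4120 AUTH [auth@32473 user="jdoe" client="203.0.113.10" result="Access-Reject"] Login Failed',
    '<86>1 2016-08-17T10:16:02.000Z radius01 SecureAuthRADIUS 4120 AUTH [auth@32473 user="asmith" client="203.0.113.22" result="Access-Accept"][timeQuality tzKnown="1" isSynced="1"] Login OK',
    '<86>1 2016-08-17T10:16:30.000Z radius01 SecureAuthRADIUS 4120 AUTH - heartbeat',
]


def access_rejects_by_client(lines, pen: int) -> Dict[str, int]:
    """Count Access-Reject results per RADIUS client, trusting only SD elements that
    carry the expected PEN so a foreign element with the same param names is ignored."""
    counts: Dict[str, int] = {}
    for line in lines:
        for sd_id, params in parse_rfc5424(line).structured_data.items():
            if enterprise_number(sd_id) == pen and params.get("result") == "Access-Reject":
                client = params.get("client", "?")
                counts[client] = counts.get(client, 0) + 1
    return counts
```

Filtering on the PEN is what makes the Private Enterprise Number setting useful downstream: a collector receiving messages from several products can attribute each structured-data element to the vendor that defined it instead of guessing from parameter names.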

Export SecureAuth IdP RADIUS Server Certificate

If the SecureAuth IdP RADIUS server certificate has been uploaded to this server, the Export Server Certificate link is active

1. Click Export Server Certificate to download the .PEM certificate

This self-signed certificate must be imported to the Trust Store on the NetMotion client installed on the end-user mobile device

SecureAuth IdP server certificates are not exported via this utility

IdP Realms Configuration Steps


1. On the IdP Realms page, click Add IdP Realm

Add IdP Realm


2. On the Add IdP Realm page, localhost appears in the IdP Host field by default

If the realm is hosted on a different SecureAuth IdP than the one hosting this RADIUS server, enter the IdP Host name or the IP address of the SecureAuth IdP realm to be used with this RADIUS server

e.g. hostname.secureauth.com or XXX.XXX.XXX.XXX (in which 'X' represents a number in the IP address)

3. Enter the IdP Realm name and number

e.g. SecureAuth53

4. From the SecureAuth IdP server, copy the Application ID generated for the realm and paste that content in the API Application ID field

NOTE: Refer to Authentication API Guide for steps on generating the Application ID in the API Key section of the API tab

5. From the SecureAuth IdP server, copy the Application Key generated for the realm and paste that content in the API Application Key field

NOTE: Refer to Authentication API Guide for steps on generating the Application Key in the API Key section of the API tab

6. Click Cancel to return to the IdP Realms page without adding the realm, or click Add IdP to add the realm for use with the RADIUS server

 To edit a realm's information or remove a realm from the list...


1. Find the IdP Realm URL to be edited and click its 'edit' icon at the far right

Edit IdP Realm


2. On the Edit IdP Realm page, do one of the following

  • Click Cancel if no changes will be made – the IdP Realm URL page appears
  • Update any information that has changed on the realm and click Save Changes – note [Encrypted Value] appears for the saved API Application ID and API Application Key
  • Click Remove Realm if the realm will no longer be used with the RADIUS server

RADIUS Clients Configuration Steps

 To view details about the client...

1. Click the 'i' at the start of the row – a window appears showing details about the RADIUS client

  • RADIUS Client section shows
    • IP Address – the client's IP address, or an asterisk ( * ) which indicates the client IP will be mapped to all RADIUS client IPs configured
    • Date Created – client creation date using the MM-DD-YYYY format
    • Date Modified – most recent client modification date using the MM-DD-YYYY format
  • IdP Settings section shows
    • IdP Realm – URL / realm number selected
    • Workflow – one of eight selections made for this client (the default is Password + Time-based Passcode or 2-Factor Challenge Options)
    • Adaptive Authentication – "Active" or "Inactive" status depending on whether or not this feature is enabled
  • Data Attribute Mapping section shows
    • SecureAuth Field – Property on SecureAuth IdP Data Store mapped to an attribute on the RADIUS client
    • RADIUS Attribute – attribute on the RADIUS server mapped to an attribute on the RADIUS client

2. Click the 'X' in the upper right corner of the window to exit, or click Edit to go to the Edit RADIUS Client page


On the RADIUS Clients page, by default a single row appears populated with client information that can be modified on the Edit RADIUS Client page

  • Client Name – a friendly name for the client can be manually entered
  • Client IP Address – asterisk ( * ) indicates the client IP will be mapped to all RADIUS client IPs configured
  • Authentication Workflow – default workflow selection is Password + Time-based Passcode or 2-Factor Challenge Options

1. Click Add Client

Add RADIUS Client


2. On the Add RADIUS Clients page, enter a friendly Client Name and Client IP Address

e.g. "Cisco" and XXX.XX.XX.XX (in which 'X' represents a number in the IP address)

3. In the SecureAuth IdP Settings section, select the SecureAuth IdP Realm from the dropdown

Selections only include Authentication API realms added on the IdP Realms page

4. Select the Authentication Workflow from the dropdown – this must match a workflow configured and enabled on the realm selected in step 3

  • Password + Time-based Passcode or 2-Factor Challenge Options
  • Password & Mobile Login Request (Accept / Deny)
  • Password
  • Time-based Passcode
  • Time-based Passcode / Password
  • Password + Time-based Passcode
  • Username + 2FA Options
  • Username + 2FA Options + Password

Not all authentication workflows are supported by all RADIUS clients due to RADIUS client configuration limitations

5. (OPTIONAL) If using Adaptive Authentication, check Enable Adaptive Authentication

6. If Adaptive Authentication is enabled, in the RADIUS End User IP field, Calling-Station-Id appears by default – this attribute is used to verify the end-user's IP address

NOTE: For Palo Alto Networks, enter PaloAlto-Client-Source-IP in the RADIUS End User IP field

IP verification is only supported on Cisco, NetScaler, and Palo Alto Networks platforms

7. Data Attribute Mapping is used to map an attribute from the configured SecureAuth IdP Data Store to the RADIUS client – this feature is often used with a VPN for making policy decisions

a. SecureAuth IdP Field Name corresponds to the field configured on the SecureAuth IdP Data Store which contains the attribute to be passed to the RADIUS client

By default auxId1 appears – modify this entry to map a Property or a User Group to a supported field on SecureAuth IdP

b. For RADIUS Attribute Name, enter the name of the RADIUS client attribute (e.g. Class) that is mapped to the SecureAuth IdP field specified in step 'a'

Only string values are supported for data attribute mapping

8. Click Cancel to return to the RADIUS Clients page without adding a client, or click Add Client after all client entries are made

 To edit a client's information or remove a client from the list...


1. Find the RADIUS Client to be edited and click its 'edit' icon at the far right

Edit RADIUS Client


2. On the Edit RADIUS Client page, do one of the following

  • Click Cancel if no changes will be made – the RADIUS Clients page appears
  • Update any information that has changed for the client and click Save Changes
  • Click Remove Clients if the client will no longer be used with the realm or RADIUS server

Export / Import RADIUS Configuration

The saved RADIUS Admin Console configuration can be downloaded as a .cfg file via the Export Settings function

Use the Import Settings function of the RADIUS Admin Console

  • to restore the RADIUS backup configuration to the same SecureAuth IdP
  • to expedite configuring RADIUS server on another SecureAuth IdP


Export RADIUS Configuration


1. In the Syslog Settings section, click Export Settings

If there is no configuration to download, this button is enabled but will return an error if clicked

2. Download the .cfg file that contains settings configured on the RADIUS Admin Console

NOTE: The .cfg file can be imported into a new or existing RADIUS Admin Console to overwrite the current configuration

Import RADIUS Configuration


1. In the Syslog Settings section, click Import Settings


2. In the Import Settings window, click Choose File

3. Browse to find and select the .cfg file configured on the RADIUS Admin Console containing settings to be uploaded to this RADIUS server

NOTE: Clicking Apply Settings immediately overwrites the configuration on server Settings, IdP Realms, and RADIUS Clients tabs of the RADIUS Admin Console

4. Click Cancel to close the window, or click Apply Settings to import the configuration from the .cfg file

End-user Experience

The authentication workflow requires the entry of the username followed by at least one other code entry, such as a password or passcode, before the login button is enabled

The images in this section provide examples of some user interfaces from the end-user login experience; the appearances of user interfaces will differ depending on the model of RADIUS client or the VPN client application

Single screen login workflows


Password

1. Enter the username

2. Enter the password

Time-based Passcode

1. Enter the username

2. In the password field, enter the TOTP

Time-based Passcode / Password

1. Enter the username

2. In the password field, enter the TOTP, then a "/" (forward slash), followed by the password

e.g. 563719/Password!
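How a server has to take that single field apart and check both factors, shown as an added example that is not part of this guide or of SecureAuth's code: a Python implementation of RFC 4226 HOTP and RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30-second step) plus the split of "TOTP/password". The separator is only recognised directly after exactly six leading digits, so a password that itself contains a "/" is not cut in the wrong place; both factors are always evaluated and compared in constant time so a response does not reveal which one was wrong. The secret key is the RFC 6238 test-vector key and the passwords are made up.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, 8-byte big-endian counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at // step), digits)


def split_totp_password(field: str, digits: int = 6):
    """Split the single password field of the 'Time-based Passcode / Password' workflow
    into (passcode, password). Only a '/' immediately after exactly `digits` leading
    digits counts as the separator, so a password containing '/' survives intact."""
    if len(field) < digits + 2 or not field[:digits].isdigit() or field[digits] != "/":
        return None
    return field[:digits], field[digits + 1:]


def verify_totp(secret: bytes, code: str, at: float, step: int = 30, digits: int = 6,
                window: int = 1) -> bool:
    """Accept the current step and +/- `window` adjacent steps to tolerate clock drift
    between the phone and the server; compare in constant time."""
    ok = False
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + drift * step, step, digits), code):
            ok = True
    return ok


def check_login(field: str, stored_password: str, totp_secret: bytes, at=None) -> bool:
    """Evaluate both factors regardless of which fails so the caller, and anyone timing
    the RADIUS reply, cannot tell which factor was wrong."""
    at = time.time() if at is None else at
    parts = split_totp_password(field)
    if parts is None:
        return False
    code, password = parts
    password_ok = hmac.compare_digest(password.encode(), stored_password.encode())
    otp_ok = verify_totp(totp_secret, code, at)
    return password_ok and otp_ok
```

The drift window is the trade-off a practitioner has to pick: one step either side covers a phone that is up to 30 seconds off, but every extra step accepted multiplies the number of codes that are valid at any moment.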

Multi-screen login workflows
Password + Time-based Passcode


1. On the VPN login screen, enter the username

2. Enter the password

3. Get the time-based passcode from the SecureAuth Authenticate or other SecureAuth TOTP application

4. Enter the passcode





Password & Mobile Login Request (Accept / Deny)

1. On the VPN login screen, enter the username

2. Enter the password

The VPN waits for RADIUS to respond

3. On the mobile app Login Request screen, tap Accept or Deny – a response entry field is not presented





Password + Time-based Passcode or 2-Factor Challenge Options

1. On the VPN login screen, enter the username

2. Enter the password


3. The response screen prompts for one of two options

a. Entry of a time-based passcode (TOTP)

b. Entry of the number corresponding to an available Multi-Factor Authentication method

SMS / Text Message
Phone
Email
Send Passcode to Phone (Push Notification)
Send Login Request to Phone (Push-to-Accept)

The list of available Multi-Factor Authentication methods is dynamic, since it is based on configured 2nd Factor Authentication options

4. Make the appropriate entry on the response screen, based on the selected workflow (option 'a' or 'b' in step 3)


 If selecting option 'a' (Time-based Passcode)...
5a. Get the time-based passcode from the SecureAuth Authenticate or other SecureAuth TOTP application

6a. Enter the passcode


 If selecting option 'b' (Multi-Factor Authentication)...

5b. Enter the number corresponding to an available Multi-Factor Authentication method

1 = SMS / Text Message
2 = Phone
3 = Email
4 = Send Passcode to Phone (Push Notification)
5 = Send Login Request to Phone (Push-to-Accept)

6b. Proceed with the 2nd Authentication Factor workflow

 If the Phone option is selected...
If more than one phone number is set up in the end-user account, select the number corresponding to the phone number to use in the Multi-Factor Authentication workflow session

 If the Push-to-Accept option is selected...

The VPN waits for RADIUS to respond

When the Login Request screen appears on the mobile app, tap Accept or Deny on the screen – a response entry field is not presented





Username + 2-Factor Authentication Options

1. On the VPN login screen, enter the username

2. Entry of the password is not required



3. On the response screen, enter the number corresponding to an available Multi-Factor Authentication method

1 = SMS / Text Message
2 = Phone
3 = Email
4 = Send Passcode to Phone (Push Notification)
5 = Send Login Request to Phone (Push-to-Accept)

The list of available Multi-Factor Authentication methods is dynamic, since it is based on configured 2nd Factor Authentication options

4. Proceed with the 2nd Authentication Factor workflow

 If the Phone option is selected...
If more than one phone number is set up in the end-user account, select the number corresponding to the phone number to use in the Multi-Factor Authentication workflow session

 If the Push-to-Accept option is selected...

The VPN waits for RADIUS to respond

When the Login Request screen appears on the mobile app, tap Accept or Deny on the screen – a response entry field is not presented




Username + 2-Factor Authentication Options + Password

1. On the VPN login screen, enter the username

2. Entry of the password is not required at this step


3. On the response screen, enter the number corresponding to an available Multi-Factor Authentication method

1 = SMS / Text Message
2 = Phone
3 = Email
4 = Send Passcode to Phone (Push Notification)
5 = Send Login Request to Phone (Push-to-Accept)

The list of available Multi-Factor Authentication methods is dynamic, since it is based on configured 2nd Factor Authentication options

4. Proceed with the 2nd Authentication Factor workflow

 If the Phone option is selected...
If more than one phone number is set up in the end-user account, select the number corresponding to the phone number to use in the Multi-Factor Authentication workflow session

 If the Push-to-Accept option is selected...

The VPN waits for RADIUS to respond

When the Login Request screen appears on the mobile app, tap Accept or Deny on the screen – a response entry field is not presented


5. On the response screen, enter the password 

Multiple Devices Registered for Multi-Factor Authentication

This scenario is presented for end-users with more than one registered mobile device, each with more than one phone number or email address registered

1. The end-user selects the 2nd Authentication Factor

The end-user has more than one of that item registered for 2nd Factor Authentication – i.e. more than one phone number or email address for each registered mobile device

2. A prompt appears for the end-user to select which mobile device, phone number, or email address to use in the Multi-Factor Authentication workflow session



Optional Feature: Adaptive Authentication

If Adaptive Authentication is used with the user group check feature enabled, RADIUS responds accordingly in these login failure scenarios based on the authentication workflow.

Note that the following workflows do not correlate exactly to the workflows in SecureAuth IdP. Some of the following workflows are not included in SecureAuth IdP "Login Screen Options" and vice versa.

Workflow 1 = Password + Time-based Passcode or 2-Factor Challenge Options
Workflow 2 = Password & Mobile Login Request (Accept / Deny)
Workflow 3 = Password
Workflow 4 = Time-based Passcode
Workflow 5 = Time-based Passcode / Password
Workflow 6 = Password + Time-based Passcode
Workflow 7 = Username + 2FA Options
Workflow 8 = Username + 2FA Options + Password
 

Login failure scenario – end-user experience from RADIUS

Hard stop
  • Workflows 1, 2, 6, 7, 8: Login Failed message received
  • Workflows 3, 4, 5: Login Failed message received

Step up authentication
  • Workflows 1, 2, 6, 7, 8: Prompt received for 2nd Authentication Factor
  • Workflows 3, 4, 5: Login request fulfilled

Step down authentication
  • Workflows 1, 2, 6, 7, 8: 2nd Authentication Factor skipped; login request fulfilled
  • Workflows 3, 4, 5: Login request fulfilled

Resume authentication
  • Workflows 1, 2, 6, 7, 8: Prompt received for 2nd Authentication Factor
  • Workflows 3, 4, 5: Login request fulfilled

Post authentication
  • Workflows 1, 2, 6, 7, 8: 2nd Authentication Factor skipped; login request fulfilled
  • Workflows 3, 4, 5: Login request fulfilled

Redirection
  • Workflows 1, 2, 6, 7, 8: Login Failed message delivered
  • Workflows 3, 4, 5: Login Failed message received

No failure
  • Workflows 1, 2, 6, 7, 8: Prompt received for 2nd Authentication Factor
  • Workflows 3, 4, 5: Login request fulfilled

Release Notes

Date: August 17, 2016
Version: 2.1.0

New Features
  • NetMotion (PEAP) support for wireless connectivity
  • UPN logon support in Active Directory
  • Data Store attributes can be mapped to the RADIUS Client for policy enforcement
  • Client IPs can be mapped to the attribute used for Adaptive Authentication analysis (e.g. IP risk) on Cisco, Citrix NetScaler, Palo Alto Networks platforms
  • RADIUS Server configuration settings can be exported / imported to simplify setup of additional SecureAuth IdP RADIUS Servers
  • Multiple realms are supported to provide additional SecureAuth IdP authentication workflow options
  • Two new username 2-Factor Authentication workflow options have been added – these are supported on NetMotion and VMware platforms
  • Prompt now appears for end-user if the selected 2-Factor Authentication method includes more than one registered item of the same type in the user account
  • End-user proceeds with 2-Factor Authentication workflow as usual if only one registered item for the selected authentication option is present in the user account

Admin Console changes

Settings tab

  • Replaces RADIUS Server tab
  • Reorganized content now includes
    • RADIUS Server Settings section
    • Syslog Settings section
    • Import Settings link for cloning, and Export Settings link for backup
    • New PEAP Settings section for NetMotion certificate management
  • SecureAuth IdP Settings section has been removed

IdP Realms tab

  • New tab includes SecureAuth IdP realm fields previously found on RADIUS Server tab
  • Manage multiple SecureAuth IdP realms and multiple 2-Factor Authentication workflows to be used for RADIUS
  • Main page shows a list of SecureAuth IdP realms used with this RADIUS server, and tools to add a new realm, or modify / remove an existing realm

RADIUS Clients tab

  • Includes tools to view details, or add / modify a client in the list
  • New Add / Edit Client pages include sections named
    • Add / Edit RADIUS Client
    • SecureAuth IdP Settings
      • Select the SecureAuth IdP Realm to pair with this client
      • Select the 2-Factor Authentication workflow
        • Two new Username workflow options – supported on NetScaler and VMware platforms
      • Enable Adaptive Authentication for IP checking on Cisco, NetScaler or Palo Alto Networks platforms, or for group checking
    • Data Attribute Mapping – for VPN policy decisions
      • Map a field from SecureAuth IdP to an attribute on the RADIUS client