Updated February 21, 2020
Use the SecureAuth IdP RADIUS server to configure two-factor authentication login access to a VPN and remote resources via RADIUS. This optional component is typically installed on a SecureAuth IdP appliance or on a stand-alone server.
See the SecureAuth Compatibility Guide for product and component compatibility with operating systems, Authenticate app, browsers, Java, data stores, identity types, SSO/post-authentication actions, Login for Windows, Login for Mac, and YubiKey.
New features and enhancements
Release date: September 24, 2019
Compatibility: SecureAuth IdP v9.1.x - v9.3.x, and the SecureAuth® Identity Platform v19.07
Biometric face and fingerprint recognition through SecureAuth Authenticate mobile app and Symbol-to-Accept are compatible with SecureAuth Identity Platform v19.07 or later only. Additionally, biometric fingerprint and face (iOS only) recognition require SecureAuth Identity Platform v19.07 or later, using the 2019 theme.
|RAD-220||SecureAuth RADIUS supports the help desk OTP multi-factor authentication method.|
|RAD-290||In the RADIUS Server Settings screen, selecting Import Settings or Import PEAP Certificate displays the same interface.|
|RAD-305||SecureAuth RADIUS supports the mobile biometric multi-factor authentication method, including face and fingerprint recognition.|
|RAD-315||SecureAuth RADIUS supports the mobile symbol-to-accept multi-factor authentication method.|
|RAD-327||SecureAuth RADIUS supports Windows Server 2019.|
|RAD-340||In the RADIUS Server Settings screen, use the "eye" icon to show characters as you type a shared secret instead of seeing dots.|
|RAD-364||SecureAuth RADIUS automatically checks the validity of the value added to IdP Realm in the RADIUS Clients screen, SecureAuth IdP Settings section. If invalid, the error message now provides guidance to correct the value.|
SecureAuth RADIUS PIN option is displayed when using the Password | Second Factor workflow.
|RAD-229||SecureAuth RADIUS passes |
|RAD-285||SecureAuth RADIUS end users receiving an OTP through SMS or text in the Authentication app will see the device name; that is, the device name will not be masked.|
|RAD-289||Administrators receive an improved error message with guidance when uploading a corrupt or invalid configuration file.|
|RAD-291||When entering a Shared Secret in the RADIUS Server Settings, the secret is now masked.|
|RAD-294||When Syslog logging is enabled and invalid characters or values are used, the Syslog port returns error messages that are consistent with other parts of the RADIUS server.|
|RAD-311, RAD-293||When the admin configures SecureAuth RADIUS, only valid numbers (1-65535) are allowed or the Authentication Port setting will not be saved. (The Authentication Port cannot be empty.)|
|RAD-325||Sites that have integrated NetMotion Wireless Mobility server with SecureAuth RADIUS will not see an error during Username | Second Factor login if the NetMotion Auto-Response Mode is disabled. See NetMotion Mobility RADIUS configuration guide for details.|
|RAD-328||When end users log in by using the SecureAuth RADIUS PIN | OTP workflow through any VPN client, access is denied if the end user logs in with a username and password. End users must enter a PIN and OTP.|
|RAD-329||When end users log in by using the SecureAuth RADIUS Password | OTP workflow through any VPN client, access is denied if the end user logs in with a username and PIN. End users must enter a password and OTP.|
|RAD-332||Admins are required to log in as administrator to install SecureAuth RADIUS. If already logged in as administrator, no further action is necessary.|
A guidance message now informs admins to check that "User Management" is enabled in the API realm in "API Permissions." The setting enables the IdP API to retrieve user profiles.
|RAD-356||Admins no longer need to add the OTPFieldMapping key to the IdP Web Config file if running SecureAuth Identity Platform 19.07 or later hybrid or cloud.|
|TW-774||In the Classic IdP Experience, in the API Permissions section, under "Authentication," leave the OTP Validation Property dropdown blank to ensure the API works correctly with the SecureAuth RADIUS server on the cloud and hybrid model of SecureAuth® Identity Platform version 19.07 or later.|
NetMotion does not have the capability to send the customer IP in a RADIUS attribute; therefore, NetMotion will not work with any SecureAuth Adaptive Authentication options that use an IP. See RADIUS Authentication Overview for a list of attributes that NetMotion supports.
Invalid characters in user IDs sent to the RADIUS server cause a RADIUS server failure.
Workaround: Ensure that user IDs contain the following valid characters only:
When upgrading to the Identity Platform v19.07 or later, admins must use the 2019 theme, and end users who already use the SecureAuth Authenticate app must reconnect their accounts to add the ability to accept biometric push notifications to use face (iOS) or fingerprint recognition through the mobile app.
Compatibility: SecureAuth IdP v9.1.x - v9.3.x, and the SecureAuth Identity Platform v19.07
|RAD-241||SecureAuth RADIUS supports MS-CHAPv2, as documented in MS-CHAPv2 and RADIUS (SP-initiated) for Cisco and Netscaler configuration guide.|
SecureAuth RADIUS masks all phone numbers consistently with asterisks, regardless of the format in which they are saved in Active Directory.
|RAD-259||SecureAuth RADIUS supports Yubico OTP token as a second-factor passcode, in the "Username | Second Factor" and "Username | Second Factor | Password" workflows.|
|RAD-271||SecureAuth RADIUS supports the "Yubico OTP only" workflow, where end users can use the YubiKey code as the password.|
|RAD-272||SecureAuth RADIUS supports Yubico OTP token as the password or passcode, in the "Password | Yubico One-Time Passcode" workflow.|
|RAD-273||SecureAuth RADIUS now uses the AdoptOpenJDK 8 Java Runtime Environment (JRE), and no longer uses the Oracle JRE.|
|RAD-301||SecureAuth RADIUS supports PAM RADIUS version pam_radius-1.4.0-2.el7.x86_64 and earlier.|
|RAD-195||Toast (pop-up) messages in Realms and Clients tabs are implemented and work correctly.|
|RAD-257||Clicking the Add Attribute text in the Static Value Mapping section of the RADIUS Client tab no longer adds a custom attribute to the page.|
|RAD-261||The Import Settings and Export Settings buttons were moved into the RADIUS Server Settings section on the Settings tab.|
|RAD-262||If end users receive a login screen after they have logged in with a 2FA passcode method of SMS/Text, Voice, Email, or Send passcode to mobile app, a guidance message in the log file explains the following workaround for administrators: |
In order to avoid errors with 2FA passcode methods, ensure that the following key is removed from the SecureAuth Identity Platform Web Config file in the appSettings section:
|RAD-265||Connections to disabled realms fail as expected because the realm is inactive.|
|The first created IdP realm is automatically assigned to the default RADIUS client.|
|RAD-270||End users receive better error messages with guidance when using NetMotion to import the PEAP certificate for a machine.|
|RAD-282||Administrators can create a valid personal exchange format (PFX) certificate without a password and import it into a RADIUS Protected Extensible Authentication Protocol (PEAP) page.|
|RAD-295||End users cannot connect to the VPN using a deleted shared secret value.|
|RAD-300||The "Password | One-Time Passcode (TOTP/HOTP) or Second Factor" workflow was renamed to "Password | Second Factor".|
|RAD-302||On Firefox Quantum versions 67.0.2 and 67.0.4, if end users set an attribute with invalid characters, they can remove the attribute row without saving or leaving the page.|
|RAD-304||Administrators cannot select the installation path in an upgrade process. The directory can be selected only in a new installation. (Documentation was corrected.)|
|RAD-306||After converting SecureAuth RADIUS from SAM to UPN by adding a domainUPNSuffixes.properties file, end users can now log in to a RADIUS Client, with PEAP as its authentication schema, by using a UPN-format username.|
New features and enhancements
Compatibility: SecureAuth IdP versions 9.0 - 9.3
A warning is displayed when an installation of an older version of RADIUS is attempted while a newer version is installed.
|RAD-150||End users' phone numbers and email addresses displayed in authentication applications are hidden consistently with asterisks.|
|RAD-218||TOTP and HOTP with YubiKey as second factor is supported in RADIUS version 2.5.1.|
|RAD-237||RADIUS client user interface and documentation were refreshed with the latest brand logo and color.|
|RAD-238||SecureAuth RADIUS supports Windows Server 2016.|
|RAD-179||SonicWall NetExtender created a hotfix to resolve a RADIUS client problem with 2FA methods. All 2FA methods are available.|
|Editing and saving a disabled realm no longer enables the realm.|
|RAD-204||The Static Value field is empty by default in the RADIUS Client tab, in the Static Value Mapping section.|
|RAD-206||The Static Value field allows up to 247 characters in the RADIUS Client tab, in the Static Value Mapping section.|
|RAD-208||Uppercase letters are allowed in the Static Value field, in the RADIUS Client tab, in the Static Value Mapping section.|
|RAD-212||Clicking the context-sensitive help (small i) over a disabled client setting shows information for disabled clients in the RADIUS Client tab.|
|RAD-249||Numerous minor bug fixes were completed.|
When creating a RADIUS client and clicking the Add Attribute button, the client is no longer saved when the Add Client button is not selected.
|RAD-253||RADIUS client attribute values are restricted to the supported RADIUS protocol length of 253 bytes.|
|TW-698||The FileSync Service version installed on SecureAuth IdP is now documented in the RADIUS Installation Guide.|
When running the RADIUS client with the Pulse Secure client and 2FA options, Pulse Secure limits the maximum number of characters to 210. End users can see all options in the Pulse Secure web client when the number of characters is less than 210.
A second Pulse Secure limitation causes options 5 - 8 to be cut off from end users' view on the 2FA list. End users can select options 5 - 8, even though they are off-screen and there is no scrollbar.
Optionally, modify text in the RADIUS uiTextsBundle.properties configuration file to shorten messages from the multi-factors message. See "Modify text showing on client user interface during login" in Configuration guide - v2.5 - SecureAuth IdP RADIUS server.
New features and enhancements
Compatibility: SecureAuth IdP versions 8.2 - 9.2
|---||IdP realms and RADIUS clients can be disabled and enabled.|
|RAD-13||Authentication workflow names are standardized for consistency with IdP naming conventions.|
|RAD-44||Additional logging is available for Adaptive Authentication steps.|
|RAD-58||Text hints appear on the IdP Realm page.|
|RAD-91||Toggling is available on RADIUS clients page to enter either a NAS-IP or client IP address.|
|RAD-107||Single page workflow was added for Username, Second Factor, and Password.|
|RAD-110||Wild cards are supported when defining RADIUS client IP values.|
|RAD-143||One or more backup IdP hosts can be specified for failover functionality.|
|RAD-147||PIN + TOTP end user workflow was added.|
|RAD-215||Custom API header with millisecond-precision dates now works with SecureAuth IdP version 9.2.|