Updated February 21, 2020

Use the SecureAuth IdP RADIUS server to configure two-factor authentication login access to a VPN and remote resources via RADIUS. This optional component is typically installed on a SecureAuth IdP appliance or on a stand-alone server.

See the SecureAuth Compatibility Guide for product and component compatibility with operating systems, Authenticate app, browsers, Java, data stores, identity types, SSO/post-authentication actions, Login for Windows, Login for Mac, and YubiKey.

Release notes

Learn about new features and enhancements, resolved issues, and known issues in the following sections.

New features and enhancements

Version: 19.09
Release date: September 24, 2019
Compatibility: SecureAuth IdP v9.1.x - v9.3.x, and the SecureAuth® Identity Platform v19.07

Biometric face and fingerprint recognition through SecureAuth Authenticate mobile app and Symbol-to-Accept are compatible with SecureAuth Identity Platform v19.07 or later only. Additionally, biometric fingerprint and face (iOS only) recognition require SecureAuth Identity Platform v19.07 or later, using the 2019 theme.

RAD-220SecureAuth RADIUS supports the help desk OTP multi-factor authentication method.
RAD-290In the RADIUS Server Settings screen, selecting Import Settings or Import PEAP Certificate displays the same interface.
RAD-305SecureAuth RADIUS supports the mobile biometric multi-factor authentication method, including face and fingerprint recognition.
RAD-315SecureAuth RADIUS supports the mobile symbol-to-accept multi-factor authentication method.
RAD-327SecureAuth RADIUS supports Windows Server 2019.
RAD-340In the RADIUS Server Settings screen, use the "eye" icon to show characters as you type a shared secret instead of seeing dots.
RAD-364SecureAuth RADIUS automatically checks the validity of the value added to IdP Realm in the RADIUS Clients screen, SecureAuth IdP Settings section. If invalid, the error message now provides guidance to correct the value.

Resolved issues


SecureAuth RADIUS PIN option is displayed when using the Password | Second Factor workflow.

RAD-229SecureAuth RADIUS passes framed-IP-Address, stored in the Active Directory msRADIUSFramedIPAddress user attribute, to dictate which IP address the AnyConnect user will be assigned to.
RAD-285SecureAuth RADIUS end users receiving a OTP through SMS or text in the Authentication app will see the device name; that is, the device name will not be masked.
RAD-289Administrators receive an improved error message with guidance when uploading a corrupt or invalid configuration file.
RAD-291When entering a Shared Secret in the RADIUS Server Settings, the secret is now masked.
RAD-294When Syslog logging is enabled and invalid characters or values are used, the Syslog port returns error messages that are consistent with other parts of the RADIUS server.
RAD-311, RAD-293When the admin configures SecureAuth RADIUS, only valid numbers (1-65535) are allowed or the Authentication Port setting will not be saved. (The Authentication Port cannot be empty.)
RAD-325Sites that have integrated NetMotion Wireless Mobility server with SecureAuth RADIUS will not see an error during Username | Second Factor login if the NetMotion Auto-Response Mode is disabled. See NetMotion Mobility RADIUS configuration guide for details.
RAD-328When end users log in by using the SecureAuth RADIUS PIN | OTP workflow through any VPN client, access is denied if end user logs in with username and password. End users must enter a PIN and OTP.
RAD-329When end users log in by using the SecureAuth RADIUS Password | OTP workflow through any VPN client, access is denied if end user logs in with username and PIN. End users must enter a password and OTP.
RAD-332Admins are required to log in as administrator to install SecureAuth RADIUS. If already logged in as administrator, no further action is necessary.

A guidance message now informs admins to check that "User Management" is enabled in the API realm in "API Permissions." The setting enables the IdP API to retrieve user profiles.

RAD-356Admins no longer need to add the OTPFieldMapping key to the IdP Web Config file if running SecureAuth Identity Platform 19.07 or later hybrid or cloud.  
TW-774In the Classic IdP Experience, in the API Permissions section, under "Authentication," leave the OTP Validation Property dropdown blank to ensure the API works correctly with the SecureAuth RADIUS server on the cloud and hybrid model of SecureAuth® Identity Platform version 19.07 or later.

Known issues


NetMotion does not have the capability to send the customer IP in a RADIUS attribute; therefore, NetMotion will not work with any SecureAuth Adaptive Authentication options that use an IP. See RADIUS Authentication Overview for a list of attributes that NetMotion supports.


Invalid characters in user IDs sent to the RADIUS server cause a RADIUS server failure.

Workaround: Ensure that user IDs contain the following valid characters only:

  • A - z
  • 0 - 9
  • . (dot), - (minus sign), @ (domain), and _ (underscore)

When upgrading to the Identity Platform v19.07 or later, admins must use the 2019 theme and end users who already use the SecureAuth Authenticate app must reconnect their accounts to add the ability to accept biometric push notifications to use face (iOS) or fingerprint recognition through the mobile app.

Workaround: None

Version 19.06 - Release Date: July 11, 2019

Version: 19.06
Compatibility: SecureAuth IdP v9.1.x - v9.3.x, and the SecureAuth Identity Platform v19.07

RAD-241SecureAuth RADIUS supports MS-CHAPv2, as documented in MS-CHAPv2 and RADIUS (SP-initiated) for Cisco and Netscaler configuration guide.

SecureAuth RADIUS masks all phone numbers consistently with asterisks, regardless of the format in which they are saved in Active Directory.

RAD-259SecureAuth RADIUS supports Yubico OTP token as a second-factor passcode, in the "Username | Second Factor" and "Username | Second Factor | Password" workflows.
RAD-271SecureAuth RADIUS supports the "Yubico OTP only" workflow, where end users can use the YubiKey code as the password.
RAD-272SecureAuth RADIUS supports Yubico OTP token as the password or passcode, in the "Password | Yubico One-Time Passcode" workflow.
RAD-273SecureAuth RADIUS now uses the AdoptOpenJDK 8 Java Runtime Environment (JRE), and no longer uses the Oracle JRE.
RAD-301SecureAuth RADIUS supports PAM RADIUS version pam_radius-1.4.0-2.el7.x86_64 and earlier.

Resolved issues

RAD-195Toast (pop-up) messages in Realms and Clients tabs are implemented and work correctly.
RAD-257Clicking the Add Attribute text in the Static Value Mapping section of the RADIUS Client tab no longer adds a custom attribute to the page.
RAD-261The Import Settings and Export Settings buttons were moved into the RADIUS Server Settings section on the Settings tab.
RAD-262If end users receive a login screen after they have logged in with a 2FA passcode method of SMS/Text, Voice, Email, or Send passcode to mobile app, a guidance message in the log file explains the following workaround for administrators: 

In order to avoid errors with 2FA passcode methods, ensure that the following key is removed from the SecureAuth Identity Platform Web Config file in the appSettings section:

<add key="OTPFieldMapping" value="<SecureAuth IdP Profile Property>" />
RAD-265Connections to disabled realms fail as expected because the realm is inactive.


The first created IdP realm is automatically assigned to the default RADIUS client.
RAD-270End users receive better error messages with guidance when using NetMotion to import the PEAP certificate for a machine.
RAD-282Administrators can create a valid personal exchange format (PFX) certificate without a password and import it into a RADIUS Protected Extensible Authentication Protocol (PEAP) page.
RAD-295End user cannot connect to VPN using a deleted shared secret value.
RAD-300The "Password | One-Time Passcode (TOTP/HOTP) or Second Factor" workflow was renamed to "Password | Second Factor".
RAD-302On Firefox Quantum versions 67.0.2 and 67.0.4, if end users set an attribute with invalid characters, they can remove the attribute row without saving or leaving the page.
RAD-304Administrators cannot select the installation path in an upgrade process. The directory can be selected only in a new installation. (Documentation was corrected.)
RAD-306After converting SecureAuth RADIUS from SAM to UPN by adding a file, end users can now log into a RADIUS Client, with PEAP as its authentication schema, by using a UPN-format username. 
Version 2.5 - Release Date: April 16, 2019

New features and enhancements

Version: 2.5
Compatibility: SecureAuth IdP versions 9.0 - 9.3


A warning is displayed when an installation of an older version of RADIUS is attempted while a newer version is installed.

RAD-150End users' phone numbers and email addresses displayed in authentication applications are hidden consistently with asterisks.
RAD-218TOTP and HOTP with YubiKey as second factor is supported in RADIUS version 2.5.1.
RAD-237RADIUS client user interface and documentation were refreshed with the latest brand logo and color.
RAD-238SecureAuth RADIUS supports Windows Server 2016.

Resolved issues

RAD-179SonicWall NetExtender created a hotfix to resolve a RADIUS client problem with 2FA methods. All 2FA methods are available.


Editing and saving a disabled realm no longer enables the realm.
RAD-204The Static Value field is empty by default in the RADIUS Client tab, in the Static Value Mapping section.
RAD-206The Static Value field allows up to 247 characters in the RADIUS Client tab, in the Static Value Mapping section.
RAD-208Uppercase letters are allowed in the Static Value field, in the RADIUS Client tab, in the Static Value Mapping section.
RAD-212Clicking the context-sensitive help (small i) over a disabled client setting shows information for disabled clients in the RADIUS Client tab.
RAD-249Numerous minor bug fixes were completed.

When creating a RADIUS client and clicking the Add Attribute button, the client is no longer saved when the Add Client button is not selected.

RAD-253RADIUS client attribute values are restricted to the supported RADIUS protocol length of 253 bytes.
TW-698The FileSync Service version installed on SecureAuth IdP is now documented in the RADIUS Installation Guide.

Known issues


When running the RADIUS client with the Pulse Secure client and 2FA options, Pulse Secure limits the maximum number of characters to 210. End users can see all options in the Pulse Secure web client when the number of characters is less than 210.

A second Pulse Secure limitation causes options 5 - 8 to be cut off from end users' view on the 2FA list. End users can select options 5 - 8, even though they are off-screen and there is no scrollbar.

Optionally, modify text in the RADIUS configuration file to shorten messages from the multi-factors message. See "Modify text showing on client user interface during login" in Configuration guide - v2.5 - SecureAuth IdP RADIUS server.

Version 2.4 - Release Date: October, 2018

New features and enhancements

Version: 2.4
Compatibility: SecureAuth IdP versions 8.2 - 9.2

---IdP realms and RADIUS clients can be disabled and enabled.
RAD-13Authentication workflow names are standardized for consistency with IdP naming conventions.
RAD-44Additional logging is available for Adaptive Authentication steps.
RAD-58Text hints appear on the IdP Realm page.
RAD-91Toggling is available on RADIUS clients page to enter either a NAS-IP or client IP address.
RAD-107Single page workflow was added for Username, Second Factor, and Password.
RAD-110Wild cards are supported when defining RADIUS client IP values.
RAD-143One or more backup IdP hosts can be specified for failover functionality.
RAD-147PIN + TOTP end user workflow was added.

Resolved issues

RAD-215Custom API header with millisecond-precision dates now works with SecureAuth IdP version 9.2
  • No labels