Administrators with teams using SecureAuth Identity Platform will continue to set up SecureAuth RADIUS on SecureAuth IdP realms until feature parity is achieved.

1. On the IdP Realms page, click Add IdP Realm.

Add IdP Realm

Ensure that the SecureAuth IdP API can connect to User properties. In the API realm in "API Permissions," ensure the following:

  • If using Identity Platform v19.07 or later, check that the "OTP Validation Property" field is empty. If populated, use the dropdown to reset it to empty.
  • Check that "User Management" is enabled. If disabled, check the box. Enable the option if using SecureAuth IdP or Identity Platform.

2. In the Primary IdP Host field, localhost appears by default.

If the realm is hosted on a different SecureAuth IdP than the one hosting this RADIUS server, enter the IdP host name or the IP address of the SecureAuth IdP realm to be used with this RADIUS server.

Examples: hostname.secureauth.com or XXX.XXX.XXX.XXX (where "X" represents a number in the IP address).

3. OPTIONAL: In the Backup IdP Host field, enter the host name or IP address of each SecureAuth IdP appliance to use for failover functionality, with each entry separated by a comma ( , ). 

Failover to a backup server can occur in these scenarios:

    • Communications are faulty with the target SecureAuth IdP.
    • RADIUS server receives no response.
    • RADIUS server receives errors from SecureAuth IdP.

During failover, end-users can log on to the VPN without disruption.

NOTE: Refer to the Sample logs for different RADIUS failover scenarios for more information.

4. Enter the IdP Realm name and number. Examples: secureauth53 or SecureAuth84.

5. From the SecureAuth IdP server, copy the Application ID generated for the realm and paste that content in the API Application ID field.

NOTE: Refer to Authentication API Guide (v9.1+) for steps on generating the Application ID in the API Key section of the API tab.

6. From the SecureAuth IdP server, copy the Application Key generated for the realm and paste that content in the API Application Key field.

NOTE: Refer to Authentication API Guide (v9.1+) for steps on generating the Application Key in the API Key section of the API tab.

7. Click Add IdP to enable the realm for use with the RADIUS server, or click Cancel to return to the IdP Realms page without adding the realm.

To edit a realm's information or remove a realm from the list...

1. Find the IdP Realm to be edited and click its "edit" icon at the far right.

Edit IdP Realm

2. Do one of the following:

a. Click Cancel if no changes will be made; the IdP Realm URL list is displayed.

b. Update any information that has changed on the realm and click Save Changes. Note that the saved API Application ID and API Application Key are displayed as encrypted values; or

c. Click Disable Realm if the realm will no longer be used with the RADIUS server. This action moves the realm to the Disabled IdP Realms list. See an example of a disabled IdP realm in the sample screen above.

3. If Disable Realm was clicked, the Remove Realm option becomes available. Do one of the following:

a. Click Cancel if no changes will be made; the IdP Realm URL list is displayed.

b. Click Remove Realm to remove the realm from the Disabled IdP Realms list and from the RADIUS server; or

c. Click Enable Realm to enable the realm for use with the RADIUS server. This action removes the realm from the Disabled IdP Realms list and includes it in the IdP Realm URL list.

Edit the IdP Web Config file

A default setting in the SecureAuth IdP v9.3 or earlier Web Config file causes RADIUS client end-user logins to fail for certain 2FA methods. To ensure end-users can log in using any 2FA method, remove the OTPFieldMapping property in the SecureAuth IdP Web Admin configuration by completing the following steps.

1. In the SecureAuth IdP realm you added in Step B, step 1 above, click the System Info tab.

2. On the System Info tab, in the Links section, select Click to edit Web Config file.

3. In the Web Config Editor section, under <appSettings>, remove the following line because SA RADIUS does not use /api/v1/otp/validate to validate OTP codes:

    <add key="OTPFieldMapping" value="<SecureAuth IdP Profile Property>"/>

4. Click Save.
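
To confirm the change on a saved copy of the Web Config file, the following added example (not SecureAuth code) parses the XML, reports every OTPFieldMapping entry under <appSettings>, and returns a copy without it. The function name, the sample file, its value and the ExampleOtherSetting key are constructed placeholders.

```python
import xml.etree.ElementTree as ET

TARGET_KEY = "OTPFieldMapping"  # key named in step 3 above

# Constructed sample; the value and the second key are placeholders,
# not real SecureAuth IdP settings.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <!-- constructed example entries -->
    <add key="ExampleOtherSetting" value="keep-me" />
    <add key="OTPFieldMapping" value="ExampleProfileProperty" />
  </appSettings>
</configuration>
"""


def remove_otp_field_mapping(config_xml):
    """Return (cleaned_xml, removed_values) for a Web Config document.

    Only <add> elements directly inside an <appSettings> section are
    considered, so the same key name elsewhere in the file is untouched.
    """
    # Keep XML comments so the cleaned copy stays close to the original.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(config_xml.encode("utf-8"), parser=parser)

    removed = []
    for section in root.iter("appSettings"):
        for entry in list(section):  # copy: the section is modified below
            # Key compared case-insensitively as a precaution.
            if entry.tag == "add" and \
                    entry.get("key", "").lower() == TARGET_KEY.lower():
                removed.append(entry.get("value", ""))
                section.remove(entry)
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    cleaned, removed = remove_otp_field_mapping(SAMPLE_WEB_CONFIG)
    if removed:
        print("OTPFieldMapping still present, mapped to:", removed)
    else:
        print("OTPFieldMapping not present")
    print(cleaned)
```

An empty list of removed values means the property is already absent from the file that was checked.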
