
By default, a single row appears, populated with client information that can be modified on the Edit RADIUS Client page:

  • Client Name – a friendly name for the client can be entered manually.
  • Client IP Address – an asterisk ( * ) indicates that the entry matches every configured RADIUS client IP. Partial wildcards are also accepted; for example, 1.1.*.* is equivalent to 1.1.0.0/16.
  • Authentication Workflow – the default workflow selection is Password | Second Factor.

To view details about a client...

1. Click the "i" at the start of the row – a window appears showing details about the RADIUS client.

RADIUS Client section shows:

  • IP Address – the client's IP address, or an asterisk ( * ), which indicates that the entry matches every configured RADIUS client IP.
  • Date Created – client creation date using the MM-DD-YYYY format.
  • Date Modified – most recent client modification date using the MM-DD-YYYY format.

IdP Settings section shows:

  • IdP Realm – URL / realm number selected.
  • Workflow – one of eight selections made for this client (the default is Password | Second Factor).
  • Adaptive Authentication – "Active" or "Inactive" status depending on whether or not this feature is enabled.

2. Click Edit to go to the Edit RADIUS Client page, or click the "X" in the upper right corner to close the window.


Add RADIUS Client

1. Click Add Client.

2. Enter a friendly Client Name. For example: "Cisco".

3. Enter the IP Address to filter the RADIUS client. In general, the NAS-IP address should be entered.

To filter the RADIUS client by its source IP address instead of the NAS-IP address, also enable Use Client Source IP Address.

TIP: You can use a wildcard to allow only machines from a specified subnet to connect, for example: 10.1.2.*
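As an added illustration (not code from the SecureAuth product), the following Python shows how the asterisk and partial-wildcard filters above translate to CIDR networks, and how a request's NAS-IP or source IP (when Use Client Source IP Address is set) is matched against a client table. The client rows are constructed, and the rule that the most specific row wins when several overlap is an assumption, not something the page states.

```python
import ipaddress
from typing import Optional

# Constructed client table, modelled on the RADIUS Clients rows described above.
# "*" matches every client IP; a partial wildcard such as 1.1.*.* means 1.1.0.0/16.
CLIENTS = [
    {"name": "Cisco", "ip": "10.1.2.*", "use_source_ip": False},
    {"name": "PaloAlto", "ip": "192.0.2.10", "use_source_ip": True},
    {"name": "Catch-all", "ip": "*", "use_source_ip": False},
]

def wildcard_to_network(pattern: str) -> ipaddress.IPv4Network:
    """Turn a dotted pattern with trailing '*' octets into a CIDR network:
    1.1.*.* -> 1.1.0.0/16, 10.1.2.* -> 10.1.2.0/24, * -> 0.0.0.0/0."""
    if pattern == "*":
        return ipaddress.IPv4Network("0.0.0.0/0")
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {pattern}")
    fixed = []
    for octet in octets:
        if octet == "*":
            break
        fixed.append(octet)
    if any(o != "*" for o in octets[len(fixed):]):
        raise ValueError(f"wildcard octets must be trailing: {pattern}")
    address = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.IPv4Network(f"{address}/{8 * len(fixed)}")  # strict: host bits are zero

def match_client(nas_ip: str, source_ip: str, clients=CLIENTS) -> Optional[str]:
    """Name the client whose filter matches a request. Each row is tested against
    the NAS-IP unless Use Client Source IP Address is set, in which case the
    packet's source IP is tested instead. Assumption (not stated on the page):
    when several rows match, the most specific prefix wins, so '*' is used last."""
    matches = []
    for client in clients:
        network = wildcard_to_network(client["ip"])
        probe = ipaddress.IPv4Address(source_ip if client["use_source_ip"] else nas_ip)
        if probe in network:
            matches.append((network.prefixlen, client["name"]))
    if not matches:
        # The page quotes this log line for requests with no usable client entry.
        print(f"RadiusSession: Radius client can't be found for IP: {nas_ip}")
        return None
    return max(matches)[1]
```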

SecureAuth IdP Settings

4. Select the SecureAuth IdP Realm from the dropdown.

Selections only include Authentication API realms added on the IdP Realms page.

5. Select the Authentication Workflow from the dropdown – this must match a workflow configured and enabled on the realm selected in step 4:

  • Password | Second Factor
  • Password & Mobile Login Request (Approve / Deny)
  • Password Only
  • One-Time Passcode (TOTP/HOTP) Only
  • One-Time Passcode / Password
  • Password | One-Time Passcode (TOTP/HOTP)
  • One-Time Passcode (TOTP/HOTP) | Password
  • Username | Second Factor
  • Username | Second Factor | Password
  • PIN + OTP
  • Password & One-Time Passcode (TOTP/HOTP)
  • Yubico OTP Only
  • Password | Yubico OTP
  • Username | Fingerprint
  • Username | Face Recognition

NOTE: Not all authentication workflows are supported by all RADIUS clients due to RADIUS client configuration limitations. See Multi-Factor Methods configuration for links to versions of documents that explain how to configure realms for the supported authentication workflows.

6. OPTIONAL: If using Adaptive Authentication, check Enable Adaptive Authentication.

6a. Calling-Station-Id appears by default in the RADIUS End User IP field – this attribute is used to verify the end user's IP address.

6b. Edit the value in this field if using Palo Alto Networks or Juniper Networks platforms:

    • For Palo Alto Networks, enter PaloAlto-Client-Source-IP
    • For Juniper Networks, enter Tunnel-Client-Endpoint

NOTE: IP verification is only supported on Cisco, NetScaler, and Palo Alto Networks platforms.

7. Data Attribute Mapping is used to map an attribute from the configured SecureAuth IdP Data Store to the RADIUS client – this feature is often used with a VPN for making policy decisions.

NOTE: Only string values are supported for data attribute mapping.

To add a row and map a data attribute...

7a. Click the "+" button preceding Add Attribute.


7b. By default auxId1 appears under IdP Property. Modify this entry to map a field or a User Group to a supported SecureAuth IdP Property; this entry is case-sensitive.

7c. For RADIUS Attribute, enter the name of the RADIUS client attribute (for example, Class) that is mapped to the SecureAuth IdP Property specified in step 7b; this entry is case-sensitive.

7d. To map another attribute, click the "+" button at the end of the last row; this action adds a new row below.

NOTE: To remove a row from the Data Attribute Mapping table, click the "-" button at the end of the row to be removed.

8. Custom Attribute Mapping is used to map an attribute from the configured SecureAuth IdP Data Store to a vendor specific attribute – this usually occurs in a scenario in which the VPN appliance is unable to perform an LDAP lookup.

The Attribute field is mandatory and must be set in this step or in the Static Value Mapping in step 9.

To add a row and map a custom attribute...

8a. Click the "+" button preceding Add Attribute.

8b. By default auxId1 appears under IdP Property. Modify this entry to map a field or a User Group to a supported SecureAuth IdP Property; this entry is case-sensitive.

8c. Enter the numeric Vendor ID.

8d. Enter the numeric Vendor-Specific Attribute that is mapped to the SecureAuth IdP Property specified in step 8b.

8e. Select the RADIUS attribute type from the Field Type dropdown:

  • string – variable-length string field used for printable text strings.
  • date – UNIX timestamp, in seconds since January 1, 1970 GMT.
  • octets – variable-length string field used for binary data.
  • short – two-byte integer.
  • integer – unsigned 32-bit integer.
  • ipaddr – IPv4 address.
  • ipv6addr – IPv6 address.


NOTE: The Field Type selection must be accurately defined in order to be accepted by the client.

8f. To map another attribute, click the "+" button at the end of the last row; this action adds a new row below.


NOTE: To remove a row from the Custom Attribute Mapping table, click the "-" button at the end of the row to be removed.

9. Static Value Mapping is used to map data to the RADIUS Vendor-Specific Attribute (VSA) configuration.

The Attribute field is mandatory and must be set in this step or in Custom Attribute Mapping in step 8.

To add a row and map a static value attribute...

9a. Click the "+" button preceding Add Attribute.

9b. Enter a Static Value to be mapped to the RADIUS Attribute.

9c. Enter the numeric Vendor ID.

9d. Enter the numeric Vendor-Specific Attribute that is mapped to the Static Value specified in step 9b.

9e. Select the RADIUS attribute type from the Field Type dropdown:

  • string – variable-length string field used for printable text strings.
  • date – UNIX timestamp, in seconds since January 1, 1970 GMT.
  • octets – variable-length string field used for binary data.
  • short – two-byte integer.
  • integer – unsigned 32-bit integer.
  • ipaddr – IPv4 address.
  • ipv6addr – IPv6 address.

NOTE: The Field Type selection must be accurately defined in order to be accepted by the client.

9f. To map another attribute, click the "+" button at the end of the last row; this action adds a new row below.

NOTE: To remove a row from the Static Value Mapping table, click the "-" button at the end of the row to be removed.


10. Click Add Client after all client entries are made, or click Cancel to return to the RADIUS Clients page without adding a client.
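The Vendor ID, Vendor-Specific Attribute number and Field Type entered in steps 8 and 9 are carried to the client as a RADIUS Vendor-Specific attribute (type 26, RFC 2865). The following Python, added here and not SecureAuth code, encodes and decodes one such attribute from those three inputs and shows why the Field Type NOTE matters: the same value 5 occupies four bytes as integer but a single byte as string. The sample uses Cisco's IANA enterprise number 9 and the Cisco-AVPair vendor type 1; the attribute text is constructed.

```python
import ipaddress
import struct

VENDOR_SPECIFIC = 26  # RADIUS attribute type 26, Vendor-Specific (RFC 2865, section 5.26)

def encode_value(field_type: str, value) -> bytes:
    """Serialise one value using the Field Type names from the dropdown above."""
    if field_type == "string":            # printable text
        return str(value).encode("utf-8")
    if field_type == "octets":            # raw binary, passed through untouched
        return bytes(value)
    if field_type == "date":              # UNIX seconds since 1970-01-01 GMT, as uint32
        return struct.pack("!I", int(value))
    if field_type == "short":             # two-byte integer
        return struct.pack("!H", int(value))
    if field_type == "integer":           # unsigned 32-bit integer
        return struct.pack("!I", int(value))
    if field_type == "ipaddr":            # IPv4 address, 4 bytes
        return ipaddress.IPv4Address(value).packed
    if field_type == "ipv6addr":          # IPv6 address, 16 bytes
        return ipaddress.IPv6Address(value).packed
    raise ValueError(f"unknown field type: {field_type}")

def encode_vsa(vendor_id: int, vendor_type: int, field_type: str, value) -> bytes:
    """Build one VSA: Type(26) | Length | Vendor-Id | Vendor-Type | Vendor-Length | data."""
    if not 0 < vendor_id < 2**24:
        raise ValueError("Vendor-Id must fit in 3 octets (high octet is zero)")
    data = encode_value(field_type, value)
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data   # vendor sub-attribute
    body = struct.pack("!I", vendor_id) + sub
    if len(body) + 2 > 255:
        raise ValueError("attribute longer than the 255-byte RADIUS limit")
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body

def decode_vsa(attr: bytes):
    """Parse one VSA back into (vendor_id, vendor_type, data) and check its lengths."""
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    vendor_type, vendor_len = attr[6], attr[7]
    if vendor_len != len(attr) - 6:
        raise ValueError("Vendor-Length does not match the attribute length")
    return vendor_id, vendor_type, attr[8:6 + vendor_len]

if __name__ == "__main__":  # constructed sample: Cisco is IANA enterprise 9, Cisco-AVPair is type 1
    print(encode_vsa(9, 1, "string", "shell:priv-lvl=15").hex())
```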


To edit a client's information or remove a client from the list...

1. Find the RADIUS client to be edited and click its "edit" icon at the far right.

Edit RADIUS Client

2. Do one of the following:

a. Click Cancel if no changes will be made – the RADIUS Clients page appears;

b. Update any information that has changed for the client and click Save Changes; or

c. Click Disable Client if the client will no longer be used with the realm or RADIUS server. Any request to the disabled client will be rejected and end users will not be able to log in. (Logs will show the message: RadiusSession: Radius client can't be found for IP: x.x.x.x)

This action moves the client to the Disabled Clients list – an example of a disabled client appears in the sample screen above. 

3. If Disable Client was clicked, the Remove Clients option becomes available. Do one of the following:

a. Click Cancel if no changes will be made – the RADIUS clients list appears;

b. Click Remove Clients to remove the client from the Disabled Clients list and from the RADIUS server; or

c. Click Enable Client to enable the client for use with the realm and RADIUS server. This action removes the client from the Disabled Clients list and includes it in the Enabled Clients list.


