Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


SecureAuth IdP featuresSecureAuth IdP versionConfiguration notes
Adaptive Authentication


Configure threat checking for:

  • User Groups – See Adaptive Authentication for RADIUS responses with user group checking enabled.
  • End-user Client IPs – Cisco, NetScaler, and Palo Alto Networks platforms only.


Attribute Mapping


Configure and enable Identity Management API (v9.1+) on the realm to grant / deny end-user logon access.

Group based authentication – Optionally configure Membership Connection Settings to grant / deny logon access:

  • Specify the name of the user group to be granted / denied access, or
  • Designate a Property from Profile Fields to identify the user group to be granted / denied access.
UPN Logon


Multi-Factor Authentication methods


SecureAuth IdP versionSecureAuth IdP v9.x supported server and required components
Time-based One-Time Passcode (TOTP)v9.1+

NetMotion Wireless VPN:

  • PEAP protocol support requirements:
    • Public or private certificate
    • .PFX file
    • Private Key and Private Key Password
  • Microsoft Visual C++ requirements:
    • Redistributable for Visual Studio 2012 Update 4 installed on the Windows server on which SecureAuth IdP RADIUS server is deployed

NOTE: Refer to the NetMotion Mobility RADIUS configuration guide.

SMSSMS (OTP only)v9.1+
Email (OTP only)v9.1+
Passcode OTP (Push Notification)v9.1+
Mobile Login Requestv9.1+
Supported platforms


  • Windows Server 2008 R2
  • Windows Server 2012 R2


  • PAP
  • PEAP (NetMotion only)

SecureAuth IdP Adaptive Authentication IP Checking feature:

PlatformRADIUS end user IP

Cisco Systems


Citrix NetScaler


Juniper Networks


Palo Alto Networks


Port settings  


  • Allow RADIUS Listener – Default is UDP port 1812.
  • Block TCP port 8088 – This port is used for the administrative web interface and should be blocked for security reasons.

RADIUS VPN and product support

Supported RADIUS clients:

  • Checkpoint
  • Cisco ASA with AnyConnect and Web Client
  • Cisco IPSec
  • Citrix NetScaler with Web Client
  • F5
  • Fortigate
  • Juniper VPN (IVE, MAG) Pulse Secure thick client
  • NetMotion Wireless VPN
  • Palo Alto Networks
  • SonicWall
  • VMware Horizon HTML Access
  • VMware Horizon View
  • WatchGuard

Other compatible RADIUS clients include:

  • Avocent
  • Barracuda
  • Microsoft Forefront

Contact SecureAuth Professional Services with inquiries.

To configure a Palo Alto Networks GlobalProtect VPN to send the client IP to SecureAuth IdP RADIUS server:

  • See Palo Alto Networks GlobalProtect VPN Configuration Guide (RADIUS) (v9.1+).
RADIUS client configuration  

Though not all RADIUS clients are configured in the same manner, basic connectivity parameters must be configured on RADIUS clients to be used with SecureAuth IdP; these include:

  • RADIUS server IP address.
  • Shared secret to use between the RADIUS server and RADIUS client(s).
  • Port 1812 to use for RADIUS authentication requests, and Port "0" for accounting when applicable or if used as the default port.
  • Timeout value Retries value.
  • Connection profile that will use the SecureAuth RADIUS authentication serverGroup policy of the connection profile to identify resources end-users can access once logged on the network.

NOTE: A valid certificate must be installed if using NetMotion Wireless VPN.

Sample RADIUS authentication server configuration:

Add Server dialogSecureAuth IdP RADIUS Server informationConfiguration notes
NameRADIUS Server description name (friendly name)

This configuration enables the administrator to control static IP assignment of the VPN client via SecureAuth IdP and the RADIUS server.

NOTE: SecureAuth IdP RADIUS server v2.4 can be configured to pass an IP address to the VPN for static IP assignment to the VPN client (for example: PC or Mac).

See SecureAuth IdP RADIUS Server Static IP Address Configuration Guide for step-by-step instructions. 

RADIUS ServerIP Address or Name of the RADIUS Server
Authentication Port1812
Shared SecretSecureAuth RADIUS Shared Secret
Timeout60 Seconds (recommended)
Retries3 (recommended)

SecureAuth IdP RADIUS server v2.4 installation   


If SecureAuth RADIUS v1.0.x is currently installed, review the upgrade instructions in the Installation guide before installing the newer version of RADIUS.

If SecureAuth IdP RADIUS server v2.0.x - v2.2.x is currently installed, use the install instructions in this guide to upgrade while retaining the current configuration settings.

New installation

If installing SecureAuth IdP RADIUS server v2.3.9 / v2.3.12 for the first time on the designated appliance, follow the install instructions in the installation guide.

SecureAuth IdP RADIUS logs for troubleshooting

See SecureAuth IdP RADIUS server logs for information on using the RADIUS logs for troubleshooting.


IDNew features and enhancements
---IdP Realms and RADIUS Clients can now be disabled / enabled
RAD-13Standardized authentication workflow names for consistency with IdP naming conventions
RAD-44Additional logging is now available for Adaptive Authentication steps
RAD-58Text hints now appear on the IdP Realm page
RAD-91Toggle now available on RADIUS clients page to enter either a NAS-IP or client IP address
RAD-107Single page workflow added for Username, Second Factor, Password
RAD-110Wild cards now supported when defining RADIUS client IP values
RAD-143One or more backup IdP hosts can now be specified for failover functionality
RAD-147PIN + TOTP end-user workflow added
RAD-172New workflow added for entering OTP as first option, and Password as challenge
RAD-209MS-CHAPv2 support added for Microsoft Remote Desktop Gateway and Cisco ASA
RAD-211NetMotion integration supported
RAD-228TLS 1.2 support added for NetMotion VPN with Mobility clients on version 11.02+
RAD-234Custom API header now accommodates millisecond-precision dates
IDBug fixes
RAD-215Custom API header with millisecond-precision dates now works with SecureAuth IdP version 9.2
IDKnown issues

Invalid characters in user IDs sent to the RADIUS server cause a RADIUS server failure.

Workaround: Ensure that user IDs contain the following valid characters only:

  • A - z
  • 0 - 9
  • . (dot), - (minus sign), @ (domain), and _ (underscore)