
This document is organized into four parts:

  1. Topics in this guide include:
    Table of Contents
  2. Installation – see Installation guide - v2.5 - SecureAuth IdP RADIUS server
  3. Configuration – see Configuration guide - v2.5 - SecureAuth IdP RADIUS server
  4. End-user experience – see End-user experience - v2.5 - SecureAuth IdP RADIUS server


SecureAuth IdP features | SecureAuth IdP version | Configuration notes
Adaptive Authentication


Configure threat checking for:

  • User Groups – See Adaptive Authentication for RADIUS responses with user group checking enabled.
  • End-user Client IPs – Cisco, NetScaler, and Palo Alto Networks platforms only.


Attribute Mapping


Configure and enable Identity Management API (v9.1+) on the realm to grant / deny end-user logon access.

Group based authentication – Optionally configure Membership Connection Settings to grant / deny logon access:

  • Specify the name of the user group to be granted / denied access, or
  • Designate a Property from Profile Fields to identify the user group to be granted / denied access.
UPN Logon


Multi-Factor Authentication methods


SecureAuth IdP version | SecureAuth IdP v9.x supported server and required components
Time-based One-Time Passcode (TOTP) | v9.1+

NetMotion Wireless VPN:

  • PEAP protocol support requirements:
    • Public or private certificate
    • .PFX file
    • Private Key and Private Key Password
  • Microsoft Visual C++ requirements:
    • Redistributable for Visual Studio 2012 Update 4 installed on the Windows server on which SecureAuth IdP RADIUS server is deployed

NOTE: Refer to the NetMotion Mobility RADIUS configuration guide.

HMAC-based One-Time Passcode (HOTP) | v9.1+
SMS (OTP only) | v9.1+
Email (OTP only) | v9.1+
Passcode OTP (Push Notification) | v9.1+
Mobile Login Request | v9.1+
Supported platforms


  • Windows Server 2008 R2
  • Windows Server 2012 R2
  • Windows Server 2016


  • PAP
  • PEAP (NetMotion only)
  • MS-CHAPv2

SecureAuth IdP Adaptive Authentication IP Checking feature:

Platform | RADIUS end user IP

Cisco Systems


Citrix NetScaler


Juniper Networks


Palo Alto Networks

Port settings  


  • Allow RADIUS Listener – Default is UDP port 1812.
  • Block TCP port 8088 – This port is used for the administrative web interface and should be blocked for security reasons.
RADIUS VPN and product support

Supported RADIUS clients:

  • Checkpoint
  • Cisco ASA with AnyConnect and Web Client
  • Cisco IPSec
  • Citrix NetScaler with Web Client
  • F5
  • Fortigate
  • Juniper VPN (IVE, MAG) Pulse Secure thick client
  • NetMotion Wireless VPN
  • Palo Alto Networks
  • SonicWall
  • VMware Horizon HTML Access
  • VMware Horizon View
  • WatchGuard

Other compatible RADIUS clients include:

  • Avocent
  • Barracuda
  • Microsoft Forefront

Contact SecureAuth Professional Services with inquiries.

To configure a Palo Alto Networks GlobalProtect VPN to send the client IP to SecureAuth IdP RADIUS server:

  • See Palo Alto Networks GlobalProtect VPN Configuration Guide (RADIUS) (v9.1+).
RADIUS client configuration  

Though not all RADIUS clients are configured in the same manner, the following basic connectivity parameters must be configured on RADIUS clients to be used with SecureAuth IdP:

  • RADIUS server IP address.
  • Shared secret to use between the RADIUS server and RADIUS client(s).
  • Port 1812 to use for RADIUS authentication requests, and Port "0" for accounting when applicable or if used as the default port.
  • Timeout value.
  • Retries value.
  • Connection profile that will use the SecureAuth RADIUS authentication server.
  • Group policy of the connection profile to identify resources end-users can access once logged on the network.

NOTE: A valid certificate must be installed if using NetMotion Wireless VPN.

Sample RADIUS authentication server configuration:

Add Server dialog | SecureAuth IdP RADIUS Server information | Configuration notes
Name | RADIUS Server description name (friendly name)

This configuration enables the administrator to control static IP assignment of the VPN client via SecureAuth IdP and the RADIUS server.

NOTE: SecureAuth IdP RADIUS server v2.5 can be configured to pass an IP address to the VPN for static IP assignment to the VPN client (for example: PC or Mac).

See SecureAuth IdP RADIUS Server Static IP Address Configuration Guide for step-by-step instructions.

RADIUS Server | IP Address or Name of the RADIUS Server
Authentication Port | 1812
Shared Secret | SecureAuth RADIUS Shared Secret
Timeout | 60 Seconds (recommended)
Retries | 3 (recommended)
SecureAuth IdP RADIUS server v2.5 installation   


If SecureAuth RADIUS v1.0.x is currently installed, review the upgrade instructions in the Installation guide before installing the newer version of RADIUS.

If SecureAuth IdP RADIUS server v2.0.x - v2.2.x is currently installed, use the install instructions in Install SecureAuth IdP RADIUS server v2.5 to upgrade while retaining the current configuration settings.

If SecureAuth IdP RADIUS server v2.3.9 / v2.3.12 is currently installed, use the install instructions in Install SecureAuth IdP RADIUS server v2.5 to upgrade while retaining the current configuration settings.

If SecureAuth IdP RADIUS server v2.4.x is currently installed, use the install instructions in Install SecureAuth IdP RADIUS server v2.5 to upgrade while retaining the current configuration settings.

New installation

If installing SecureAuth IdP RADIUS server v2.5.x for the first time on the designated appliance, follow the install instructions in the installation guide.

SecureAuth IdP RADIUS logs for troubleshooting

See SecureAuth IdP RADIUS server logs for information about using the RADIUS logs for troubleshooting.


SecureAuth IdP RADIUS server logs 

Enable logs

SecureAuth IdP RADIUS server logs can assist in troubleshooting the SecureAuth IdP RADIUS server.

Set up logs for the SecureAuth IdP RADIUS server by completing the following:

  1. Download the log4j2.xml log configuration file, and place it in a temporary folder on the SecureAuth RADIUS server.
  2. Rename C:\idpRADIUS\bin\conf\log4j2.xml so you can use it to disable logging when you finish debugging.

    The paths you use might be different, depending on your RADIUS server version or the destination folder selected when you installed the RADIUS server. The following are examples of default paths:
    • C:\idpRADIUS\bin\conf\log4j2.xml
    • C:\Program Files (x86)\SecureAuth Corporation\SecureAuth IdP RADIUS Agent\bin\conf\log4j2.xml
    • C:\Program Files\SecureAuth Corporation\SecureAuth IdP RADIUS Agent\bin\conf\log4j2.xml
  3. Place the downloaded log4j2.xml file in the *\bin\conf folder, which is the same folder used in step 2.
  4. Run the services.msc application, then restart the SecureAuth RADIUS service.
  5. Replicate the issue you have encountered.
  6. Find log files stored in *\bin\Logs\saRadiusServer.log.
  7. Receive assistance with resolving the issue by forwarding log files to the SecureAuth Support team when you create a support ticket.
  8. Restore the original log4j2.xml after debugging is completed.

    Trace level logging uses a substantial amount of disk space and can create disk space issues over time.

To change the log level in log4j2.xml:

  1. In log4j2.xml, under "<Loggers>", find logger name="com.secureauth" and change the level value to "all". For example:

   <logger name="com.secureauth" level="all" additivity="false">

  2. Save edits.
  3. Find log files stored in C:\IdPRADIUS\bin\Logs\saRadiusServer

The table below shows log levels in order by verbosity:

Level | Description
ALL | Captures all logging
TRACE | Captures finer-grained informational events than DEBUG (contains all package attributes to and from the VPN)
DEBUG | Captures fine-grained informational events for debugging RADIUS
INFO | Captures diagnostic information at a coarse-grained level, and Adaptive Authentication password state results

  • PasswordState: Adaptive Auth results in status: Continue for user
  • PasswordState: Adaptive Auth results in status: TwoFactor for user

WARN | Designates potentially harmful situations
ERROR | Captures critical or error conditions that still allow RADIUS to run
FATAL | Captures emergency conditions for severe error events
OFF | Disables logging
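
The INFO-level PasswordState messages listed with the log levels above can be tallied from a collected saRadiusServer.log to see how Adaptive Authentication is deciding per user. The following is an added example, not SecureAuth code: the sample lines are constructed, and the line prefix, the position of the user ID after "for user", and the `ExampleOther` status are assumptions.

```python
import re
from collections import Counter, defaultdict

# Statuses the page documents for the INFO-level PasswordState message.
DOCUMENTED = {"Continue", "TwoFactor"}

# Keyed only on the message text quoted on the page. Assumption: the user ID
# follows "for user" and uses the valid user-ID characters.
PASSWORD_STATE = re.compile(
    r"PasswordState: Adaptive Auth results in status: (\w+) for user\s*"
    r"([A-Za-z0-9.@_-]*)"
)

# Constructed sample lines: the timestamp/level prefix, the user names and the
# "ExampleOther" status are made up for this example.
SAMPLE_LOG = """\
2019-01-10 09:00:01 INFO PasswordState: Adaptive Auth results in status: Continue for user alice
2019-01-10 09:00:07 INFO PasswordState: Adaptive Auth results in status: TwoFactor for user bob
2019-01-10 09:01:12 DEBUG constructed line that is not a PasswordState message
2019-01-10 09:02:30 INFO PasswordState: Adaptive Auth results in status: Continue for user alice
2019-01-10 09:03:44 INFO PasswordState: Adaptive Auth results in status: ExampleOther for user carol
"""


def summarize(lines):
    """Tally Adaptive Authentication results per status and per user."""
    per_status = Counter()
    per_user = defaultdict(Counter)
    for line in lines:
        match = PASSWORD_STATE.search(line)
        if match is None:
            continue
        status, user = match.group(1), match.group(2) or "<no user>"
        per_status[status] += 1
        per_user[user][status] += 1
    return {
        "per_status": dict(per_status),
        "per_user": {u: dict(c) for u, c in per_user.items()},
        # Users with at least one TwoFactor result.
        "two_factor_users": sorted(u for u, c in per_user.items() if c["TwoFactor"]),
        # Statuses outside the two documented values deserve a closer look.
        "undocumented": sorted(set(per_status) - DOCUMENTED),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```
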

Sample logs for different RADIUS failover scenarios

Failover to a SecureAuth IdP RADIUS backup server is configured under Step B: IdP Realms configuration, Add IdP Realm in the Configuration guide - v2.5 - SecureAuth IdP RADIUS server.


RAD-179 | SonicWall NetExtender created a hotfix to resolve a RADIUS client problem with 2FA methods. All 2FA methods are available.


Editing and saving a disabled realm no longer enables the realm.
RAD-204 | The Static Value field is empty by default in the RADIUS Client tab, in the Static Value Mapping section.
RAD-206 | The Static Value field allows up to 247 characters in the RADIUS Client tab, in the Static Value Mapping section.
RAD-208 | Uppercase letters are allowed in the Static Value field, in the RADIUS Client tab, in the Static Value Mapping section.
RAD-212 | Clicking the context-sensitive help (small i) over a disabled client setting shows information for disabled clients in the RADIUS Client tab.
RAD-249 | Numerous minor bug fixes were completed.

When creating a RADIUS client and clicking the Add Attribute button, the client is no longer saved when the Add Client button is not selected.

RAD-253 | RADIUS client attribute values are restricted to the supported RADIUS protocol length of 253 bytes.

Known issues


When running the RADIUS client with the Pulse Secure client and 2FA options, Pulse Secure limits the maximum number of characters to 210. End-users can see all options in the Pulse Secure web client when the number of characters is less than 210.

A second Pulse Secure limitation causes options 5 - 8 to be cut off from end-users' view on the 2FA list. End-users can select options 5 - 8, even though they are off-screen and there is no scrollbar.

Optionally, modify text in the RADIUS configuration file to shorten messages from the multi-factors message. See "Modify text showing on client user interface during login" in Configuration guide - v2.5 - SecureAuth IdP RADIUS server.


Invalid characters in user IDs sent to the RADIUS server cause a RADIUS server failure.

Workaround: Ensure that user IDs contain the following valid characters only:

  • A - z
  • 0 - 9
  • . (dot), - (minus sign), @ (domain), and _ (underscore)
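
One way to apply the workaround is to audit a user ID export before those accounts authenticate through RADIUS. The following is an added example, not SecureAuth code: it assumes "A - z" means the ASCII letters A-Z and a-z, uses constructed sample IDs, and also applies the 253-byte RADIUS attribute limit to the user ID.

```python
import re

# Letters, digits and the four punctuation characters from the workaround.
# Assumption: "A - z" on the page means ASCII A-Z and a-z only.
VALID_CHAR = re.compile(r"[A-Za-z0-9.\-@_]")
MAX_ATTRIBUTE_BYTES = 253  # RADIUS attribute value limit

# Constructed sample IDs for this example.
SAMPLE_IDS = [
    "jsmith",
    "j.smith@example.com",
    "svc_radius-01",
    "DOMAIN\\jsmith",   # backslash is not in the valid set
    "jos\u00e9",        # non-ASCII letter; str.isalnum() would accept it
    "jsmith\n",         # trailing newline; re.match(r"...$") would accept it
]


def check_user_id(user_id):
    """Return a list of problems; an empty list means the ID passes."""
    problems = []
    if not user_id:
        problems.append("empty")
    # Test every character individually so nothing slips past an anchor.
    bad = sorted({c for c in user_id if not VALID_CHAR.fullmatch(c)})
    if bad:
        problems.append("invalid characters: " + " ".join(repr(c) for c in bad))
    if len(user_id.encode("utf-8")) > MAX_ATTRIBUTE_BYTES:
        problems.append("longer than 253 bytes")
    return problems


def audit(user_ids):
    """Map each failing user ID to its list of problems."""
    return {u: p for u in user_ids if (p := check_user_id(u))}


if __name__ == "__main__":
    for user_id, problems in audit(SAMPLE_IDS).items():
        print(repr(user_id), "->", "; ".join(problems))
```
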

Version 2.4 - Release Date: October, 2018

New features and enhancements

Version: 2.4
Compatibility: SecureAuth IdP versions 8.2 - 9.2

--- | IdP realms and RADIUS clients can be disabled and enabled.
RAD-13 | Authentication workflow names are standardized for consistency with IdP naming conventions.
RAD-44 | Additional logging is available for Adaptive Authentication steps.
RAD-58 | Text hints appear on the IdP Realm page.
RAD-91 | Toggling is available on RADIUS clients page to enter either a NAS-IP or client IP address.
RAD-107 | Single page workflow was added for Username, Second Factor, and Password.
RAD-110 | Wild cards are supported when defining RADIUS client IP values.
RAD-143 | One or more backup IdP hosts can be specified for failover functionality.
RAD-147 | PIN + TOTP end-user workflow was added.

Resolved issues

RAD-215 | Custom API header with millisecond-precision dates now works with SecureAuth IdP version 9.2