Introduction

Use this guide to enable end-user desktop, web, and mobile Multi-Factor Authentication login access to a VPN and remote resources via RADIUS.

As an optional component of the SecureAuth IdP product, SecureAuth IdP RADIUS server is typically installed on a stand-alone server or on a SecureAuth IdP appliance. The RADIUS feature enables an enterprise to provide strong, adaptive authentication for RADIUS clients such as VPNs and other applications that leverage RADIUS for Multi-Factor Authentication used in conjunction with SecureAuth IdP.

This guide applies to the following versions of SecureAuth IdP and SecureAuth IdP RADIUS Server:

| SecureAuth IdP version(s) | SecureAuth IdP RADIUS Server | Notes |
| --- | --- | --- |
| 8.2 - 9.1 | v2.3.9 | If running SecureAuth IdP version 8.2 up to 9.1, then download SecureAuth IdP RADIUS Server v2.3.9 |
| 9.2 | v2.3.14 | If running SecureAuth IdP version 9.2, then download SecureAuth IdP RADIUS Server v2.3.14 |

Refer to SecureAuth IdP RADIUS Server v2.0.2 Integration Guide for the version of RADIUS Server supported by SecureAuth IdP version 8.1

Prerequisites
Requirements
SecureAuth IdP Version | Supported Features | Minimum Required Configuration | Supported Tools and Required Components
8.2+

Adaptive Authentication – configure threat checking for

Push-to-Accept

Authentication API configured and enabled on the realm 
9.0+

Attribute Mapping – configure and enable Identity Management API on the realm to grant / deny end-user logon access

  • Group based authentication (OPTIONAL) – configure Membership Connection Settings to grant / deny logon access
    • specify the name of the user group to be granted / denied access, or
    • designate a Property from Profile Fields to identify the user group to be granted / denied access

UPN Logon – configure Active Directory Data Store to enable the UPN logon format

Authentication API configured and enabled on the realm

NetMotion Wireless VPN

  • For PEAP protocol support
    • Public or private certificate
    • .PFX file
    • Private Key and Private Key Password
  • Microsoft Visual C++ (Redistributable for Visual Studio 2012 Update 4)

SecureAuth employees, refer to: NetMotion Mobility RADIUS Configuration Guide

 

Supported Multi-Factor Authentication Methods
  • Time-based One-Time Passcode (TOTP)
  • SMS
  • Phone
  • Email
  • Passcode OTP (Push Notification)
  • Mobile Login Request (Push-to-Accept Notification requires SecureAuth IdP version 8.2+)
  • PIN

Supported Platforms

Server
  • Windows Server 2008 R2
  • Windows Server 2012 R2

Protocols
  • PAP
  • PEAP (NetMotion only)

Adaptive Authentication IP Checking

| Platform | RADIUS End User IP |
| --- | --- |
| Cisco Systems | Calling-Station-Id |
| Citrix NetScaler | Calling-Station-Id |
| Juniper Networks | Tunnel-Client-Endpoint |
| Palo Alto Networks | PaloAlto-Client-Source-IP |

Port Settings

Inbound

  • Allow RADIUS Listener – Default is UDP port 1812 
  • Block TCP port 8088 – This port is used for the administrative web interface and should be blocked for security reasons

RADIUS VPN and Product Support (RADIUS Client)
  • Checkpoint
  • Cisco ASA with AnyConnect and Web Client
  • Cisco IPSec
  • Citrix NetScaler with Web Client
  • F5
  • Fortigate
  • Juniper VPN (IVE, MAG) Pulse Secure thick client
  • NetMotion Wireless VPN
  • Palo Alto Networks
  • SonicWall
  • VMware Horizon HTML Access
  • VMware Horizon View
  • WatchGuard

Other compatible RADIUS clients include: Avocent, Barracuda, and Microsoft Forefront (contact SecureAuth Professional Services with inquiries)

NOTE: Refer to Palo Alto Networks GlobalProtect VPN Configuration Guide (RADIUS) to configure a Palo Alto Networks GlobalProtect VPN to send the client IP to SecureAuth IdP RADIUS server 

RADIUS Client Configuration

Though not all RADIUS clients are configured in the same manner, basic connectivity parameters must be configured on RADIUS clients to be used with SecureAuth IdP

  • RADIUS server IP address
  • Shared secret to use between the RADIUS server and RADIUS client(s)
  • Port 1812 to use for RADIUS authentication requests, and Port '0' for accounting when applicable or if used as the default port
  • Timeout value
  • Retries value
  • Connection profile that will use the SecureAuth RADIUS authentication server
  • Group policy of the connection profile to identify resources end-users can access once logged on the network

NOTE: A valid certificate must be installed if using NetMotion Wireless VPN

Example of RADIUS authentication server configuration...

| Add Server dialog | SecureAuth IdP RADIUS Information |
| --- | --- |
| Name | RADIUS Server description name (friendly name) |
| RADIUS Server | IP Address or Name of the RADIUS Server |
| Authentication Port | 1812 |
| Shared Secret | SecureAuth RADIUS Shared Secret |
| Accounting Port | 1813 |
| Timeout | 60 Seconds (recommended) |
| Retries | 3 (recommended) |

NOTE: SecureAuth IdP RADIUS Server version 2.2.19+ can be configured to pass an IP address to the VPN for static IP assignment to the VPN client (e.g. PC or Mac)

This configuration enables the administrator to control static IP assignment of the VPN client via SecureAuth IdP and the RADIUS server

Refer to the SecureAuth IdP RADIUS Server Static IP Address Configuration Guide for step-by-step details

RADIUS 2.3.9+ Installation

Upgrades

If SecureAuth RADIUS v1.0.x is currently installed, review the upgrade instructions in the SecureAuth IdP RADIUS Server v2.3.9+ Installation Guide before installing the newer version of RADIUS

If RADIUS v2.0.x - v2.2.x is currently installed, use the install instructions in the SecureAuth IdP RADIUS Server v2.3.9+ Installation Guide to upgrade while retaining the current configuration settings

New Installation

If installing RADIUS v2.3.9 / v2.3.12 for the first time on the designated appliance, follow the install instructions in the SecureAuth IdP RADIUS Server v2.3.9+ Installation Guide

See RADIUS Logs for information about using the RADIUS logs for troubleshooting 

SecureAuth RADIUS Admin Console Configuration Steps

After the RADIUS Windows service is installed and configured, use the RADIUS Admin Console to configure the server and client, and optionally any SecureAuth IdP realm to be used with RADIUS

1. Access the RADIUS Admin Console at http://localhost:8088/configuration – the user interface is restricted to local machine access by default

2. Configure the RADIUS Server Settings tab

3. Click the IdP Realms tab to add / edit Authentication API realms to be used with the RADIUS server

4. Click the RADIUS Clients tab to add and configure settings for the RADIUS client(s)

To simplify the task of creating additional SecureAuth IdP RADIUS Servers, the configuration can be exported to a .cfg file and imported on the target SecureAuth IdP RADIUS Server

TIP: The .cfg file can also be used to back up the configuration

WARNING: If the .cfg file is imported via the RADIUS Admin Console server, all configurations made on the RADIUS Server Settings tab, IdP Realms tab, and RADIUS Clients tab will be overwritten by the configurations in this file

NOTE: See Export / Import RADIUS Configuration

RADIUS Server Settings Configuration Steps

 

1. In the RADIUS Server Settings section, input the Shared Secret that was entered in the management console of the RADIUS client

The Authentication Port number 1812 appears by default

2. (OPTIONAL) In the Syslog Settings section, specify whether to Enable Syslog Logging

NOTE: The standard Syslog Protocol RFC5424 is supported

3. If the Syslog Logging option is enabled, enter the Syslog Server IP address

The Syslog Port number 514 appears by default

4. (OPTIONAL) Enter the Private Enterprise Number (PEN)

5. If using NetMotion VPN, in the PEAP Settings section

5a. Click Choose File to browse and select the Private Key PFX File

5b. Enter the Private Key Password configured for the .PFX file

Radius Server Key Certificate information appears which identifies the SecureAuth IdP RADIUS server .PEM certificate

See Export SecureAuth IdP RADIUS Server Certificate for information about using the Export Server Certificate link

6. Click Save after all server entries are made

NOTE: The Shared Secret field displays [Encrypted Value] once the input values are saved

Export SecureAuth IdP RADIUS Server Certificate

If the SecureAuth IdP RADIUS server certificate has been uploaded to this server, the Export Server Certificate link is active

1. Click Export Server Certificate to download the .PEM certificate

This self-signed certificate must be imported to the Trust Store on the NetMotion client installed on the end-user mobile device

NOTE: SecureAuth IdP server certificates are not exported via this utility

IdP Realms Configuration Steps

 

1. On the IdP Realms page, click Add IdP Realm

Add IdP Realm

 

2. On the Add IdP Realm page, localhost appears in the IdP Host field by default

If the realm is hosted on a different SecureAuth IdP than the one hosting this RADIUS server, enter the IdP Host name or the IP address of the SecureAuth IdP realm to be used with this RADIUS server

e.g. hostname.secureauth.com or XXX.XXX.XXX.XXX (in which 'X' represents a number in the IP address)

3. Enter the IdP Realm name and number

e.g. SecureAuth53

4. From the SecureAuth IdP server, copy the Application ID generated for the realm and paste that content in the API Application ID field

NOTE: Refer to Authentication API Guide for steps on generating the Application ID in the API Key section of the API tab

5. From the SecureAuth IdP server, copy the Application Key generated for the realm and paste that content in the API Application Key field

NOTE: Refer to Authentication API Guide for steps on generating the Application Key in the API Key section of the API tab

6. Click Cancel to return to the IdP Realms page without adding the realm, or click Add IdP to add the realm for use with the RADIUS server

To edit a realm's information or remove a realm from the list...

 

1. Find the IdP Realm URL to be edited and click its 'edit' icon at the far right

Edit IdP Realm

 

2. On the Edit IdP Realm page, do one of the following

  • Click Cancel if no changes will be made – the IdP Realm URL page appears
  • Update any information that has changed on the realm and click Save Changes – note [Encrypted Value] appears for the saved API Application ID and API Application Key
  • Click Remove Realm if the realm will no longer be used with the RADIUS server

RADIUS Clients Configuration Steps

Refer to the SecureAuth IdP RADIUS Server Static IP Address Configuration Guide for step-by-step details on configuring SecureAuth IdP RADIUS Server version 2.3.9+ to pass an IP address to the VPN for static IP assignment to the VPN client (e.g. PC or Mac)

To view details about the client...

1. Click the 'i' at the start of the row – a window appears showing details about the RADIUS client

RADIUS Client section shows

  • IP Address – the client's IP address, or an asterisk ( * ) which indicates the client IP will be mapped to all RADIUS client IPs configured
  • Date Created – client creation date using the MM-DD-YYYY format
  • Date Modified – most recent client modification date using the MM-DD-YYYY format

IdP Settings section shows

  • IdP Realm – URL / realm number selected
  • Workflow – one of eight selections made for this client (the default is Password + Time-based Passcode or 2-Factor Challenge Options)
  • Adaptive Authentication – "Active" or "Inactive" status depending on whether or not this feature is enabled

2. Click the 'X' in the upper right corner of the window to exit, or click Edit to go to the Edit RADIUS Client page

 

On the RADIUS Clients page, by default a single row appears populated with client information that can be modified on the Edit RADIUS Client page

  • Client Name – a friendly name for the client can be manually entered
  • Client IP Address – asterisk ( * ) indicates the client IP will be mapped to all RADIUS client IPs configured
  • Authentication Workflow – default workflow selection is Password + Time-based Passcode or 2-Factor Challenge Options

1. Click Add Client

Add RADIUS Client

 

2. On the Add RADIUS Clients page, enter a friendly Client Name – e.g. "Cisco"

3. Enter the Client IP Address – this is either the NAS-IP address or the client IP address

 See information about NAS-IP and Client IP entries...

In some environments, the RADIUS client must be filtered by the client IP address rather than the NAS-IP address; the NAS-IP address is specified in the RFC documentation and is the default configuration for the client to connect to the RADIUS server

If using the client IP address to filter the RADIUS client, the NAS-IP address can be overridden in the appliance.radius.properties file by specifying use of the client IP address

To configure client IP address usage

1. Go to C:\idpRADIUS\bin\conf\appliance.radius.properties

2. Add this line at the end of the configuration file

shouldUseSrcIp=true

3. Save edits

4. In the SecureAuth IdP Settings section, select the SecureAuth IdP Realm from the dropdown

Selections only include Authentication API realms added on the IdP Realms page

5. Select the Authentication Workflow from the dropdown – this must match a workflow configured and enabled on the realm selected in step 4

  • Password + Time-based Passcode or 2-Factor Challenge Options
  • Password & Mobile Login Request (Accept / Deny)
  • Password
  • Time-based Passcode
  • Time-based Passcode / Password
  • Password + Time-based Passcode
  • Username + 2FA Options
  • Username + 2FA Options + Password

NOTE: Not all authentication workflows are supported by all RADIUS clients due to RADIUS client configuration limitations

6. (OPTIONAL) If using Adaptive Authentication, check Enable Adaptive Authentication

7. If Adaptive Authentication is enabled, in the RADIUS End User IP field, Calling-Station-Id appears by default – this attribute is used to verify the end-user's IP address

The value in this field should be edited if using Palo Alto Networks or Juniper Networks platforms

 For Palo Alto Networks...
Enter PaloAlto-Client-Source-IP in the RADIUS End User IP field
 
 For Juniper Networks...
Enter Tunnel-Client-Endpoint in the RADIUS End User IP field
 

NOTE: IP verification is only supported on Cisco, NetScaler, and Palo Alto Networks platforms

8. Data Attribute Mapping is used to map an attribute from the configured SecureAuth IdP Data Store to the RADIUS client – this feature is often used with a VPN for making policy decisions

NOTE: Only string values are supported for data attribute mapping

 To add a row and map a data attribute...

8a. Click the "+" button preceding Add Attribute

8b. By default auxId1 appears in the IdP field – modify this entry to map a Property or a User Group to a supported field on SecureAuth IdP

This entry is case-sensitive

8c. For RADIUS Attribute, enter the name of the RADIUS client attribute (e.g. Class) that is mapped to the SecureAuth IdP field specified in step '8b'

This entry is case-sensitive

8d. To map another attribute, click the "+" button at the end of the last row

This action adds a new row below

To remove a row from the Data Attribute Mapping table...

Click the "-" button at the end of the row to be removed

9. Custom Attribute Mapping is used to map an attribute from the configured SecureAuth IdP Data Store to a vendor specific attribute – this usually occurs in a scenario in which the VPN appliance is unable to perform an LDAP lookup

 To add a row and map a custom attribute...

9a. Click the "+" button preceding Add Attribute

9b. By default auxId1 appears in the IdP field – modify this entry to map a Property or a User Group to a supported field on SecureAuth IdP

This entry is case-sensitive

9c. Enter the numeric Vendor ID

9d. Enter the numeric Vendor-Specific Attribute that is mapped to the SecureAuth IdP field specified in step '9b'

9e. Select the RADIUS attribute type from the Field Type dropdown

  • string – Variable-length string field used for printable text strings
  • date – UNIX timestamp in seconds, as of January 1, 1970 GMT
  • octets – Variable-length string field used for binary data
  • short – Two-byte integer
  • integer – Unsigned 32-bit integer
  • ipaddr – IPv4 address
  • ipv6addr – IPv6 address

NOTE: The Field Type selection must be accurately defined in order to be accepted by the client

9f. To map another attribute, click the "+" button at the end of the last row

This action adds a new row below

To remove a row from the Custom Attribute Mapping table...

Click the "-" button at the end of the row to be removed

 

10. Click Cancel to return to the RADIUS Clients page without adding a client, or click Add Client after all client entries are made

To edit a client's information or remove a client from the list...

 

1. Find the RADIUS Client to be edited and click its 'edit' icon at the far right

Edit RADIUS Client

 

2. On the Edit RADIUS Client page, do one of the following

  • Click Cancel if no changes will be made – the RADIUS Clients page appears
  • Update any information that has changed for the client and click Save Changes
  • Click Remove Clients if the client will no longer be used with the realm or RADIUS server

Export / Import RADIUS Configuration

The saved RADIUS Admin Console configuration can be downloaded as a .cfg file via the Export Settings function

Use the Import Settings function of the RADIUS Admin Console

  • to restore the RADIUS backup configuration to the same SecureAuth IdP
  • to expedite configuring RADIUS server on another SecureAuth IdP
     
Export RADIUS Configuration

 

1. In the Syslog Settings section, click Export Settings

NOTE: If there is no configuration to download, this button is enabled but will return an error if clicked

2. Download the .cfg file that contains settings configured on the RADIUS Admin Console

NOTE: The .cfg file can be imported into a new or existing RADIUS Admin Console to overwrite the current configuration

Import RADIUS Configuration

 

1. In the Syslog Settings section, click Import Settings

 

2. In the Import Settings window, click Choose File

3. Browse to find and select the .cfg file configured on the RADIUS Admin Console containing settings to be uploaded to this RADIUS server

NOTE: Clicking Apply Settings immediately overwrites the configuration on the RADIUS Server Settings, IdP Realms, and RADIUS Clients tabs of the RADIUS Admin Console

4. Click Cancel to close the window, or click Apply Settings to import the configuration from the .cfg file

Client User Interface Configuration Options
Configure Conversion of Domain \ SAM-account-name Logon Format to UPN

If using the Domain\SAM-account-name logon format in the environment, the Security Account Manager (SAM) format must be converted to the User Principal Name (UPN) format in order for the RADIUS server to accept end-user logins – e.g. convert acme\jsmith to jsmith@acme.com

To convert the login format from SAM to UPN

1. Go to C:\idpRADIUS\bin\conf\domainUPNSuffixes.properties

NOTE: If domainUPNSuffixes.properties does not exist, the file must be created and placed in this path

2. Add an entry to convert the domain – e.g.

acme=acme.local

or

Acme1=acme1.com

3. Save the entry

When the end-user makes a Domain name\username entry in the user ID field, the RADIUS server will automatically convert the entry to the UPN format
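
A way to preview what the entries in domainUPNSuffixes.properties will produce before saving the file, as an added example (not SecureAuth code). The strict, case-sensitive domain match, the pass-through of logons that contain no backslash, and the helper names are assumptions of this example; the guide does not state how the server matches domain keys.

```python
def load_suffixes(text: str) -> dict:
    """Parse simple domain=suffix lines; rejects malformed and duplicate entries."""
    suffixes = {}
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":          # blank line or properties comment
            continue
        domain, sep, suffix = (part.strip() for part in line.partition("="))
        if not sep or not domain or not suffix:
            raise ValueError(f"line {number}: expected domain=upn.suffix")
        if domain in suffixes:
            raise ValueError(f"line {number}: duplicate entry for {domain}")
        suffixes[domain] = suffix
    return suffixes


def sam_to_upn(logon: str, suffixes: dict) -> str:
    """Convert Domain\\SAM-account-name to UPN using the parsed entries."""
    if "\\" not in logon:
        return logon                             # assumption: not SAM format, leave as typed
    domain, _, user = logon.partition("\\")
    if not domain or not user or "\\" in user or "@" in user:
        raise ValueError(f"not a Domain\\username logon: {logon!r}")
    if domain in suffixes:
        return f"{user}@{suffixes[domain]}"
    # Report keys that differ only in case so the entry can be checked by hand.
    near = [key for key in suffixes if key.lower() == domain.lower()]
    if near:
        raise LookupError(f"no entry for {domain}; differs only in case from {near[0]}")
    raise LookupError(f"no entry for {domain}")


# Constructed sample file content, using the two entries shown in step 2.
SAMPLE = "# constructed sample\nacme=acme.local\nAcme1=acme1.com\n"

if __name__ == "__main__":
    entries = load_suffixes(SAMPLE)
    for logon in ("acme\\jsmith", "Acme1\\jsmith", "jsmith@acme.local"):
        print(logon, "->", sam_to_upn(logon, entries))
```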

Modify Text Showing on Client User Interface During Login

Text that shows on the client user interface during the login process – e.g. "Enter a time-based passcode", "SEND LOGIN REQUEST TO PHONE", etc. – can be modified in the uiTextsBundle properties file

To edit the properties file

1. Go to C:\idpRADIUS\bin\conf\uiTextsBundle.properties

2. Edit only the text that follows the "=" sign

3. Save edits

End-user Experience

The authentication workflow requires the entry of the username followed by at least one other code entry, such as a password or passcode, before the login button is enabled

NOTE: The images in this section provide examples of some user interfaces from the end-user login experience; the appearances of user interfaces will differ depending on the model of RADIUS client or the VPN client application

Single Screen Login Workflows

 

Password

1. Enter the username

2. Enter the password

Time-based Passcode

1. Enter the username

2. In the password field, enter the TOTP

Time-based Passcode / Password

1. Enter the username

2. In the password field, enter the TOTP, then a "/" (forward slash), followed by the password

e.g. 563719/Password!
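
How the single password field of the Time-based Passcode / Password workflow travels over PAP, as an added example (not SecureAuth code): the RADIUS client hides the field with the shared secret as RFC 2865 specifies, sends it alongside the NAS-IP-Address and Calling-Station-Id attributes that the client settings refer to, and the server reverses the hiding and separates the passcode from the password. The shared secret, the addresses, and the choice to split at the first "/" are assumptions made for the illustration.

```python
import hashlib
import ipaddress
import os
import struct

# RFC 2865 attribute types referred to by the guide's settings.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS client side: PAP hiding of User-Password (RFC 2865, section 5.2)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += prev
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS server side: inverse of hide_password()."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("malformed User-Password attribute")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def build_access_request(identifier: int, authenticator: bytes, attrs) -> bytes:
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", 1, identifier, 20 + len(body))  # code 1 = Access-Request
    return header + authenticator + body


def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, {type: value}); reject bad lengths."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, data[4:20], attrs


def split_totp_password(field: str):
    """Split '<TOTP>/<password>' at the first '/' (an assumption of this example)."""
    totp, sep, password = field.partition("/")
    if not sep or not (totp.isascii() and totp.isdigit()) or not password:
        raise ValueError("expected <TOTP>/<password>")
    return totp, password


def round_trip(secret: bytes, authenticator: bytes) -> dict:
    """Client builds the request, server decodes it. All values are constructed samples."""
    request = build_access_request(7, authenticator, [
        (USER_NAME, b"jsmith@acme.com"),
        (USER_PASSWORD, hide_password(b"563719/Password!", secret, authenticator)),
        (NAS_IP_ADDRESS, ipaddress.IPv4Address("192.0.2.10").packed),
        (CALLING_STATION_ID, b"198.51.100.23"),
    ])
    _, _, auth, attrs = parse_packet(request)
    field = reveal_password(attrs[USER_PASSWORD], secret, auth).decode()
    totp, password = split_totp_password(field)
    return {
        "user": attrs[USER_NAME].decode(),
        "nas_ip": str(ipaddress.IPv4Address(attrs[NAS_IP_ADDRESS])),
        "end_user_ip": attrs[CALLING_STATION_ID].decode(),
        "totp": totp,
        "password": password,
    }


if __name__ == "__main__":
    print(round_trip(b"constructed-shared-secret", os.urandom(16)))
```

The only protection PAP gives the field is an MD5 keystream derived from the shared secret and the Request Authenticator, so the strength of the Shared Secret entered on the RADIUS Server Settings tab matters.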

Multi-Screen Login Workflows

Password + Time-based Passcode

1. On the VPN login screen, enter the username

2. Enter the password

3. Get the time-based passcode from the SecureAuth Authenticate App or other SecureAuth TOTP application

4. Enter the passcode

 


 

Password & Mobile Login Request (Accept / Deny)

1. On the VPN login screen, enter the username

2. Enter the password

The VPN waits for RADIUS to respond

3. On the mobile app Login Request screen, tap Accept or Deny – a response entry field is not presented

 


 

Password + Time-based Passcode or 2-Factor Challenge Options

1. On the VPN login screen, enter the username

2. Enter the password

 

3. The response screen prompts for one of two options

a. Entry of a time-based passcode (TOTP)

b. Entry of the number corresponding to an available Multi-Factor Authentication method

SMS / Text Message
Phone
Email
Send Passcode to Phone (Push Notification)
Send Login Request to Phone (Push-to-Accept)
PIN 

NOTE: The list of available Multi-Factor Authentication methods is dynamic, since it is based on configured 2nd Factor Authentication options

4. Make the appropriate entry on the response screen, based on the selected workflow (option 'a' or 'b' in step 3)

NOTE: If the Send Passcode to Phone (Push Notification) workflow or PIN workflow is initially selected, and then another Multi-Factor Authentication option is preferred, entering 0 (zero) in the response field presents the screen with available Multi-Factor Authentication methods so another option can be selected

If selecting option 'a' (Time-based Passcode)...
5a. Get the time-based passcode from the SecureAuth Authenticate App or other SecureAuth TOTP application

6a. Enter the passcode

 

If selecting option 'b' (Multi-Factor Authentication)...

5b. Enter the number corresponding to an available Multi-Factor Authentication method

1 = SMS / Text Message
2 = Phone
3 = Email
4 = Send Passcode to Phone (Push Notification)
5 = Send Login Request to Phone (Push-to-Accept)
6 = PIN  

6b. Proceed with the 2nd Authentication Factor workflow

NOTE: If the Send Passcode to Phone (Push Notification) workflow or PIN workflow is initially selected, and then another Multi-Factor Authentication option is preferred, entering 0 (zero) in the response field presents the screen with available Multi-Factor Authentication methods so another option can be selected

 If the Phone option is selected...
If more than one phone number is set up in the end-user account, select the number corresponding to the phone number to use in the Multi-Factor Authentication workflow session

 If the Push-to-Accept option is selected...

The VPN waits for RADIUS to respond

When the Login Request screen appears on the mobile app, tap Accept or Deny on the screen – a response entry field is not presented

 

 


 

Username + 2-Factor Authentication Options

1. On the VPN login screen, enter the username

2. Entry of the password is not required

 

3. On the response screen, enter the number corresponding to an available Multi-Factor Authentication method

1 = SMS / Text Message
2 = Phone
3 = Email
4 = Send Passcode to Phone (Push Notification)
5 = Send Login Request to Phone (Push-to-Accept)
6 = PIN  

NOTE: The list of available Multi-Factor Authentication methods is dynamic, since it is based on configured 2nd Factor Authentication options

4. Proceed with the 2nd Authentication Factor workflow

NOTE: If the Send Passcode to Phone (Push Notification) workflow or PIN workflow is initially selected, and then another Multi-Factor Authentication option is preferred, entering 0 (zero) in the response field presents the screen with available Multi-Factor Authentication methods so another option can be selected

 If the Phone option is selected...
If more than one phone number is set up in the end-user account, select the number corresponding to the phone number to use in the Multi-Factor Authentication workflow session

 If the Push-to-Accept option is selected...

The VPN waits for RADIUS to respond

When the Login Request screen appears on the mobile app, tap Accept or Deny on the screen – a response entry field is not presented

 


 

Username + 2-Factor Authentication Options + Password

1. On the VPN login screen, enter the username

2. Entry of the password is not required at this step

 

3. On the response screen, enter the number corresponding to an available Multi-Factor Authentication method

1 = SMS / Text Message
2 = Phone
3 = Email
4 = Send Passcode to Phone (Push Notification)
5 = Send Login Request to Phone (Push-to-Accept)
6 = PIN 

NOTE: The list of available Multi-Factor Authentication methods is dynamic, since it is based on configured 2nd Factor Authentication options

4. Proceed with the 2nd Authentication Factor workflow

NOTE: If the Send Passcode to Phone (Push Notification) workflow or PIN workflow is initially selected, and then another Multi-Factor Authentication option is preferred, entering 0 (zero) in the response field presents the screen with available Multi-Factor Authentication methods so another option can be selected

 If the Phone option is selected...
If more than one phone number is set up in the end-user account, select the number corresponding to the phone number to use in the Multi-Factor Authentication workflow session

 If the Push-to-Accept option is selected...

The VPN waits for RADIUS to respond

When the Login Request screen appears on the mobile app, tap Accept or Deny on the screen – a response entry field is not presented

5. On the response screen, enter the password 

Multiple Devices Registered for Multi-Factor Authentication

This scenario is presented for end-users with more than one registered mobile device, each with more than one phone number or email address registered

1. The end-user selects the 2nd Authentication Factor

The end-user has more than one of that item registered for 2nd Factor Authentication – i.e. more than one phone number or email address for each registered mobile device

2. A prompt appears for the end-user to select which mobile device, phone number, or email address to use in the Multi-Factor Authentication workflow session

 

 

Optional Feature: Adaptive Authentication

If Adaptive Authentication is used with the user group check feature enabled, RADIUS responds accordingly in these login failure scenarios based on the authentication workflow

Workflow 1 = Password + Time-based Passcode or 2-Factor Challenge Options
Workflow 2 = Password & Mobile Login Request (Accept / Deny)
Workflow 3 = Password
Workflow 4 = Time-based Passcode
Workflow 5 = Time-based Passcode / Password
Workflow 6 = Password + Time-based Passcode
Workflow 7 = Username + 2FA Options
Workflow 8 = Username + 2FA Options + Password
 

| Login failure scenario | End-user experience from RADIUS -- Workflows 1, 2, 6, 7, 8 | End-user experience from RADIUS -- Workflows 3, 4, 5 |
| --- | --- | --- |
| Hard stop | Login Failed message received | Login Failed message received |
| Step up authentication | Prompt received for 2nd Authentication Factor | Login request fulfilled |
| Step down authentication | 2nd Authentication Factor skipped; login request fulfilled | Login request fulfilled |
| Resume authentication | Prompt received for 2nd Authentication Factor | Login request fulfilled |
| Post authentication | 2nd Authentication Factor skipped; login request fulfilled | Login request fulfilled |
| Redirection | Login Failed message delivered | Login Failed message received |
| No failure | Prompt received for 2nd Authentication Factor | Login request fulfilled |

RADIUS Logs

RADIUS logs can assist in troubleshooting the RADIUS server

To set up logs for the RADIUS server

1. Go to C:\idpRADIUS\bin\conf\log4j2.xml

2. Under "<Loggers>", find logger name="com.secureauth" and change the level value to "all" – i.e.

     <logger name="com.secureauth" level="all" additivity="false">

3. Save edits

4. Find log files stored in C:\IdPRADIUS\bin\Logs\saRadiusServer

The table below shows log levels in order by verbosity

| Level | Description |
| --- | --- |
| ALL | Captures all logging |
| TRACE | Captures finer-grained informational events than DEBUG (contains all package attributes to / from the VPN) |
| DEBUG | Captures fine-grained informational events for debugging RADIUS |
| INFO | Captures diagnostic information at a coarse-grained level |
| WARN | Designates potentially harmful situations |
| ERROR | Captures critical or error conditions that still allow RADIUS to run |
| FATAL | Captures emergency conditions for severe error events |
| OFF | Disables logging |

Release Notes

Release Date: July 18, 2018

Version: 2.3.14

Compatibility: SecureAuth IdP version 9.2

Resolved Issue: This release resolves the issue in which RADIUS cannot locate end-users' Multi-Factor Authentication methods because the environment uses UPN to handle the same user IDs on multiple domains.

Release Date: February 1, 2018

Version: 2.3.12

Compatibility: SecureAuth IdP version 9.2

Resolved Issue: This release was issued to address an incompatibility with SecureAuth IdP versions 8.2 and 9.1

Release Date: April 7, 2017

Version: 2.3.9

Compatibility: SecureAuth IdP versions 8.2 - 9.1

Resolved Issue: RAD-136 - TOTP value may not be validated properly when using the “Time-Based Passcode/Password” workflow

 
