Introduction
SecureAuth IdP RADIUS server lets you configure two-factor authentication login access to a VPN and remote resources via RADIUS. This optional component of the SecureAuth IdP product is typically installed on a stand-alone server or on a SecureAuth IdP appliance.
Using the RADIUS feature, enterprises can provide strong adaptive authentication for RADIUS clients, such as VPNs and other applications that use RADIUS for two-factor authentication with SecureAuth IdP.
See the Release notes to learn about new features, enhancements, bug fixes, and known issues.
See SecureAuth IdP RADIUS server v2.4 integration guide for information about the previous product release.
This document is organized into four parts. Topics in this guide include:
- Installation – see Installation guide - v2.5 - SecureAuth IdP RADIUS server
- Configuration – see Configuration guide - v2.5 - SecureAuth IdP RADIUS server
- End-user experience – see End-user experience - v2.5 - SecureAuth IdP RADIUS server
Prerequisites
- SecureAuth IdP version 9.0 or later
- Authentication API (v9.1+, v9.0) configured and enabled on the realm
Supported SecureAuth IdP components and integrated components
SecureAuth IdP features | SecureAuth IdP version | Configuration notes |
---|---|---|
Adaptive Authentication | | Configure threat checking for: |
Push-to-Accept | | |
Attribute Mapping | | Configure and enable Identity Management API (v9.1+, v9.0.x) on the realm to grant / deny end-user logon access. Group based authentication – optionally configure Membership Connection Settings to grant / deny logon access. |
UPN Logon | | |
Multi-Factor Authentication methods | SecureAuth IdP version | SecureAuth IdP v9.x supported server and required components |
---|---|---|
Time-based One-Time Passcode (TOTP) | v9.1+, v9.0 | NetMotion Wireless VPN. NOTE: SecureAuth employees, refer to NetMotion Mobility RADIUS Configuration Guide. |
HMAC-based One-Time Passcode (HOTP) | v9.1+ | |
SMS | v9.1+, v9.0 | |
Phone | v9.1+, v9.0 | |
 | v9.1+, v9.0 | |
Passcode OTP (Push Notification) | v9.1+, v9.0 | |
Mobile Login Request | v9.1+, v9.0 | |
PIN | v9.1+, v9.0 | |
Supported platforms
Server:
Protocols:
SecureAuth IdP Adaptive Authentication IP Checking feature:
Port settings
Inbound:
RADIUS VPN and product support
Supported RADIUS clients:
Other compatible RADIUS clients include:
Contact SecureAuth Professional Services with inquiries.
To configure a Palo Alto Networks GlobalProtect VPN to send the client IP to SecureAuth IdP RADIUS server:
RADIUS client configuration
Though not all RADIUS clients are configured in the same manner, the following basic connectivity parameters must be configured on RADIUS clients to be used with SecureAuth IdP:
NOTE: A valid certificate must be installed if using NetMotion Wireless VPN.
Sample RADIUS authentication server configuration:
SecureAuth IdP RADIUS server v2.5 installation
Upgrade
- If SecureAuth RADIUS v1.0.x is currently installed, review the upgrade instructions in the Installation guide before installing the newer version of RADIUS.
- If SecureAuth IdP RADIUS server v2.0.x - v2.2.x, v2.3.9 / v2.3.12, or v2.4.x is currently installed, use the install instructions in Install SecureAuth IdP RADIUS server v2.5 to upgrade while retaining the current configuration settings.
New installation
If installing SecureAuth IdP RADIUS server v2.5.x for the first time on the designated appliance, follow the install instructions in the installation guide.
SecureAuth IdP RADIUS logs for troubleshooting
See SecureAuth IdP RADIUS server logs for information about using the RADIUS logs for troubleshooting.
Adaptive Authentication
If Adaptive Authentication is used with the user group check feature enabled, RADIUS responds accordingly in these login failure scenarios based on the authentication workflow:
- Workflow 1 = Password | One-Time Passcode (TOTP/HOTP) or Second Factor
- Workflow 2 = Password & Mobile Login Request (Approve / Deny)
- Workflow 3 = Password Only
- Workflow 4 = One-Time Passcode (TOTP/HOTP) Only
- Workflow 5 = One-Time Passcode (TOTP/HOTP) / Password
- Workflow 6 = Password | One-Time Passcode (TOTP/HOTP)
- Workflow 7 = One-Time Passcode (TOTP/HOTP) | Password
- Workflow 8 = Username | Second Factor
- Workflow 9 = Username | Second Factor | Password
- Workflow 10 = PIN + TOTP
- Workflow 11 = Password & One-Time Passcode (TOTP/HOTP)
Login failure scenario | End-user experience from RADIUS | End-user experience from RADIUS |
---|---|---|
Hard stop; refuse authentication request | Login failed message received | Login failed message received |
Step up, require two-factor authentication | Prompt received for second authentication factor | Login request fulfilled |
Step down, skip two-factor authentication | Second authentication factor skipped; login request fulfilled | Login request fulfilled |
Resume authentication workflow | Prompt received for second authentication factor | Login request fulfilled |
Skip to post-authentication | Second authentication factor skipped; login request fulfilled | Login request fulfilled |
Redirect to realm or URL | Login failed message delivered | Login failed message received |
No failure | Prompt received for second authentication factor | Login request fulfilled |
SecureAuth IdP RADIUS server logs
Enable logs
SecureAuth IdP RADIUS server logs can assist in troubleshooting the SecureAuth IdP RADIUS server.
To set up logs for the SecureAuth IdP RADIUS server:
1. Go to C:\idpRADIUS\bin\conf\log4j2.xml
2. Under "<Loggers>", find logger name="com.secureauth" and change the level value to "all". For example:
<logger name="com.secureauth" level="all" additivity="false">
3. Save edits.
4. Find log files stored in C:\IdPRADIUS\bin\Logs\saRadiusServer
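As an added illustration (not the log4j2.xml shipped with the product), the configuration below shows where the step 2 change sits in a complete file: the com.secureauth logger at level "all" with additivity off, so its events go only to the referenced appender. The appender name RadiusFile, the log file name, the rollover policy and the Root logger level are assumptions; the directory is the one named in step 4.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <!-- Assumed appender: writes to the directory named in step 4
         (file name and rollover settings are illustrative) -->
    <RollingFile name="RadiusFile"
                 fileName="C:/IdPRADIUS/bin/Logs/saRadiusServer/saRadiusServer.log"
                 filePattern="C:/IdPRADIUS/bin/Logs/saRadiusServer/saRadiusServer-%d{yyyy-MM-dd}-%i.log.gz">
      <PatternLayout pattern="%d{ISO8601} [%t] %-5level %logger{36} - %msg%n"/>
      <Policies>
        <SizeBasedTriggeringPolicy size="10 MB"/>
      </Policies>
      <DefaultRolloverStrategy max="10"/>
    </RollingFile>
  </Appenders>
  <Loggers>
    <!-- Step 2: level "all" turns on TRACE output, which includes every
         RADIUS attribute exchanged with the VPN. Treat the resulting files
         as sensitive and return the level to "info" once troubleshooting ends. -->
    <logger name="com.secureauth" level="all" additivity="false">
      <AppenderRef ref="RadiusFile"/>
    </logger>
    <!-- Assumed Root logger: everything outside com.secureauth stays at WARN -->
    <Root level="warn">
      <AppenderRef ref="RadiusFile"/>
    </Root>
  </Loggers>
</Configuration>
```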
The table below lists the log levels in order of verbosity:
Level | Description | Messages added in RADIUS server v2.4 |
---|---|---|
ALL | Captures all logging | |
TRACE | Captures finer-grained informational events than DEBUG (contains all package attributes to and from the VPN) | |
DEBUG | Captures fine-grained informational events for debugging RADIUS | |
INFO | Captures diagnostic information at a coarse-grained level, and Adaptive Authentication password state results | |
WARN | Designates potentially harmful situations | |
ERROR | Captures critical or error conditions that still allow RADIUS to run | |
FATAL | Captures emergency conditions for severe error events | |
OFF | Disables logging | |
Sample logs for different RADIUS failover scenarios
Failover to a SecureAuth IdP RADIUS backup server is configured under Step B: IdP Realms configuration, Add IdP Realm in the Configuration guide - v2.5 - SecureAuth IdP RADIUS server.
Release notes
Next step...
Install SecureAuth IdP RADIUS server v2.5
Related documentation
Installation guide - v2.5 - SecureAuth IdP RADIUS server
Configuration guide - v2.5 - SecureAuth IdP RADIUS server
End-user experience - v2.5 - SecureAuth IdP RADIUS server
Prior version
SecureAuth IdP RADIUS server v2.4 integration guide
Installation guide - v2.4 - SecureAuth IdP RADIUS server