Updated January 13, 2021

Use the SecureAuth® Identity Platform RADIUS Server to configure two-factor authentication login access to a VPN and remote resources via RADIUS. This optional component is typically installed on a SecureAuth Identity Platform appliance or on a stand-alone server.

See the SecureAuth compatibility guide for product and component compatibility with operating systems, Authenticate app, browsers, Java, data stores, identity types, SSO/post-authentication actions, Login for Windows, Login for Mac, and YubiKey.

Release notes

The following sections describe the release highlights and enhancements, including resolved and known issues, for the SecureAuth RADIUS server version 20.12.

Release highlights

Read on to learn more about the new features in the SecureAuth RADIUS server version 20.12.

Support for link-to-accept MFA

SecureAuth RADIUS supports the link-to-accept multi-factor authentication method. Administrators can enable end users to receive a link on a registered phone or email address, and then end users can click the link to authenticate. See Multi-screen login workflows.

Added GUID to identify requests for a session

By default, SecureAuth RADIUS now adds the globally unique identifier (GUID) to the authentication API X-Request-ID header for each request made to the Identity Platform. This matches requests in SecureAuth RADIUS logs with requests in the Identity Platform log. Admins needing to search the Identity Platform log file for a specific user during the same session can do so by using the GUID. See View GUID added to the X-Request-ID header.
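The log correlation described above, sketched as an added example (not SecureAuth code): it collects the GUIDs on RADIUS log lines for one user ID and returns the Identity Platform lines that carry the same GUID. The log line layouts, the `user=` and `request_id=` field names, and the function names are assumptions for illustration; the page does not show either log format.

```python
import re

# Canonical 8-4-4-4-12 GUID, matched anywhere in a line (case-insensitive).
GUID_RE = re.compile(r"\b[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\b", re.I)

def guids_for_user(radius_lines, user_id):
    """GUIDs, in first-seen order, from RADIUS log lines for exactly this user."""
    # re.escape matters: user IDs may contain + . $ ^ * and similar characters.
    # The (?!\S) guard keeps "jdoe" from also matching "jdoe+vpn".
    # Assumed field name: user=<id>
    user_re = re.compile(r"(?<!\S)user=" + re.escape(user_id) + r"(?!\S)")
    seen = []
    for line in radius_lines:
        if user_re.search(line):
            for guid in GUID_RE.findall(line):
                guid = guid.lower()
                if guid not in seen:
                    seen.append(guid)
    return seen

def correlate(radius_lines, idp_lines, user_id):
    """Map each of the user's GUIDs to the Identity Platform lines carrying it."""
    result = {guid: [] for guid in guids_for_user(radius_lines, user_id)}
    for line in idp_lines:
        for guid in GUID_RE.findall(line):
            if guid.lower() in result:
                result[guid.lower()].append(line)
    return result

def unmatched(correlation):
    """GUIDs logged by RADIUS with no Identity Platform line: a gap to investigate."""
    return [guid for guid, lines in correlation.items() if not lines]

# Constructed sample lines; the real log layouts are not shown on this page.
RADIUS_LOG = [
    "2021-01-13 10:00:01 INFO user=jdoe request_id=3f2504e0-4f89-41d3-9a0c-0305e82c3301 Access-Request",
    "2021-01-13 10:00:02 INFO user=jdoe+vpn request_id=9b2d7c1a-6e4f-4a8b-8c3d-1f2e3a4b5c6d Access-Request",
    "2021-01-13 10:00:05 INFO user=jdoe request_id=7c9e6679-7425-40de-944b-e07fc1f90ae7 Access-Request",
]
IDP_LOG = [
    "2021-01-13 10:00:01 INFO X-Request-ID: 3F2504E0-4F89-41D3-9A0C-0305E82C3301 status=200",
    "2021-01-13 10:00:02 INFO X-Request-ID: 9b2d7c1a-6e4f-4a8b-8c3d-1f2e3a4b5c6d status=200",
]

if __name__ == "__main__":
    for guid, lines in correlate(RADIUS_LOG, IDP_LOG, "jdoe").items():
        print(guid, lines or "no Identity Platform entry")
```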

Enhancements 

Version: 20.12
Release Date: January 13, 2021
Compatibility: Note the following compatibility requirements: 

  • SecureAuth IdP v9.2.x or later, and the SecureAuth Identity Platform v19.07 or later
  • Biometric face and fingerprint recognition through SecureAuth Authenticate mobile app and Symbol-to-Accept are compatible with SecureAuth Identity Platform v19.07 or later only.
  • Biometric fingerprint and face (iOS only) recognition require SecureAuth Identity Platform v19.07 or later, using the 2019 theme.
  • Transactional logging requires SecureAuth Identity Platform v20.06 or later, using the /authenticated endpoint.
  • Link-to-accept requires SecureAuth Identity Platform v19.07 with hotfix version 19.07.01-25 or later or v20.06-2 or later.

RAD-505

Improvements to log levels and log messages were made to the SecureAuth RADIUS server logs.

RAD-614

End users can use the following special characters in user IDs: + ~ . ! @ $ % ^ & * ' _ (that is, plus sign, tilde, period, exclamation point, at sign, dollar sign, percent, caret, ampersand, asterisk, single quote, underscore)

Known issues 

RAD-607

SecureAuth RADIUS server v20.12 sometimes has issues when importing config files that were exported from RADIUS server v20.03 or 20.06 with a shared secret configured for a RADIUS client. (No issues exist if RADIUS server v20.03 or 20.06 was configured with a general shared secret set on the RADIUS Server Settings page.)

Workaround: Set the shared secret for each v20.12 RADIUS client again.

RAD-634

Customers running SecureAuth IdP v9.2 with end users who use special characters in their user ID will not be able to authenticate.

Workaround: Customers running SecureAuth IdP v9.2 must disable support for special characters. See step 12 in Install the SecureAuth Identity Platform RADIUS server.

Version 20.06 - Release Date: October 8, 2020

Enhancements 

Version: 20.06
Release Date: October 8, 2020
Compatibility: Note the following compatibility requirements: 

  • SecureAuth IdP v9.2.x or later, and the SecureAuth Identity Platform v19.07 or later
  • Biometric face and fingerprint recognition through SecureAuth Authenticate mobile app and Symbol-to-Accept are compatible with SecureAuth Identity Platform v19.07 or later only.
  • Biometric fingerprint and face (iOS only) recognition require SecureAuth Identity Platform v19.07 or later, using the 2019 theme.
  • Transactional logging requires SecureAuth Identity Platform v20.06 or later, using the /authenticated endpoint.

Added security for communication between SecureAuth RADIUS Server and the Identity Platform

You can import a certificate to the RADIUS trust store to ensure secure communication between SecureAuth RADIUS and SecureAuth Identity Platform. Enabling self-signed certificates is optional. See Import certificate in RADIUS trust store.

Support for high concurrency

SecureAuth RADIUS server supports high concurrency when used with the PEAP protocol. SecureAuth has tested up to 100 parallel connections to the SecureAuth RADIUS server without any connections dropping from the server.

Dashboard metrics for SecureAuth RADIUS Server

Dashboard metrics are available for SecureAuth RADIUS server transactions. These metrics include login information for VPNs and remote server access. View metrics by selecting Home on the left side of the Identity Platform page. 

Transactional logging requires SecureAuth Identity Platform v20.06 or later, using the /authenticated endpoint.

RAD-503

Administrators can configure the SecureAuth Identity Platform time-out value to maximize successful login requests. This is configured in the appliance.radius.properties file. See Install the SecureAuth® Identity Platform RADIUS Server, step 11.

RAD-510

A guidance message is displayed if a shared secret and realms are not defined for the SecureAuth RADIUS server.

RAD-519

Administrators can enable Syslog logging on the SecureAuth RADIUS Server Settings page without configuration errors.

RAD-532

Administrators can configure the number of User Datagram Protocol (UDP) threads that SecureAuth RADIUS can use to receive access-request packets. This is configured in the appliance.radius.properties file. See Install the SecureAuth® Identity Platform RADIUS Server, step 10.

RAD-533

If SecureAuth RADIUS receives multiple simultaneous requests to create a session for the same user, duplicate requests are rejected and the following error message is logged in the log4j2.xml file: "Multiple requests to create a session for the same user arrived simultaneously. Duplicate requests were rejected; check for network issues."

The cause might be network issues that force a load balancer or a VPN server to send requests that arrive at SecureAuth RADIUS at the same time. 

RAD-535

In SecureAuth RADIUS, when using the Password | Second Factor workflow with Push-to-Accept as the second factor, a push notification is sent to an end user device when they restart the authentication workflow after ignoring the first push notification.

RAD-556

If your site has installed the SecureAuth RADIUS service on a separate server from the Identity Platform and the certificate authority (CA) that signs your certificate is not installed in the SecureAuth RADIUS trust store, you must import the certificate to the trust store. See Import certificate in RADIUS trust store.

RAD-569

In SecureAuth RADIUS, when using the Username | Second Factor | Password workflow with Symbol-to-Accept as the second factor, RADIUS server authenticates end users only after they input the correct symbol and password.

RAD-597

Import now works on all servers when SecureAuth RADIUS already contains data and when it is empty.

Known issues 

RAD-482

If the SecureAuth RADIUS server stops sending responses or is down, the administrator might need to increase memory.

Workaround: See the Increase memory for RADIUS server troubleshooting topic for guidance.

RAD-607

When you set shared secrets in the RADIUS Client tab and then export the config file, the exported config file is corrupted.

Workaround 1: If you have imported the corrupted config file to a new RADIUS server, set the shared secret for each RADIUS client again.

Workaround 2: Upgrade to SecureAuth RADIUS Server version 20.12 before exporting the config file.

View previous versions of the SecureAuth RADIUS server documentation to see older release notes versions.
