Updated September 14, 2020

Use the SecureAuth® Identity Platform RADIUS Server to configure two-factor authentication login access to a VPN and remote resources via RADIUS. This optional component is typically installed on a SecureAuth Identity Platform appliance or on a stand-alone server.

See the SecureAuth compatibility guide for product and component compatibility with operating systems, Authenticate app, browsers, Java, data stores, identity types, SSO/post-authentication actions, Login for Windows, Login for Mac, and YubiKey.

Release notes

New features and enhancements

Version: 20.06
Release Date: September 14, 2020
Compatibility: SecureAuth IdP v9.2+, and the SecureAuth® Identity Platform v19.07+

  • Biometric face and fingerprint recognition through SecureAuth Authenticate mobile app and Symbol-to-Accept are compatible with SecureAuth Identity Platform v19.07 or later only.
  • Biometric fingerprint and face (iOS only) recognition require SecureAuth Identity Platform v19.07 or later, using the 2019 theme.
  • Transactional logging requires SecureAuth Identity Platform v20.06 or later, using the /authenticated endpoint.

Learn about new features and enhancements, resolved issues, and known issues in the following sections.

RAD-503: Administrators can configure the SecureAuth Identity Platform time-out value to maximize successful login requests. This is configured in the appliance.radius.properties file. See Install the SecureAuth® Identity Platform RADIUS Server, step 11.
RAD-532: Administrators can configure the number of User Datagram Protocol (UDP) threads that SecureAuth RADIUS uses to receive Access-Request packets. This is configured in the appliance.radius.properties file. See Install the SecureAuth® Identity Platform RADIUS Server, step 10.
RAD-574: The SecureAuth RADIUS server supports high concurrency when used with the PEAP protocol. SecureAuth has tested up to 100 parallel connections to the SecureAuth RADIUS server without any connections being dropped by the server.
RAD-584: Administrators can view dashboard metrics for SecureAuth RADIUS server transactions. The metrics include login information for VPNs and remote server access. Dashboard metrics are available in Identity Platform version 20.06 or later for customers that use the /authenticated endpoint and add the request ID to the request header so that transactions can be gathered.

Resolved issues 

RAD-510: A guidance message is displayed if a shared secret and realms are not defined for the SecureAuth RADIUS server.
RAD-519: Administrators can enable Syslog logging on the SecureAuth RADIUS Server Settings page without configuration errors.
RAD-533: If SecureAuth RADIUS receives multiple simultaneous requests to create a session for the same user, the duplicate requests are rejected and the following message is written to the RADIUS server log (logging is configured in log4j2.xml): "Multiple requests to create a session for the same user arrived simultaneously. Duplicate requests were rejected; check for network issues." The cause is typically a network issue that makes a load balancer or VPN server send duplicate requests that arrive at SecureAuth RADIUS at the same time.
RAD-535: In SecureAuth RADIUS, when using the Password | Second Factor workflow with Push-to-Accept as the second factor, a push notification is sent to the end user's device when they restart the authentication workflow after ignoring the first push notification.
RAD-556: If your site runs the SecureAuth RADIUS service on a separate server from the Identity Platform, and the certificate authority (CA) that signed your certificate is not in the SecureAuth RADIUS trust store, you must import the CA certificate into the trust store. See Import certificate in RADIUS trust store.
RAD-569: In SecureAuth RADIUS, when using the Username | Second Factor | Password workflow with Symbol-to-Accept as the second factor, the RADIUS server authenticates end users only after they enter both the correct symbol and the correct password.
RAD-597: Import now works on all servers, both when SecureAuth RADIUS already contains data and when it is empty.

Known issues 

RAD-482: If the SecureAuth RADIUS server stops sending responses or is down, the administrator might need to increase memory.

Workaround: See the Increase memory for RADIUS server troubleshooting topic for guidance.

Version 20.03 - Release Date: April 28, 2020

New features and enhancements

Version: 20.03
Release Date: April 28, 2020
Compatibility: SecureAuth IdP v9.1.x - v9.3.x, and the SecureAuth® Identity Platform v19.07 or later

Biometric face and fingerprint recognition through SecureAuth Authenticate mobile app and Symbol-to-Accept are compatible with SecureAuth Identity Platform v19.07 or later only. Additionally, biometric fingerprint and face (iOS only) recognition require SecureAuth Identity Platform v19.07 or later, using the 2019 theme.

RAD-318: A message is displayed if a client that is not defined in the Client list attempts to make an authentication request to the RADIUS endpoint.
RAD-324: Validation checks ensure that the following hosts and addresses are correctly defined so that the RADIUS client can connect to SecureAuth IdP: Client IdP Host (RADIUS Clients page), and Primary IdP Host and Backup IdP Host (IdP Realms page).
RAD-333: When RADIUS sends a Push-to-Accept notification through SecureAuth IdP, delivery to the end user is sometimes not completed; a new guidance message is displayed in the VPN client to help end users reach a successful authentication.
RAD-351, RAD-483: The log file shows better messaging with guidance if the reply message packet exceeds the RADIUS maximum packet length of 4096 bytes. The log file also shows more readable output when a SocketTimeoutException occurs.
RAD-387: A fresh installation goes by default into the C:\Program Files directory (not C:\Program Files (x86)), because SecureAuth RADIUS Server runs on the 64-bit JDK. Upgrading an installation located in C:\Program Files (x86) does not change the directory path to C:\Program Files.
RAD-406: Add the optional radius.oath.strategy property to the appliance.radius.properties file if end users in your organization have multiple devices and you want to let them select which device to authenticate with. SecureAuth RADIUS server supports both HOTP and TOTP in seed and token modes.
RAD-417: On the RADIUS Clients page, administrators can add and remove standard RADIUS attributes and their values, which is useful for restricting access and gaining additional control over the client configuration.
RAD-418: Each SecureAuth RADIUS client has its own optional local shared secret for authenticating with SecureAuth IdP. If a local shared secret is not specified, the client uses the global shared secret defined on the RADIUS Server Settings page.
RAD-439: Organizations that use MS-CHAPv2 can configure a Network Policy Server (NPS) for each RADIUS client by filling in the IP Address and Port fields in the new NPS Proxy Configuration section on the RADIUS Clients page. The RADIUS server no longer has to be restarted after the NPS proxy values are set.
RAD-471: Customers running AIX servers can now use SecureAuth RADIUS server to provide MFA. See the AIX tab in the PAM RADIUS installation and configuration guide, which gives general setup guidance; refer to your PAM RADIUS documentation for specific setup instructions.
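The HOTP and TOTP support behind RAD-406 (and the PIN | OTP workflows elsewhere on this page) is defined by RFC 4226 and RFC 6238. The following is an added illustration, not SecureAuth code, of what a RADIUS server holding the enrolled seed must do to validate a submitted OTP: compute the expected code, compare in constant time, tolerate a bounded counter or clock drift, and advance the stored HOTP counter so an accepted code cannot be replayed. The look-ahead window, the clock-skew allowance and the 30-second step are assumptions; the seed is the RFC test-vector secret, not real enrollment data.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) validation as a RADIUS second factor.

Added example, not SecureAuth code. The RADIUS server holds the enrolled
seed and must decide whether the OTP the user typed is valid: compute the
expected code, compare in constant time, allow a bounded counter (HOTP) or
clock (TOTP) drift, and advance the stored HOTP counter so an accepted code
can never be accepted again. Window sizes are assumptions; the seed used in
the demo is the RFC test-vector secret, not real enrollment data.
"""
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP with the counter derived from Unix time (T0 = 0)."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_hotp(secret, submitted, last_counter, look_ahead=10, digits=6):
    """Accept a code for any counter in (last_counter, last_counter + look_ahead].
    Returns the counter that matched, which the caller must persist as the new
    last_counter (replay protection), or None on failure. Codes at or below
    last_counter are never accepted, even if they are otherwise correct."""
    for counter in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def verify_totp(secret, submitted, now, step=30, digits=6, skew=1):
    """Accept the current step plus `skew` steps either side to absorb clock drift
    between the token and the server. Wider skew means more codes are valid at once."""
    for offset in range(-skew, skew + 1):
        if hmac.compare_digest(totp(secret, now + offset * step, step, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    import time
    seed = b"12345678901234567890"   # RFC 4226/6238 test-vector secret, not a real seed
    print("HOTP counter 0:", hotp(seed, 0))            # 755224 per RFC 4226
    print("TOTP now:", totp(seed, int(time.time())))
    # Counter 0 has already been consumed, so the same code is refused:
    print("replay of counter 0:", verify_hotp(seed, hotp(seed, 0), last_counter=0))
```

A production verifier also records the last TOTP step it accepted for a user and refuses a second code from the same step, so a code observed on the wire cannot be replayed during its validity window; the HOTP path above gets that protection from the persisted counter.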

Resolved issues 

RAD-392: For PAM RADIUS customers, the Linux setup hides the end user's password and OTP on the login screen.
RAD-415: When using the TOTP or HOTP method, on first login the RADIUS server denies the access request for a fake user. (This is useful in focused use cases; the change has no impact on the majority of organizations.)
RAD-493: A RADIUS client is created correctly, without a 400 error.
RAD-485: Invalid characters in user IDs sent to the RADIUS server are handled appropriately; SecureAuth RADIUS returns an Access-Reject and records it in the log if an invalid user ID is used. See Enable RADIUS server logs.
RAD-486: Sites using MFA throttling are no longer locked out of their accounts after successful logins with push notifications.

Known issues 

RAD-482: If the SecureAuth RADIUS server stops sending responses or is down, the administrator might need to increase memory.

Workaround: See the Increase memory for RADIUS server troubleshooting topic for guidance.

RAD-489: The VPN closes the connection between SecureAuth RADIUS and the VPN server because of a timeout. When this occurs, end users log in to the VPN but are not presented with an MFA screen.

Workaround: Set the VPN server timeout higher than 30 seconds, for example 45 or 60 seconds, depending on the location of the VPN server.

TW-926: When upgrading to the Identity Platform v19.07 or later, admins must use the 2019 theme, and end users who already use the SecureAuth Authenticate app must reconnect their accounts to be able to accept biometric push notifications for face (iOS) or fingerprint recognition through the mobile app.

Workaround: None

Version 19.09 - Release Date: October 8, 2019

New features and enhancements

Compatibility: SecureAuth IdP v9.1.x - v9.3.x, and the SecureAuth® Identity Platform v19.07 or later

Biometric face and fingerprint recognition through SecureAuth Authenticate mobile app and Symbol-to-Accept are compatible with SecureAuth Identity Platform v19.07 or later only. Additionally, biometric fingerprint and face (iOS only) recognition require SecureAuth Identity Platform v19.07 or later, using the 2019 theme.

RAD-220: SecureAuth RADIUS supports the help desk OTP multi-factor authentication method.
RAD-290: In the RADIUS Server Settings screen, selecting Import Settings or Import PEAP Certificate displays the same interface.
RAD-305: SecureAuth RADIUS supports the mobile biometric multi-factor authentication method, including face and fingerprint recognition.
RAD-315: SecureAuth RADIUS supports the mobile Symbol-to-Accept multi-factor authentication method.
RAD-327: SecureAuth RADIUS supports Windows Server 2019.
RAD-340: In the RADIUS Server Settings screen, use the "eye" icon to show the characters of a shared secret as you type it instead of dots.
RAD-364: SecureAuth RADIUS automatically checks the validity of the value entered for IdP Realm in the RADIUS Clients screen, SecureAuth IdP Settings section. If the value is invalid, the error message now provides guidance to correct it.

Resolved issues 

RAD-49: The SecureAuth RADIUS PIN option is displayed when using the Password | Second Factor workflow.
RAD-229: SecureAuth RADIUS passes the Framed-IP-Address attribute, taken from the Active Directory msRADIUSFramedIPAddress user attribute, to dictate which IP address the AnyConnect user is assigned.
RAD-285: SecureAuth RADIUS end users who receive an OTP through SMS/text or in the Authenticate app see the device name; the device name is not masked.
RAD-289: Administrators receive an improved error message with guidance when uploading a corrupt or invalid configuration file.
RAD-291: When entering a shared secret in the RADIUS Server Settings, the secret is now masked.
RAD-294: When Syslog logging is enabled and invalid characters or values are used, the Syslog port returns error messages that are consistent with other parts of the RADIUS server.
RAD-311, RAD-293: When the admin configures SecureAuth RADIUS, only valid port numbers (1-65535) are accepted; otherwise the Authentication Port setting is not saved. (The Authentication Port cannot be empty.)
RAD-325: Sites that have integrated the NetMotion Wireless Mobility server with SecureAuth RADIUS no longer see an error during Username | Second Factor login if NetMotion Auto-Response Mode is disabled. See the NetMotion Mobility RADIUS configuration guide for details.
RAD-328: When end users log in by using the SecureAuth RADIUS PIN | OTP workflow through any VPN client, access is denied if the end user logs in with username and password. End users must enter a PIN and OTP.
RAD-329: When end users log in by using the SecureAuth RADIUS Password | OTP workflow through any VPN client, access is denied if the end user logs in with username and PIN. End users must enter a password and OTP.
RAD-332: Admins must be logged in as administrator to install SecureAuth RADIUS. If already logged in as administrator, no further action is necessary.
RAD-355: A guidance message now informs admins to check that "User Management" is enabled in the API realm under "API Permissions". This setting enables the IdP API to retrieve user profiles.
RAD-356: Admins no longer need to add the OTPFieldMapping key to the IdP Web Config file when running SecureAuth Identity Platform 19.07 or later (hybrid or cloud).
TW-774: In the Classic IdP Experience, in the API Permissions section under "Authentication", leave the OTP Validation Property dropdown blank to ensure the API works correctly with the SecureAuth RADIUS server on the cloud and hybrid models of SecureAuth® Identity Platform version 19.07 or later.

Known issue

TW-926: When upgrading to the Identity Platform v19.07 or later, admins must use the 2019 theme, and end users who already use the SecureAuth Authenticate app must reconnect their accounts to be able to accept biometric push notifications for face (iOS) or fingerprint recognition through the mobile app.

Workaround: None

Version 19.06 - Release Date: July 11, 2019

Version: 19.06
Compatibility: SecureAuth IdP v9.1.x - v9.3.x, and the SecureAuth Identity Platform v19.07

RAD-241: SecureAuth RADIUS supports MS-CHAPv2, as documented in the MS-CHAPv2 and RADIUS (SP-initiated) for Cisco and NetScaler configuration guide.
RAD-258: SecureAuth RADIUS masks all phone numbers consistently with asterisks, regardless of the format in which they are stored in Active Directory.
RAD-259: SecureAuth RADIUS supports a Yubico OTP token as the second-factor passcode in the "Username | Second Factor" and "Username | Second Factor | Password" workflows.
RAD-271: SecureAuth RADIUS supports the "Yubico OTP only" workflow, in which end users use the YubiKey code as the password.
RAD-272: SecureAuth RADIUS supports a Yubico OTP token as the password or passcode in the "Password | Yubico One-Time Passcode" workflow.
RAD-273: SecureAuth RADIUS now uses the AdoptOpenJDK 8 Java Runtime Environment (JRE) and no longer uses the Oracle JRE.
RAD-301: SecureAuth RADIUS supports PAM RADIUS version pam_radius-1.4.0-2.el7.x86_64 and earlier.

Resolved issues 

RAD-195: Toast (pop-up) messages in the Realms and Clients tabs are implemented and work correctly.
RAD-257: Clicking the Add Attribute text in the Static Value Mapping section of the RADIUS Client tab no longer adds a custom attribute to the page.
RAD-261: The Import Settings and Export Settings buttons were moved into the RADIUS Server Settings section on the Settings tab.
RAD-262: If end users receive a login screen after they have logged in with a 2FA passcode method of SMS/Text, Voice, Email, or Send passcode to mobile app, a guidance message in the log file explains the following workaround for administrators: to avoid errors with 2FA passcode methods, ensure that the following key is removed from the appSettings section of the SecureAuth Identity Platform Web Config file:

    <add key="OTPFieldMapping" value="<SecureAuth IdP Profile Property>" />

RAD-265: Connections to disabled realms fail as expected because the realm is inactive.
RAD-268: The first IdP realm created is automatically assigned to the default RADIUS client.
RAD-270: End users receive better error messages with guidance when using NetMotion to import the PEAP certificate for a machine.
RAD-282: Administrators can create a valid Personal Information Exchange (PFX) certificate without a password and import it on the RADIUS Protected Extensible Authentication Protocol (PEAP) page.
RAD-295: End users cannot connect to the VPN using a deleted shared secret value.
RAD-300: The "Password | One-Time Passcode (TOTP/HOTP) or Second Factor" workflow was renamed "Password | Second Factor".
RAD-302: On Firefox Quantum versions 67.0.2 and 67.0.4, if end users set an attribute with invalid characters, they can remove the attribute row without saving or leaving the page.
RAD-304: Administrators cannot select the installation path during an upgrade. The directory can be selected only in a new installation. (The documentation was corrected.)
RAD-306: After converting SecureAuth RADIUS from sAMAccountName (SAM) to UPN by adding a domainUPNSuffixes.properties file, end users can now log in to a RADIUS client that uses PEAP as its authentication scheme with a UPN-format username.

Version 2.5 - Release Date: April 16, 2019

New features and enhancements

Version: 2.5
Compatibility: SecureAuth IdP versions 9.0 - 9.3

RAD-83: A warning is displayed when an installation of an older version of RADIUS is attempted while a newer version is installed.
RAD-150: End users' phone numbers and email addresses displayed in authentication applications are hidden consistently with asterisks.
RAD-218: TOTP and HOTP with YubiKey as the second factor are supported in RADIUS version 2.5.1.
RAD-237: The RADIUS client user interface and documentation were refreshed with the latest brand logo and colors.
RAD-238: SecureAuth RADIUS supports Windows Server 2016.

Resolved issues

RAD-179: SonicWall NetExtender created a hotfix to resolve a RADIUS client problem with 2FA methods. All 2FA methods are available.
RAD-202: Editing and saving a disabled realm no longer enables the realm.
RAD-204: The Static Value field is empty by default in the Static Value Mapping section of the RADIUS Client tab.
RAD-206: The Static Value field allows up to 247 characters in the Static Value Mapping section of the RADIUS Client tab.
RAD-208: Uppercase letters are allowed in the Static Value field in the Static Value Mapping section of the RADIUS Client tab.
RAD-212: Clicking the context-sensitive help (small i) icon over a disabled client setting shows information for disabled clients in the RADIUS Client tab.
RAD-249: Numerous minor bug fixes were completed.
RAD-252: When creating a RADIUS client and clicking the Add Attribute button, the client is no longer saved unless the Add Client button is selected.
RAD-253: RADIUS client attribute values are restricted to the RADIUS protocol's maximum attribute value length of 253 bytes.
TW-698: The FileSync Service version installed on SecureAuth IdP is now documented in the RADIUS Installation Guide.

Known issue

RAD-210: When running the RADIUS client with the Pulse Secure client and 2FA options, Pulse Secure limits the message to a maximum of 210 characters. End users see all options in the Pulse Secure web client only when the message is shorter than 210 characters.

A second Pulse Secure limitation cuts options 5 - 8 off from end users' view of the 2FA list. End users can still select options 5 - 8, even though they are off-screen and there is no scrollbar.

Optionally, modify the text in the RADIUS uiTextsBundle.properties configuration file to shorten the multi-factor options message. See "Modify text showing on client user interface during login" in Configuration guide - v2.5 - SecureAuth IdP RADIUS server.
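RAD-351/RAD-483 (the 4096-byte packet limit), RAD-253 (253-byte attribute values), RAD-229 (Framed-IP-Address from Active Directory) and RAD-210 (a VPN client that shows only part of long reply text) all come down to how a RADIUS reply is framed under RFC 2865. The following added example, not SecureAuth code, builds an Access-Challenge whose Reply-Message text is split across attributes of at most 253 bytes, refuses to produce a packet over 4096 bytes, encodes Framed-IP-Address from the 32-bit integer form in which Active Directory stores msRADIUSFramedIPAddress, and computes and verifies the Response Authenticator so the client can detect a reply from a server with a different shared secret. The shared secret, request authenticator and message text are constructed sample values.

```python
"""RADIUS reply framing per RFC 2865 with the protocol's length limits.

Added example, not SecureAuth code. An attribute value is at most 253 bytes
(the one-octet Length covers a 2-byte header, so 255 total) and a packet is
at most 4096 bytes. Long Reply-Message text is split across several
Reply-Message attributes; the Response Authenticator proves the reply came
from a server holding the same shared secret. Secret, request authenticator
and text in the demo are constructed sample values.
"""
import hashlib
import hmac
import socket
import struct

MAX_ATTR_VALUE = 253   # RFC 2865 section 5
MAX_PACKET = 4096      # RFC 2865 section 3
HEADER_LEN = 20        # Code(1) Identifier(1) Length(2) Authenticator(16)
ACCESS_ACCEPT, ACCESS_CHALLENGE = 2, 11
FRAMED_IP_ADDRESS, REPLY_MESSAGE, STATE = 8, 18, 24


def encode_attr(attr_type, value):
    """Type-Length-Value encoding. Raises instead of silently truncating."""
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError(f"attribute {attr_type}: {len(value)} bytes, max {MAX_ATTR_VALUE}")
    return struct.pack(">BB", attr_type, len(value) + 2) + value


def reply_message_attrs(text):
    """Split UTF-8 text into as many Reply-Message attributes as needed,
    never cutting inside a multi-byte character."""
    attrs, chunk = [], b""
    for ch in text:
        enc = ch.encode("utf-8")
        if len(chunk) + len(enc) > MAX_ATTR_VALUE:
            attrs.append(encode_attr(REPLY_MESSAGE, chunk))
            chunk = b""
        chunk += enc
    if chunk:
        attrs.append(encode_attr(REPLY_MESSAGE, chunk))
    return attrs


def ad_int_to_ipv4(value):
    """msRADIUSFramedIPAddress is an Integer attribute in Active Directory, so
    addresses at or above 128.0.0.0 read back negative. Mask to 32 bits."""
    return ".".join(str(b) for b in (value & 0xFFFFFFFF).to_bytes(4, "big"))


def framed_ip_attr(ad_value):
    """Framed-IP-Address carries the 4 raw address octets."""
    return encode_attr(FRAMED_IP_ADDRESS, socket.inet_aton(ad_int_to_ipv4(ad_value)))


def build_reply(code, identifier, request_auth, attrs, secret):
    """Assemble a RADIUS response. Response Authenticator =
    MD5(Code | ID | Length | RequestAuth | Attributes | Secret), RFC 2865 section 3."""
    body = b"".join(attrs)
    length = HEADER_LEN + len(body)
    if length > MAX_PACKET:
        raise ValueError(f"packet would be {length} bytes, max {MAX_PACKET}")
    head = struct.pack(">BBH", code, identifier, length)
    resp_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + resp_auth + body


def verify_reply(packet, request_auth, secret):
    """Client-side check: recompute the Response Authenticator. A mismatch means
    a different shared secret on either side, or a tampered or spoofed reply."""
    head, got, body = packet[:4], packet[4:20], packet[20:]
    want = hashlib.md5(head + request_auth + body + secret).digest()
    return hmac.compare_digest(want, got)


if __name__ == "__main__":
    secret = b"example-shared-secret"   # constructed sample value
    request_auth = bytes(range(16))     # constructed; the client sends 16 random bytes
    attrs = reply_message_attrs("Select a second factor: 1) Push 2) SMS 3) Authenticate app")
    attrs.append(encode_attr(STATE, b"sess-42"))
    pkt = build_reply(ACCESS_CHALLENGE, 7, request_auth, attrs, secret)
    print(len(pkt), "bytes, authenticator ok:", verify_reply(pkt, request_auth, secret))
    print("wrong secret detected:", not verify_reply(pkt, request_auth, b"other"))
```

The per-attribute split is what a VPN client sees before it applies its own display limit, so when a client truncates the menu, count the bytes in each Reply-Message rather than only the total text length.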

Version 2.4 - Release Date: October, 2018

New features and enhancements

Version: 2.4
Compatibility: SecureAuth IdP versions 8.2 - 9.2

(no issue ID): IdP realms and RADIUS clients can be disabled and enabled.
RAD-13: Authentication workflow names are standardized for consistency with IdP naming conventions.
RAD-44: Additional logging is available for Adaptive Authentication steps.
RAD-58: Text hints appear on the IdP Realm page.
RAD-91: A toggle on the RADIUS Clients page lets you enter either a NAS-IP or a client IP address.
RAD-107: A single-page workflow was added for Username, Second Factor, and Password.
RAD-110: Wildcards are supported when defining RADIUS client IP values.
RAD-143: One or more backup IdP hosts can be specified for failover.
RAD-147: A PIN + TOTP end user workflow was added.

Resolved issues

RAD-215: The custom API header with millisecond-precision dates now works with SecureAuth IdP version 9.2.