Summary / Overview
SecureAuth is a technology leader providing access control to mobile, cloud, web, and network resources, serving over 10 million users worldwide. The SecureAuth IdP all-in-one is a completely scalable solution that manages and enforces access based on existing user entitlements. SecureAuth IdP seamlessly integrates with any device or application that supports RADIUS authentication to provide strong two-factor authentication using a One-Time-Token delivered via the SecureAuth OTP application.
Use this document to install SecureAuth RADIUS v1.0.1.X on the SecureAuth server.
This RADIUS service only supports PAP authentication. To use any other protocol, contact SecureAuth Support.
- SecureAuth IdP appliance: Windows Server 2003 and above
- JRE 1.7 32-bit
- UDP ports 1812 and 1813 open
- SecureAuth IdP realm 998 configured to deliver One Time Password (OTP) (https://docs.secureauth.com/x/1hXy)
If SecureAuth RADIUS 126.96.36.199 is already installed on the SecureAuth IdP server, disable the existing RADIUS service before proceeding with the new installation to upgrade to this version.
1. Disable the existing RADIUS installation:
Open services.msc, scroll to the service "SecureAuthRadiusService", right-click it and choose Properties, then set Startup type to Disabled.
2. Install and test the RADIUS server v1.0.1.X (follow the Installation and Configuration steps in the sections below).
Once completed, uninstall the previous SecureAuth RADIUS version via one of the two options presented below.
Option 1 (uninstall script):
1. Open the command prompt as administrator
2. Navigate to D:\SecureAuthRadiusInterface-188.8.131.52-dist\
3. Type install-install-service.bat uninstall
Option 2 (service control manager):
1. Open the command prompt as administrator
2. Type sc delete SecureAuthRadiusService
To Download RADIUS
- Contact support to receive the link to download the RADIUS file.
- Unzip the contents of the zip file secureauth-radius-1.0.1.x-dist.zip into the D drive of the SecureAuth server. This creates a folder secureauth-radius-1.0.1.x-dist.
- Open a command prompt with administrator privileges and navigate to D:\secureauth-radius-1.0.1.x-dist\secureauth-radius-1.0.1.x\bin directory.
- Run the installWindowsService.bat file.
- Open services.msc and verify that the SA Radius 2 service is installed.
- Open the properties of the SA Radius 2 service and set its Log On account to the current user.
- Set the SA Radius 2 service to Automatic and start the service.
To Configure RADIUS Service
- In Windows Explorer, navigate to D:\secureauth-radius-1.0.1.x-dist\secureauth-radius-1.0.1.x\webapp\WEB-INF\classes and open the appliance.radius.properties file in Notepad.
In the radius.secureauth_endpoint URL, set the IP address or FQDN of your SecureAuth appliance.
This is the secure endpoint of the SecureAuth server that receives authentication requests for validation from the SecureAuth RADIUS Interface. It can verify the (username, password) and (username, OTP) pairs. It needs to be up and running for the service to function correctly. The complete URL should be specified here.
This is the shared secret that the SecureAuth RADIUS Interface shares with its clients. The same value needs to be defined on all the RADIUS clients of this service: all clients share the same secret with this RADIUS interface.
This is the list of client IP addresses, the authentication type for each client, and the client name.
Each client definition is enclosed in square brackets []. You may specify multiple client definitions: place each definition within its own [] and separate the definitions with commas.
Each client definition has the following parts. All of the parts must be supplied:
- CLIENT IP ADDRESS: This parameter specifies a valid IP address for the client
- AUTHENTICATION TYPE: This specifies the authentication type for the client. It has to be one of the values described below.
- OTP_ONLY: This only performs a username and OTP authentication. If successful, an ACCESS_ACCEPT RADIUS response is returned to the client, else ACCESS_REJECT.
- PASSWORD_ONLY: This only performs a username and password authentication. If successful, an ACCESS_ACCEPT RADIUS response is returned to the client, else ACCESS_REJECT.
- PASSWORD_AND_OTP: This performs a 2-factor authentication for the client's authentication requests. The first request performs a username and password authentication. If successful, an ACCESS_CHALLENGE RADIUS packet is returned to prompt the end user for an OTP. The second request performs the second-factor authentication for username and OTP. If successful, an ACCESS_ACCEPT RADIUS response is returned, else an ACCESS_REJECT RADIUS response is returned to the client.
- OTP_AND_PASSWORD: This performs a 2-factor authentication for the client's authentication requests. The first request performs a username and OTP authentication. If successful, an ACCESS_CHALLENGE RADIUS packet is returned to prompt the end user for a password. The second request performs the second-factor authentication for username and password. If successful, an ACCESS_ACCEPT RADIUS response is returned, else an ACCESS_REJECT RADIUS response is returned to the client.
- OTP_SLASH_PASSWORD: The password is a single string made of your soft token and password separated by a slash "/".
- CLIENT NAME: This currently is a free form alphanumeric string that is passed to the SecureAuth endpoint for additional client context. It is suggested that you use generic client names depending on the particular context like - VPN, VDI.
Example configuration for the property radius.clients:
radius.clients=[172.16.0.39, OTP_ONLY, VPN],[172.16.0.21, PASSWORD_AND_OTP, VDI],[172.16.0.1, OTP_ONLY, VPN]
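The radius.clients format and the per-type ACCESS_* flows described above, as an added example that is not part of SecureAuth's documentation or product: a validator that parses the property value (rejecting malformed entries, bad IP addresses and unknown authentication types) and reports which RADIUS responses a given client should see on a successful login. The duplicate-IP check is an assumption of this example; the documentation does not define that case.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Authentication types documented for radius.clients.
AUTH_TYPES = {"OTP_ONLY", "PASSWORD_ONLY", "PASSWORD_AND_OTP",
              "OTP_AND_PASSWORD", "OTP_SLASH_PASSWORD"}

# Responses on a fully successful login per type; a failed step yields ACCESS_REJECT.
SUCCESS_FLOW = {
    "OTP_ONLY": ["ACCESS_ACCEPT"],
    "PASSWORD_ONLY": ["ACCESS_ACCEPT"],
    "OTP_SLASH_PASSWORD": ["ACCESS_ACCEPT"],
    "PASSWORD_AND_OTP": ["ACCESS_CHALLENGE", "ACCESS_ACCEPT"],
    "OTP_AND_PASSWORD": ["ACCESS_CHALLENGE", "ACCESS_ACCEPT"],
}

# One bracketed definition: [ip, auth type, client name]
_ENTRY = re.compile(r"\[([^,\]]+),([^,\]]+),([^\]]+)\]")

def parse_clients(value: str) -> Dict[str, Tuple[str, str]]:
    """Parse a radius.clients line into {client_ip: (auth_type, client_name)}.
    Raises ValueError on anything malformed so a bad config is caught early."""
    body = value.split("=", 1)[1] if value.startswith("radius.clients=") else value
    # Everything outside the bracketed entries must be separating commas.
    leftover = _ENTRY.sub("", body).replace(",", "").strip()
    if leftover:
        raise ValueError(f"unparsed text in radius.clients: {leftover!r}")
    clients: Dict[str, Tuple[str, str]] = {}
    for raw_ip, auth_type, name in _ENTRY.findall(body):
        ip = str(ipaddress.ip_address(raw_ip.strip()))  # ValueError if not an IP
        auth_type, name = auth_type.strip(), name.strip()
        if auth_type not in AUTH_TYPES:
            raise ValueError(f"unknown authentication type {auth_type!r} for {ip}")
        if not re.fullmatch(r"[A-Za-z0-9_-]+", name):
            raise ValueError(f"client name must be alphanumeric: {name!r}")
        if ip in clients:  # assumed sanity check; the docs do not cover duplicates
            raise ValueError(f"duplicate client definition for {ip}")
        clients[ip] = (auth_type, name)
    return clients

def success_flow(clients: Dict[str, Tuple[str, str]], source_ip: str) -> List[str]:
    """Responses a client at source_ip should see on a successful login;
    an empty list means the address is not a configured client."""
    entry = clients.get(str(ipaddress.ip_address(source_ip)))
    return SUCCESS_FLOW[entry[0]] if entry else []

# Constructed sample: the example value shown in the documentation.
SAMPLE = ("radius.clients=[172.16.0.39, OTP_ONLY, VPN],"
          "[172.16.0.21, PASSWORD_AND_OTP, VDI],[172.16.0.1, OTP_ONLY, VPN]")
```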
This is the authentication port that the SecureAuth RADIUS Interface listens on. It defaults to the RADIUS standard of 1812 and can be changed to another free port if needed. The same port should be set on the RADIUS client when it is configured for this RADIUS interface. This needs to be numeric.
This is the accounting port that the SecureAuth RADIUS Interface listens on. It defaults to the RADIUS standard of 1813 and can be changed to another free port if needed. The same port should be set on the RADIUS client when it is configured for this RADIUS interface. This needs to be numeric.
- ChallengeMessage: For RADIUS authentication types like OTP_AND_PASSWORD and PASSWORD_AND_OTP, where the user is prompted with an Access-Challenge, you can specify the text you want to display along with the challenge.
If SecureAuth RADIUS 184.108.40.206 is installed on the SecureAuth server, copy the relevant settings from the config file (radius.config) of the previous RADIUS installation to the config file (appliance.radius.properties) of the new RADIUS installation.
To Encrypt the RADIUS Shared Secret
- Log into the SecureAuth appliance as a Local Admin.
1. In the RADIUS config file (appliance.radius.properties), set radius.encrypt_shared_secret to true.
This performs encryption of the RADIUS shared secret. By default this value is set to false. To encrypt the shared secret, set this value to true.
2. Open the mmc console and export the certificate from the SecureAuth appliance (machine store) with its private key, and install it in the user store.
keystoreAliasName is the Friendly Name of this certificate, or its Issued To name in case the friendly name is absent.
3. Enter the friendly name of the certificate from step 2 for keystoreAliasName in the RADIUS config file.
4. Open a command prompt as administrator, go to the D:\secureauth-radius-1.0.1.x-dist\secureauth-radius-1.0.1.x\bin folder, and run the updateSharedSecret.bat file.
The secret is not visible while you type it, as a security feature. You can encrypt the RADIUS secret as many times as you want.
5. After encrypting the secret, the radius secret in the RADIUS config file (appliance.radius.properties) will no longer appear in plain text but in its encrypted form.
6. Set the RADIUS service to log on with the "Local Admin" credentials and restart the service.
To uninstall RADIUS
- Open a command prompt with administrator privileges and type in: sc delete SecureAuthRadiusService2
Additional: Radius Attribute and User groups
VPNs like WatchGuard require attribute 11 (Filter-Id) and user group information to be sent back after the authentication. For this, you can enable the group attribute and specify the user group in the "jradius.server.properties" file.
To make this change, navigate to D:\secureauth-radius-1.0.1.x-dist\secureauth-radius-1.0.1.x\webapp\WEB-INF\classes and open the jradius.server.properties file.
- Set 2faas.resp.enableGroupAttrs to true.
This enables the group attribute.
- Use 2faas.resp.group to specify the user group name required by the RADIUS client. (By default, WatchGuard requires the SSLVPN-Users group.)
The RADIUS logs can be found at the following location: C:\Windows\System32\Logfiles\Apache