8.0 RADIUS Server

The Advanced Authentication server provides a built-in RADIUS server that can authenticate any RADIUS client using one of the chains configured for the event.

IMPORTANT:

  • The built-in RADIUS server supports only the PAP method.

  • The RADIUS server supports all authentication methods except Card, FIDO U2F, Notaris ID, Fingerprint, and PKI methods.

  • By design, Advanced Authentication does not support single-factor authentication with the Smartphone method for RADIUS. Use the Smartphone method in a two-factor chain with the LDAP Password method.

To configure an authentication event for RADIUS, perform the following steps:

  1. Click Events.

  2. Click Edit next to the Radius Server event.

  3. Ensure that Is enabled is set to ON.

  4. Select the chains that you want to assign to the event.

  5. Select Radius from Endpoint whitelist.

  6. Click Add to add and assign a RADIUS Client to the event:

    1. Specify the IP address of the RADIUS Client in IP Address.

    2. Specify the RADIUS Client name in Name.

    3. Specify the RADIUS Client secret and confirm the secret.

    4. Ensure that the RADIUS Client is set to ON.

    5. Click next to the RADIUS Client.

    6. Add more RADIUS Clients if required.

  7. Set Return user groups to ON to make the RADIUS server return all groups of the user in the filter-id attribute of the authentication response sent to the RADIUS Client. To return only specific groups of the user instead of all of them in the filter-id attribute, list those groups in User groups white list. For example, Bob\mydomain.

    By default the option is set to OFF and the RADIUS server does not return the filter-id attribute in the authentication response.

    If you set the option to ON and the User groups white list is empty, all the groups of a user are returned in the filter-id attribute.

    NOTE: It is recommended to enable the Return user groups option and to specify the particular user groups, because in large environments a user can be a member of many groups. The list of all groups returned by the RADIUS server can then be so large that the RADIUS response exceeds the maximum RADIUS packet size.

  8. Click Save.

IMPORTANT: If you use more than one chain with the RADIUS server, use one of the following approaches:

  1. Each chain assigned to the RADIUS event may be assigned to a different LDAP group. For example, the LDAP Password+Smartphone chain is assigned to a Smartphone users group and the LDAP Password+HOTP chain to a HOTP users group. If a RADIUS user is a member of both groups, the top group is used.

  2. By default, the topmost chain in the Radius Server event for which the user has enrolled all methods is used. To authenticate with another chain from the list, specify <username>&<chain shortname> as the user name, for example pjones&sms. Ensure that short names are configured for the chains. Some RADIUS clients, such as FortiGate, do not support this option.

NOTE: If you use the LDAP Password+Smartphone chain, you can authenticate offline by specifying the password in the <LDAP Password>&<Smartphone OTP> format, for example Q1w2e3r4&512385. This option is supported for the LDAP Password+OATH TOTP, Password+Smartphone, Password+OATH TOTP, and Password+OATH HOTP chains.

Challenge-Response Authentication

If you have configured a multi-factor chain such as LDAP Password&SMS OTP or any other combination chain, some users might not be able to enter <Password>&<OTP> in a single line during authentication (because of the password length limit in RADIUS). In this case, the existing RADIUS Client can authenticate in two rounds by performing the following steps:

  1. Specify an LDAP password in Password and send the authentication request.

    The Advanced Authentication server returns an Access-Challenge response with State=<value> (for example, State=WWKNNLTTBxP6QYfiZIpvscyt7RYrYsGag4h8s0Rh8R) and Reply-Message=SMS OTP, and an SMS with a one-time password is sent to the registered mobile phone.

  2. Specify the OTP in Password and add the RADIUS State attribute with the value obtained in step 1.

  3. Send the authentication request.
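The two-round exchange above, as an added example that is not code from the original documentation or from the product: a minimal RFC 2865 client and server helper in Python showing PAP User-Password hiding with the shared secret (PAP is the only method the built-in server supports), the State attribute carried from the Access-Challenge into the second Access-Request, and the Response Authenticator check a client should perform before trusting a reply. Attribute and code numbers are the RFC 2865 values; everything else is supplied by the caller.

```python
import hashlib, struct
ACCESS_REQUEST, ACCESS_CHALLENGE, USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 11, 1, 2, 18, 24  # RFC 2865

def pap_hide(password, secret, authenticator):
    # RFC 2865 5.2: 16-byte blocks XORed with MD5(secret + previous block), seeded by the Request Authenticator
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_reveal(hidden, secret, authenticator):
    # Inverse of pap_hide: what the server does before checking the password
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(kind, value):
    return struct.pack("BB", kind, len(value) + 2) + value

def access_request(ident, username, password, secret, authenticator, state=None):
    # authenticator = os.urandom(16) per request; round 2 adds the State copied from the Access-Challenge
    attrs = attr(USER_NAME, username) + attr(USER_PASSWORD, pap_hide(password, secret, authenticator))
    if state is not None:
        attrs += attr(STATE, state)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def reply(code, request, attrs, secret):
    # Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def response_valid(response, request, secret):
    # Client side: recompute the Response Authenticator so a spoofed or tampered reply is rejected
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return expected == response[4:20]

def parse_attrs(packet):
    # Walk the TLV attribute list after the 20-byte header (repeated types keep the last value)
    attrs, i = {}, 20
    while i < len(packet):
        kind, length = packet[i], packet[i + 1]
        if length < 2:
            raise ValueError("malformed attribute length")
        attrs[kind] = packet[i + 2:i + length]
        i += length
    return attrs
```

Round 1 is access_request with the LDAP password; the server answers with reply(ACCESS_CHALLENGE, ...) carrying State and Reply-Message, and round 2 is access_request with the OTP and that State.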

When you enable Multitenancy, you can use one of the following formats to represent the user name:

  • <repository_name>\<username>

  • <tenant_name>\<repository_name>\<username>

  • <username>@<tenant_name>

  • <repository_name>\<username>@<tenant_name>
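A parser for the user-name conventions on this page (the <username>&<chain shortname> suffix and the Multitenancy forms) and for the <LDAP Password>&<OTP> password form, added here as an example and not code from the product. It assumes that the &<chain> suffix is stripped before the tenant and repository parts are read and that the OTP part is numeric and never contains &; neither detail is stated on the page.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class RadiusIdentity:
    user: str
    repository: Optional[str] = None
    tenant: Optional[str] = None
    chain: Optional[str] = None  # chain short name from <username>&<chain shortname>

def parse_user_name(value: str) -> RadiusIdentity:
    # Assumption: the &<chain> suffix wraps the whole User-Name, so it is removed first
    chain = None
    if "&" in value:
        value, chain = value.rsplit("&", 1)
    tenant = None
    if "@" in value:  # <...>@<tenant_name>; assumes the last @ is the tenant separator
        value, tenant = value.rsplit("@", 1)
    parts = value.split("\\")
    if len(parts) == 3:  # <tenant_name>\<repository_name>\<username>
        if tenant is not None:
            raise ValueError("tenant given both as prefix and as @ suffix")
        tenant, repository, user = parts
    elif len(parts) == 2:  # <repository_name>\<username>
        repository, user = parts
    elif len(parts) == 1:
        repository, user = None, parts[0]
    else:
        raise ValueError("too many backslashes in User-Name")
    if not user:
        raise ValueError("empty user name")
    return RadiusIdentity(user, repository, tenant, chain)

def split_password(value: str):
    # <LDAP Password>&<OTP> for the offline chains; assumes the OTP is numeric and has no '&',
    # so the split is on the last '&' and the LDAP password itself may contain '&'
    if "&" in value:
        password, otp = value.rsplit("&", 1)
        if otp.isdigit():
            return password, otp
    return value, None
```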

Advanced Authentication stores the RADIUS event settings only on the server where the administrator performs the configuration (typically the DB Master server). After a DB Slave server is converted to the DB Master server, the configuration may be lost. Go to the Radius Server event settings and click Save to apply the configuration again.

The following are examples of integration with a RADIUS server: