6.0 RADIUS Server

The Advanced Authentication server provides a built-in RADIUS server that can authenticate any RADIUS client using one of the chains configured for the event.


  • The built-in RADIUS server supports only the PAP method.

  • The RADIUS server supports the following authentication methods: Email OTP, Emergency Password, LDAP Password, OATH OTP, Password, RADIUS Client, Security Questions, Smartphone, SMS OTP, Voice OTP, and Voice methods.

  • By design, Advanced Authentication does not support the single-factor authentication with a Smartphone, Email OTP, SMS OTP, Security Questions, Voice OTP, and Voice method for RADIUS. These methods cannot be the first or single method in a chain. It is recommended to use it in a two-factor chain with the LDAP Password method.

To configure pre-defined RADIUS Server event, perform the following steps:

  1. Click Events.

  2. Click Edit next to the RADIUS Server event.

  3. Ensure that Is enabled is set to ON.

  4. Select the chains that you want to assign to the event.

  5. Select RADIUS from Endpoint whitelist.

  6. Click Add to add and assign a RADIUS Client to the event:

    1. Specify the IP address of the RADIUS Client in IP Address.

    2. Specify the RADIUS Client name in Name.

    3. Specify the RADIUS Client secret and confirm the secret.

    4. Ensure that the RADIUS Client is set to ON.

    5. Click next to the RADIUS Client.

    6. Add more RADIUS Clients if required.

  7. Set Return user groups to ON to enable the RADIUS server to return all the groups of a user in the filter-id attribute in an authentication response to the RADIUS Client.

    By default the option is set to OFF and the RADIUS server does not return the filter-id attribute in the authentication response.

    1. Specify the preferred user groups in User groups white list to allow the RADIUS server to return only the specified groups of a user in the filter-id attribute to the RADIUS Client.

      If you set the Return user groups to ON and the User groups white list is empty, all the groups of a user are returned in the filter-id attribute.

    2. You can specify any attribute you want to return instead of the Filter-ID attribute in Groups attribute. For example, you can specify the class attribute in Groups attribute and the class attribute will be returned instead of the Filter-Id attribute. By default, the Filter-Id attribute is returned in an authentication response to the RADIUS Client.

    NOTE:It is recommended to enable the Return user groups option and specify the preferred user groups because in large environments a user can be part of many groups and as a result, the list of all groups that are returned by the RADIUS server can be large. The size of RADIUS response exceeds the maximum size of RADIUS packet.

  8. (Optional) Specify NAS ID while adding custom RADIUS server event. You must use the same NAS ID on the configured RADIUS clients to associate them with the custom RADIUS server event.

  9. Set Bypass user lockout in repository to ON, if you want to allow repository locked-out users to be authenticated on the Advanced Authentication. By default, Bypass user lockout in repository is set to OFF and users locked on repository is not allowed to authenticate.

  10. Click Save.

IMPORTANT:If you use more than one chain with the RADIUS server, follow one of the following ways:

  1. Each chain assigned to the RADIUS event may be assigned to a different LDAP group. For example, LDAP Password+Smartphone chain is assigned to a Smartphone users group, LDAP Password+HOTP chain is assigned to a HOTP users group. If a RADIUS user is a member of both groups, the top group is used.

  2. By default, the top chain specified in the RADIUS Server event in which all the methods are enrolled is used. But, you can authenticate with the RADIUS authentication using another chain from the list when specifying <username>&<chain shortname> in username. For example, pjones&sms. Ensure that you have specified the short names for chains. Some RADIUS clients such as FortiGate do not support this option.

NOTE:If you use the LDAP Password+Smartphone chain, you can use an offline authentication by specifying the password in the format <LDAP Password>&<Smartphone OTP>. For example, Q1w2e3r4&512385. This option is supported for LDAP Password+OATH TOTP, Password+Smartphone, Password+OATH TOTP, Password+OATH HOTP.

When you want to add multiple RADIUS clients, you can add them to the predefined RADIUS Server event. But all the RADIUS clients will use the same authentication chain(s). If you want to configure specific authentication chain(s) for different RADIUS clients, then you must create a custom RADIUS event. While adding the custom RADIUS event ensure to specify NAS ID that is essential to associate clients with the custom RADIUS event.

For more information about the custom RADIUS event, see Creating a RADIUS Event.

NOTE:If the RADIUS log files are overflown of records with the error Discarding duplicate request from client, you can increase the timeout on the RADIUS Client. The optimal timeout value needs to be determined by experimenting. It must not exceed 60 seconds.

Customizing Prompt Messages For RADIUS Event

You can customize prompt messages of the authentication methods that are configured for the RADIUS event. The customized prompt messages are displayed when a user initiates authentication to RADIUS event using the configured methods.

For more information about customizing prompt message for RADIUS event, see Customizing Prompt Messages of the Authentication Methods for RADIUS Event.

Challenge-Response Authentication

If you have configured a multi-factor chain such as LDAP Password&SMS OTP or any other combination chain, some users (during the authentication) might not be able to specify the <Password>&<OTP> in a single line (because of the Password length limit in RADIUS). In this case, you can configure the existing RADIUS Client by performing the following steps:

  1. Specify an LDAP password in Password and send the authentication request.

    Advanced Authentication server returns the access-challenge response with State=<some value> (example: State=WWKNNLTTBxP6QYfiZIpvscyt7RYrYsGag4h8s0Rh8R) and Reply-Message=SMS OTP. You will receive an SMS with a one-time password on the registered mobile.

  2. Specify the OTP in Password and add an additional RADIUS attribute with State=<value> where, value is the value that is obtained in step 1.

  3. Send the authentication request.

Using RADIUS in Multitenancy Mode

The following are the examples of integration with a RADIUS Server: