25.0 RADIUS Server

The Advanced Authentication server provides a built-in RADIUS server that can authenticate any RADIUS client using one of the chains configured for the event.

IMPORTANT:

  • The built-in RADIUS server supports the PAP and EAP-TTLS/PAP methods.

    For more information, see RADIUS EAP-TTLS-PAP Options.

  • The RADIUS server supports the following authentication methods: Email OTP, Emergency Password, LDAP Password, OATH OTP, Out-of-Band, Password, RADIUS Client, Security Questions, Smartphone, SMS OTP, Voice OTP, Flex OTP, and Voice. Any other method can be used through the Out-of-Band method.

    For more information, see Out-of-band.

  • By design, Advanced Authentication does not support single-factor authentication with the Smartphone, Email OTP, SMS OTP, Security Questions, Voice OTP, or Voice method for RADIUS: these methods cannot be the first or only method in a chain. The OATH TOTP and OATH HOTP methods also cannot be the first method in a chain. Use these methods as the second factor in a two-factor chain after the LDAP Password method.

To configure the pre-defined RADIUS Server event, perform the following steps:

  1. Click Events.

  2. Click Edit next to the RADIUS Server event.

  3. Ensure that Is enabled is set to ON.

  4. Select the chains that you want to assign to the event.

  5. Specify the endpoint name in Endpoints whitelist.

  6. Set Bypass user lockout in repository to ON if you want users who are locked out in the repository to be able to authenticate on Advanced Authentication. By default, Bypass user lockout in repository is set to OFF and users locked out in the repository are not allowed to authenticate.

  7. Set Return groups on logon to ON if you want the group details of users who authenticate to the event to be returned in the authentication response.

    With Return groups on logon set to ON and Groups empty, all the groups that the user is a member of are returned in the response. To return only the required groups, specify them in Groups.

    A RADIUS packet is limited to 4096 octets (RFC 2865), so the authentication response can exceed this limit if a user is a member of many groups. It is therefore recommended to use Groups to limit the groups in the response.

    By default, Return groups on logon is set to OFF and the groups of users who authenticate to the event are not returned in the response.

  8. Configure Input Rule.

  9. Configure Chain Selection Rule.

  10. Configure Result Specification Rule.

    You can also configure these RADIUS rules in the RADIUS Options policy. For more information about configuring the RADIUS rules in the RADIUS Options policy, see RADIUS Options.

    The rules configured in the RADIUS Options policy are called Global level rules and the rules configured in the RADIUS event are called Event level rules. All RADIUS rules are executed in the following order:

    1. Input rule configured in Global level rules.

    2. Event Selection rule configured in Global level rules.

    3. Input rule configured in Event level rules.

    4. Chain selection rule configured in Event level rules.

    5. Chain selection rule configured in Global level rules (if no chain in Event level rules).

    6. Authenticate the user.

    7. Result specification configured in Global level rules.

    8. Result specification configured in Event level rules.

  11. Click Save.

IMPORTANT:If you use more than one chain with the RADIUS server, use one of the following approaches:

  1. Assign each chain in the RADIUS event to a different LDAP group. For example, the LDAP Password+Smartphone chain is assigned to a Smartphone users group and the LDAP Password+HOTP chain is assigned to a HOTP users group. If a RADIUS user is a member of both groups, the group listed first is used.

  2. By default, the first chain listed in the RADIUS Server event for which the user has enrolled all methods is used. You can instead authenticate with another chain from the list by specifying <username>&<chain shortname> as the user name, for example pjones&sms. Ensure that short names are defined for the chains. Some RADIUS clients, such as FortiGate and OpenVPN, do not support this option.

NOTE:If you use the LDAP Password+Smartphone chain, you can use offline authentication by specifying the password in the format <LDAP Password>&<Smartphone OTP>, for example Q1w2e3r4&512385. This option is also supported for the LDAP Password+OATH TOTP, Password+Smartphone, Password+OATH TOTP, and Password+OATH HOTP chains. You must configure the Input Rule before you can use a different delimiter or no delimiter.

Before using the ampersand or any other special character as a delimiter, configure the Input Rule and Chain Selection Rule in the RADIUS Options policy.

NOTE:If the RADIUS log files fill with records of the error Discarding duplicate request from client, increase the timeout on the RADIUS client. Determine the optimal timeout value by experiment; it must not exceed 60 seconds.

Customizing Prompt Messages For RADIUS Event

You can customize prompt messages of the authentication methods that are configured for the RADIUS event. The customized prompt messages are displayed when a user initiates authentication to RADIUS event using the configured methods.

For more information about customizing prompt message for RADIUS event, see Customizing Prompt Messages of the Authentication Methods for RADIUS Event.

Challenge-Response Authentication

If you have configured a multi-factor chain such as LDAP Password+SMS OTP or any other combination chain, some users might not be able to enter <Password>&<OTP> on a single line during authentication, because the RADIUS User-Password attribute is limited to 128 octets (RFC 2865). In this case, configure the existing RADIUS client to authenticate in two rounds:

  1. Specify the LDAP password in Password and send the authentication request.

    The Advanced Authentication server returns an Access-Challenge response with State=<some value> (for example, State=WWKNNLTTBxP6QYfiZIpvscyt7RYrYsGag4h8s0Rh8R) and Reply-Message=SMS OTP. The user receives an SMS with a one-time password on the registered mobile.

  2. Specify the OTP in Password and add the RADIUS attribute State=<value>, where value is the value obtained in step 1.

  3. Send the authentication request.
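The two-round exchange described above, as an added example that is not code from Advanced Authentication or its documentation. The RADIUS client and a stand-in server (constructed for this example; it is not the product's server) are in one file so the exchange runs offline. The shared secret s3cret, the user pjones, the LDAP password Q1w2e3r4 and the OTP 512385 are constructed test data, and the User-Password hiding and Response Authenticator follow RFC 2865.

```python
# Added example, not code from Advanced Authentication or its documentation:
# an RFC 2865 Access-Request / Access-Challenge / Access-Accept exchange for a
# two-round LDAP Password + SMS OTP login, with the RADIUS client and a
# stand-in server (constructed test data, not the product's server) in one file.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24   # RFC 2865 attribute types


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request Authenticator."""
    password = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(password), 16):
        block = bytes(a ^ b for a, b in zip(password[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def pack_attrs(attrs):
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def decode(packet: bytes):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, packet[4:20], attrs


def access_request(secret: bytes, ident: int, user: str, password: str, state: bytes = None):
    """Client side: fresh random Request Authenticator per request; State is echoed
    back untouched when the server issued one in the previous round."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, hide_password(password.encode(), secret, req_auth))]
    if state is not None:
        attrs.append((STATE, state))
    body = pack_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body, req_auth


def response(code: int, ident: int, req_auth: bytes, attrs, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = pack_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def verify_response(packet: bytes, req_auth: bytes, secret: bytes):
    """Client side: refuse a reply whose Response Authenticator does not match, so a
    spoofed Access-Accept from a third party is not honoured."""
    code, _, resp_auth, attrs = decode(packet)
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("bad Response Authenticator")
    return code, dict(attrs)


class ChallengeServer:
    """Stand-in for the RADIUS server with an LDAP Password + SMS OTP chain (not the product's code)."""

    def __init__(self, secret: bytes, users: dict):
        self.secret, self.users, self.pending = secret, users, {}   # users: name -> (password, otp)

    def handle(self, packet: bytes) -> bytes:
        _, ident, req_auth, attrs = decode(packet)
        a = dict(attrs)
        user = a.get(USER_NAME, b"").decode()
        pw = unhide_password(a.get(USER_PASSWORD, b""), self.secret, req_auth).decode()
        if STATE in a:                                   # round 2: Password carries the OTP
            ok = self.pending.pop(a[STATE], None) == user and pw == self.users[user][1]
            return response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [], self.secret)
        if user in self.users and pw == self.users[user][0]:   # round 1: LDAP password
            state = os.urandom(16).hex().encode()
            self.pending[state] = user                  # single-use: popped in round 2
            return response(ACCESS_CHALLENGE, ident, req_auth,
                            [(STATE, state), (REPLY_MESSAGE, b"SMS OTP")], self.secret)
        return response(ACCESS_REJECT, ident, req_auth, [], self.secret)


def two_round_login(server: ChallengeServer, secret: bytes, user: str, password: str, otp: str):
    """Returns (final response code, Reply-Message from the challenge or None)."""
    req, auth = access_request(secret, 1, user, password)
    code, attrs = verify_response(server.handle(req), auth, secret)
    if code != ACCESS_CHALLENGE:
        return code, None
    req, auth = access_request(secret, 2, user, otp, state=attrs[STATE])
    code, _ = verify_response(server.handle(req), auth, secret)
    return code, attrs.get(REPLY_MESSAGE)


if __name__ == "__main__":
    srv = ChallengeServer(b"s3cret", {"pjones": ("Q1w2e3r4", "512385")})   # constructed test data
    print(two_round_login(srv, b"s3cret", "pjones", "Q1w2e3r4", "512385"))  # (2, b'SMS OTP'): Access-Accept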

Using RADIUS in Multitenancy Mode

When you enable Multitenancy, you can use one of the following formats for the user name:

  • <repository_name>\<username>

  • <tenant_name>\<repository_name>\<username>

  • <username>@<tenant_name>

  • <repository_name>\<username>@<tenant_name>
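The user-name and password formats on this page (the <username>&<chain shortname> chain selector, the <LDAP Password>&<OTP> offline format, and the four multitenancy user-name formats above) parsed in one place, as an added example that is not code from Advanced Authentication or its documentation. The product's Input Rule does this splitting on the server; these helpers are an assumption about how a RADIUS client or log tool would interpret the same strings, and they show why a password containing the ampersand is a problem for the default delimiter.

```python
# Added example, not code from Advanced Authentication or its documentation.
# Parsers for the user-name and password formats described on this page.
# Assumption: the chain short name follows the first '&' in the user name, the OTP
# follows the last '&' in the password and is all digits, and '@' and '\' carry the
# documented tenant/repository meaning.


def split_chain_selector(user_name: str):
    """'<username>&<chain shortname>' -> (username, chain or None)."""
    user, sep, chain = user_name.partition("&")
    return user, (chain if sep else None)


def split_password_otp(password: str):
    """'<LDAP Password>&<OTP>' -> (password, otp or None).

    Splitting on the LAST '&' keeps an LDAP password that itself contains '&'
    intact. A password ending in '&' plus digits is still ambiguous, which is why the
    page requires configuring the Input Rule before using a different delimiter."""
    pw, sep, otp = password.rpartition("&")
    if not sep or not otp.isdigit():
        return password, None
    return pw, otp


def parse_tenant_user_name(user_name: str):
    """Returns {'tenant', 'repository', 'username'} for the four documented formats:
    repo\\user, tenant\\repo\\user, user@tenant, repo\\user@tenant."""
    tenant = None
    name, at, suffix = user_name.rpartition("@")
    if at:
        tenant, user_name = suffix, name
    parts = user_name.split("\\")
    if len(parts) == 3:
        if tenant is not None:
            raise ValueError("tenant given both as prefix and as @suffix")
        tenant, repository, username = parts
    elif len(parts) == 2:
        repository, username = parts
    elif len(parts) == 1:
        repository, username = None, parts[0]
    else:
        raise ValueError("unsupported user name format: %r" % user_name)
    if not username:
        raise ValueError("empty user name")
    return {"tenant": tenant, "repository": repository, "username": username}


if __name__ == "__main__":
    print(split_chain_selector("pjones&sms"))                 # constructed inputs
    print(split_password_otp("Q1w2e3r4&512385"))
    print(parse_tenant_user_name("corp\\pjones@acme"))
```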

The following are examples of integration with the RADIUS Server: