RADIUS for the Cloud Authentication Service Overview

Document created by RSA Information Design and Development on Apr 14, 2017. Last modified by RSA Information Design and Development on Jun 15, 2018.
Version 12

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting management for users who connect to a network service. Network access servers and other devices that control access to a network usually contain a RADIUS client that communicates with a RADIUS server.

Each identity router includes an integrated RADIUS server. The RADIUS server receives user access requests from RADIUS clients and forwards the requests through the identity router to the Cloud Authentication Service. A RADIUS client is a network device, such as a network access server, firewall, or virtual private network (VPN) server, which uses the RADIUS protocol to communicate with a RADIUS server. The Cloud Authentication Service responds to the RADIUS server, which replies to the requesting RADIUS clients.

Note:  User workstations and other user devices are not RADIUS clients.

You must enable RADIUS for each cluster that provides RSA SecurID Access authentication for users attempting to access protected resources through RADIUS-capable devices. For instructions, see Enable RADIUS on Identity Routers in a Cluster. The Clusters page (Platform > Clusters) displays whether RADIUS is enabled for each cluster.

For more information, see:

Supported Authentication Methods for RADIUS

RSA SecurID Access supports username and password verification for primary authentication, plus the following methods for additional authentication:

  • Approve
  • Authenticate Tokencode
  • RSA SecurID Token (including New PIN and Next Tokencode modes)
  • Device Biometrics
  • SMS Tokencode
  • Voice Tokencode

Note:  Users with invalid or expired passwords cannot change their passwords during the RADIUS authentication process. Users who need to change their passwords must do so prior to authenticating.

RADIUS Authentication Flow

The following graphic illustrates the authentication process using RADIUS.

Access Policies for RADIUS Clients

You must assign an access policy to each RADIUS client to determine authentication requirements for users of that client. If the policy requires primary authentication only, users enter only their LDAP username and password. If additional authentication is required, the policy must meet both of the following criteria:

  • Contain at least one of these authentication methods: Approve, SecurID Token, Authenticate Tokencode, Device Biometrics, SMS Tokencode, or Voice Tokencode.
  • Contain no authentication conditions. Authentication conditions are restrictions based on the context of the user's request, for example, whether the user has a known browser or is authenticating from a certain country. Conditions can be used to allow or deny a request, or to determine if additional authentication is necessary. When you add a RADIUS client, policies with conditions do not appear in the Access Policy field drop-down list. Instead, you can use identity source attributes to filter the user population and apply authentication requirements to specific categories of users. For more information, see Access Policies.

For information on how assurance levels are used with RADIUS clients, see Assurance Levels.
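The exchange described in the RADIUS Authentication Flow section and the access-policy criteria above, worked through as an added example in Python. This is not RSA's code and not the identity router's implementation: the shared secret, the user store, the three policy definitions and the "SMS tokencode" prompt are constructed for the example, and handle_request is a hypothetical stand-in for the integrated RADIUS server. The packet layout, the User-Password hiding and the Response Authenticator follow RFC 2865; a primary-only policy yields Access-Accept after the password check, while a policy that requires additional authentication returns Access-Challenge with a State attribute and accepts only when the second Access-Request carries the tokencode.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for this example (assumptions, not from the RSA page):
# the shared secret configured for one RADIUS client, and a tiny user store.
SHARED_SECRET = b"example-shared-secret"
USERS = {b"alice": {"password": b"correct-horse", "tokencode": b"123456"}}

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

# Additional-authentication methods the page lists as supported over RADIUS.
ADDITIONAL_METHODS = {"Approve", "Authenticate Tokencode", "RSA SecurID Token",
                      "Device Biometrics", "SMS Tokencode", "Voice Tokencode"}

# Constructed policies: primary only, SMS tokencode, and one with a condition.
PRIMARY_ONLY = {"additional_auth": False, "methods": [], "conditions": []}
SMS_POLICY = {"additional_auth": True, "methods": ["SMS Tokencode"], "conditions": []}
CONDITIONAL = {"additional_auth": True, "methods": ["Approve"], "conditions": ["known browser"]}


def radius_assignable(policy):
    """Page criteria: primary-only policies qualify; additional-auth policies need
    at least one listed method and no authentication conditions."""
    if not policy["additional_auth"]:
        return True
    return bool(ADDITIONAL_METHODS & set(policy["methods"])) and not policy["conditions"]


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; length covers type and length bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(raw):
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("length mismatch")
    return code, ident, raw[4:20], decode_attrs(raw[20:])


def transform_password(data, request_auth, hide, secret=SHARED_SECRET):
    """RFC 2865 s5.2 User-Password hiding: XOR 16-byte blocks with MD5(secret + previous block)."""
    if hide:
        data += b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if hide else chunk  # chaining always uses the hidden (wire) block
    return out if hide else out.rstrip(b"\x00")


def response_authenticator(code, ident, attrs, request_auth, secret=SHARED_SECRET):
    """MD5(Code|ID|Length|RequestAuth|Attributes|Secret): binds the reply to the request and secret."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_response(code, ident, request_auth, attrs):
    return build_packet(code, ident, response_authenticator(code, ident, attrs, request_auth), attrs)


def verify_response(raw, request_auth):
    """Client side: trust a reply only if its Response Authenticator checks out."""
    code, ident, resp_auth, attrs = parse_packet(raw)
    return hmac.compare_digest(resp_auth, response_authenticator(code, ident, attrs, request_auth))


PENDING = {}  # State value -> username awaiting the additional-authentication leg


def handle_request(raw, policy):
    """Hypothetical RADIUS-server logic standing in for the identity router."""
    code, ident, req_auth, attrs = parse_packet(raw)
    a = dict(attrs)
    user = USERS.get(a.get(USER_NAME))
    if code != ACCESS_REQUEST or user is None or USER_PASSWORD not in a:
        return build_response(ACCESS_REJECT, ident, req_auth, [])
    entered = transform_password(a[USER_PASSWORD], req_auth, hide=False)
    if STATE in a:  # second leg: the password field carries the tokencode
        ok = PENDING.pop(a[STATE], None) == a[USER_NAME] and hmac.compare_digest(entered, user["tokencode"])
        return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [])
    if not hmac.compare_digest(entered, user["password"]):
        return build_response(ACCESS_REJECT, ident, req_auth, [])
    if not policy["additional_auth"]:
        return build_response(ACCESS_ACCEPT, ident, req_auth, [])
    state = os.urandom(8)
    PENDING[state] = a[USER_NAME]
    return build_response(ACCESS_CHALLENGE, ident, req_auth,
                          [(REPLY_MESSAGE, b"Enter your SMS tokencode"), (STATE, state)])


def client_login(username, password, policy, tokencode=None):
    """RADIUS client: send Access-Request, answer an Access-Challenge if one arrives, return final code."""
    ident, state, code = 0, None, None
    for secret_value in (password, tokencode):
        if secret_value is None:
            break
        req_auth = os.urandom(16)
        attrs = [(USER_NAME, username), (USER_PASSWORD, transform_password(secret_value, req_auth, hide=True))]
        if state is not None:
            attrs.append((STATE, state))
        reply = handle_request(build_packet(ACCESS_REQUEST, ident, req_auth, attrs), policy)
        if not verify_response(reply, req_auth):
            raise ValueError("reply failed Response Authenticator check")
        code, _, _, rattrs = parse_packet(reply)
        if code != ACCESS_CHALLENGE:
            break
        state, ident = dict(rattrs)[STATE], ident + 1
    return code


if __name__ == "__main__":
    print([radius_assignable(p) for p in (PRIMARY_ONLY, SMS_POLICY, CONDITIONAL)])
    print(client_login(b"alice", b"correct-horse", SMS_POLICY, b"123456"))
```

Two points a practitioner should take from the exchange: the client never acts on a reply whose Response Authenticator does not verify under the shared secret, and the server ties the second leg to the first through the State value it issued, so a tokencode arriving without a matching pending challenge is rejected.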
