Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting management for users who connect to a network service. Network access servers and other devices that control access to a network usually contain a RADIUS client that communicates with a RADIUS server.
Each identity router includes an integrated RADIUS server. You can enable RADIUS for a cluster to provide RSA SecurID Access authentication for users attempting to access protected resources through RADIUS-capable devices. The RADIUS server receives user access requests from RADIUS clients, such as VPN servers and firewalls, and forwards the requests through the identity router to the Cloud Authentication Service. The Cloud Authentication Service sends responses to the RADIUS server, which forwards the messages to the requesting RADIUS clients. For more information, see RADIUS Clients for the Cloud Authentication Service.
RADIUS is automatically installed on every identity router, but you must use the Cloud Administration Console to enable RADIUS for each cluster that includes identity routers which connect to RADIUS devices. For instructions, see Enable RADIUS on Identity Routers in a Cluster. The Clusters page (Platform > Clusters) displays whether RADIUS is enabled for each cluster.
RSA SecurID Access supports username and password verification for primary authentication, plus the following methods for additional authentication:
- Authenticate Tokencode
- RSA SecurID Token (including New PIN and Next Tokencode modes)
- Device Biometrics
- Eyeprint Verification
- SMS Tokencode
- Voice Tokencode
Note: Users with invalid or expired passwords cannot change their passwords during the RADIUS authentication process. Users who need to change their passwords must do so prior to authenticating.
The following graphic illustrates the authentication process using RADIUS.