RADIUS for the Cloud Authentication Service Overview

Document created by RSA Information Design and Development on Apr 14, 2017Last modified by RSA Information Design and Development on Jun 21, 2019
Version 24Show Document
  • View in full screen mode

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting management for users who connect to a network service. Network access servers and other devices that control access to a network usually contain a RADIUS client that communicates with a RADIUS server.

Each identity router includes an integrated RADIUS server. The RADIUS server receives user access requests from RADIUS clients and forwards the requests through the identity router to the Cloud Authentication Service. A RADIUS client is a network device, such as a network access server, firewall, or virtual private network (VPN) server, which uses the RADIUS protocol to communicate with a RADIUS server. The Cloud Authentication Service responds to the RADIUS server, which replies to the requesting RADIUS clients.

Note:  User workstations and other user devices are not RADIUS clients.

For more information, see:

Enabling RADIUS for a Cluster

You must enable RADIUS for each cluster that provides RSA SecurID Access authentication for users attempting to access protected resources through RADIUS-capable devices. For instructions, see Enable RADIUS on Identity Routers in a Cluster. The Clusters page (Platform > Clusters) indicates whether RADIUS is enabled for each cluster.

High Availability in a RADIUS Deployment

If you want to achieve high availability in a RADIUS deployment, you can configure your RADIUS clients to determine which identity routers will receive authentication requests. See your RADIUS client documentation for guidance on configuring alternate RADIUS server(s) that can be used when the primary RADIUS server is unreachable.

Supported Authentication Methods for RADIUS

RSA SecurID Access supports username and password verification for primary authentication, plus the following methods for additional authentication:

  • Approve

  • Authenticate Tokencode

  • RSA SecurID Token (including New PIN and Next Tokencode modes)

  • Device Biometrics

  • SMS Tokencode

  • Voice Tokencode

Note:  Users with invalid or expired passwords cannot change their passwords during the RADIUS authentication process. Users who need to change their passwords must do so prior to authenticating.

RADIUS Client Authentication Options

Configure each RADIUS client to allow user authentication in one of the following ways:

  • Cloud Authentication Service validates the user's directory server password and applies the access policy that is configured for the RADIUS client for additional authentication (default).

  • Cloud Authentication Service only applies the configured access policy for additional authentication. In this case, either the RADIUS client must require password authentication, or the access policy must require all users to perform additional authentication.

See how this works.

If you select Cloud Authentication Service only applies access policy for additional authentication, users can enter the following values in the password field.

Password Field ValueUser Authentication Options

Indicates the user wants to authenticate with the last successfully used method or the default method from the assurance level in the access policy assigned to the RADIUS client. The Cloud Authentication Service responds as described in Password Field Value 1 - Cloud Response.

SecurID passcode or Authenticate Tokencode

If the access policy allows SecurID Token or Authenticate Tokencode, the user can enter the passcode or tokencode directly in the password field to authenticate. The Cloud Authentication Service determines which method it needs to verify based on:

  • The number of digits the user enters in this field. A SecurID passcode contains four or more digits. An Authenticate Tokencode contains eight digits.

  • Which method was last successfully used.

  • What the assurance level allows.

If the user enters either method incorrectly, each unsuccessful attempt counts against the lockout setting described in Configure Session and Authentication Method Settings for Authenticate Tokencode, or in Lockout Policy for SecurID.

2, other digits, or blank

Displays a list of available authentication options, based on the assurance level.

Note:   Some RADIUS clients do not send null passwords to the RADIUS server for evaluation. In this case, the client’s authentication request might time out.

Password Field Value 1 - Cloud Response

If the user enters 1 in the password field to use the last successfully used method or the default method from the assurance level, the Cloud Authentication Service responds to the user as shown in the following table.

Last Used Method or Assurance Level Default MethodCloud Authentication Service Response
Approve or Device BiometricsSends push notification.
SMS Tokencode or Voice TokencodePrompts the user to enter the six-digit code sent automatically by SMS or Voice. User can also enter 1 to resend the tokencode or 2 for more options.
SecurID Token or Authenticate Tokencode

Prompts the user to enter the tokencode or press 2 for more options.

Note:  Users are prompted only for methods they are able to complete, as described in Assurance Levels.

RADIUS Authentication Flow Using Cloud-Managed Primary Authentication and Access Policy

The following graphic illustrates the authentication process using RADIUS when the Cloud Authentication Service validates the directory server password and applies the access policy for additional authentication.

Note:   If automatic push notifications are enabled for the RADIUS client, step 6 in the graphic works as follows. The RADIUS server on the identity router calls the Cloud Authentication Service for authentication. The Cloud Authentication Service sends the push notification and an IN PROCESS message to the RADIUS server. The RADIUS server periodically checks to see if the user approved the authentication on the mobile device.

Access Policies for RADIUS Clients

You must assign an access policy to each RADIUS client to determine authentication requirements for users of that client. If the policy requires primary authentication only, users enter only their LDAP username and password. If additional authentication is required, the policy must meet both of the following criteria:

  • Contain at least one of these authentication methods: Approve, SecurID Token, Authenticate Tokencode, Device Biometrics, SMS Tokencode, or Voice Tokencode.

  • Contain no authentication conditions. Authentication conditions are restrictions based on the context of the user's request, for example, whether the user has a known browser or is authenticating from a certain country. Conditions can be used to allow or deny a request, or to determine if additional authentication is necessary. When you add a RADIUS client, policies with conditions do not appear in the Access Policy field drop-down list. Instead, you can use identity source attributes to filter the user population and apply authentication requirements to specific categories of users. For more information, see Access Policies

For information on how assurance levels are used with RADIUS clients, see Assurance Levels

RADIUS User Experience and Automatic Push Notifications

You can simplify the user experience by configuring the RADIUS client to send push notifications for Approve and Device Biometrics without forcing users to select an authentication method, when Approve or Device Biometrics is the user's default method. Enable the Automatically prompt for push notification methods field on the Add RADIUS Client page to obtain this benefit. You must enable it separately for each client. If users do not respond to the push notification within a configured number of seconds, they are prompted to select another method that is provided from the assurance level in the access policy. If there is no alternate method, authentication fails.

When this option is disabled (the default) for a client and the default authentication method is Approve or Device Biometrics, RADIUS users are prompted to select a method when they authenticate through that client. For first time authentication, the default is the first method in the access policy's assurance level. For subsequent authentication attempts, the default is the last method the user successfully used.

Note:   Regardless of whether this option is enabled or disabled, users must still make a selection when the default method is SMS Tokencode or Voice Tokencode. Also, users are never prompted to choose a method when the default method is SecurID Token or Authenticate Tokencode.

The user can disable push notifications in the app, as described in Supported Authentication Methods. In this case, the user can still pull down on top of the app during authentication to receive a notification. Regardless of whether push notifications are enabled or disabled, the user must respond within n seconds, according to the timeout setting.

Streamlined Tokencode Authentication for RADIUS

RSA SecurID Access offers a streamlined RADIUS authentication experience for users with access to both the RSA SecurID Token and Authenticate Tokencode methods. If the assurance level associated with the RADIUS client access policy allows both methods, a user can enter either type of tokencode when prompted, and the RADIUS service will automatically determine the appropriate method according to the following process:

  • If the user's most recent successful authentication used the SecurID Token method, and the tokencode provided is eight digits in length, RADIUS attempts SecurID Token authentication first. If unsuccessful, Authenticate Tokencode authentication is attempted.

  • If the user's most recent successful authentication used a method other than SecurID Token, and the tokencode is eight digits, Authenticate Tokencode is attempted first, followed by SecurID Token.

  • If the tokencode is greater or less than eight digits, RADIUS attempts SecurID Token authentication only.




You are here
Table of Contents > RADIUS > RADIUS for the Cloud Authentication Service Overview