RADIUS for the Cloud Authentication Service Overview

Document created by RSA Information Design and Development on Apr 14, 2017. Last modified by RSA Information Design and Development on Aug 23, 2019.
Version 26

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting management for users who connect to a network service. Network access servers and other devices that control access to a network usually contain a RADIUS client that communicates with a RADIUS server.

Each identity router includes an integrated RADIUS server. The RADIUS server receives user access requests from RADIUS clients and forwards the requests through the identity router to the Cloud Authentication Service. A RADIUS client is a network device, such as a network access server, firewall, or virtual private network (VPN) server, which uses the RADIUS protocol to communicate with a RADIUS server. The Cloud Authentication Service responds to the RADIUS server, which replies to the requesting RADIUS clients.

Note: User workstations and other user devices are not RADIUS clients.

For more information, see:

Enabling RADIUS for a Cluster

You must enable RADIUS for each cluster that provides RSA SecurID Access authentication for users attempting to access protected resources through RADIUS-capable devices. For instructions, see Enable RADIUS on Identity Routers in a Cluster. The Clusters page (Platform > Clusters) indicates whether RADIUS is enabled for each cluster.

High Availability in a RADIUS Deployment

If you want to achieve high availability in a RADIUS deployment, you can configure your RADIUS clients to determine which identity routers will receive authentication requests. See your RADIUS client documentation for guidance on configuring alternate RADIUS server(s) that can be used when the primary RADIUS server is unreachable.

Supported Authentication Methods for RADIUS

RSA SecurID Access supports username and password verification for primary authentication, plus the following methods for additional authentication:

  • Approve

  • Authenticate Tokencode

  • RSA SecurID Token (including New PIN and Next Tokencode modes)

  • Device Biometrics

  • SMS Tokencode

  • Voice Tokencode

Note: Users with invalid or expired passwords cannot change their passwords during the RADIUS authentication process. Users who need to change their passwords must do so prior to authenticating.

RADIUS Client Authentication Options

You can configure each RADIUS client to allow user authentication in one of the following ways:

Enable Both Password and Additional Authentication (Default)

After the Cloud Authentication Service validates the password, it evaluates the access policy. Results depend on whether Automatic Prompt for Push Notifications is enabled or disabled.

                  
Automatic Prompt for Push Notifications | What Happens After Password Validation
Enabled

If Always send push notifications is not selected, the Cloud Authentication Service prompts the user for either Approve or Device Biometrics when either method meets both of the following criteria:

  • It is the user's default method.

  • It is in the access policy configured for the resource the user is attempting to access.

If Always send push notifications is selected, the Cloud Authentication Service automatically sends push notifications even if Approve or Device Biometrics is not the user's default authentication method, but is available in the access policy configured for the resource the user is attempting to access. The configured timeout applies.

If the access policy does not contain Approve or Device Biometrics, the user is presented with other options based on the access policy.

Disabled

Enable Only Additional Authentication

When you enable only additional authentication, user authentication options vary depending on what users enter in the Password field.

                       
Password Field Value | User Authentication Options
1

Indicates the user wants to authenticate with the last successfully used method or the default method from the assurance level in the access policy assigned to the RADIUS client. The Cloud Authentication Service responds as described in Password Field = 1 and Automatic Prompt for Push Notifications Disabled.

SecurID passcode or Authenticate Tokencode

If the access policy allows SecurID Token or Authenticate Tokencode, the user can enter the passcode or tokencode directly in the password field to authenticate. The Cloud Authentication Service determines which method it needs to verify based on:

  • The number of digits the user enters in this field. A SecurID passcode contains four or more digits. An Authenticate Tokencode contains eight digits.

  • Which method was last successfully used.

  • What the assurance level allows.

If the user enters either method incorrectly, each unsuccessful attempt counts against the lockout setting described in Configure Session and Authentication Method Settings for Authenticate Tokencode, or in Lockout Policy for SecurID.

2, other digits, or blank

Displays a list of available authentication options, based on the assurance level.

Note: Some RADIUS clients do not send null passwords to the RADIUS server for evaluation. In this case, the client’s authentication request might time out.

Additional Authentication and Automatic Prompt for Push Notifications Both Enabled

When you enable only additional authentication and the automatic prompt for push notification, the user authentication options vary depending on what users enter in the Password field.

                      
Password Field Value | User Authentication Options

1 or blank

Always send push notifications checkbox unselected:

The user authenticates with the last successfully used method or the default method from the assurance level in the access policy assigned to the RADIUS client. When Approve or Device Biometrics is the user's default method, the RADIUS client prompts for Approve and Device Biometrics without forcing users to select a method. The Cloud Authentication Service responds as described in Password Field = 1 and Automatic Prompt for Push Notifications Enabled and Always Send Push Notifications Not Selected.

Always send push notifications checkbox selected:

The user authenticates with Approve or Device Biometrics, based on the assurance level in the access policy assigned to the RADIUS client.

SecurID passcode or Authenticate Tokencode

Prompts the user to enter the tokencode or press 2 for more options.

2 or other digits

Password Field = 1 and Automatic Prompt for Push Notifications Disabled

If the user enters 1 in the password field to use the last successfully used method or the default method from the assurance level, the Cloud Authentication Service responds to the user as shown in the following table.

                       
Last Used Method or Assurance Level Default Method | Cloud Authentication Service Response

Approve or Device Biometrics

Sends push notification.

SMS Tokencode or Voice Tokencode

Prompts the user to enter the six-digit code sent automatically by SMS or Voice. The user can also enter 1 to resend the tokencode or 2 for more options.

SecurID Token or Authenticate Tokencode

Prompts the user to enter the tokencode or press 2 for more options.

Password Field = 1 and Automatic Prompt for Push Notifications Enabled and Always Send Push Notifications Not Selected

If the user enters 1 in the password field to use the last successfully used method or the default method from the assurance level, the Cloud Authentication Service responds to the user as shown in the following table.

                   
Last Used Method or Assurance Level Default Method | Cloud Authentication Service Response

Approve or Device Biometrics

Sends push notification.

SMS Tokencode, Voice Tokencode, SecurID Token, or Authenticate Tokencode

Prompts the user with the list and asks the user to select the authentication method.

Password Field = 1 or Blank and Always Send Push Notifications is Selected

The Cloud Authentication Service always sends the user a push notification if the user enters 1 or blank in the password field to use the last successfully used method or the default method from the assurance level, and if any of the following is Approve or Device Biometrics:

  • Last used authentication method

  • Assurance level default method

  • Method users are able to complete in an assurance level

If none of the above methods are Approve or Device Biometrics, then Cloud Authentication Service presents a list of available authentication options to the user.

Note: Users are prompted only for methods they are able to complete, as described in Assurance Levels.

RADIUS Authentication Flow Using Cloud-Managed Primary Authentication and Access Policy

The following graphic illustrates the authentication process using RADIUS when the Cloud Authentication Service validates the directory server password and applies the access policy for additional authentication.

Note: If automatic push notifications are enabled for the RADIUS client, step 6 in the graphic works as follows. The RADIUS server on the identity router calls the Cloud Authentication Service for authentication. The Cloud Authentication Service sends the push notification and an IN PROCESS message to the RADIUS server. The RADIUS server periodically checks to see if the user approved the authentication on the mobile device.

Access Policies for RADIUS Clients

You must assign an access policy to each RADIUS client to determine authentication requirements for users of that client. If the policy requires primary authentication only, users enter only their LDAP username and password. If additional authentication is required, the policy must meet both of the following criteria:

  • Contain at least one of these authentication methods: Approve, SecurID Token, Authenticate Tokencode, Device Biometrics, SMS Tokencode, or Voice Tokencode.

  • Contain no authentication conditions. Authentication conditions are restrictions based on the context of the user's request, for example, whether the user has a known browser or is authenticating from a certain country. Conditions can be used to allow or deny a request, or to determine if additional authentication is necessary. When you add a RADIUS client, policies with conditions do not appear in the Access Policy field drop-down list. Instead, you can use identity source attributes to filter the user population and apply authentication requirements to specific categories of users. For more information, see Access Policies.

For information on how assurance levels are used with RADIUS clients, see Assurance Levels.

RADIUS User Experience and Automatic Push Notifications

You can simplify the user experience by configuring the RADIUS client to send push notifications for Approve and Device Biometrics without forcing users to select an authentication method, when Approve or Device Biometrics is the user's default method. Enable the Automatically prompt for push notification methods field on the Add RADIUS Client page to obtain this benefit. You must enable it separately for each client. If users do not respond to the push notification within a configured number of seconds, they are prompted to select another method that is provided from the assurance level in the access policy. If there is no alternate method, authentication fails.

When this option is disabled (the default) for a client and the default authentication method is Approve or Device Biometrics, RADIUS users are prompted to select a method when they authenticate through that client. For first time authentication, the default is the first method in the access policy's assurance level. For subsequent authentication attempts, the default is the last method the user successfully used.

Note: Regardless of whether this option is enabled or disabled, users must still make a selection when the default method is SMS Tokencode or Voice Tokencode. Also, users are never prompted to choose a method when the default method is SecurID Token or Authenticate Tokencode.

You can enable both Automatically prompt for push notification methods and select Always send push notifications to force users to authenticate with Approve or Device Biometrics when those methods are in the access policy. For more information, see RADIUS Client Authentication Options.

The user can disable push notifications in the app, as described in Supported Authentication Methods. In this case, the user can still pull down from the top of the app during authentication to receive a notification. Regardless of whether push notifications are enabled or disabled, the user must respond within n seconds, according to the timeout setting. The timeout is 90 seconds when the Cloud Authentication Service enforces the access policy without the password and Automatically prompt for push notification methods is enabled.

Streamlined Tokencode Authentication for RADIUS

RSA SecurID Access offers a streamlined RADIUS authentication experience for users with access to both the RSA SecurID Token and Authenticate Tokencode methods. If the assurance level associated with the RADIUS client access policy allows both methods, a user can enter either type of tokencode when prompted, and the RADIUS service will automatically determine the appropriate method according to the following process:

  • If the user's most recent successful authentication used the SecurID Token method, and the tokencode provided is eight digits in length, RADIUS attempts SecurID Token authentication first. If unsuccessful, Authenticate Tokencode authentication is attempted.

  • If the user's most recent successful authentication used a method other than SecurID Token, and the tokencode is eight digits, Authenticate Tokencode is attempted first, followed by SecurID Token.

  • If the tokencode is more or fewer than eight digits, RADIUS attempts SecurID Token authentication only.
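As an added illustration, not RSA's own code, the following Python models the Password field interpretation described under Enable Only Additional Authentication together with the tokencode method-selection order above. The function names, the fixed demo codes in the stand-in verifier, and the treatment of entries shorter than four digits as a menu request are assumptions.

```python
from typing import Callable, Optional

SECURID = "SecurID Token"
AUTHENTICATE = "Authenticate Tokencode"

def tokencode_attempt_order(allowed: set, last_method: Optional[str], tokencode: str) -> list:
    """Order in which RADIUS tries the two tokencode methods for a code typed into the
    Password field. `allowed` holds the methods the assurance level permits; `last_method`
    is the user's most recent successful method (None on first authentication)."""
    if len(tokencode) != 8:
        # Anything other than eight digits can only be a SecurID passcode
        # (four or more digits); an Authenticate Tokencode is exactly eight.
        order = [SECURID]
    elif last_method == SECURID:
        order = [SECURID, AUTHENTICATE]
    else:
        order = [AUTHENTICATE, SECURID]
    return [m for m in order if m in allowed]

def interpret_password_field(value: str, allowed: set, last_method: Optional[str]) -> tuple:
    """Map the Password field entry of an additional-authentication-only client
    (automatic push prompt disabled) to the action described on this page."""
    value = value.strip()
    if value == "1":
        return ("default",)            # last used method or assurance-level default
    if value.isdigit() and len(value) >= 4:
        order = tokencode_attempt_order(allowed, last_method, value)
        if order:
            return ("tokencode", order)
    # "2, other digits, or blank": present the list of available options.
    # Assumption: a digit string shorter than four is treated as a menu request.
    return ("menu", sorted(allowed))

def verify_tokencode(order: list, verifier: Callable[[str, str], bool], tokencode: str) -> tuple:
    """Try each method in order and return (method_that_succeeded, failed_attempts).
    Each failed attempt counts against that method's lockout policy."""
    failures = 0
    for method in order:
        if verifier(method, tokencode):
            return (method, failures)
        failures += 1
    return (None, failures)

def demo_verifier(method: str, code: str) -> bool:
    """Constructed stand-in for the Cloud Authentication Service: one fixed valid code per method."""
    return {SECURID: "12345678", AUTHENTICATE: "87654321"}[method] == code
```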

 

 

 
