Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting management for users who connect to a network service. Network access servers and other devices that control access to a network usually contain a RADIUS client that communicates with a RADIUS server.
Each identity router includes an integrated RADIUS server. The RADIUS server receives user access requests from RADIUS clients and forwards the requests through the identity router to the Cloud Authentication Service. A RADIUS client is a network device, such as a network access server, firewall, or virtual private network (VPN) server, which uses the RADIUS protocol to communicate with a RADIUS server. The Cloud Authentication Service responds to the RADIUS server, which replies to the requesting RADIUS clients.
Note: User workstations and other user devices are not RADIUS clients.
You must enable RADIUS for each cluster that provides RSA SecurID Access authentication for users attempting to access protected resources through RADIUS-capable devices. For instructions, see Enable RADIUS on Identity Routers in a Cluster. The Clusters page (Platform > Clusters) displays whether RADIUS is enabled for each cluster.
For more information, see:
- Supported Authentication Methods for RADIUS
- RADIUS Authentication Flow
- Access Policies for RADIUS Clients
RSA SecurID Access supports username and password verification for primary authentication, plus the following methods for additional authentication:
- Authenticate Tokencode
- RSA SecurID Token (including New PIN and Next Tokencode modes)
- Device Biometrics
- SMS Tokencode
- Voice Tokencode
Note: Users with invalid or expired passwords cannot change their passwords during the RADIUS authentication process. Users who need to change their passwords must do so prior to authenticating.
The following graphic illustrates the authentication process using RADIUS.
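The request, challenge and accept exchange described above, written out as an added example that is not part of the RSA documentation. It implements the RFC 2865 packet layout, User-Password hiding and the Response Authenticator check in Python; the shared secret, user name, password, tokencode and State value are constructed placeholders, and the two-step simulation stands in for the identity router forwarding the request to the Cloud Authentication Service and relaying its answer.

```python
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24  # attribute types used here
HEADER = struct.Struct("!BBH16s")  # code, identifier, length, authenticator (RFC 2865 s3)

def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS type-length-value attributes."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value exceeds 253 bytes")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    """Parse attribute TLVs, rejecting truncated or zero-length entries."""
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs

def hide_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865 s5.2): XOR each 16-byte block with MD5(secret + previous block)."""
    pw = password.encode()
    if not 1 <= len(pw) <= 128:
        raise ValueError("password must be 1..128 bytes")
    pw += b"\x00" * (-len(pw) % 16)  # null-pad to a multiple of 16
    out, prev = b"", request_auth  # the Request Authenticator seeds the chain
    for i in range(0, len(pw), 16):
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def unhide_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; strips the null padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()

def parse_packet(pkt):
    """Split a packet into (code, identifier, authenticator, attributes)."""
    code, ident, length, auth = HEADER.unpack_from(pkt)
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    return code, ident, auth, decode_attrs(pkt[HEADER.size:])

def build_access_request(secret, ident, username, password, state=None):
    """Client side: random Request Authenticator, hidden password, State echoed if answering a challenge."""
    request_auth = secrets.token_bytes(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password, secret, request_auth))]
    if state is not None:
        attrs.append((STATE, state))
    body = encode_attrs(attrs)
    return HEADER.pack(ACCESS_REQUEST, ident, HEADER.size + len(body), request_auth) + body, request_auth

def build_response(code, ident, request_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, HEADER.size + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body

def verify_response(pkt, request_auth, secret):
    """Client-side check binding a reply to our request and shared secret; failure means forged/tampered/misrouted."""
    try:
        _, _, auth, _ = parse_packet(pkt)
    except (ValueError, struct.error):
        return False
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[HEADER.size:] + secret).digest()
    return hmac.compare_digest(auth, expected)

def simulate_tokencode_flow(secret=b"constructed-shared-secret"):
    """Constructed two-step exchange: Access-Challenge with State (where a tokencode would be
    requested), then a second request echoing State. Returns the response codes the client verified."""
    codes = []
    req, ra = build_access_request(secret, 7, "jdoe", "Passw0rd!")  # constructed credentials
    _, ident, auth, attrs = parse_packet(req)  # server side
    if unhide_password(dict(attrs)[USER_PASSWORD], secret, auth) != "Passw0rd!":
        return codes  # primary authentication failed; a real server would send Access-Reject
    state = secrets.token_bytes(8)
    reply = build_response(ACCESS_CHALLENGE, ident, ra,
                           [(REPLY_MESSAGE, b"Enter tokencode"), (STATE, state)], secret)
    if verify_response(reply, ra, secret):
        codes.append(parse_packet(reply)[0])
    req2, ra2 = build_access_request(secret, 8, "jdoe", "123456", state=state)  # constructed tokencode
    _, ident2, _, attrs2 = parse_packet(req2)
    ok = dict(attrs2).get(STATE) == state  # server ties step two to the pending challenge
    reply2 = build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident2, ra2, [], secret)
    if verify_response(reply2, ra2, secret):
        codes.append(parse_packet(reply2)[0])
    return codes
```

The Access-Challenge carrying a State attribute is the protocol mechanism behind the additional authentication methods listed above (and behind the New PIN and Next Tokencode modes): the client prompts the user, sends a second Access-Request that echoes State, and the server accepts or rejects. The `verify_response` check is the only integrity binding a RADIUS client has between a reply and its own request, so a client that skips it, or that does not match the Identifier, cannot tell a genuine Access-Accept from a forged or misrouted one; failures of that check are worth logging. The User-Password hiding is keyed MD5 obfuscation from 1997 rather than modern encryption, which is why RFC 2865 assumes the client-to-server path is itself a trusted or tunneled network.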
You must assign an access policy to each RADIUS client to determine authentication requirements for users of that client. If the policy requires primary authentication only, users enter only their LDAP username and password. If additional authentication is required, the policy must meet both of the following criteria:
- Contain at least one of these authentication methods: Approve, SecurID Token, Authenticate Tokencode, Device Biometrics, SMS Tokencode, or Voice Tokencode.
- Contain no authentication conditions. Authentication conditions are restrictions based on the context of the user's request, for example, whether the user has a known browser or is authenticating from a certain country. Conditions can be used to allow or deny a request, or to determine if additional authentication is necessary. When you add a RADIUS client, policies with conditions do not appear in the Access Policy field drop-down list. Instead, you can use identity source attributes to filter the user population and apply authentication requirements to specific categories of users. For more information, see Access Policies.
For information on how assurance levels are used with RADIUS clients, see Assurance Levels.