Deploying RADIUS for the Cloud Authentication Service

Document created by RSA Information Design and Development on Apr 14, 2017Last modified by RSA Information Design and Development on Jun 21, 2019
Version 25Show Document
  • View in full screen mode

Complete these high-level steps to deploy RADIUS for the Cloud Authentication Service and enable SecurID Access authentication for users attempting to access protected networks through RADIUS-capable devices.


Before you begin 

  • You must be a Super Admin in the Cloud Administration Console.
  • At least one cluster must be configured.
  • Users must access the protected network through RADIUS-capable network devices.
  • Attribute synchronization must be enabled for all identity sources containing users who authenticate using RADIUS. For instructions, see Add an Identity Source for the Cloud Authentication Service.

Note:  For RADIUS and relying party deployments, only two identity source attributes are supported as username credentials when prompting users for primary authentication. Active Directory supports sAMAccountName or mail. LDAP supports uid or mail. These attributes are not configurable.


  1. Enable RADIUS on Identity Routers in a Cluster
  2. Add an Access Policy.
  3. Add a RADIUS Client for the Cloud Authentication Service
  4. (Optional) Configure a RADIUS Profile for the Cloud Authentication Service
  5. Configure your RADIUS client devices to direct authentication requests to the identity routers in your deployment on port 1812. For identity routers in the Amazon cloud, direct requests to the private IP address. For on-premises identity routers, use the management interface IP address. Some client devices can connect to multiple identity routers in the same cluster to provide load balancing or failover functionality. For configuration instructions, refer to the documentation provided by the device manufacturer. RSA provides configuration guides for some client devices on RSA Link.

    RADIUS for the Cloud Authentication Service supports only Password Authentication Protocol (PAP).

    Note:  The session timeout for RADIUS transactions is 300 seconds, and is not configurable. Set the communication timeout value for RADIUS clients to 120 seconds. Do not configure clients to send authorization requests to the identity router.

  6. Test the RADIUS configuration by attempting to authenticate using a RADIUS client. If unsuccessful, confirm that the RADIUS client and profile settings are correct.

After you finish 

If you have not done so already, roll out the RSA SecurID Authenticate mobile app to your users. RSA SecurID Authenticate is required to use the Approve and Authenticate Tokencode methods for RADIUS authentication. For more information, see Cloud Authentication Service Rollout to Users.

Verify that password lockout settings are properly configured. For more information, see Configure Session and Authentication Method Settings.




You are here
Table of Contents > RADIUS > Deploying RADIUS for the Cloud Authentication Service