Deploying RADIUS for the Cloud Authentication Service

Document created by RSA Information Design and Development Employee on Apr 14, 2017Last modified by RSA Information Design and Development Employee on Oct 20, 2020
Version 45Show Document
  • View in full screen mode

Complete these high-level steps to deploy RADIUS for the Cloud Authentication Service and enable SecurID Access authentication for users attempting to access protected networks through RADIUS-capable devices.

Note:  This topic does not apply to deployments that use the embedded identity router in RSA Authentication Manager.


Before you begin 

  • You must be a Super Admin in the Cloud Administration Console.

  • At least one cluster must be configured.

  • Users must access the protected network through RADIUS-capable network devices.

  • Attribute synchronization must be enabled for all identity sources containing users who authenticate using RADIUS. For instructions, see Add an Identity Source for the Cloud Authentication Service.

Note:  For RADIUS and relying party deployments, only two identity source attributes are supported as username credentials when prompting users for primary authentication. Active Directory supports sAMAccountName or mail. LDAP supports uid or mail. These attributes are not configurable.


  1. Enable RADIUS on Identity Routers in a Cluster

  2. Add an Access Policy.

  3. Add a RADIUS Client for the Cloud Authentication Service

  4. (Optional) Configure a RADIUS Profile for the Cloud Authentication Service

  5. Configure your RADIUS client devices to direct authentication requests to the identity routers in your deployment on port 1812. For identity routers in the Amazon cloud, direct requests to the private IP address. For on-premises identity routers, use the management interface IP address. Some client devices can connect to multiple identity routers in the same cluster to provide load balancing or failover functionality. For configuration instructions, refer to the documentation provided by the device manufacturer. RSA provides configuration guides for some client devices on RSA Link.

    Note:  Do not configure clients to send authorization requests to the identity router.

    RADIUS for the Cloud Authentication Service supports only Password Authentication Protocol (PAP).

    Note:   The connection timeout value configured in your RADIUS client software balances the amount of time users have to respond to push methods against failover performance. The recommended starting value is 45 seconds. Increase the value to give users more time to authenticate or decrease the value to improve failover. Failover occurs when the client determines the server is down and sends a request to another server. Also consider if retries are configured for the RADIUS clients. For example, if the client allows three retries, the effective timeout is really 2 minutes and 15 seconds. In the RADIUS client settings configured in the Cloud Administration Console (Authentication Clients > RADIUS), if Automatically prompt for push notification methods is enabled, make sure the server timeout (Allow users to select authentication method after timeout) does not exceed the client’s connection timeout. See Add a RADIUS Client for the Cloud Authentication Service for more information.

  6. Test the RADIUS configuration by attempting to authenticate using a RADIUS client. If unsuccessful, confirm that the RADIUS client and profile settings are correct.

After you finish 

If you have not done so already, roll out the RSA SecurID Authenticate mobile app to your users. RSA SecurID Authenticate is required to use the Approve and Authenticate Tokencode methods for RADIUS authentication. For more information, see Cloud Authentication Service Rollout to Users.

Verify that password lockout settings are properly configured. For more information, see Configure Session and Authentication Method Settings.





You are here
Table of Contents > RADIUS > Deploying RADIUS for the Cloud Authentication Service