A RADIUS client is a network device, such as a network access server, firewall, or virtual private network (VPN) server, which uses the RADIUS protocol to communicate with a RADIUS server. User workstations and other user devices are not RADIUS clients.
You must assign an access policy to each RADIUS client to determine authentication requirements for users of that client. If the policy requires primary authentication only, users enter only their LDAP username and password. If additional authentication is required, the policy must meet both of the following criteria:
- Contain at least one of these authentication methods: Approve, SecurID Token, Authenticate Tokencode, Device Biometrics, SMS Tokencode, Voice Tokencode, or Eyeprint ID.
- Contain no authentication conditions. Authentication conditions are restrictions based on the context of the user's request, for example, whether the user has a known browser or is authenticating from a certain country. Conditions can be used to allow or deny a request, or to determine if additional authentication is necessary. When you add a RADIUS client, policies with conditions do not appear in the Access Policy field drop-down list. Instead, you can use identity source attributes to filter the user population and apply authentication requirements to specific categories of users. For more information, see Access Policies
For information on how assurance levels are used with RADIUS clients, see Assurance Levels