Configure RADIUS Settings

RADIUS settings allow you to perform routine RADIUS administrative tasks that apply to all RADIUS servers and clients in a deployment.

Procedure 

1. In the Security Console, click Setup > System Settings.

2. Under Advanced Settings, click RADIUS.

3. Under RADIUS Settings, do the following:

   • In the RADIUS Profile Priority field, select a profile to use when both the agent and the user are assigned RADIUS profiles.

   • In the Default RADIUS Profile field, select the RADIUS profile that AM (AM) assigns to a user's request when there is no assigned profile. AM  does not contain a default RADIUS profile. If you want a default profile, you must specify one. For more information, see Add a RADIUS Client.

   • Select Send RADIUS Attributes if you want AM  to send RADIUS user attributes to the RADIUS server after the user has authenticated.

   • In the RADIUS Attribute Format field, specify the format of the attributes in the return list. The format must be compatible with the RADIUS clients. Most RADIUS clients can handle only the attribute value, but some older RADIUS clients can handle additional attribute formats. For more information, see your RADIUS client documentation.

4. In the Authentication Settings section, select how validation is performed for user requests to this RADIUS cleint.

   1. For Authentication Preference, select one of the following:

      • Global settings (all RADIUS clients): Select this option if you want all RADIUS clients to use global settings, overriding the client-level local settings during authentication.

      • Local settings (RADIUS client level): Select this option if you want RADIUS clients to use their client-level local settings instead of global settings. This is the default selection.

   2. When Global settings is selected, configure the following:

      1. Password Authentication: Select this option to use the password as the primary authentication method. This allows AM to validate your password for this client.

         When enabled, you must first provide your password for authentication. Once the password is successfully verified, you are prompted to authenticate using any available step-up authentication methods. For example, if using SecurID, you must enter your password first. Once verified, you are prompted to select the SecurID authentication method and enter the SecurID OTP. Inline password changes are not supported during RADIUS authentication.

         Note:  RADIUS authentication for Trusted Realms is supported only if both AM servers are on version 8.8 or later. For more details, see Add a RADIUS Client Agent.

      2. Cloud MFA Experience: A connection to Cloud Authentication Service (CAS) allows you to enable or disable the Cloud MFA Experience. If you select this option, you can configure the RADIUS client to use Cloud MFA authentication methods. If you enable Cloud MFA Experience, you must configure an Access policy, and you can optionally set up Push notification.

      Note:  The Cloud MFA Experience is not supported for users authenticating through Trusted Realms.

      If enabled, configure the following:

      Note:  The options for Access Policy, Push Notification, Authentication Method Timeout and Allow Code Matching, appear only when Cloud MFA Experience is enabled. If Cloud MFA Experience is not enabled, these options are not available.

      • Access policy: This field is, by default, populated with CAS policy used when the AM is connected to the CAS. You can change it to any custom CAS access policy that is up to 255 characters. Ensure it includes at least one of following methods: Approve, SecurID OTP, Authenticate OTP, Device Biometrics, SMS OTP, Voice OTP, or Emergency Access Code.

        Note:  RADIUS does not support other methods or authentication conditions in access policies. For more details on authentication conditions, see Access Policies.

      • Push Notification: (Optional) Enable this option to allow the RADIUS client to send push notifications for Approve and Device Biometrics methods. This setting enables users to authenticate without manually selecting a method. If you do not respond within 40 seconds, they are prompted to choose an alternative method from the Access policy.

        • Always Send Push Notification: This option is available only when Push Notification is enabled. If selected, you must authenticate using Approve or Device Biometrics, based on the assurance level specified in the access policy for the RADIUS client.

      • Authentication Method Timeout: Configure a timeout when you have enabled Password Authentication, Cloud MFA Experience, and Push Notification. The default server timeout is 40 seconds, but it can be adjusted. If the assurance level provides an alternate method, SecurID recommends allowing users 10-40 seconds to complete that method, without exceeding the client's connection timeout.

        • If the user interacts with notification or opens the SecurID app, the timeout resets to 60 seconds. If there is no interaction and the device does not receive notification, mobile authentication will time out on the RADIUS Client after 90 seconds, resulting in authentication failure.
          

          Note:  You cannot configure the timeout if Cloud MFA Experience and Push Notification are enabled without Password authentication. In this case, the default timeout will be 90 seconds.

      • Allow Code Matching: This field is enabled by default to allow the RADIUS client to send code matching prompts to users based on the CAS configuration. For more details, see Configure Code Matching Settings.

        Note:  Ensure that this setting is enabled on both CAS and AM so users can receive prompts for Approve or Device Biometrics methods. Disable this setting in AM for any RADIUS client that does not support code matching.

5. Click Save.