Deploying RADIUS for the Cloud Authentication ServiceDeploying RADIUS for the Cloud Authentication Service
Complete these high-level steps to deploy RADIUS for the Cloud Authentication Service and enable SecurID authentication for users attempting to access protected networks through RADIUS-capable devices.
Note: This topic does not apply to deployments that use the embedded identity router in Authentication Manager.
Before you begin
-
You must be a Super Admin in the Cloud Administration Console.
-
At least one cluster must be configured.
-
Users must access the protected network through RADIUS-capable network devices.
-
Attribute synchronization must be enabled for all identity sources containing users who authenticate using RADIUS. For instructions, see Add, Delete, and Test the Connection for an Identity Source in the Cloud Authentication Service.
Note: For RADIUS and relying party deployments, only two identity source attributes are supported as username credentials when prompting users for primary authentication. Active Directory supports sAMAccountName or mail. LDAP supports uid or mail. These attributes are not configurable.
Procedure
-
(Optional) Configure a RADIUS Profile for the Cloud Authentication Service
-
Configure your RADIUS client devices to direct authentication requests to the identity routers in your deployment on port 1812. For identity routers in the Amazon cloud, direct requests to the private IP address. For on-premises identity routers, use the management interface IP address. Some client devices can connect to multiple identity routers in the same cluster to provide load balancing or failover functionality. For configuration instructions, refer to the documentation provided by the device manufacturer. SecurID provides configuration guides for some client devices on RSA Link.
Note: Do not configure clients to send authorization requests to the identity router.
RADIUS for the Cloud Authentication Service supports only Password Authentication Protocol (PAP).
Note: The connection timeout value configured in your RADIUS client software balances the amount of time users have to respond to push methods against failover performance. The recommended starting value is 45 seconds. Increase the value to give users more time to authenticate or decrease the value to improve failover. Failover occurs when the client determines the server is down and sends a request to another server. Also consider if retries are configured for the RADIUS clients. For example, if the client allows three retries, the effective timeout is really 2 minutes and 15 seconds. In the RADIUS client settings configured in the Cloud Administration Console (Authentication Clients > RADIUS), if Automatically prompt for push notification methods is enabled, make sure the server timeout (Allow users to select authentication method after timeout) does not exceed the client’s connection timeout. See Add a RADIUS Client for the Cloud Authentication Service for more information.
-
Test the RADIUS configuration by attempting to authenticate using a RADIUS client. If unsuccessful, confirm that the RADIUS client and profile settings are correct.
After you finish
If you have not done so already, roll out the SecurID Authenticate mobile app to your users. SecurID Authenticate is required to use the Approve and Authenticate OTP methods for RADIUS authentication. For more information, see Cloud Authentication Service Rollout to Users.
Verify that password lockout settings are properly configured. For more information, see Configure Session and Authentication Method Settings.
