Deploying RADIUS for the Cloud Authentication Service

Complete these high-level steps to deploy RADIUS for the Cloud Authentication Service and enable SecurID authentication for users attempting to access protected networks through RADIUS-capable devices.

Note: This topic does not apply to deployments that use the embedded identity router in Authentication Manager.

Before you begin

Note: For RADIUS and relying party deployments, only two identity source attributes are supported as username credentials when prompting users for primary authentication. Active Directory supports sAMAccountName or mail. LDAP supports uid or mail. These attributes are not configurable.


  1. Enable RADIUS on Identity Routers in a Cluster

  2. Add, Clone, or Delete an Access Policy.

  3. Add a RADIUS Client for the Cloud Authentication Service

  4. (Optional) Configure a RADIUS Profile for the Cloud Authentication Service

  5. Configure your RADIUS client devices to direct authentication requests to the identity routers in your deployment on port 1812. For identity routers in the Amazon cloud, direct requests to the private IP address. For on-premises identity routers, use the management interface IP address. Some client devices can connect to multiple identity routers in the same cluster to provide load balancing or failover functionality. For configuration instructions, refer to the documentation provided by the device manufacturer. SecurID provides configuration guides for some client devices on RSA Link.

    Note: Do not configure clients to send authorization requests to the identity router.

    RADIUS for the Cloud Authentication Service supports only Password Authentication Protocol (PAP).

    Note: The connection timeout value configured in your RADIUS client software balances the amount of time users have to respond to push methods against failover performance. The recommended starting value is 45 seconds. Increase the value to give users more time to authenticate or decrease the value to improve failover. Failover occurs when the client determines the server is down and sends a request to another server. Also consider if retries are configured for the RADIUS clients. For example, if the client allows three retries, the effective timeout is really 2 minutes and 15 seconds. In the RADIUS client settings configured in the Cloud Administration Console (Authentication Clients > RADIUS), if Automatically prompt for push notification methods is enabled, make sure the server timeout (Allow users to select authentication method after timeout) does not exceed the client’s connection timeout. See Add a RADIUS Client for the Cloud Authentication Service for more information.

  6. Test the RADIUS configuration by attempting to authenticate using a RADIUS client. If unsuccessful, confirm that the RADIUS client and profile settings are correct.

After you finish

If you have not done so already, roll out the SecurID Authenticate mobile app to your users. SecurID Authenticate is required to use the Approve and Authenticate Tokencode methods for RADIUS authentication. For more information, see Cloud Authentication Service Rollout to Users.

Verify that password lockout settings are properly configured. For more information, see Configure Session and Authentication Method Settings.