RADIUS for the Cloud Authentication Service Overview

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting management for users who connect to a network service. Network access servers and other devices that control access to a network usually contain a RADIUS client that communicates with a RADIUS server.

Each identity router that is deployed on the VMware, Hyper-V, or Amazon Web Services platform includes an integrated RADIUS server. The RADIUS server receives user access requests from RADIUS clients and forwards the requests through the identity router to the Cloud Authentication Service. A RADIUS client is a network device, such as a network access server, firewall, or virtual private network (VPN) server, which uses the RADIUS protocol to communicate with a RADIUS server. The Cloud Authentication Service responds to the RADIUS server, which replies to the requesting RADIUS clients.

Note: User workstations and other user devices are not RADIUS clients.

Enabling RADIUS for a Cluster

You must enable RADIUS for each cluster that provides SecurID authentication for users attempting to access protected resources through RADIUS-capable authenticators. For instructions, see Enable RADIUS on Identity Routers in a Cluster. The Clusters page (Platform > Clusters) indicates whether RADIUS is enabled for each cluster.

High Availability in a RADIUS Deployment

If you want to achieve high availability in a RADIUS deployment, you can configure your RADIUS clients to determine which identity routers will receive authentication requests. See your RADIUS client documentation for guidance on configuring alternate RADIUS server(s) that can be used when the primary RADIUS server is unreachable.

Supported Authentication Methods for RADIUS

SecurID supports username and password verification for primary authentication, plus the following methods for additional authentication:

  • Approve (push notifications)

  • Authenticate OTP

  • SecurID OTP (including New PIN and Next OTP modes)

  • Biometrics

  • SMS OTP

  • Voice OTP

  • Emergency Access Code

Note: Users with invalid or expired passwords cannot change their passwords during the RADIUS authentication process. Users who need to change their passwords must do so prior to authenticating.

RADIUS Client Authentication Options

You can configure each RADIUS client to allow user authentication in one of the following ways:

Enable Both Password and Additional Authentication (Default)

After the Cloud Authentication Service validates the password, it evaluates the access policy. Results depend on whether Automatic Prompt for Push Notifications is enabled or disabled.

Automatic Prompt for Push Notifications = Enabled

What happens after password validation:

If Always send push notifications is not selected, the Cloud Authentication Service prompts the user for either Approve or Biometrics when either method meets both of the following criteria:

  • It is the user's default method.

  • It is in the access policy configured for the resource the user is attempting to access.

If Always send push notifications is selected, the Cloud Authentication Service automatically sends push notifications even if Approve or Biometrics is not the user's default authentication method, but is available in the access policy configured for the resource the user is attempting to access. The configured timeout applies.

If the access policy does not contain Approve or Biometrics, the user is presented with other options based on the access policy.

Automatic Prompt for Push Notifications = Disabled

What happens after password validation:

The user is presented with authentication options based on the access policy.

Enable Only Additional Authentication

When you enable only additional authentication, user authentication options vary depending on what users enter in the Password field.

Password Field Value = 1

User authentication options:

Indicates the user wants to authenticate with the last successfully used method or the default method from the assurance level in the access policy assigned to the RADIUS client. The Cloud Authentication Service responds as described in Password Field = 1 and Automatic Prompt for Push Notifications Disabled.

Password Field Value = SecurID OTP or Authenticate OTP

User authentication options:

If the access policy allows SecurID OTP or Authenticate OTP, the user can enter the OTP directly in the password field to authenticate. The Cloud Authentication Service determines which method it needs to verify based on:

  • The number of digits the user enters in this field. A SecurID OTP contains four or more digits. An Authenticate OTP contains eight digits.

  • Which method was last successfully used.

  • What the assurance level allows.

If the user enters either method incorrectly, each unsuccessful attempt counts against the lockout setting described in Configure Session and Authentication Method Settings for Authenticate OTP, or in Lockout Policy for SecurID.

Password Field Value = 2, other digits, or blank

User authentication options:

Displays a list of available authentication options, based on the assurance level.

Note: Some RADIUS clients do not send null passwords to the RADIUS server for evaluation. In this case, the client's authentication request might time out.

Additional Authentication and Automatic Prompt for Push Notifications Both Enabled

When you enable only additional authentication and the automatic prompt for push notification, the user authentication options vary depending on what users enter in the Password field.

Password Field Value = 1 or blank

User authentication options:

Always send push notifications check box unselected:

The user authenticates with the last successfully used method or the default method from the assurance level in the access policy assigned to the RADIUS client. When Approve or Biometrics is the user's default method, the RADIUS client prompts for Approve and Biometrics without forcing users to select a method. The Cloud Authentication Service responds as described in Password Field = 1 and Automatic Prompt for Push Notifications Enabled and Always Send Push Notifications Not Selected.

Always send push notifications check box selected:

The user authenticates with Approve or Biometrics, based on the assurance level in the access policy assigned to the RADIUS client.

Password Field Value = SecurID OTP or Authenticate OTP

User authentication options:

Prompts the user to enter the OTP or press 2 for more options.

Password Field Value = 2 or other digits

Password Field = 1 and Automatic Prompt for Push Notifications Disabled

If the user enters 1 in the password field to use the last successfully used method or the default method from the assurance level, the Cloud Authentication Service responds to the user as shown in the following table.

Last Used Method or Assurance Level Default Method, and the Cloud Authentication Service Response:

  • Approve or Biometrics: Sends push notification.

  • SMS OTP or Voice OTP: Prompts the user to enter the six-digit OTP sent automatically by SMS or Voice. User can also enter 1 to resend the OTP or 2 for more options.

  • SecurID OTP, Authenticate OTP, or Emergency Access Code: Prompts the user to enter the OTP or press 2 for more options.

Password Field = 1 and Automatic Prompt for Push Notifications Enabled and Always Send Push Notifications Not Selected

If the user enters 1 in the password field to use the last successfully used method or the default method from the assurance level, the Cloud Authentication Service responds to the user as shown in the following table.

Last Used Method or Assurance Level Default Method, and the Cloud Authentication Service Response:

  • Approve or Biometrics: Sends push notification.

  • SMS OTP, Voice OTP, SecurID OTP, Authenticate OTP, or Emergency Access Code: Prompts the user with the list and asks the user to select the authentication method.

Password Field = 1 or Blank and Always Send Push Notifications is Selected

The Cloud Authentication Service always sends the user a push notification if the user enters 1 or blank in the password field to use the last successfully used method or the default method from the assurance level, and if any of the following is Approve or Biometrics:

  • Last used authentication method

  • Assurance level default method

  • Method users are able to complete in an assurance level

If none of the above methods is Approve or Biometrics, the Cloud Authentication Service presents a list of available authentication options to the user.

Note: Users are prompted only for methods they are able to complete, as described in Assurance Levels.
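The three "Password Field = 1" tables above describe one decision, branched on two RADIUS client settings and the user's default method. The following Python model of that decision is an added example, not code from the SecurID documentation or product; the function name, parameter names and return values are assumptions chosen for the illustration, while the method names and setting names are the ones the documentation uses.

```python
# Added example, not part of the SecurID documentation: a model of the three
# "Password Field = 1" response tables. Function, parameter and return names
# are assumptions for this illustration.

PUSH_METHODS = {"Approve", "Biometrics"}
PHONE_OTP_METHODS = {"SMS OTP", "Voice OTP"}
TYPED_OTP_METHODS = {"SecurID OTP", "Authenticate OTP", "Emergency Access Code"}
KNOWN_METHODS = PUSH_METHODS | PHONE_OTP_METHODS | TYPED_OTP_METHODS


def response_for_password_one(default_method, completable_methods,
                              auto_prompt_enabled, always_send_push=False):
    """Return what the Cloud Authentication Service does when a RADIUS user
    enters 1 in the password field.

    default_method      -- the last successfully used method, or the assurance
                           level's default for a first-time user
    completable_methods -- methods in the assurance level that this user is
                           able to complete (users are prompted only for those)
    auto_prompt_enabled -- "Automatically prompt for push notification methods"
    always_send_push    -- "Always send push notifications" (only meaningful
                           when auto_prompt_enabled is True)

    Returns an (action, detail) pair: ("push", None), ("select", [methods])
    or ("enter-otp", prompt text).
    """
    if default_method not in KNOWN_METHODS:
        raise ValueError(f"unknown authentication method {default_method!r}")
    completable = set(completable_methods)

    if auto_prompt_enabled and always_send_push:
        # "Password Field = 1 or Blank and Always Send Push Notifications is
        # Selected": a push goes out whenever the default method OR any
        # completable method is Approve or Biometrics.
        if default_method in PUSH_METHODS or completable & PUSH_METHODS:
            return ("push", None)
        return ("select", sorted(completable))

    if auto_prompt_enabled:
        # "... Enabled and Always Send Push Notifications Not Selected": only a
        # push-capable default method skips the menu.
        if default_method in PUSH_METHODS:
            return ("push", None)
        return ("select", sorted(completable))

    # "... Automatic Prompt for Push Notifications Disabled": the default
    # method is used directly, with the prompt depending on its kind.
    if default_method in PUSH_METHODS:
        return ("push", None)
    if default_method in PHONE_OTP_METHODS:
        return ("enter-otp",
                f"six-digit OTP sent by {default_method}; 1 to resend, 2 for more options")
    return ("enter-otp", "enter the OTP or press 2 for more options")


if __name__ == "__main__":
    level = ["Approve", "SMS OTP", "SecurID OTP"]  # constructed assurance level
    for auto_prompt, always_push in ((False, False), (True, False), (True, True)):
        print(auto_prompt, always_push,
              response_for_password_one("SMS OTP", level, auto_prompt, always_push))
```

The case worth checking when configuring a client is the last one: with Always send push notifications selected, a user whose last successful method was SMS OTP still receives a push as long as Approve or Biometrics is in the assurance level, so that setting must be paired with a policy in which every user can actually complete one of those methods.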

RADIUS Authentication Flow Using Cloud-Managed Primary Authentication and Access Policy

The following graphic illustrates the authentication process using RADIUS when the Cloud Authentication Service validates the directory server password and applies the access policy for additional authentication.

Note: If automatic push notifications are enabled for the RADIUS client, step 6 in the graphic works as follows. The RADIUS server on the identity router calls the Cloud Authentication Service for authentication. The Cloud Authentication Service sends the push notification and an IN PROCESS message to the RADIUS server. The RADIUS server periodically checks to see if the user approved the authentication on the mobile device.

[Graphic: RADIUS authentication flow using cloud-managed primary authentication and access policy (securid_ngx_g_radiusauthflow.png)]

Access Policies for RADIUS Clients

You must assign an access policy to each RADIUS client to determine authentication requirements for users of that client. If the policy requires primary authentication only, users enter only their LDAP username and password. If additional authentication is required, the policy must meet both of the following criteria:

  • Contain at least one of these authentication methods: Approve, SecurID OTP, Authenticate OTP, Biometrics, SMS OTP, or Voice OTP.

  • Contain no authentication conditions. Authentication conditions are restrictions based on the context of the user's request, for example, whether the user has a known browser or is authenticating from a certain country. Conditions can be used to allow or deny a request, or to determine if additional authentication is necessary. When you add a RADIUS client, policies with conditions do not appear in the Access Policy field drop-down list. Instead, you can use identity source attributes to filter the user population and apply authentication requirements to specific categories of users. For more information, see Access Policies.

For information on how assurance levels are used with RADIUS clients, see Assurance Levels.

RADIUS User Experience and Automatic Push Notifications

You can simplify the user experience by configuring the RADIUS client to send push notifications for Approve and Biometrics without forcing users to select an authentication method, when Approve or Biometrics is the user's default method. Enable the Automatically prompt for push notification methods field on the Add RADIUS Client page to obtain this benefit. You must enable it separately for each client. If users do not respond to the push notification within a configured number of seconds, they are prompted to select another method that is provided from the assurance level in the access policy. If there is no alternate method, authentication fails.

When this option is disabled (the default) for a client and the default authentication method is Approve or Biometrics, RADIUS users are prompted to select a method when they authenticate through that client. For first time authentication, the default is the first method in the access policy's assurance level. For subsequent authentication attempts, the default is the last method the user successfully used.

Note: Regardless of whether this option is enabled or disabled, users must still make a selection when the default method is SMS OTP or Voice OTP. Also, users are never prompted to choose a method when the default method is SecurID OTP or Authenticate OTP.

You can enable both Automatically prompt for push notification methods and select Always send push notifications to force users to authenticate with Approve or Biometrics when those methods are in the access policy. For more information, see RADIUS Client Authentication Options.

The user can disable push notifications in the app, as described in Authentication Methods for Cloud Authentication Service Users. In this case, the user can still pull down on top of the app during authentication to receive a notification. Regardless of whether push notifications are enabled or disabled, the user must respond within n seconds, according to the timeout setting. The timeout is 90 seconds when the Cloud Authentication Service enforces the access policy without the password and Automatically prompt for push notification methods is enabled.
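The note under the authentication flow graphic (the RADIUS server sends the push, receives an IN PROCESS message, then polls for the user's answer) and the timeout behaviour described in this section together form a small state machine. The following simulation is an added example, not code from the SecurID documentation or the identity router; the class, function and status names are assumptions, and the simulated service stands in for the Cloud Authentication Service API, which the page does not show.

```python
# Added example, not part of the SecurID documentation: simulation of step 6
# with automatic push notifications. Class, function and status names are
# assumptions; the timeout and poll interval are parameters, with 90 seconds
# as the default the documentation gives for the policy-only case.

IN_PROCESS, APPROVED, DENIED = "IN PROCESS", "APPROVED", "DENIED"


class SimulatedCloudService:
    """Constructed stand-in for the Cloud Authentication Service.

    decision            -- APPROVED or DENIED once the user answers the push
    respond_after_polls -- how many status checks pass before the answer
                           arrives; None means the user never responds
    """

    def __init__(self, decision=APPROVED, respond_after_polls=2):
        self.decision = decision
        self.respond_after_polls = respond_after_polls
        self.polls = 0
        self.push_sent = False

    def send_push(self, user):
        # The real service sends the notification and answers IN PROCESS.
        self.push_sent = True
        return IN_PROCESS

    def check_status(self, user):
        self.polls += 1
        if self.respond_after_polls is not None and self.polls >= self.respond_after_polls:
            return self.decision
        return IN_PROCESS


def radius_push_authentication(service, user, alternate_methods,
                               timeout_seconds=90, poll_interval_seconds=5):
    """Drive one push authentication the way the identity router's RADIUS
    server does: send the push, then poll until the user responds or the
    timeout expires.

    Returns ("accept", None), ("reject", reason) or ("challenge", [methods]).
    "challenge" means the push timed out and the user is prompted to choose
    another method from the assurance level (a RADIUS Access-Challenge on
    the wire); with no alternate method the authentication fails instead.
    """
    status = service.send_push(user)
    elapsed = 0
    while status == IN_PROCESS and elapsed < timeout_seconds:
        # A real server sleeps between checks; here a simulated clock advances.
        elapsed += poll_interval_seconds
        status = service.check_status(user)

    if status == APPROVED:
        return ("accept", None)
    if status == DENIED:
        return ("reject", "user denied the push notification")
    # Still IN PROCESS when the timeout expired.
    if alternate_methods:
        return ("challenge", list(alternate_methods))
    return ("reject", "push timed out and the assurance level has no alternate method")


if __name__ == "__main__":
    quick = SimulatedCloudService()
    print(radius_push_authentication(quick, "alice", ["SMS OTP"]))
    silent = SimulatedCloudService(respond_after_polls=None)
    print(radius_push_authentication(silent, "alice", ["SMS OTP"]), silent.polls)
```

A denied push is a final reject rather than a fallback to another method; only the timeout leads to the method selection prompt, which is why an assurance level that contains Approve or Biometrics alone leaves a user who missed the notification with no way to complete the login.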

Streamlined OTP Authentication for RADIUS

SecurID offers a streamlined RADIUS authentication experience for users with access to both the SecurID OTP and Authenticate OTP methods. If the assurance level associated with the RADIUS client access policy allows both methods, a user can enter either type of OTP when prompted, and the RADIUS service will automatically determine the appropriate method according to the following process:

  • If the user's most recent successful authentication used the SecurID OTP method, and the OTP provided is eight digits in length, RADIUS attempts SecurID OTP authentication first. If unsuccessful, Authenticate OTP authentication is attempted.

  • If the user's most recent successful authentication used a method other than SecurID OTP, and the OTP is eight digits, Authenticate OTP is attempted first, followed by SecurID OTP.

  • If the OTP is more or fewer than eight digits, RADIUS attempts SecurID OTP authentication only.
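The three rules above, together with the digit-count and last-used-method criteria listed under RADIUS Client Authentication Options, define a small method-ordering procedure. The following Python version is an added example, not code from the SecurID documentation or the RADIUS service; the function names and the stub verifiers are assumptions for the illustration, and real OTP validation happens in the Cloud Authentication Service, not in the RADIUS server.

```python
# Added example, not part of the SecurID documentation: OTP method selection
# by digit count and last successful method, plus a simulated attempt loop.
# Function names and the stub verifiers are assumptions for this illustration.

SECURID, AUTHENTICATE = "SecurID OTP", "Authenticate OTP"


def otp_attempt_order(otp, last_method, allowed_methods):
    """Return the ordered list of methods the RADIUS service should try for a
    value typed into the password field.

    otp             -- the string the user entered
    last_method     -- method of the user's last successful authentication,
                       or None for a first-time user
    allowed_methods -- methods the assurance level allows

    An empty list means the value cannot be an OTP for any allowed method.
    """
    allowed = set(allowed_methods)
    if not otp or any(c not in "0123456789" for c in otp) or len(otp) < 4:
        return []  # a SecurID OTP has four or more digits; nothing shorter qualifies
    if len(otp) == 8:
        if {SECURID, AUTHENTICATE} <= allowed:
            # Both methods fit eight digits: the last successful method goes first.
            if last_method == SECURID:
                return [SECURID, AUTHENTICATE]
            return [AUTHENTICATE, SECURID]
        if AUTHENTICATE in allowed:
            return [AUTHENTICATE]
    # Any other length (or eight digits without Authenticate OTP) can only be
    # a SecurID OTP.
    return [SECURID] if SECURID in allowed else []


def authenticate_otp(otp, last_method, allowed_methods, verifiers):
    """Try each candidate method in order. verifiers maps a method name to a
    callable that returns True for a valid OTP. Returns (method, attempts)
    for the first method that accepts the value, or (None, attempts)."""
    attempts = 0
    for method in otp_attempt_order(otp, last_method, allowed_methods):
        attempts += 1
        if verifiers[method](otp):
            return (method, attempts)
    return (None, attempts)


# Constructed stub verifiers: each accepts hard-coded values so the fallback
# order can be observed. They are not real tokencode validation.
DEMO_VERIFIERS = {
    SECURID: lambda otp: otp in ("12345678", "246810"),
    AUTHENTICATE: lambda otp: otp == "87654321",
}

if __name__ == "__main__":
    both = [SECURID, AUTHENTICATE]
    # Eight-digit SecurID tokencode after a non-SecurID login: tried second.
    print(authenticate_otp("12345678", AUTHENTICATE, both, DEMO_VERIFIERS))
    # Six digits can only be SecurID OTP, so it is tried alone.
    print(authenticate_otp("246810", None, both, DEMO_VERIFIERS))
```

Each user entry that fails every candidate method counts against the lockout settings named under RADIUS Client Authentication Options; that accounting lives in the Cloud Authentication Service and is deliberately left out of the model above.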