Secure Mobile Access 12.4 Administration Guide

Configuring RADIUS with User or Token-Based Credentials

The appliance supports two different types of credentials for RADIUS: username and password, and token-based user credentials, such as SecurID or SoftID, which are validated against a database on a RADIUS server. You can configure the RADIUS authentication method to use either type of credential.

You can also deploy PhoneFactor authentication using RADIUS. When a user logs into their company’s VPN, a RADIUS request is made to the PhoneFactor Agent, which acts as a RADIUS proxy server. It first validates the user name and password with the target RADIUS server before initiating a PhoneFactor authentication. There are two methods for two-factor authentication using PhoneFactor:

  • The user enters his username and password and is then called by PhoneFactor. The user answers his phone and presses # or enters a PIN.

  • The user enters his username and password and then PhoneFactor sends him a text message containing a one-time passcode. The user replies to the text message with the passcode, or the passcode and his PIN, to authenticate.

To configure RADIUS for user- or token-based credentials

  1. In the AMC, navigate to System Configuration > Authentication Servers.

  2. Click New.

  3. Under Authentication directory, click RADIUS.

  4. Under Credential type, click Username/Password or Token/SecurID.

  5. Click Continue.

    The Edit Authentication Server displays.

  6. In the Name field, type a name for the authentication server.

  7. In the Primary RADIUS server field, type the host name or IP address of your primary RADIUS server. If your RADIUS server is listening on a port other than 1645 (the well-known port for RADIUS), you can specify a port number as a colon-delimited suffix (:<port number>).
  8. In the Secondary RADIUS server field, type the host name or IP address of your secondary RADIUS server. You can also add a port number if necessary.
  9. In the Shared secret field, type the password used to secure communication with the RADIUS server. This must be the same secret that is specified on the designated RADIUS server.
  10. In the Match RADIUS groups by list, select the attribute containing the groups of which the user is a member. The value returned from RADIUS will be used in the group portion of the appliance access rule. There are three possible values:

    RADIUS groups matching

    Match RADIUS groups by    Description
    None                      Ignores the group attribute
    filterid attribute (11)   Matches against the FilterID attribute
    class attribute (25)      Matches against the Class attribute
  11. In the Connection timeout field, type the number of seconds to wait for a reply from the RADIUS server before timing out the authentication attempt. The default is 5 seconds, with a range of 5 to 300 seconds. When using PhoneFactor, increase this value to give users time to receive the confirmation call.
  12. Expand the Advanced button to see additional, optional settings; these are described in Configuring Advanced RADIUS Settings.
  13. Click Save.
