Setting Up RADIUS Authentication
When RADIUS is configured, it serves as a communication channel to an external authentication provider (for example, Duo Security).
The provider manages all aspects of verification, including Time-Based One-Time Passwords (TOTP), emergency tokens, or any other types of identification configured on that provider.
In the case of TOTP authentication, the generated tokens are sent to and verified by the external provider.
If the RADIUS service is not functioning - meaning the external provider is unreachable - authentication cannot proceed through that provider.
In such situations, alternative verification methods must be used, such as internal checks through the native MFA product (for example, security questions or OTP).
These fallback methods should be configured in advance to ensure continuity of user access.
To set up RADIUS, select 43. RADIUS from the Definitions menu (STRMFA > 21). The Work with Radius Definitions screen appears.
                         Work with Radius Definitions

    Type options, press Enter.                        Subset . . . . . . .
      1=Select   3=Copy   4=Delete

    Opt  Provider    Active  Description
         DUO           Y     Duo Security
         RSA           N     SecurID
                                                                    Bottom
    F3=Exit   F6=Add new
For each provider, a line on the screen shows the Provider name, whether the provider is Active, and a plain text Description of the provider.
To modify a RADIUS definition, enter 1 in the Opt field for that provider. The Modify Radius Definition screen appears:
                          Modify Radius Definition

    Type choices, press Enter.

      Provider . . . . . . . .   DUO
      Description  . . . . . .   Duo Security
      Active . . . . . . . . .   Y             Y=Yes, N=No
      User ID  . . . . . . . .   X             E=Email, X=External ID
      Shared secret  . . . . .                 Case sensitive, 100A
      Host URL . . . . . . . .   1.1.1.110
      Port . . . . . . . . . .   1812          1-65535
      Request password . . . .   N
      Timeout  . . . . . . . .   60            Seconds

    F3=Exit   F12=Cancel
The information for most of the fields is generated when you set up your organization's RADIUS authentication server. Copy the information for that server to the corresponding fields on this screen.
The remaining fields have these values:
Provider
A unique name for the provider.
Description
A free text description of the provider.
Active
Setting this to Y makes the service active. Setting it to N makes it inactive.
User ID
It is possible to set an External ID for a person in addition to the mandatory email address, as shown in Modifying a Person. Set this field to X to use the External ID or E to use the email address.
Timeout
The maximum number of seconds that the system waits for a response from the provider.
To copy a RADIUS definition, enter 3 in the Opt field for that server on the Work with Radius Definitions screen. The Copy Radius Definition screen appears. Enter the name of the new server in the To: Definition field of that screen, then press Enter.
To delete a RADIUS definition, enter 4 in the Opt field for that server on the Work with Radius Definitions screen. The Delete Radius Definition screen appears, displaying information about the server. Press Enter to delete that definition.
To add a RADIUS definition, press the F6 key on the Work with Radius Definitions screen. The Add New Radius Definition screen appears, with the same fields as the Modify Radius Definition screen.
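The Host URL, Port, Shared secret and Timeout values entered on these screens can be checked from another machine before a definition is set to Active. The following Python code is an added example, not part of the product or of this documentation: it sends one PAP Access-Request (RFC 2865) and verifies the Response Authenticator with the shared secret, which fails if the secret differs even in letter case. The function names, the address 192.0.2.10 and the test credentials are assumptions; a server that requires the Message-Authenticator attribute may not answer this request.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(secret, user, password, ident, authenticator):
    # Attribute 1 = User-Name, attribute 2 = User-Password (hidden, never cleartext).
    attrs = b""
    for atype, value in ((1, user), (2, hide_password(secret, authenticator, password))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def response_is_authentic(secret, response, request_authenticator):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if len(response) < 20:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    if length < 20 or length > len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def probe(host, port, secret, user, password, timeout):
    """Send one Access-Request; return accept, reject, other, unverified or unreachable."""
    auth, ident = os.urandom(16), os.urandom(1)[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_access_request(secret, user, password, ident, auth), (host, port))
            reply, _ = s.recvfrom(4096)
        except OSError:  # timeout or ICMP port unreachable
            return "unreachable"
    if len(reply) < 20 or reply[1] != ident or not response_is_authentic(secret, reply, auth):
        return "unverified"  # usually a shared-secret mismatch (the secret is case sensitive)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], "other")

if __name__ == "__main__":
    # Constructed values: documentation address, placeholder secret and credentials.
    print(probe("192.0.2.10", 1812, b"Example-Secret", b"probe-user", b"000000", 5))
```

An "unreachable" result corresponds to the condition in which authentication cannot proceed through the provider and the preconfigured fallback methods are needed.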
