Setting Up RADIUS

(Versions 7.4+)

Password Server supports authenticating against an external RADIUS server as a Two-Factor Provider.

RADIUS Configuration

Most RADIUS setups should have little need for additional configuration. For Password Server to authenticate, you will need:

Clarification Notes:
  • Complicated Authentication procedures involving Challenge-responses, are not yet supported.
  • If you use something like a biometric scanner, make sure it can output the necessary data as text.

Password Server Configuration

In Password Server itself, the configuration is simple.

  1. Go to Users and Roles > Manage Policies and click the name of the user policy containing the users you want to authenticate against RADIUS.
  2. Scroll down to Two Factor Policy and look for RADIUS in the configuration list. Click the [Configure] link in that row.
  3. Using the details required by RSA SecurID, fill in the fields:
    • Set Enabled to True
    • Set "User Can Self-Enroll in this Provider"
    • Server Address
    • Server Port
    • Select an Authentication Protocol - enabled for RSA SecurID
    • Shared Secret
  4. Click Save.

Attach and Enroll Users

Additional Users can be attached to this policy by either:

Disabled: Users attached to the policy will show as disabled, until they are enabled or enrolled or self-enrolled.

Enabling 2FA for a User

Two-Factor Authentication can also be enabled individually for all users you would like to authenticate against a RADIUS server:

  1. Go to Users and Roles > Manage Users and click the name of the user you want to enable RADIUS for.
  2. Scroll down to Policy Information and look for RADIUS in the Two Factor Authentication list. Click the [Configure] link in that row.
  3. Click the Enable button on that screen. The user will now be prompted for a password for the RADIUS server each time they log in.
  4. If RADIUS needs to be disabled for a user, you can go back to the previous screen and a Disable button will be present instead of the Enable button.

User Configuration and Self-Enrollment

The prompt is the same: for user configuration setup, and subsequently, for each time they use 2FA:

Configuration error:

Token entry error:

Using RADIUS via Duo

The support documentation on Duo's website has instructions for setting up the Duo proxy service as a RADIUS server or client.

Setup Requirement: The only requirement for using this setup with Password Server is that PAP must be selected as the authentication protocol in the policy configuration.

When a user logs in, they must type in both their password and Duo token as described in Duo's documentation here. If you are using the Duo-only client, this is unnecessary; users just need to type in their Duo token to authenticate.