Enabling RADIUS Two-Factor Authentication
Procedure
Secret Server allows the use of RADIUS two-factor authentication on top of the normal authentication process for additional security.
To configure RADIUS for the Secret Server instance:
- Log on to Secret Server with an account that has the "Administer Configuration" and "Administer RADIUS" permissions.
- Navigate to the Administration menu.
- Type RADIUS in the search box and press <Enter>. The RADIUS Configuration page appears.
- Click the Edit button.
- Type the following as needed:
  - RADIUS Login Explanation: a custom message or instruction. Defaults to "Please enter your RADIUS passcode."
  - RADIUS Default Username: select the related RADIUS username from the dropdown. The default RADIUS username determines the credential Secret Server uses when attempting to authenticate against your RADIUS server. If your RADIUS server requires a UPN (User Principal Name), this setting should be modified accordingly. The UPN is stored in the database. If a Username is used, Secret Server sends the SAM Account Name (domain\username) to the RADIUS server. This setting can be customized to meet the specific requirements of your RADIUS server by navigating to Admin > Users when configuring RADIUS as the two-factor authentication method.
  - RADIUS Client Port Range: (default 1812) the source ports; Secret Server sends requests exclusively through the defined client port range. Entering a value of 0 configures Secret Server to use the ephemeral port range for outgoing requests. If your RADIUS server runs on the same machine as Secret Server, the client and server ports must be different.
  - RADIUS Server Port: (default 1812 for RSA and 1812 for AuthAnvil).
  - RADIUS Server IP: the IP address of your RADIUS server. See RADIUS IP Addresses.
  - Use Same RADIUS Shared Secret for All Users: leave selected.
  - RADIUS Shared Secret: must match the shared secret configured on your RADIUS server. (Shared Secret is a RADIUS term and is not related to any Secret Server secret.)
  - Attempt Silent Authentication: silent answer is a new configuration option for RADIUS that sets the RADIUS response to a defined string value. It supports push notification and other interactive variations in advanced RADIUS authentication configurations. The new setting replaces "Attempt User Password" and allows sending either the user password or another predefined string.
  - RADIUS Protocol: select UDP or EAP-TTLS-PAP from the dropdown.
  - Time out (seconds): set the number of seconds before a RADIUS request times out.
  - Enable Failover RADIUS Server: enable to configure a second RADIUS server for Secret Server to fail over to.
  - Failover RADIUS Server Port: enter the port of the failover RADIUS server.
  - Failover RADIUS Server IP: enter the IP address of your failover RADIUS server.
  - Failover RADIUS Shared Secret: enter the shared secret of the failover RADIUS server.
  - Failover Time Out (Seconds): set the number of seconds before a request to the failover RADIUS server times out.
  - Attempt Silent Authentication: select User Password or Static Value. For Static Value, enter the value below to send to RADIUS as the password.
  - Enable RADIUS NAS-Identifier: check to enable and configure the NAS-Identifier sent with the RADIUS Access-Request. This attribute contains a string identifying the NAS originating the Access-Request and is only used in Access-Request packets. Either NAS-IP-Address or NAS-Identifier MUST be present in an Access-Request packet. Note that NAS-Identifier must not be used to select the shared secret used to authenticate the request; the source IP address of the Access-Request packet must be used to select the shared secret.
  - Disable RADIUS NAS-IP-Address attribute: check to disable. This attribute indicates the identifying IP address of the NAS requesting authentication of the user and should be unique to the NAS within the scope of the RADIUS server. NAS-IP-Address is only used in Access-Request packets. Either NAS-IP-Address or NAS-Identifier must be present in an Access-Request packet. Note that NAS-IP-Address MUST NOT be used to select the shared secret used to authenticate the request; the source IP address of the Access-Request packet must be used to select the shared secret.
- Click the Save button.
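The two NAS notes above come from RFC 2865, and the example below shows what they mean on the wire. It is an added example, not Secret Server's code: a minimal Access-Request encoder for the plain UDP/PAP case (User-Password hidden with the shared secret and Request Authenticator) and the receiving side's checks, which pick the shared secret by source IP only and require NAS-IP-Address or NAS-Identifier. The client table, IP addresses, usernames and secret are constructed.

```python
import hashlib
import os
import socket
import struct
# RFC 2865 packet code and attribute types named on the RADIUS Configuration page.
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 2, 4, 32
# Constructed server-side client table: shared secrets keyed by source IP, never by NAS-Identifier.
CLIENTS = {"10.0.0.5": b"example-shared-secret"}

def xor_chain(data, secret, authenticator, unhide):
    """RFC 2865 section 5.2 User-Password hiding (unhide=False) or its reverse (unhide=True)."""
    data = data.ljust(max(16, -(-len(data) // 16) * 16), b"\x00")  # pad to 16-octet blocks
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += chunk
        prev = data[i:i + 16] if unhide else chunk  # the chain always runs over the hidden (wire) block
    return out

def attr(kind, value):
    return struct.pack("!BB", kind, 2 + len(value)) + value  # Type-Length-Value

def build_access_request(username, password, secret, nas_identifier=None, nas_ip=None):
    """Client side: the Access-Request a RADIUS client such as Secret Server would send."""
    authenticator = os.urandom(16)  # Request Authenticator: 16 random octets
    attrs = attr(USER_NAME, username) + attr(USER_PASSWORD, xor_chain(password, secret, authenticator, False))
    if nas_identifier:
        attrs += attr(NAS_IDENTIFIER, nas_identifier)
    if nas_ip:
        attrs += attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    return struct.pack("!BBH16s", ACCESS_REQUEST, 1, 20 + len(attrs), authenticator) + attrs

def parse_attrs(packet):
    attrs, i = {}, 20  # attributes follow the 20-octet header
    while i < len(packet):
        attrs[packet[i]] = packet[i + 2:i + packet[i + 1]]
        i += packet[i + 1]
    return attrs

def server_check(packet, src_ip):
    """Server side: secret chosen by source IP, NAS attribute required, password recovered."""
    secret = CLIENTS.get(src_ip)
    if secret is None:
        return None, "unknown source IP: request silently discarded"
    attrs = parse_attrs(packet)
    if NAS_IP_ADDRESS not in attrs and NAS_IDENTIFIER not in attrs:
        return None, "rejected: neither NAS-IP-Address nor NAS-Identifier present"
    return xor_chain(attrs[USER_PASSWORD], secret, packet[4:20], True).rstrip(b"\x00"), "ok"
```

A request carrying a trusted-looking NAS-Identifier from an unlisted source IP is still discarded, which is the point of the RFC's rule: the identifier names the client, the source address authenticates it.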
To test RADIUS settings:
- Click the Test RADIUS Login button. A popup appears.
- Type the RADIUS username and password.
- Click the OK button.
After enabling RADIUS on Secret Server, you must enable RADIUS two-factor authentication for each user:
- Sign in to an account with "Administer Configuration" and "Administer RADIUS" permissions.
- Navigate to Administration > Users. The Users page appears.
- Select the desired user.
- Click the Edit button.
- Select the RADIUS Two Factor Authentication check box.
- Type the username in the RADIUS Username text box.
  NOTE: Secret Server defaults this value to the user's Secret Server username. If you use this default, it must match the username on the RADIUS server.
- Review the settings and click Save.
- Repeat these steps for each user that needs to use RADIUS.
RADIUS IP Addresses
Please see the Secret Server Cloud Architecture Documentation for a listing of IP addresses.