Configuring RADIUS Silent Authentication

If you have an identity service provider (such as Duo, Okta, SecureID, and so forth) that you use for MFA logins and you've integrated that with Server Suite and you have a RADIUS server for MFA with your identity provider and also a RADIUS server integrated with Server Suite, you can set up silent authentication so that your users don't have to enter their passwords or security question answers twice.

You can configure the credential provider to silently send the user's password as the first response to the authentication workflow. This feature prevents prompting the user for password multiple times when a 3rd party radius is being used as the authentication mechanism.

You can deploy these registry settings as group policies.

To control this new feature we have 3 new registry settings:

  • SilentAuthPromptDetectionRegex (string)

    This is a regular expression that we match against an authentication prompt that RADIUS sends us. If there is a match, we'll try to automatically respond. For example, if the RADIUS prompt is "Enter your password" we can set this regular expression to

    .*password.*

  • SilentAuthPromptResponseType (uint):

    This setting controls the kind of response we provide.

    0 - (default) No auto-response: The service prompts the user for the password even if there's a regular expression match.

    1 - Silent auto-response: The service responds with the same password that the user just entered as a Windows login credential.

    2 - Fixed response: Instead of responding automatically with the password, we respond automatically with a fixed response (a static string, for example "This is an automatic response"). Use the SilentAuthPromptFixedResponse to store the fixed response text.

  • SilentAuthPromptFixedResponse (string):

    The fixed response if the SilentAuthPromptResponseType is configured as 2. Use this setting to store the fixed response, such as "This is an automatic response."

When you create these registry entries, put them in HKEY_LOCAL_MACHINE\SOFTWARE\Centrify\DirectAuthorize\Agent.