Integrating RADIUS Support

The following sections describe how to integrate existing RADIUS environments with DigitalPersona MFA to authenticate users for Windows logon, Password Manager and DigitalPersona Identity Provider using the RADIUS authentication feature.

RADIUS (Remote Authentication Dial In User Service) is a simple client/server protocol, carried over UDP, described in RFC 2865.

The client is responsible for passing user information to designated RADIUS servers, and then acting on the response which is returned.

RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user.

To authenticate using RADIUS, the client creates an Access-Request containing Attributes such as the user's name (User-Name), the user's password (User-Password, which is hidden with an MD5 keystream derived from the shared secret rather than encrypted), the ID of the client (NAS-IP-Address or NAS-Identifier) and the port ID which the user is accessing (NAS-Port).

Once the RADIUS server receives the request, it validates the sending client. A request from a client for which the RADIUS server does not have a shared secret MUST be silently discarded. If the client is valid, the RADIUS server consults a database of users to find the user whose name matches the request. The user entry in the database contains a list of requirements which must be met to allow access for the user. This always includes verification of the password but can also specify the client(s) or port(s) to which the user is allowed access.
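The exchange described above, as an added example that is not part of the original page and not DigitalPersona or RADIUS-server code. It builds an Access-Request with the User-Password hiding from RFC 2865 section 5.2, validates it on the server side (unknown clients are silently discarded, the password and allowed clients are checked), and has the client verify the Response Authenticator before trusting the verdict. The shared secret, client IP address and user database are constructed sample values; the function names are this example's own.

```python
# Added example (not DigitalPersona or RADIUS-server code): RFC 2865 Access-Request round trip.
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5  # attribute types

# Constructed data: clients keyed by source IP (secret of at least 16 octets, as RFC 2865
# asks) and a user DB that also lists the clients each user may come through.
CLIENTS = {"10.0.0.5": b"constructed-shared-secret-1234"}
USERS = {"alice": {"password": b"correct horse battery staple",
                   "allowed_clients": {"10.0.0.5"}}}

def hide_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865 5.2): NUL-pad to a 16-octet multiple, XOR each
    block with MD5(secret + previous block), seeded by the Request Authenticator.
    Keyed obfuscation, not encryption: the shared secret plus the packet reveals it."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):  # server-side inverse
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, keystream))
    return out.rstrip(b"\x00")

def encode_attrs(attrs):  # Type(1) Length(1) Value; Length counts its own header
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs

def build_access_request(ident, username, password, nas_ip, nas_port, secret, request_auth=None):
    """Client side: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    request_auth = request_auth or os.urandom(16)  # fresh and unpredictable per request
    attrs = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
        (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
        (NAS_PORT, struct.pack("!I", nas_port)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def handle_request(packet, src_ip):
    """Server side: returns the reply packet, or None when the request is discarded."""
    secret = CLIENTS.get(src_ip)
    if secret is None or len(packet) < 20:
        return None  # no shared secret for this client: silently discard (RFC 2865 3)
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length < 20 or length > len(packet):
        return None
    request_auth, ok = packet[4:20], False
    try:
        attrs = dict(decode_attrs(packet[20:length]))
        user = USERS.get(attrs.get(USER_NAME, b"").decode(errors="replace"))
        if user is not None and USER_PASSWORD in attrs:
            supplied = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
            ok = hmac.compare_digest(supplied, user["password"]) and src_ip in user["allowed_clients"]
    except ValueError:
        return None  # malformed attributes
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + secret).digest()

def verify_reply(reply, request, secret):
    """Client side: trust the verdict only after the Response Authenticator checks out."""
    if reply is None or len(reply) < 20:
        return False, "no reply"
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return False, "identifier or length mismatch"
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return False, "bad Response Authenticator (wrong secret or forged reply)"
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}
    return code == ACCESS_ACCEPT, names.get(code, "unexpected code %d" % code)

def exchange(username, password, src_ip="10.0.0.5", secret=CLIENTS["10.0.0.5"]):
    """One round trip as the DigitalPersona Server (the RADIUS client) sees it."""
    request = build_access_request(7, username, password, src_ip, 0, secret)
    return verify_reply(handle_request(request, src_ip), request, secret)
```

`exchange("alice", "correct horse battery staple")` returns an Access-Accept; a wrong password returns an Access-Reject; a request from an address the server has no secret for gets no reply at all, which is exactly what a misconfigured client IP looks like from the DigitalPersona side; and a client using a different secret than the server sees the server's reply fail the Response Authenticator check. The `hmac.compare_digest` calls are constant-time comparisons; the MD5 use is what the protocol specifies, not a choice this example makes.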

Configure RADIUS Server for DigitalPersona RADIUS Authentication

Every RADIUS Client must be registered in the RADIUS Server Configuration Console before the server will accept its Access-Requests. Consequently, every DigitalPersona Server that will send Access-Requests must be configured as a RADIUS Client in the RADIUS Server Configuration Console.

The GUI to configure a RADIUS Client is vendor specific and depends on which RADIUS Server is being used. However, generally there are two parameters which must be set: the RADIUS Client IP address (the source address from which the DigitalPersona Server sends its Access-Requests) and the Shared Secret. The Shared Secret is the only thing that authenticates the client to the server and that hides the User-Password attribute on the wire, so choose a long random value (RFC 2865 recommends at least 16 octets), use a different one per client where the server allows it, and keep the traffic between the DigitalPersona Server and the RADIUS Server on a trusted network segment or inside an IPsec/VPN tunnel.

Configure DigitalPersona Server for RADIUS Authentication

The following steps are required to configure a DigitalPersona Server for RADIUS Authentication.

  1. On a computer with DigitalPersona Admin Tools deployed, run the Group Policy Management Editor.

  2. Navigate to Computer Configuration\Policies\Software Settings\HID DigitalPersona Client\Security\RADIUS.

  3. Double-click RADIUS Configuration. The RADIUS Configuration Properties dialog box opens.

  4. Select Enabled.

  5. Either click Add to add a new server or select an existing server and click Edit to modify the configuration.

    Alternatively, you can delete a configured server by selecting it in the list and clicking Remove.

  6. Enter your RADIUS Server IP address and Port. RFC 2865 assigns UDP port 1812 to RADIUS authentication; some older servers still listen on 1645 instead, so check which port your server actually uses.

  7. Enter exactly the same Shared Secret that was specified in the RADIUS Server configuration console when the DigitalPersona Server was added as a RADIUS client. A mismatch produces no explicit error: depending on the server, the request is silently discarded or answered with an Access-Reject, so confirm the value with Test Settings before saving.

  8. Enter the required Reply timeout in seconds.

    For example, 30 or more. This value is how long the DigitalPersona Server waits for the RADIUS Server's reply before treating the attempt as failed. If your RADIUS provider completes a second-factor step before it answers, the timeout must leave the user enough time to finish that step.

  9. Enter the number of Retries.

    For example, 1 or 2. This number is how many times the DigitalPersona Server resends the Access-Request when the RADIUS Server does not reply. Each attempt waits for the full Reply timeout, so a long timeout combined with several retries means a long hang before an unreachable server is given up on and the next one is tried.

  10. Enter the required Priority level.

    This value defines the priority of the RADIUS Server in the order of configured servers. A lower value indicates a higher priority. The range is 0 to 65535. The default value is 0.

  11. Enter the required Weight.

    This value defines a relative weight between 0 and 65535 for records with the same priority. The default value is 100.

Note:  
  • If multiple RADIUS Servers are configured, DigitalPersona AD always sends the RADIUS Access-Request to the server with the lowest Priority value (that is, the highest priority).

    Only if that server does not answer for any reason is the server with the next-lowest Priority value tried. An Access-Reject is an answer, so it does not cause failover to another server.

  • If multiple RADIUS Servers share the same Priority, DigitalPersona AD picks one of them at random, with a probability proportional to its configured Weight.
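The selection and failover behaviour described in this note, as an added example that is not DigitalPersona code: servers are tried by ascending Priority value, servers sharing a Priority are drawn at random in proportion to Weight, and the next server is used only when the current one does not answer. Two things are assumptions, not statements from the page: Retries is taken to mean additional attempts after the first, and each attempt is taken to wait for the full Reply timeout. The `send` callback stands in for the network round trip; the server list is constructed sample data.

```python
# Added example (not DigitalPersona code): Priority/Weight server selection with failover.
import random
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class RadiusServer:
    host: str
    port: int = 1812
    priority: int = 0      # 0..65535; lower value is tried first
    weight: int = 100      # 0..65535; share among servers of equal priority
    timeout: float = 30.0  # Reply timeout, seconds
    retries: int = 1       # assumed: extra attempts after the first when nothing answers

def failover_order(servers, seed=None):
    """Order in which the servers are tried for one Access-Request."""
    rng = random.Random(seed)
    order = []
    for prio in sorted({s.priority for s in servers}):
        group = [s for s in servers if s.priority == prio]
        while group:  # weighted draw without replacement within one priority level
            weights = [s.weight for s in group]
            pick = rng.choice(group) if sum(weights) == 0 else rng.choices(group, weights)[0]
            order.append(pick)
            group.remove(pick)
    return order

def worst_case_delay(servers):
    """Seconds a logon can hang before giving up when no server answers at all
    (assumes every attempt waits the full Reply timeout)."""
    return sum(s.timeout * (1 + s.retries) for s in servers)

def authenticate(servers, send, seed=None):
    """send(server) performs one Access-Request round trip and returns "accept" or
    "reject", or None when the Reply timeout expires. A Reject is an answer and ends
    the attempt; only silence moves on to the next server. Returns (reply, attempts)."""
    attempts = []
    for server in failover_order(servers, seed):
        for n in range(1 + server.retries):
            attempts.append((server.host, n + 1))
            reply = send(server)
            if reply is not None:
                return reply, attempts
    return None, attempts

def first_pick_share(servers, trials=10000, seed=1):
    """Fraction of requests each host receives first; shows the Weight split."""
    rng = random.Random(seed)
    counts = Counter(failover_order(servers, rng.getrandbits(64))[0].host for _ in range(trials))
    return {host: n / trials for host, n in counts.items()}

# Constructed sample: two primaries sharing priority 0 at a 3:1 weight, one standby.
SAMPLE = [RadiusServer("10.0.0.10", priority=0, weight=300),
          RadiusServer("10.0.0.11", priority=0, weight=100),
          RadiusServer("10.0.1.10", priority=10)]

def demo_primaries_down():
    """Both priority-0 servers are silent; the standby answers on its first try."""
    dead = {"10.0.0.10", "10.0.0.11"}
    return authenticate(SAMPLE, lambda s: None if s.host in dead else "accept", seed=0)

if __name__ == "__main__":
    print(first_pick_share(SAMPLE))      # close to {'10.0.0.10': 0.75, '10.0.0.11': 0.25}
    print(worst_case_delay(SAMPLE), "seconds if every server is down")  # 180.0
    print(demo_primaries_down())
```

With the sample list, a logon made while both primaries are down goes through four silent attempts (two per primary, because Retries is 1) before the standby is asked, which is 120 seconds of waiting at a 30-second Reply timeout; `worst_case_delay` shows the full 180 seconds if the standby is down too. That arithmetic is the reason to keep Reply timeout and Retries as small as the RADIUS provider's response time allows.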

Test the RADIUS Configuration

Before saving your RADIUS Configuration to the DigitalPersona Server, you should test it.

  1. Enter your RADIUS Username in the Username field.

  2. Enter your RADIUS password in the Password field.

    Depending on your RADIUS provider, the RADIUS password may or may not be your Windows account password.

  3. Click Test Settings.

  4. If the test succeeds, click OK to save the configuration and close the dialog.

Configure Enrollment and Authentication Policies

Enrollment Policy

To allow users to enroll a RADIUS credential for DigitalPersona authentication, make sure that the RADIUS credential is part of the Enrollment Policy specified in the Enrollment Policy GPO.

If the policy is not configured or is disabled, RADIUS credential enrollment will not be allowed.

Authentication Policy

To allow users to authenticate with their RADIUS credentials, make sure that the RADIUS credential is part of the applicable Logon Authentication Policy and Session Authentication Policy specified in the relevant GPO.

If a policy is not configured or is disabled, then RADIUS credentials are not allowed for authentication.