This site requires JavaScript to be enabled
External Customer KB > General > Configuring the RADIUS Server Interface
Configuring the RADIUS Server Interface
Article: KB0010425 Published: 09/26/2023 Last modified: 09/26/2023

Many network appliances can be configured to use a RADIUS server for user authentication. For example, when a user establishes an IPsec VPN using their desktop VPN client, the network appliance can send an Access-Request to a RADIUS server, which authenticates the entered credentials against a user store. OneLogin provides a RADIUS configuration for processing these authentication requests. When OneLogin receives a RADIUS Access-Request message, the user's credentials are authenticated against the directory linked to the user.

Configuring OneLogin's RADIUS Server Interface

Take a look at this brief training video to learn more about RADIUS and how to configure it with OneLogin.

Watch Now

Prerequisites

  • A Network Access Server (NAS) device supporting the RADIUS protocol with PAP, EAP-TTLS/PAP, or EAP-PEAP/MSCHAPv2, e.g.:
    • Cisco ASA
    • Fortinet 200B
    • Juniper SSL VPN
    Note: Other RADIUS authentication methods such as MS-CHAP, MSCHAPv2 (without EAP-PEAP), and EAP-TLS are not currently supported.
  • Administrative access to and familiarity with the RADIUS protocol configuration in your NAS
  • Access to your NAS IP address and shared secret
  • A unique routable IP address for each individual RADIUS configuration

 


 

RADIUS Configuration

In your OneLogin admin portal, go to Authentication > RADIUS and click New Configuration or select an existing configuration.

RADIUS - New Configuration

Configurations

Secret

Enter a secret string as shared with your NAS.

  • Shared secrets may be up to 30 characters and include the following special characters: ~ ! @ # $ % ^ & * ( ) - _ = + [ ] { } \ | / ? < > , . ; : ' "
  • When creating a brand new shared secret, please allow up to an hour for the secret to be cached and usable.

IP Addresses

Enter one or more internet-routable IP addresses or ranges for your NAS, separated by spaces.

Roles Restriction

If desired, select a role in OneLogin to restrict access to only members of that role.

Configurations

Login challenge

If your NAS supports two-step authentication, you may select Require OTP verification as a 2nd step to require users to provide a temporary one-time passcode (OTP) after entering their username and password, then choose whether to apply the requirement to all users or only those whose security policy already requires an OTP authentication.

You may instead prefer to incorporate OTP verification in a single step by requiring users to enter the code concatenated with their password. In this case, leave Require OTP verification as a 2nd step unselected and choose OTP+Password when configuring Credentials below.

Login challenge

If 2nd-step OTP verification is required, your NAS must support Access-Challenge with untunnelled PAP authentication, and users must register their OTP device in their OneLogin profile with one of the following OTP providers:

This option is not supported by the EAP-PEAP/MSCHAPv2 authentication method.

Password

Enable Password Expiration Policy Enforcement

Enable this setting to have the OneLogin RADIUS server enforce the password expiration configured in the user's security policy.

Enable NT hash for EAP-PEAP/MSCHAPv2

If using EAP-PEAP/MSCHAPv2 authentication, enable this setting to allow OneLogin to store an NT hash of the user's password. Users must log in or reset their OneLogin password at least once before the NT hash is captured and available to use.

Password

Credentials

If creating a new RADIUS configuration, Save the configuration in order to access these settings.

By default, the user's User-Name attribute in RADIUS is mapped to the Email attribute in their OneLogin record, with their RADIUS User-Password mapped to their OneLogin Password. If preferred, you may select either mapping and choose a different OneLogin attribute to act as the user's credentials.

Credentials

User-Name

Email

(Default) The user's email address as stored in their OneLogin user record

Username

The user's username as stored in their OneLogin user record

SAMAccountName

The user's sAMAccountName as synced from Active Directory to their OneLogin user record

User-Password

Password

(Default) The user enters only their OneLogin password in the password field.

This option may be combined with a second prompt for OTP verification if enabled in your Login challenge settings.

OTP

The user enters only the temporary passcode generated by an OTP provider in the password field.

If this option is enabled, the user does not enter their OneLogin password at any stage of RADIUS authentication. This can be useful in RADIUS implementations that ues PAP only as it bypasses any vulnerabilities caused by compromised passswords.

Password+OTP

The user enters both their password and OTP concatenated together. For example, if the user's password is P@ssw0rd! and the code generated by their OTP provider is 123456, they must enter P@ssw0rd!123456 in the password field.

Edit RADIUS Credential Mapping

Attributes

This setting is only enabled by request. Contact your OneLogin account manager to allow access to this configuration.

If necessary, you can set your OneLogin RADIUS configuration to return a vendor-specific attribute (VSA) found in the FreeRADIUS Dictionary or some standard attributes, such as Filter-ID attribute 11, with the RADIUS Access-Accept message.

Click Add Attribute or select a previously configured attribute to edit or remove it.

Attributes

Attribute has dynamic group value

Leave this setting disabled for a static attribute value, or enable it to dynamically match the attribute based on OneLogin roles.

RADIUS Attribute Name

Enter the RADIUS attribute's name.

Name matching is not case sensitive. If the VSAs return unexpected results, please check your NAS documentation to verify that the names and values are entered correctly.

RADIUS Attribute Value

If using a static attribute, enter its value.

Roles to match

If using a dynamic attribute, select one or more roles to match to the attribute's value.

Use a delimiter

By default, multiple values for dynamic attributes are delimited by spaces. If preferred, you may enter an alternate delimiter, such as a comma or semicolon.

New RADIUS Attribute - Static

New RADIUS Attribute - Dynamic

Best Practice: After configuring your attributes, we strongly recommend using a RADIUS test client such as radtest to verify that the attributes you expect are returned with the Access-Accept message.

 


 

NAS Configuration

After completing your RADIUS configuration in OneLogin, use the following settings for your OneLogin region to complete configuration with your NAS. Consult your NAS documentation for configuration details.

NAS Configuration

OneLogin - US

OneLogin - EU

AAA/RADIUS Primary Server

Domain: radius.us.onelogin.com

IP: 52.34.255.206

Domain: radius.eu.onelogin.com

IP: 35.156.138.255

AAA/RADIUS Secondary Server

Domain: radius2.us.onelogin.com

IP: 18.216.23.112

Domain: radius2.eu.onelogin.com

IP: 54.246.141.64

Authentication Scheme

PAP or EAP-TTLS/PAP

RADIUS Port

UDP/1812

Secret/Key

Enter the Secret string from your OneLogin configuration.

Best Practice: When possible, use the RADIUS server domain name rather than the IP address, as IP addresses are more likely to change over time.


Expand/Collapse Comments
:     
Was this helpful?
YesYesNoNo