Configuring the RADIUS Server Interface
Article: KB0010425 Published: 02/06/2023 Last modified: 02/06/2023

Introduction

Many network appliances can be configured to use a RADIUS server for user authentication. For example, when a user establishes an IPsec VPN using their desktop VPN client, the network appliance can send an Access-Request to a RADIUS server, which authenticates the entered credentials against a user store.

OneLogin provides a RADIUS interface that processes RADIUS authentication requests. When OneLogin receives a RADIUS Access-Request message, the user's credentials are authenticated against the directory linked to the user. OneLogin's RADIUS interface also supports second-factor authentication, such as a one-time-password (OTP), either concatenated with the user password in a one-step authentication scheme, or as a response to a secondary challenge in a two-step authentication scheme.

The OneLogin RADIUS Server interface has a maximum limit on invalid login attempts. If a user's RADIUS authentication attempt is rejected, their invalid-login counter is incremented unless a certain period of time has passed since the last failed attempt. Once the limit is reached, the user is blocked from logging in again for several minutes.

The OneLogin RADIUS server can authenticate users with the credentials below.

  • User name: username, email, or sAMAccountName
  • Password: password, OTP only, or password+OTP (concatenated as a single password string, optionally comma delimited)
  • Second-step challenge: OTP (for untunneled RADIUS PAP only, with devices that support challenge)
    Note: The OTP-only and password+OTP password formats are only supported with PAP and EAP-TTLS/PAP.

The MFA factors below are supported by RADIUS.

  • OneLogin Protect
  • Google Authenticator
  • Symantec VIP
  • Yubikey

Check out our video training for Configuring OneLogin's RADIUS Server Interface.

Configuring OneLogin's RADIUS Server Interface

This article includes the following topics:

For detailed instructions about configuring a Meraki Access Point to use OneLogin RADIUS server for authentication, see Configure the RADIUS Server Interface with Meraki Access Points

Note: Adaptive Authentication can only be applied to a user policy and isn't compatible with RADIUS authentication.

Prerequisites

  • A device that supports the RADIUS protocol using either PAP, EAP-TTLS/PAP, or EAP-PEAP/MSCHAPv2.

    These devices are known as Network Access Servers, or NAS. Examples are:

    • Cisco ASA
    • Fortinet 200B
    • Juniper SSL VPN

    Note: OneLogin supports the RADIUS PAP, EAP-TTLS/PAP, and EAP-PEAP/MSCHAPv2 authentication methods. Other RADIUS authentication methods such as MS-CHAP, MSCHAPv2 (without EAP-PEAP), and EAP-TLS aren't supported.

    Please submit a request through the button in your OneLogin admin portal for authentication methods you would like to see supported.

  • A basic understanding of how to configure the RADIUS protocol on your NAS.

  • Every RADIUS configuration requires a unique routable IP address. For example, for 3 RADIUS configs, you need 3 unique routable IP addresses. 

  • Access to your NAS IP address and shared secret.

Configure RADIUS in OneLogin

  1. Log in to OneLogin as an administrator.

  2. Go to Authentication > RADIUS.

  3. Click the New Configuration button.

    The RADIUS configuration page appears.

  4. Enter a Name to identify this configuration; for example, My Cisco ASA. 

  5. In the Secret field, enter the string defined as the shared secret in your NAS. If you create a new shared secret, it can take up to an hour to be usable due to caching.

    Note: There is a 30 character limit for shared secrets. Shared secrets support the following special characters: ~ ! @ # $ % ^ & *( ) _ + | \ = - ' { } [ ] : " ' ; < > ? / . ,

  6. Enter the Internet routable IP address of your NAS.

    You can enter more than one, separated by spaces.

  7. (Optional) If you want to restrict access to users in certain OneLogin roles, select the role from the Role Restriction drop-down.

  8. (Optional) If your NAS supports two-step authentication, select Require OTP verification as a 2nd step.

    Use this option to require users to provide a one-time password (OTP) as a second step after entering the user name and password. If you enable this option, users must register their OTP device in their OneLogin profile before they can authenticate and must use OneLogin Protect, Symantec VIP, Google Authenticator, or Yubikey as their OTP provider.  This option is not supported if you are using the EAP-PEAP/MSCHAPv2 authentication method.

    Note: Instead of this option, you can incorporate second-factor authentication as a single step by requiring a concatenated password + one-time password (OTP). To set up single-step authentication with OTP, skip this step and go to step 9, below.

    When you have selected the Require OTP verification option, two additional options appear.


    Select for all users to require all users to provide an OTP after they have entered their username and password. Select if user's OneLogin policy requires OTP (recommended) to require this second authentication step only for users who have been assigned a security policy that requires multi-factor authentication. For more information about policies requiring multi-factor authentication, see User Policies.

    Important Note: You must configure your NAS for RADIUS challenge authentication. After validating the user name and password, OneLogin RADIUS returns a RADIUS Access-Challenge to your NAS, which prompts the user. Consult your NAS provider for guidance. NAS must support Access-Challenge to use this feature. Access-Challenge is only supported by OneLogin with untunneled PAP authentication.

    OneLogin RADIUS Push Support

    If OneLogin Protect is the user's default MFA device, you can send push notifications to their registered default Protect device. Users receive a OneLogin Protect push notification if the following conditions are met:

    • OneLogin Protect is registered as the default MFA device, and
    • Password+OTP is required and the user only enters their password, or
    • OTP is required and the user enters the keyword push, or
    • Challenge is required and the user enters the keyword push.
  9. (Optional) In the Password section, select the Enable Password Expiration Policy Enforcement setting to have the OneLogin RADIUS server enforce the user's OneLogin password expiration policy. 

    You can enable NT Hash for EAP-PEAP/MSCHAPv2.

    RADIUS EAP-PEAP/MSCHAPv2 authentication is commonly used with enterprise WiFi access services. Because a one-way NT Hash of the user's password is sent by the client, OneLogin must compare the NT Hash against a stored NT hash. Enabling this feature allows OneLogin to store an NT Hash of the user password. Users must log in or change their OneLogin password at least once before the NT hash is captured and available to use.
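An added illustration of what is stored and compared in this mode; it is written for this article and is not OneLogin's code. The NT hash that MS-CHAPv2 works from is MD4 over the UTF-16LE encoding of the password, with no salt, so the stored value is as sensitive as the password itself. The `NtHashStore` class and the user names are constructed to mirror the capture rule above (a hash exists only after the user has logged in or changed their password once); MD4 is written out in full because current OpenSSL builds often no longer expose it through `hashlib`.

```python
import hmac
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(message: bytes) -> bytes:
    """MD4 digest (RFC 1320), implemented here because hashlib's md4 is a
    legacy algorithm that many current OpenSSL builds do not provide."""
    buf = message + b"\x80"
    buf += b"\x00" * ((56 - len(buf) % 64) % 64)     # pad to 56 mod 64
    buf += struct.pack("<Q", len(message) * 8)        # little-endian bit length
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(buf), 64):
        x = struct.unpack("<16I", buf[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                           # round 1: F(b,c,d)
            t = a + ((b & c) | (~b & d)) + x[i]
            a, b, c, d = d, _rotl(t & _MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                           # round 2: G(b,c,d)
            t = a + ((b & c) | (b & d) | (c & d)) + x[(i % 4) * 4 + i // 4] + 0x5A827999
            a, b, c, d = d, _rotl(t & _MASK, (3, 5, 9, 13)[i % 4]), b, c
        order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
        for i in range(16):                           # round 3: H(b,c,d)
            t = a + (b ^ c ^ d) + x[order[i]] + 0x6ED9EBA1
            a, b, c, d = d, _rotl(t & _MASK, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = ((a0 + a) & _MASK, (b0 + b) & _MASK,
                          (c0 + c) & _MASK, (d0 + d) & _MASK)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT hash as MS-CHAPv2 uses it: MD4 over the UTF-16LE password.
    No salt and no iteration, so equal passwords give equal hashes."""
    return md4(password.encode("utf-16-le"))


class NtHashStore:
    """Constructed model of the capture rule from the article: a user's NT hash
    only exists once that user has logged in (or changed their password) while
    the feature is enabled; until then MSCHAPv2 cannot be validated for them."""

    def __init__(self) -> None:
        self._hashes = {}

    def capture_on_login(self, user: str, password: str) -> None:
        # Called at a successful password login: this is the only moment the
        # server sees the cleartext it needs to derive the NT hash.
        self._hashes[user] = nt_hash(password)

    def can_do_mschapv2(self, user: str) -> bool:
        return user in self._hashes

    def verify(self, user: str, candidate_password: str) -> bool:
        # Constant-time compare of the stored hash against the candidate's hash.
        stored = self._hashes.get(user)
        return stored is not None and hmac.compare_digest(stored, nt_hash(candidate_password))


if __name__ == "__main__":
    store = NtHashStore()
    print("alice before login:", store.can_do_mschapv2("alice"))
    store.capture_on_login("alice", "password")          # constructed sample
    print("alice after login: ", store.can_do_mschapv2("alice"))
    print("stored NT hash:    ", nt_hash("password").hex())
```

The point to take from the store: because the hash is unsalted and directly usable for MS-CHAPv2 validation, enabling the NT Hash option means the user store now holds a password-equivalent secret that must be protected accordingly.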

  10. After you click Save, the Credentials section displays the mapping of RADIUS attributes (left) to OneLogin attributes (right). Confirm or modify your attribute mappings.


    By default, the OneLogin RADIUS service uses the OneLogin Email as the RADIUS User-Name and the OneLogin Password as the RADIUS User-Password.

    Your options are:

    User-Name:

    • OneLogin Email (default)
    • OneLogin Username
    • sAMAccountName

    User-Password:

    • OneLogin Password only (default): use this if you're using OTP verification as a 2nd step (see step 8), or if you don't need OTP.
    • OTP only: users don't provide their password.

      Note: This is typical of RADIUS implementations that use PAP only. Passwords can be compromised. If you use OTP only, with OTP codes that change with each authentication request, the vulnerability is removed.

    • Password+OTP: users enter both password and OTP as a concatenated string (mypassword12345, where 12345 is the OTP) or use an optional comma delimiter (which looks like mypassword,12345).

    Click any row to change the attribute mapping. Click Save if you edited mappings.
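The three User-Password mappings above, together with the push keyword rules from step 8, as an added example of how a server would split the field before checking anything. This is illustration code written for this article, not OneLogin's implementation. It assumes a numeric six-digit OTP, splits at the last comma when the optional delimiter is used, and takes a `password_ok` callback standing in for the directory check, which is what tells "password only, send a push" apart from "password immediately followed by OTP"; the demo user and password are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Optional

PUSH_KEYWORD = "push"   # keyword from the push-support list in step 8
OTP_LENGTH = 6          # ASSUMPTION: numeric six-digit OTP; Yubikey OTPs are longer


@dataclass
class Credential:
    password: Optional[str] = None      # static password still to be checked (unless password_verified)
    otp: Optional[str] = None           # one-time password to check against the user's MFA device
    push: bool = False                  # send a OneLogin Protect push instead of expecting an OTP
    password_verified: bool = False     # True when the parser already had to verify the password


class CredentialFormatError(ValueError):
    """User-Password did not fit the configured mapping."""


def parse_user_password(value: str, mode: str,
                        password_ok: Callable[[str], bool]) -> Credential:
    """Interpret the RADIUS User-Password field under one of the mappings
    from the Credentials section ("password", "otp", "password+otp") or as
    the answer to a second-step Access-Challenge ("challenge").

    password_ok is the directory check for a candidate static password. It is
    only consulted in password+otp mode, where a string with no delimiter is
    either the bare password (push case) or the password immediately followed
    by the OTP."""
    if mode == "password":
        return Credential(password=value)

    if mode in ("otp", "challenge"):
        if value == PUSH_KEYWORD:
            return Credential(push=True)
        return Credential(otp=value)

    if mode == "password+otp":
        if "," in value:
            # Optional comma delimiter (mypassword,12345). ASSUMPTION: split at
            # the last comma so a password containing commas still works.
            pwd, otp = value.rsplit(",", 1)
            if not pwd or not otp:
                raise CredentialFormatError("empty password or OTP around the delimiter")
            return Credential(password=pwd, otp=otp)
        # No delimiter: if the whole string is the user's password, they entered
        # the password only, which triggers a push to their default Protect device.
        if password_ok(value):
            return Credential(password=value, push=True, password_verified=True)
        # Otherwise the trailing OTP_LENGTH digits are the OTP (mypassword12345).
        if len(value) > OTP_LENGTH and value[-OTP_LENGTH:].isdigit():
            return Credential(password=value[:-OTP_LENGTH], otp=value[-OTP_LENGTH:])
        raise CredentialFormatError("expected <password><otp> or <password>,<otp>")

    raise ValueError(f"unknown User-Password mapping: {mode!r}")


def parse_or_none(value: str, mode: str,
                  password_ok: Callable[[str], bool]) -> Optional[Credential]:
    """Same as parse_user_password but returns None on a format error, which a
    server would count as a failed attempt rather than a protocol fault."""
    try:
        return parse_user_password(value, mode, password_ok)
    except CredentialFormatError:
        return None


if __name__ == "__main__":
    # Constructed demo directory: a single user with a known password.
    directory = {"alice": "correct-horse"}
    check = lambda p: p == directory["alice"]
    for sample in ("correct-horse123456", "correct-horse,123456", "correct-horse", "wrong"):
        print(repr(sample), "->", parse_or_none(sample, "password+otp", check))
```

Note that in password+otp mode the bare-password case costs a directory lookup before the split is even attempted, which is why a wrong password entered without an OTP still counts against the invalid-login limit described in the introduction.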

  11. OneLogin RADIUS Attributes

    The RADIUS specification includes standardized attributes used to communicate information between a client and a server. Because these attributes are standardized, the attribute data is predefined and recognized by RADIUS clients and servers. RADIUS Vendor-Specific Attributes (VSAs) are all derived from a single standard attribute, Vendor-Specific (attribute 26), which allows a registered vendor to define additional attributes in any way it chooses.

    You can set your OneLogin RADIUS configuration to return VSAs and some standard attributes (such as Filter-ID attribute 11) with the RADIUS Access-Accept message. Support for both static values and dynamically matched OneLogin role values is provided.

    OneLogin RADIUS only returns VSAs and values defined by the FreeRADIUS 3 dictionary files. The name match isn't case sensitive. If the VSAs return unexpected results, please check your NAS documentation to verify that you entered the names and values correctly.

    We only support VSAs that are found in the FreeRADIUS Dictionary.

    Note: In order to enable this feature you will need to contact your Account Manager.

    Configure Attributes

    Use the same steps to configure both standard RADIUS attributes and VSAs, as described below.

    1. In the Attributes section of your RADIUS configuration, click the Add Attribute button and enter the name and value of a static attribute in the dialog. Click Save. A new attribute name and value appears in the attributes table.


    2. If the attribute you added is dynamically selected from matching OneLogin roles, check the Attribute has dynamic group value checkbox. When checked, the dialog changes to let you select the OneLogin roles to match against. Any selected roles that match an authenticating user's roles are returned in this attribute, joined with the delimiter you specify (a space by default). Click Save. A new attribute name, with the matching roles, appears in the attributes table.

      Note: You may find it helpful to create and assign OneLogin Roles specific to your NAS configuration.

    3. Upon completion, your configuration displays the attributes you entered. Click on an attribute row to edit or delete in the dialog.


    Testing Attributes

    We recommend you use a RADIUS test client such as radtest to easily verify that the attributes you expect are returned with the Access-Accept message. For the configuration above, a successful authentication for a user with all matching roles would return:

    $ sudo radtest donald xxxxxx radius.us.onelogin.com 0 test123
    Sent Access-Request Id 41 from 0.0.0.0:56852 to 62.44.255.206:1812 length 76
         User-Name = "donald"
         User-Password = "xxxxxx"
         NAS-IP-Address = 10.13.10.251
         NAS-Port = 0
         Message-Authenticator = 0x00
         Cleartext-Password = "xxxxxx"
    Received Access-Accept Id 41 from 62.44.255.206:1812 to 10.13.10.251:56852 length 100
         Tunnel-Private-Group-Id:0 = "Default;Administrator;IT Systems"
         Tunnel-Type:0 = VLAN
         Tunnel-Medium-Type:0 = IPv4
         Filter-Id = "Default;Administrator;IT Systems"

    Note: You must use PAP to see the attributes in the command-line while testing or via a wire sniffer.
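As an added check that is not part of the article or of radtest itself, the following parses a radtest transcript of the shape shown above and compares the Access-Accept attributes with the value a dynamic group attribute should carry for a given user. The transcript is constructed in the same layout as the one above, with a documentation IP address in place of the server; the role names are the ones shown; the assumption that matched roles are emitted in the order they were configured is labelled in the code.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of the article's radtest transcript (not a
# real capture; 192.0.2.10 is a documentation address standing in for the server).
SAMPLE_RADTEST_OUTPUT = """\
Sent Access-Request Id 41 from 0.0.0.0:56852 to 192.0.2.10:1812 length 76
     User-Name = "donald"
     User-Password = "xxxxxx"
     NAS-IP-Address = 10.13.10.251
     NAS-Port = 0
     Message-Authenticator = 0x00
     Cleartext-Password = "xxxxxx"
Received Access-Accept Id 41 from 192.0.2.10:1812 to 10.13.10.251:56852 length 100
     Tunnel-Private-Group-Id:0 = "Default;Administrator;IT Systems"
     Tunnel-Type:0 = VLAN
     Tunnel-Medium-Type:0 = IPv4
     Filter-Id = "Default;Administrator;IT Systems"
"""

_PACKET_RE = re.compile(r"^(Sent|Received) (Access-[A-Za-z]+) Id (\d+)")
# Attribute lines are indented; the optional ':N' is the tunnel tag.
_ATTR_RE = re.compile(r"^\s+([A-Za-z0-9-]+)(?::\d+)?\s*=\s*(.*?)\s*$")


def parse_radtest(output: str) -> Dict[str, object]:
    """Split a radtest transcript into request and reply attribute sets.
    Tunnel tags (':0') are dropped from names and surrounding double quotes
    are stripped from values."""
    result = {"request": {}, "reply": {}, "reply_code": None, "request_id": None}
    section = None
    for line in output.splitlines():
        m = _PACKET_RE.match(line)
        if m:
            direction, code, pkt_id = m.groups()
            if direction == "Sent":
                section = "request"
                result["request_id"] = int(pkt_id)
            else:
                section = "reply"
                result["reply_code"] = code
            continue
        m = _ATTR_RE.match(line)
        if m and section:
            name, value = m.groups()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            result[section][name] = value
    return result


def expected_dynamic_value(user_roles: List[str], configured_roles: List[str],
                           delimiter: str = " ") -> str:
    """Value a 'dynamic group value' attribute should carry: the configured
    roles the authenticating user actually holds, joined with the configured
    delimiter (a space by default). ASSUMPTION: roles are emitted in the order
    they were configured; the article does not state the ordering."""
    held = set(user_roles)
    return delimiter.join(r for r in configured_roles if r in held)


def check_accept(output: str, expected_attrs: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the reply was an
    Access-Accept carrying every expected attribute with the expected value."""
    parsed = parse_radtest(output)
    problems = []
    if parsed["reply_code"] != "Access-Accept":
        problems.append(f"reply was {parsed['reply_code']!r}, not Access-Accept")
    for name, want in expected_attrs.items():
        got = parsed["reply"].get(name)
        if got is None:
            problems.append(f"missing attribute {name}")
        elif got != want:
            problems.append(f"{name}: expected {want!r}, got {got!r}")
    return problems


if __name__ == "__main__":
    configured = ["Default", "Administrator", "IT Systems"]     # roles selected in the dialog
    user = ["IT Systems", "Default", "Administrator", "Finance"]  # constructed user; Finance is not configured
    want = expected_dynamic_value(user, configured, ";")
    print(check_accept(SAMPLE_RADTEST_OUTPUT,
                       {"Filter-Id": want, "Tunnel-Private-Group-Id": want}))
```

Running the check against a real transcript is a cheap regression test after editing role assignments or attribute mappings: a user who has lost a role should produce a non-empty problem list, and an Access-Reject is reported before any attribute is compared.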

  12. Proceed to your NAS configuration.

 

Configure NAS

Configure RADIUS for authentication on your device using the following settings:

Note: If you don't know whether your OneLogin account is on the US or EU region, contact OneLogin support.

When possible, use the RADIUS server domain name rather than the IP address, as IP addresses may change.

NAS configuration            US OneLogin DB shard                      EU OneLogin DB shard
AAA/RADIUS primary server    radius.us.onelogin.com (52.34.255.206)    radius.eu.onelogin.com (35.156.138.255)
AAA/RADIUS secondary server  radius2.us.onelogin.com (18.216.23.112)   radius2.eu.onelogin.com (54.246.141.64)
Authentication scheme        PAP or EAP-TTLS/PAP
RADIUS Port                  UDP/1812
Secret/key                   Same as the shared secret entered on the OneLogin RADIUS configuration page


Troubleshoot RADIUS service

Why is authentication failing against the OneLogin RADIUS service?

You may have configured the RADIUS service in OneLogin to use the wrong RADIUS User-Name value. The default configuration in OneLogin uses the OneLogin email value as the RADIUS User-Name. However, your NAS may be passing sAMAccountName or the value held in the OneLogin Username field instead, in which case authentication fails.

Check to see what value is being passed by your NAS. Then go to Settings > RADIUS, select your RADIUS service, and go to the Attributes section to confirm that the OneLogin attribute is the same. If not (let's say your NAS uses sAMAccountName and it's set to OneLogin Email in the Attributes section), change the OneLogin attribute and save the page.

 

