Your suggested change has been received. Thank you.

SAS PCE documentation
- Explore Thales Docs

SAS PCE
Agents
MobilePASS+
SafeNet Access Exchange
BSIDCA API
- BSIDCA endpoints
- BSIDCA custom attributes
Integrations
Account management
Release Notes

All

All
CipherTrust Manager
CipherTrust Application Data Protection (CADP)
CipherTrust Application Key Management (CAKM)
CipherTrust Batch Data Transformation (BDT)
CipherTrust Cloud Key Management (CCKM)
CipherTrust Data Discovery and Classification (DDC)
CipherTrust Data Protection Gateway (DPG)
CipherTrust Database Protection (CDP)
CipherTrust Intelligent Protection (CIP)
CipherTrust Integrations
CipherTrust Migrations
CipherTrust RESTful Data Protection (CRDP)
CipherTrust Transparent Encryption (CTE)
CipherTrust Transparent Encryption Userspace (CTE-U)
CipherTrust Secrets Management (CSM)
CipherTrust Vaulted Tokenization (CT-V)
CipherTrust Vaultless Tokenization (CT-VL)
CTE-Linux
CTE-Windows
CTE-AIX
CTE-K8s
CTE-U
Crypto Command Center
Data Protection on Demand
Luna Cloud HSM
Luna Network HSM
Luna PCIe HSM
Luna USB HSM
OneWelcome Identity Platform
ProtectApp LUKS
ProtectServer 2 HSM
ProtectServer 3 HSM
SafeNet Trusted Access (STA)
SafeNet MobilePASS+
SafeNet MobilePASS+ for Android
SafeNet MobilePASS+ for Chrome
SafeNet MobilePASS+ for macOS
SafeNet MobilePASS+ for iOS
SafeNet MobilePASS+ for WatchOS
SafeNet MobilePASS+ for Windows
SafeNet Synchronization Agent
SafeNet Logging Agent
SafeNet Agent for FreeRADIUS
SafeNet Agent for NPS
SafeNet Agent for Windows Logon
SafeNet Authentication Service Private Cloud Edition (SAS PCE)
SafeNet Remote Logging Agent
SafeNet Keycloak Agent
SafeNet IDPrime Virtual (IDPV)
SafeNet FIDO Key Manager
SafeNet FIDO Key Manager for Android
SafeNet FIDO Key Manager for iOS
SafeNet FIDO Key Manager for Windows

SAS PCE

RADIUS integration

Please Note:

SAS PCE
Get started
- System Requirements
- Installation
  - Install SafeNet Authentication Service
  - Prepare database
  - Configure SafeNet Authentication Service
  - Configure SafeNet Authentication Service for High Availability
  - Configure for MobilePASS and MobilePASS+ Enrollment
  - Onboarding for MobilePASS+ enrollment
  - SAS PCE Windows Services Startup Recommendations
  - Security and Compliance
- Upgrade
  - SafeNet Authentication Service pre-upgrade checklist
  - SafeNet Authentication Service upgrade - primary data center
  - SafeNet Authentication Service upgrade - secondary data center
  - SafeNet Authentication Service post-upgrade checklist
  - Additional Considerations
- System setup
  - Setup
  - Communications
  - Logging
Dashboard
- On-Boarding
- Virtual Servers
- Administration
Users and groups
- Configure individual users
- Manage tokens for a user
- Groups
- Containers
- Restrict access based on the time, day, or date
- User Policies
User synchronization
- LDAP sync server settings
- LDAP integration
- LDAP settings
Operators and roles
- Operators
- External Operators
- Provision roles automatically
- Alerts
Tokens
- Token types
  - Hardware tokens
    - OTP hardware token
    - KT-4 tokens
    - RB-1 tokens
  - Software tokens
    - GrIDsure
    - SMS OTP token
  - Third Party tokens
- Token allocations
- Token templates
- Token restrictions
- Temporary Password Policy
- Token Passcode Processing Policy
- Configure server-side PINs
- Token synchronization
- Import SafeNet tokens
- Token inventory
- Deallocate inventory
- MobilePASS target and Push OTP settings
- SMS credits
- SMS/Email/Voice OTP Delivery Methods
- Quicklog authentication
- Initialize hardware tokens
Provisioning tokens to users
- Provision tokens
- Automate token provisioning
- Provisioning tasks
- Assign a hardware token to a user
- Bulk assign third-party tokens
Push OTP
- Requirements and considerations for Push OTP
- Enable Push OTP and MobilePASS+
- Push OTP Rejection Policy
- Customize Push notifications and alerts
- Configure applications for Push OTP
- Token management and enrollment
- Push OTP authentications
RADIUS integration
- RADIUS third-party token support
- RADIUS attributes for users or groups
- Block RADIUS authentication
Server and agent settings
- Authentication Nodes
- Pre-authentication rules
- Restrict IP range
- Email server settings
- SMS settings
- Voice OTP settings
- Configure a voice provider
- FTP/SFTP/SCP settings
- Time zone offset
- Download an encryption key for agents
- Language
- Migrate SafeNet authentication servers
- Display Device Information
- Download an encryption key for remote services
Self-service site
- Site appearance and default language
- Self-Service Modules
- Self-Enrollment pages
- Configure authorities, OOB enrollment, and policies
- Process requests and view reports
Branding the appearance
- Customize email messages
- Customize SMS messages
- Customize voice OTP messages
Reports
- Billing reports
- Compliance reports
- Inventory reports
- Security policy reports
Troubleshooting
- Authentication errors
- Error codes

SAS PCE documentation
SAS PCE
RADIUS integration

RADIUS integration

SafeNet Authentication Service (SAS) provides different options for integrating with RADIUS-based applications. These options also eliminate the requirement for having IPsec VPN tunnels to connect to the RADIUS server. This article highlights these different options and outlines considerations for choosing the one that best matches your needs.

Secure RADIUS traffic over the public internet

It is important to consider the security of the RADIUS traffic while it is carried through the public network. An attacker could intercept the RADIUS traffic between your data center and the SAS server that is hosting the RADIUS server, which could lead to a leak of RADIUS request and response information.

This type of attack can occur because the RADIUS traffic is protected by the RADIUS shared secret and a hiding mechanism that is based on a combination of stream cipher and md5 hash, rather than a standard encryption scheme. In particular, in PAP mode, the password data is protected by the RADIUS shared secret, and in MSCHAPv2 mode, the password data is further protected by the MS-CHAP authentication protocol.

SAS offers RADIUS integration options that are designed to protect your traffic from this risk. One integration option is based on the RADIUS PEAP (EAP-MSCHAPv2) protocol, which secures the information that is transported through the use of a TLS connection. Other integration options use the SafeNet agents that are built for RADIUS integration and are deployed on your premises. These agents interconnect with your RADIUS client and transport the traffic to SAS using a proprietary security protocol.

Deployment options for RADIUS integration

The following RADIUS integration options are available:

Connect your RADIUS client directly to SAS and use the RADIUS PEAP protocol: Use the RADIUS PEAP (EAP-MSCHAPv2) protocol. This option tunnels a MSCHAPv2 request in a secure TLS connection. Your RADIUS client needs to support PEAP.
Connect your RADIUS client to one of the SafeNet RADIUS agents: To use the agents, terminate the RADIUS traffic in your data center by configuring an on-premises RADIUS server with a SafeNet RADIUS agent. Thales offers two agents for RADIUS integration. Both agents support the same protocols. The difference between the agents is the deployment environment:
- SafeNet Agent for FreeRADIUS is delivered in a bucket (Docker) container.
- SafeNet Agent for NPS is for a Windows environment.
  
  If using the FreeRADIUS agent, see also block RADIUS authentication.

How to choose your integration option

If your RADIUS client supports PEAP, Thales recommends that you connect your RADIUS client directly to SAS and use the RADIUS PEAP protocol.
If your RADIUS client does not support PEAP:
- First check whether your application supports OIDC. If yes, Thales recommends that you integrate your application with OIDC instead of RADIUS.
- If your application does not support SAML or OIDC, choose one of the agent-based deployment options:
  - For agent deployment in a Windows Server environment: Use SafeNet Agent for NPS.
  - For agent deployment in a Docker container environment: Use SafeNet Agent for FreeRADIUS.

On this page

Secure RADIUS traffic over the public internet
Deployment options for RADIUS integration
How to choose your integration option

SafeNet Authentication Service Private Cloud Edition

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Customer Support Portal
Legal

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

Print

Suggest An Edit

Download this Page

Download Project

Copy Link

Copy Link

Copy Link