RADIUS third-party token support
RADIUS is a configuration that can be used with any third-party token. Its purpose is to give enterprises a simple and effective migration path from their existing third-party vendor's authentication product to SAS and, in the process, extend most of the SAS management functionality (PIN management, automated provisioning, authentication history and reporting, and pre-authentication rules) to users with third-party tokens.
This method is similar to RADIUS proxy, but there are substantial differences:

Similarities | Differences
---|---
SAS is configured as a RADIUS client to the third-party RADIUS server. Configuration is standard RADIUS: IP address, port number, shared secret. | In RADIUS proxy, all user and token management, authentication history, reporting, etc. must be done at the third-party RADIUS server. In RADIUS token mode, all management can be done through SAS, except for reassignment of third-party tokens.
Any third-party tokens imported into SAS using the RADIUS option automatically use the method as configured in this module.
The following diagram illustrates migration using RADIUS tokens:
- On the SAS console, select Policy > Token Policies > Third-Party Authentication Options.
- In the Third-Party Token Type list, select RADIUS and select Edit.
- Configure the options as required:
  - RADIUS IP—The IP address of the third-party authentication server's RADIUS server. During authentication, SAS passes the OTP over this connection to the third-party server for passcode verification.
  - Secondary RADIUS IP—Provides redundancy for the RADIUS IP setting above. This setting is optional but recommended.
  - RADIUS Port—The port number to be used for RADIUS requests. The default is 1812. This value must match the setting on the third-party authentication server.
  - RADIUS Shared Secret—The shared secret used to encrypt RADIUS traffic. It must be identical in SAS and the third-party RADIUS server.
  - User Name—The user ID. It must exist in both SAS and the third-party RADIUS server. In addition, the token assigned to the user must have been imported as a “RADIUS” token and must be the same token assigned to the user in the third-party server.
  - User Password
  - Test—Tests the configuration before saving the changes, and displays the result of the authentication test.
Configure RADIUS IP addresses and Port numbers
This functionality is only available to administrators.
To configure RADIUS IP addresses and port numbers:
- Click On-Boarding > Auth Nodes > RADIUS IP/Port #s. The RADIUS IP/Port #s section displays.
- Select Custom. The RADIUS IP address and port number fields display.
- Complete the fields provided:
  - Primary RADIUS Server—Configure your RADIUS client (for example, a VPN gateway) to use this address as the primary RADIUS server.
  - Failover RADIUS Server—Configure your RADIUS client (for example, a VPN gateway) to use this address as the failover RADIUS server.
  - Primary Agent DNS—Configure your agent (for example, Logon Agent for Windows) to use this address as the primary authentication server.
  - Failover RADIUS Server—Configure your agent (for example, Logon Agent for Windows) to use this address as the failover authentication server. Configuring the RADIUS client to use the failover RADIUS server as its primary, or not configuring a failover RADIUS server at all, may result in reduced performance or an authentication outage.
- Click Apply.
For more information about configuring auth nodes, see the Authentication nodes section.
Configure PUSH support for RADIUS tokens
As of release 3.8, SAS PCE can forward PUSH authentication requests to, and receive responses from, the SAS Cloud RADIUS server. As a result, operators and users can use the PUSH service to authenticate (and access applications) with RADIUS tokens.
Prerequisites
- SAS Cloud account
- Capacity for PUSH-capable MobilePASS+ tokens
Configuration – SafeNet Authentication Service Cloud
- Add users in SAS Cloud. The user details must be exactly identical in both SAS platforms (Cloud and PCE).
- Provision each user with a MobilePASS+ token.
Configuration – SafeNet Authentication Service PCE
- Verify users in SAS PCE.
- Configure RADIUS tokens in SAS PCE.
- Assign RADIUS tokens to users.
- Add RADIUS settings in SAS PCE that point to the SAS Cloud RADIUS server with a defined secret key.
Note
- Ensure that a user (FirstName, LastName, Userid, Email) that exists in SAS PCE also exists in SAS Cloud. The user details must be exactly identical in both SAS platforms so that the same user is found when searched in either platform.
- Ensure that a user who is provisioned a RADIUS token in SAS PCE is also provisioned a MobilePASS+ token in SAS Cloud.
See also: Bulk assign third-party tokens.