Configure MFA for a RADIUS Client

RADIUS client resources represent devices that send RADIUS packets to the AuthPoint Gateway. These are commonly used to authenticate users for firewalls and VPNs.

You must link RADIUS client resources to the AuthPoint Gateway and you must specify a shared secret key so that the RADIUS server (AuthPoint Gateway) and the RADIUS client can communicate.

See the AuthPoint Integration Guides for steps to configure AuthPoint multi-factor authentication (MFA) for specific RADIUS client resources.

AuthPoint supports RADIUS authentication with PAP and MS-CHAPv2. 802.1x authentication is not supported.

AuthPoint truncates RADIUS packets that contain more than 3000 characters of group information for a user. If the names of all groups a user belongs to total more than 3000 characters, AuthPoint truncates the group information and the response includes only the first 3000 characters.

RADIUS Authentication Workflow

This section explains the authentication flow when a user authenticates with the RADIUS protocol. The authentication workflow is different for local AuthPoint users and users synced from an LDAP database, and for RADIUS client resources that use MS-CHAPv2.

Add a RADIUS Client Resource

  1. In the AuthPoint management UI, select Resources.
    The Resources page opens.

  1. From the Choose a resource type drop-down list, select RADIUS Client. Click Add Resource.
    The RADIUS client resource page opens.
  2. In the Name text box, type a descriptive name for the resource.
  3. In the RADIUS client trusted IP or FQDN text box, type the IP address that your RADIUS client uses to send RADIUS packets to the AuthPoint Gateway. This must be a private IP address. For Fireboxes, this is usually the Trusted IP address of your Firebox.
  4. From the Value sent for RADIUS attribute 11 drop-down list, select the value to send for the attribute 11 (Filter-ID) value in RADIUS responses. You can send either the user's AuthPoint groups or the user's Active Directory groups.

    If you have configured a group sync to sync groups from Active Directory or Azure Active Directory to AuthPoint, the option to send the user's AuthPoint groups includes any Active Directory or Azure Active Directory groups that the user is a member of.

  5. In the Shared Secret text box, type the password that the RADIUS server (AuthPoint Gateway) and the RADIUS client will use to communicate.

  1. To configure the RADIUS client resource to accept MS-CHAPv2 authentication requests, click the Enable MS-CHAPv2 toggle. You might do this if you want to configure AuthPoint MFA for IKEv2.
    Additional fields appear.

    To use the MS-CHAPv2 feature, you must install version 5.3.1 or higher of the AuthPoint Gateway.

  2. In the NPS RADIUS Server trusted IP or FQDN text box, type the IP address or FQDN of the NPS RADIUS server.
  3. In the Port text box, type the port number for the Gateway (RADIUS server) to use to communicate with NPS. The default port is 1812.

    If NPS and the Gateway are installed on the same server, the port that the Gateway uses to communicate with NPS must be different than the port that the Gateway uses to communicate with the RADIUS client.

  4. In the Timeout in Seconds text box, type a value in seconds. The timeout value is the amount of time before a push authentication expires.

  1. Click Save.
  2. Add the RADIUS resource to your existing authentication policies, or add new authentication policies for the RADIUS resource. Authentication policies specify which resources users can authenticate to and which authentication methods they can use. For more information, see About AuthPoint Authentication Policies.

    For RADIUS authentication, policies that have a network location do not apply because AuthPoint does not have the IP address of the user. We recommend that you configure policies for RADIUS resources without network locations.

    You must enable the push authentication method for policies with MS-CHAPv2 RADIUS resources.

Add a RADIUS Client Resource to a Gateway Configuration

After you add a RADIUS client resource, you must add it to the configuration for your AuthPoint Gateway. This enables the RADIUS client to communicate with the RADIUS server (Gateway) and with AuthPoint.

If you have not already installed the AuthPoint Gateway, see About Gateways for detailed steps to download and install the AuthPoint Gateway.

To add a RADIUS client resource to the Gateway configuration:

  1. From the navigation menu, select Gateway.
  2. Click the Name of your Gateway.

  1. In the RADIUS section, in the Port text box, type the port number for the RADIUS client to use to communicate with the Gateway (RADIUS server). The default Gateway ports are 1812 and 1645.

    If you already have a RADIUS server installed that uses port 1812 or 1645, you must use a different port to communicate with the Gateway.

  1. From the Select a RADIUS resource list, select your RADIUS client resource(s).

  1. Click Save.

Configure the RADIUS Client

After you successfully add a RADIUS client resource and connect it with your Gateway, the last step is to configure your RADIUS client for authentication. Refer to the AuthPoint Integration Guides for the steps to configure specific RADIUS client resources.

See Also

Configure MFA for a Firebox

Firebox Mobile VPN with SSL Integration with AuthPoint

Firebox Mobile VPN with IKEv2 Integration with AuthPoint for Active Directory Users

Firebox Mobile VPN with IKEv2 Integration with AuthPoint for Azure Active Directory Users

Firebox Cloud Mobile VPN with IKEv2 Integration with AuthPoint for Azure Active Directory Users

Firebox Mobile VPN with IPSec Integration with AuthPoint

Firebox Mobile VPN with L2TP Integration with AuthPoint

Firebox Mobile VPN with L2TP Integration with AuthPoint for Azure Active Directory Users

AuthPoint Integration Guides

About Gateways

How RADIUS Server Authentication Works