Configure MFA for a RADIUS Client

RADIUS client resources represent Fireboxes or other devices that send RADIUS packets to the AuthPoint Gateway. These are commonly used to authenticate users for firewalls and VPNs.

You must link RADIUS client resources to the AuthPoint Gateway, and you must specify a shared secret key so that the RADIUS server (AuthPoint Gateway) and the RADIUS client can communicate.

See the AuthPoint Integration Guides for steps to configure AuthPoint MFA for specific RADIUS client resources.

Only local AuthPoint users and users synced from Active Directory can authenticate to RADIUS client resources that use MS-CHAPv2.

Add a RADIUS Client Resource

  1. In the AuthPoint management UI, select Resources.
    The Resources page in the AuthPoint management UI opens.
  2. From the Choose a resource type drop-down list, select RADIUS Client. Click Add Resource.

  3. In the Name text box, type a descriptive name for the resource.
  4. In the RADIUS client trusted IP or FQDN text box, type the IP address that your RADIUS client uses to send RADIUS packets to the AuthPoint Gateway. This must be a private IP address. For Fireboxes, this is usually the Trusted IP address of your Firebox.
  5. From the Value sent for RADIUS attribute 11 drop-down list, select the value to send for the attribute 11 (Filter-ID) value in RADIUS responses. You can send either the user's AuthPoint group or the user's Active Directory groups.

    To use this feature, you must install version 5 or higher of the AuthPoint Gateway.

  6. In the Shared Secret text box, type the password that the RADIUS server (AuthPoint Gateway) and the RADIUS client will use to communicate.

  7. To configure the RADIUS client resource to accept MS-CHAPv2 authentication requests, click the Enable MS-CHAPv2 toggle. You might do this if you want to configure AuthPoint MFA for IKEv2.
    Additional fields appear.

    To use this feature, you must install version 5.3.1 or higher of the AuthPoint Gateway.

  8. In the NPS RADIUS Server trusted IP or FQDN text box, type the IP address or FQDN of the NPS RADIUS server.
  9. In the Port text box, type the port number for the Gateway (RADIUS server) to use to communicate with NPS. The default port is 1812.

    If NPS and the Gateway are installed on the same server, the port that the Gateway uses to communicate with NPS must be different than the port that the Gateway uses to communicate with the RADIUS client.

  10. In the Timeout in Seconds text box, type a value in seconds. The timeout value is the amount of time before a push authentication expires.

  11. Click Save.

After you configure the RADIUS client resource, you must assign an access policy to an AuthPoint user group for the RADIUS client resource. Access policies specify which resources require authentication and which authentication method to use for the users that are in that user group. For more information, see Access Policies.

The access policy for a RADIUS client resource that uses MS-CHAPv2 can only use the push authentication method. You cannot use the OTP authentication method if MS-CHAPv2 is enabled.
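How the shared secret and attribute 11 configured in the steps above appear on the wire, as an added example that is not from the AuthPoint documentation: under RFC 2865, a RADIUS client checks each response's MD5 Response Authenticator, which is keyed by the shared secret, and then reads the group from Filter-Id. The secret, the group name `VPN-Users`, the function names, and the handling of more than one Filter-Id attribute are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2   # RADIUS code for Access-Accept (RFC 2865)
FILTER_ID = 11      # RADIUS attribute 11, Filter-Id (RFC 2865)

def build_response(code, ident, request_auth, attrs, secret):
    """Build a response the way a RADIUS server does (used here for sample data)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body

def verify_and_get_filter_ids(packet, request_auth, secret):
    """Verify the Response Authenticator, then return (code, [Filter-Id values])."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    body = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch (wrong secret or altered packet)")
    filter_ids, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = body[i], body[i + 1]
        if attr_len < 2 or i + attr_len > len(body):
            raise ValueError("malformed attribute length")
        if attr_type == FILTER_ID:
            filter_ids.append(body[i + 2:i + attr_len].decode("utf-8"))
        i += attr_len
    return code, filter_ids

# Constructed sample values, not taken from any real deployment.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))   # authenticator the client sent in its Access-Request
SAMPLE = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH,
                        [(18, b"ok"), (FILTER_ID, b"VPN-Users")], SECRET)

if __name__ == "__main__":
    print(verify_and_get_filter_ids(SAMPLE, REQUEST_AUTH, SECRET))
```

A mismatch between the secret typed in the Shared Secret text box and the one on the RADIUS client shows up as the authenticator failure raised here, before any attribute is read.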

Add a RADIUS Client Resource to a Gateway Configuration

After you add a RADIUS client resource, you must add it to the configuration for your AuthPoint Gateway. This enables the RADIUS client to communicate with the RADIUS server (Gateway) and with AuthPoint.

If you have not already installed the AuthPoint Gateway, see About Gateways for detailed steps to download and install the AuthPoint Gateway.

To add a RADIUS client resource to the Gateway configuration:

  1. From the navigation menu, select Gateway.
  2. Click the Name of your Gateway.

  3. In the RADIUS section, in the Port text box, type the port number for the RADIUS client to use to communicate with the Gateway (RADIUS server). The default Gateway ports are 1812 and 1645.

    If you already have a RADIUS server installed that uses port 1812 or 1645, you must use a different port to communicate with the Gateway.

  4. From the Select a RADIUS resource list, select your RADIUS client resource(s).

  5. Click Save.

Configure the RADIUS Client

After you successfully add a RADIUS client resource and connect it with your Gateway, the last step is to configure your RADIUS client for authentication. Refer to the AuthPoint Integration Guides for the steps to configure specific RADIUS client resources.

See Also

Firebox Mobile VPN with SSL Integration with AuthPoint

Firebox Mobile VPN with IPSec Integration with AuthPoint

Firebox Mobile VPN with IKEv2 Integration with AuthPoint

Firebox Mobile VPN with L2TP Integration with AuthPoint

AuthPoint Integration Guides

About Gateways