You configure the User Auth service in the Workspace ONE Access connector to use the connector-based RADIUS (cloud deployment) authentication method when users log into Workspace ONE. You enable the RADIUS authentication method and configure the RADIUS settings in the Workspace ONE Access console.

Prerequisites

  • Install and configure the RADIUS software on an authentication manager server. Because RADIUS two-factor authentication solutions work with authentication managers installed on separate servers, the RADIUS server must be configured and accessible to the Workspace ONE Access service. For RADIUS authentication, follow the vendor's configuration documentation.

    The following RADIUS server information is required to configure RADIUS on the Workspace ONE Access service.

    • IP address or DNS name of the RADIUS server.
    • Authentication port numbers. Authentication port is usually 1812.
    • Authentication type. The authentication types include PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol), MSCHAP1, MSCHAP2 (Microsoft Challenge Handshake Authentication Protocol, versions 1 and 2).
    • RADIUS shared secret that is used for encryption and decryption in RADIUS protocol messages.
    • Specific timeout and retry values needed for RADIUS authentication.
  • The User Auth service installed as a component of the Workspace ONE Access connector.

Procedure

  1. In the Workspace ONE Access console Integrations > Connector Authentication Methods page, click NEW and select RADIUS (cloud deployment).
  2. To configure with this authentication method, select the Directory and the Service Host, and click NEXT.
  3. Configure the RADIUS authentication method settings.
    Option Action
    Number of authentication attempts allowed Enter the maximum number of failed login attempts when using RADIUS to log in. The default is five attempts.
    Login page passphrase hint Enter the text string to display as the message on the user login page to direct users to enter the correct RADIUS passcode. The default text string is RADIUS Passcode. The default message is Please enter the RADIUS Passcode.
    Custom passphrase hint for login page If you enter a custom passphrase hint in this text box, this hint displays as the message on the user login page in place of the login page passphrase hint. For example, if this text box is configured with Enter your AD password first and then SMS passcode, the login page message reads Enter your AD password first and then SMS passcode..
    Enable direct authentication to RADIUS server Change NO to YES to enable direct user authentication. Users are not required to reenter their credentials. In this case, the same username is used for the password.

    Enable this option only when Access-Challenge is configured in the RADIUS server.

    To use direct authentication to the RADIUS server, the user name must be configured the same way on both the RADIUS server and in Active Directory. Note that a user name JSmith in Active Directory does not match jsmith in the RADIUS server.
    Number of attempts to RADIUS server Enter the total number of retry attempts. If the primary server does not respond, the service waits for the configured time before retrying again.
    Server timeout in seconds

    Enter the RADIUS server timeout in seconds, after which a retry is sent if the RADIUS server does not respond.

    RADIUS Server Hostname/Address (Optional) Enter the host name or the IP address of the RADIUS server.
    Authentication port Enter the RADIUS authentication port number. The port is usually 1812.
    Accounting port Enter 0 for the port number. The accounting port is not used currently.
    Authentication type Enter the authentication protocol that is supported by the RADIUS server. Either PAP, CHAP, MSCHAP1, OR MSCHAP2.
    Shared secret Enter the shared secret that is used between the RADIUS server and the Workspace ONE Access service.
    Realm prefix (Optional) The user account location is called the realm. Enter the realm prefix to use.

    If you enter a realm prefix string, the string is placed at the beginning of the user name when the name is sent to the RADIUS server. For example, if the user name is entered as jdoe and the realm prefix DOMAIN-A\ is specified, the user name DOMAIN-A\jdoe is sent to the RADIUS server. If you do not configure the Realm text boxes, only the user name that is entered is sent.

    Realm suffix (Optional) If you specify a realm suffix, the string is placed at the end of the user name. For example, if the suffix is @myco.com, the user name jdoe@myco.com is sent to the RADIUS server.
    Enable basic MSCHAPv2 Validation Change NO to YES to enable basic MS-CHAPv2 validation. If this option is set to YES, then the additional validation of response from the RADIUS server is skipped. By default, full validation will be performed.
  4. You can enable a secondary RADIUS server for high availability.
    Configure the secondary server as described in step 4.
  5. Click NEXT to review the configuration and then click SAVE.
    Screenshot of the server configuration page

What to do next

Add RADIUS as an authentication method to the built-in identity provider configuration page.

Add the RADIUS authentication method to the default access policy. In the console, go to the Resources > Policies page and edit the default policy rules to add the RADIUS authentication method to the rule. See Managing Access Policies in the Workspace ONE Access Service.

For high availability, associate this RADIUS authentication method to other registered Workspace ONE Access connectors where the enterprise service User Auth component is installed.