Authentication

Configuring RADIUS authentication for Active Directory-based actions

Traditional logins to resources on an organizational network involve only a username and password. However, if all the data breaches in recent years teach us anything, it is that they are not sufficient. Multi-factor authentication (MFA) has become an indispensable part of logins and implementing it is mandatory to meet regulatory standards such as the GDPR and the HIPAA. RADIUS or Remote Authentication Dial-In User Service is one of the methods that can be used for MFA.

When RADIUS is used for MFA, users first need to provide their username and password. They are then asked to enter the unique RADIUS password that is mapped to their account to authenticate themselves. If the password provided is valid, they will be allowed to access the service. Implementing MFA using RADIUS and other methods during Active Directory-based actions like domain logins, password changes, and self-service password resets and account unlocks can be extremely beneficial to domain user accounts and network security.

ADSelfService Plus, an identity management solution, offers RADIUS along with 20 other authentication methods including FIDO Passkeys, Biometric Authentication, and Zoho OneAuth TOTP, to secure users during:

• Active Directory self-service password reset or account unlock actions via the ADSelfService portal, ADSelfService Plus mobile app, and native Windows/macOS/Linux login screens.
• Windows, macOS, and Linux logins.
• Enterprise application logins through single sign-on (SSO).
• Self-update of Active Directory profile information, subscription to mail groups, and employee search using ADSelfService Plus.

Follow these instructions to enable RADIUS authentication for MFA in ADSelfService Plus

Prerequisites

Configure a RADIUS client in the RADIUS server for ADSelfService Plus using configuration steps specific to the RADIUS server, and restart it.

Steps to configure ADSelfService Plus for RADIUS Authentication

1. Log into ADSelfService Plus with admin credentials and navigate to Configuration > Self Service > Multi-Factor Authentication > Authenticators Setup.
2. From the Choose the Policy drop-down, select a policy.

   Note: ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration > Self-Service > Policy Configuration > Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy. Only users belonging to OUs and groups included in the policy can perform the self-service feature(s) selected.

3. Click the RADIUS Authentication section.
4. Enter the Server Name, Server Port number, Server Protocol, Secret Key, Username Pattern, and the Request Time Out seconds.

   

5. Click Save.

RADIUS Authentication for AD password resets

1. Log into ADSelfService Plus with admin credentials and navigate to Configuration > Self-Service > Multi-factor Authentication > MFA for Reset/Unlock.
2. Under MFA for Password Reset/Account Unlock, enter the number of authentication factors to be enforced, and select RADIUS Authentication along with any other authentication techniques to be used.
3. Click Save Settings.

Enable RADIUS Authentication for machine logins

1. Log into ADSelfService Plus with admin credentials and navigate to Configuration > Self-Service > Multi-factor Authentication > MFA for Endpoints.
2. Under MFA for Machine Logins, enter the number of authentication factors to be enforced, and select RADIUS Authentication along with any other authentication techniques to be used.
3. Click Save Settings.

Note:

To enable MFA for Active Directory domain logins:

• The ADSelfService Plus login agent must be installed on client machines. Click here for steps on login agent installation.
• SSL must be enabled: Click here to learn how.

Learn more about ADSelfService Plus and its Multi-factor Authentication feature.