Configuring RADIUS back-end authentication

To enable RADIUS back-end authentication

1. Launch the OneSpan Authentication Server Appliance Configuration Tool and enter your credentials (see Accessing OneSpan Authentication Server Appliance Configuration Tool and OneSpan Authentication Server Administration Web Interface).
2. Select Authentication Server > Authentication Back-Ends.
3. Select Enabled for the RADIUS back-end server.
4. Click SAVE.

To add a RADIUS back-end server record

1. Log on to the OneSpan Authentication Server Administration Web Interface (see Accessing OneSpan Authentication Server Appliance Configuration Tool and OneSpan Authentication Server Administration Web Interface).
2. Switch to the BACK-END tab and click Register RADIUS Back-End.

3. Fill in the necessary fields. Note the following points for the relevant fields:

   • The default value of Authentication Port is 1812, but you need to use the port that was selected for your installation.
   • The values for Accounting IP Address and Accounting Port are only necessary if accounting is required.
   • The default value of Accounting Port is 1813, but you need to use the port that was selected for your installation.
   • Type the IP address of the RADIUS back-end server in the Authentication IP Address and Account IP Address boxes.
   • Type the shared secret used by the RADIUS back-end server in the Shared Secret and Confirm Shared Secret boxes.
   • The value of the Timeout (seconds) box is mandatory.
   • In the Retries box, enter the number of retries before abandoning attempts to send an authentication request to the RADIUS server.
   • Enter the encoding/locale format required by the RADIUS server in the Character Encoding box.
   • Specify whether to include the realm in the userName RADIUS attribute of an authentication request.
   • Specify the realm to be included in the userName RADIUS attribute of an authentication request in the Custom Realm box.

4. Click CREATE.

To adjust the authentication policy settings

1. Log on to the OneSpan Authentication Server Administration Web Interface (see Accessing OneSpan Authentication Server Appliance Configuration Tool and OneSpan Authentication Server Administration Web Interface).
2. Select POLICIES > List.

3. Select the policy to be used and click Edit to configure the policy settings:

   • Local Authentication: Digipass only (local authentication is always used with an authenticator)
   • Back-End Authentication: Always (back-end authentication is always used)
   • Back-End Protocol: RADIUS
4. Click SAVE.

This procedure configures authenticator-only authentication with RADIUS back-end authentication in the assigned policy. Other authentication settings and authentication options (e.g. grace period, assignment methods) can also be configured.

For more information about the possible policy settings, refer to the OneSpan Authentication Server Appliance Product Guide, Section "Policies". For a list and explanation of the pre-loaded default policies, refer to the OneSpan Authentication Server Appliance Administrator Reference.

For different policy options for examples of practical setups using a RADIUS simulator client, see  Test scenarios.

To create a client record and assign the policy

1. Create a client record in the OneSpan Authentication Server Administration Web Interface (see Client component records).
2. Assign the policy for which you have adjusted the back-end authentication settings in the Policy ID box.