Deploying Typical RADIUS Environments
  • 02 Jan 2025


You can deploy OneSpan Authentication Server Appliance in various, typical RADIUS environments.

Standalone OneSpan Authentication Server Appliance in a RADIUS environment

This topology is ideal for services where RADIUS attributes are not required and one of the supported password protocols is used:

  • PAP
  • CHAP
  • MS-CHAP
  • MS-CHAP v2

When using CHAP, note that score-based authenticator applications do not support CHAP-based RADIUS authentications.

This deployment requires the following:

  • The IP address of the RADIUS client.
  • The shared secret used by the RADIUS client. Alternatively, you can select a secret to use now if the RADIUS client isn't yet equipped with a shared secret.

Figure: Standalone OneSpan Authentication Server Appliance in a RADIUS environment

This procedure is for manual deployment after installation. The following configuration is also available during the initial configuration of a Basic installation.

To deploy a standalone OneSpan Authentication Server Appliance instance in a RADIUS environment

  1. Log on to the OneSpan Authentication Server Administration Web Interface (see Accessing OneSpan Authentication Server Appliance Configuration Tool and OneSpan Authentication Server Administration Web Interface).
  2. Select CLIENTS > Register.
  3. Create a new client component with the following settings:

    • Client Type: RADIUS Client
    • Location: IP address of the RADIUS client
    • Policy ID: Policy you want to use for this RADIUS client
    • Protocol ID: RADIUS
    • Shared Secret: Shared secret used by the RADIUS client
  4. Click Create.

When you have configured OneSpan Authentication Server Appliance (either via this procedure or during Basic installation), configure your RADIUS client to send authentication requests to OneSpan Authentication Server Appliance. Information about the IP address and port of the RADIUS communicator is available in the Configuration Utility (in the Communicators > RADIUS tab).
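The Shared Secret registered for the client record must match the RADIUS client's secret byte for byte, because with PAP the client hides the User-Password attribute under that secret and checks the reply's Response Authenticator against it (RFC 2865, sections 3 and 5.2). The following Python code is an added example, not part of the OneSpan documentation or product; it shows both sides of that exchange and what a mismatched secret produces. All function names and sample values are constructed for illustration.

```python
import hashlib
import hmac

def _keystream_xor(block: bytes, secret: bytes, prev: bytes) -> bytes:
    # XOR one 16-octet block with MD5(shared secret + previous ciphertext block)
    pad = hashlib.md5(secret + prev).digest()
    return bytes(a ^ b for a, b in zip(block, pad))

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RADIUS client side: build the User-Password attribute value."""
    if not 1 <= len(password) <= 128 or len(request_auth) != 16:
        raise ValueError("password must be 1-128 octets, authenticator 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _keystream_xor(padded[i:i + 16], secret, prev)
        hidden += prev
    return hidden

def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RADIUS server side: undo the hiding with the secret registered for the client."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128 or len(request_auth) != 16:
        raise ValueError("malformed User-Password value or authenticator")
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        clear += _keystream_xor(hidden[i:i + 16], secret, prev)
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")

def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def reply_is_authentic(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: accept a reply only if its authenticator matches our secret."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    expected = response_authenticator(packet[0], packet[1], packet[20:],
                                      request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment
    secret, ra = b"constructed-shared-secret", bytes(range(16))
    hidden = hide_password(b"otp-123456", secret, ra)
    print(recover_password(hidden, secret, ra))           # matching secret
    print(recover_password(hidden, b"typo-secret", ra))   # mismatched secret
```

A mismatched secret does not raise a protocol error: the server recovers a different byte string and the authentication simply fails, so repeated rejections of known-good credentials from one client are a cue to compare the secret on both sides.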

OneSpan Authentication Server Appliance as RADIUS proxy target

You may want to use this topology in the following cases:

  • The RADIUS server supports the proxying of authentication while returning attributes itself.
  • The RADIUS server can forward the authentication request using one of the supported password protocols:

    • PAP
    • CHAP
    • MS-CHAP
    • MS-CHAP v2
  • The RADIUS server supports an Access-Challenge response from OneSpan Authentication Server Appliance if required. The Access-Challenge mechanism is used for challenge/response and Virtual Mobile Authenticator, although it is still possible to use Virtual Mobile Authenticator without it.

If the RADIUS server is capable, this scenario allows OneSpan Authentication Server Appliance to operate in an environment that uses certificate-based EAP protocols such as PEAP and EAP-TTLS. To make this work, the RADIUS server decrypts the user credentials into a simpler protocol before forwarding the request to OneSpan Authentication Server Appliance.

This deployment requires the following:

  • The IP address of the RADIUS server.
  • The shared secret used by the RADIUS server.

Figure: OneSpan Authentication Server Appliance as RADIUS proxy server

This procedure is for manual deployment after installation. The following configuration is also available during the initial configuration of a Basic installation.

To deploy OneSpan Authentication Server Appliance as a RADIUS proxy server

  1. Log on to the OneSpan Authentication Server Administration Web Interface (see Accessing OneSpan Authentication Server Appliance Configuration Tool and OneSpan Authentication Server Administration Web Interface).
  2. Select CLIENTS > Register.
  3. Create a new client component with the following settings:

    • Client Type: RADIUS Client
    • Location: IP address of the RADIUS server
    • Policy ID: Policy you want to use for this RADIUS server
    • Protocol ID: RADIUS
    • Shared Secret: Shared secret used by the RADIUS server
  4. Click Create.

When you have configured OneSpan Authentication Server Appliance (either via this procedure or during Basic installation), configure your RADIUS server to send authentication requests to OneSpan Authentication Server Appliance. Information about the IP address and port of the RADIUS communicator is available in the Configuration Utility (in the Communicators > RADIUS tab).

OneSpan Authentication Server Appliance as intermediate server

When used as an intermediate authentication server, OneSpan Authentication Server Appliance can be set up in two basic modes:

  • OTP-Only. OneSpan Authentication Server Appliance keeps a record of a user's static password and relays it to the back-end server.

    Figure: OneSpan Authentication Server Appliance as intermediate server (OTP-Only)

  • OTP-Password. The user enters an OTP and a password. The password is not stored by OneSpan Authentication Server Appliance, but is relayed to the back-end server for authentication.

    Figure: OneSpan Authentication Server Appliance as intermediate server (OTP-Password)

Both modes require the following:

  • The IP address of both RADIUS client and RADIUS server.
  • The shared secret used by both RADIUS client and RADIUS server.

This procedure is for manual deployment after installation. The following configuration is also available during the initial configuration of a Basic installation.

To deploy OneSpan Authentication Server Appliance as an intermediate server

  1. Log on to the OneSpan Authentication Server Administration Web Interface (see Accessing OneSpan Authentication Server Appliance Configuration Tool and OneSpan Authentication Server Administration Web Interface).
  2. Select CLIENTS > Register.
  3. Create a new client component with the following settings:

    • Client Type: RADIUS Client
    • Location: IP address of the RADIUS client
    • Policy ID: Policy you want to use for this RADIUS client
    • Protocol ID: RADIUS
    • Shared Secret: Shared secret used by the RADIUS client
  4. Click Create.
  5. When you have configured OneSpan Authentication Server Appliance (either via this procedure or during Basic installation), configure your RADIUS client to send authentication requests to OneSpan Authentication Server Appliance. Information about the IP address and port of the RADIUS communicator is available in the Configuration Utility (in the Communicators > RADIUS tab).
  6. Select BACK-END > Register RADIUS Back-End.
  7. Configure the back-end server with the following settings:

    • Back-End Server ID: An identifier for the RADIUS server.
    • Domain Name: Set this to master if the RADIUS server should process authentication requests from all domains; otherwise, specify a domain.
    • Priority: Use this if you want to define multiple back-end servers for failover reasons – the one with the highest priority will be used first.
    • Authentication IP Address: The IP address that the RADIUS server is using for authentication requests.
    • Authentication Port: The port that the RADIUS server is using for authentication requests.
    • Accounting IP Address: The IP address that the RADIUS server is using for accounting requests.
    • Accounting Port: The port that the RADIUS server is using for accounting requests.
    • Shared Secret: The shared secret of the RADIUS server.
    • Timeout (seconds): Timeout value for the connection to the RADIUS server.
    • Retries: Number of retries before abandoning attempts to send an authentication request to the RADIUS server.
    • Character Encoding: Encoding/locale format required by the RADIUS server.
    • Include Realm: Determines whether to include the realm in the userName RADIUS attribute of an authentication request.
    • Custom Realm: The realm to be included in the userName RADIUS attribute of an authentication request.
  8. Click Create.
