- 21 Jan 2025
- 4 minutes to read
Deploying Typical RADIUS Environments
OneSpan Authentication Server can be deployed in a number of typical RADIUS environments, described below.
Standalone OneSpan Authentication Server in a RADIUS environment
This topology is ideal for services where RADIUS attributes are not required and one of the supported password protocols is used:
- PAP
- CHAP
- MS-CHAP
- MS-CHAP v2
Note that score-based authenticator applications do not support CHAP-based RADIUS authentication, so CHAP cannot be used with them.
This deployment requires the following:
- The IP address of the RADIUS client.
- The shared secret used by the RADIUS client. If the RADIUS client has not been given a shared secret yet, choose one now and configure the client with it afterwards.
Figure: Standalone OneSpan Authentication Server in a RADIUS environment
This procedure is for manual deployment after installation. The following configuration is also available during the initial configuration of a Basic installation.
To deploy a standalone OneSpan Authentication Server instance in a RADIUS environment
- Log on to the Administration Web Interface.
- Select CLIENTS > Register.
- Create a new client component with the following settings:
  - Client Type: RADIUS Client
  - Location: IP address of the RADIUS client
  - Policy ID: Policy you want to use for this RADIUS client
  - Protocol ID: RADIUS
  - Shared Secret: Shared secret used by the RADIUS client
- Click Create.
When you have configured OneSpan Authentication Server (either via this procedure or during Basic installation), configure your RADIUS client to send its authentication requests to OneSpan Authentication Server. The IP address and port of the RADIUS communicator are shown in the Configuration Utility (Communicators > RADIUS tab).
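The two values this deployment asks for (client IP address and shared secret) are all that protects the RADIUS exchange between client and server. The following added example, which is not code from the page or from OneSpan, shows what the shared secret does on the wire for PAP, the first of the four supported password protocols: it keys the User-Password obfuscation in the Access-Request (RFC 2865 section 5.2) and the Response Authenticator that lets the client check that an Access-Accept really came from the server it registered with. The server side is a stand-in that decodes the password with its own copy of the secret; the secret, user name and password are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed sample value (not from the page): the secret registered for one RADIUS client.
SHARED_SECRET = b"constructed-demo-secret"


def encode_pap_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide a PAP password as in RFC 2865 section 5.2: pad to a multiple of 16 bytes,
    then XOR each block with MD5(secret + previous ciphertext block); the first block
    is keyed with the Request Authenticator. Only the shared secret makes this reversible."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_pap_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Reverse of encode_pap_password; this is what the server does on receipt."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, user_name: str, password: bytes,
                         secret: bytes, request_auth: bytes = None) -> bytes:
    """Client side: Access-Request carrying User-Name and an obfuscated User-Password."""
    if request_auth is None:
        request_auth = os.urandom(16)  # must be unpredictable and unique per request
    attrs = attribute(ATTR_USER_NAME, user_name.encode()) + \
        attribute(ATTR_USER_PASSWORD, encode_pap_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def parse_packet(packet: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def response_authenticator(code: int, identifier: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, identifier: int, request_auth: bytes,
                   attrs: bytes, secret: bytes) -> bytes:
    """Server side: Access-Accept/Reject whose authenticator binds it to one request."""
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + \
        response_authenticator(code, identifier, request_auth, attrs, secret) + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: accept only an answer signed with the expected secret for this request."""
    code, identifier, got_auth, _ = parse_packet(packet)
    expected = response_authenticator(code, identifier, request_auth, packet[20:], secret)
    return hmac.compare_digest(got_auth, expected)


def demo_exchange(client_secret: bytes, server_secret: bytes) -> dict:
    """One PAP round trip against a stand-in server. A secret mismatch shows up twice:
    the server decodes garbage and rejects, and the client cannot verify the answer."""
    stored_password = b"constructed-otp-123456"  # constructed: the value the server expects
    request = build_access_request(7, "alice", stored_password, client_secret)
    _, identifier, request_auth, attrs = parse_packet(request)
    decoded = decode_pap_password(attrs[ATTR_USER_PASSWORD], server_secret, request_auth)
    code = ACCESS_ACCEPT if hmac.compare_digest(decoded, stored_password) else ACCESS_REJECT
    response = build_response(code, identifier, request_auth, b"", server_secret)
    return {"accepted": code == ACCESS_ACCEPT,
            "verified": verify_response(response, request_auth, client_secret)}


if __name__ == "__main__":
    print("matching secrets:", demo_exchange(SHARED_SECRET, SHARED_SECRET))
    print("wrong client secret:", demo_exchange(b"typo-secret", SHARED_SECRET))
```

Running the file shows the practical consequence of a mistyped secret on either side: every authentication is rejected and the client also discards the reply as unverifiable, which is the symptom to look for when a newly registered RADIUS client fails against the server. Because the obfuscation is only MD5 of the secret and a per-request value, a long random shared secret and a client entry restricted to the exact client IP address are what keep this exchange trustworthy.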
OneSpan Authentication Server as RADIUS proxy target
You may want to use this topology in the following cases:
- The RADIUS server supports the proxying of authentication while returning attributes itself.
- The RADIUS server can forward the authentication request using one of the supported password protocols:
  - PAP
  - CHAP
  - MS-CHAP
  - MS-CHAP v2
- The RADIUS server supports an Access-Challenge response from OneSpan Authentication Server if required. The Access-Challenge mechanism is used for challenge/response and Virtual Mobile Authenticator, although it is still possible to use Virtual Mobile Authenticator without it.
If the RADIUS server supports it, this scenario also lets OneSpan Authentication Server serve environments that use certificate-based EAP protocols such as PEAP and EAP-TTLS: the RADIUS server terminates the EAP tunnel, decrypts the user credentials, and forwards them to OneSpan Authentication Server using one of the simpler password protocols listed above.
This deployment requires the following:
- The IP address of the RADIUS server.
- The shared secret used by the RADIUS server.
Figure: OneSpan Authentication Server as RADIUS proxy server
This procedure is for manual deployment after installation. The following configuration is also available during the initial configuration of a Basic installation.
To deploy OneSpan Authentication Server as a RADIUS proxy server
- Log on to the Administration Web Interface.
- Select CLIENTS > Register.
- Create a new client component with the following settings:
  - Client Type: RADIUS Client
  - Location: IP address of the RADIUS server
  - Policy ID: Policy you want to use for this RADIUS server
  - Protocol ID: RADIUS
  - Shared Secret: Shared secret used by the RADIUS server
- Click Create.
When you have configured OneSpan Authentication Server (either via this procedure or during Basic installation), configure your RADIUS server to forward its authentication requests to OneSpan Authentication Server. The IP address and port of the RADIUS communicator are shown in the Configuration Utility (Communicators > RADIUS tab).
OneSpan Authentication Server as intermediate server
When used as an intermediate authentication server, OneSpan Authentication Server can be set up in two basic modes:
OTP-Only. OneSpan Authentication Server keeps a record of a user's static password and relays it to the back-end server.
Figure: OneSpan Authentication Server as intermediate server (OTP-Only)
OTP-Password. The user enters both an OTP and a password; the password is not stored by OneSpan Authentication Server but is relayed to the back-end server for authentication.
Figure: OneSpan Authentication Server as intermediate server (OTP-Password)
Both modes require the following:
- The IP address of both RADIUS client and RADIUS server.
- The shared secret used by both RADIUS client and RADIUS server.
This procedure is for manual deployment after installation. The following configuration is also available during the initial configuration of a Basic installation.
To deploy OneSpan Authentication Server as an intermediate server
- Log on to the Administration Web Interface.
- Select CLIENTS > Register.
- Create a new client component with the following settings:
  - Client Type: RADIUS Client
  - Location: IP address of the RADIUS client
  - Policy ID: Policy you want to use for this RADIUS client
  - Protocol ID: RADIUS
  - Shared Secret: Shared secret used by the RADIUS client
- Click Create.
- When you have configured OneSpan Authentication Server (either via this procedure or during Basic installation), configure your RADIUS client to send its authentication requests to OneSpan Authentication Server. The IP address and port of the RADIUS communicator are shown in the Configuration Utility (Communicators > RADIUS tab).
- Select BACK-END > Register RADIUS Back-End.
- Configure the back-end server with the following settings:
  - Back-End Server ID: An identifier for the RADIUS server.
  - Domain Name: Set this to master if the RADIUS server should process authentication requests from all domains; otherwise, enter the specific domain it serves.
  - Priority: Use this when you define multiple back-end servers for failover; the one with the highest priority is used first.
  - Authentication IP Address: The IP address that the RADIUS server uses for authentication requests.
  - Authentication Port: The port that the RADIUS server uses for authentication requests.
  - Accounting IP Address: The IP address that the RADIUS server uses for accounting requests.
  - Accounting Port: The port that the RADIUS server uses for accounting requests.
  - Shared Secret: The shared secret of the RADIUS server.
  - Timeout (seconds): Timeout value for the connection to the RADIUS server.
  - Retries: Number of retries before OneSpan Authentication Server stops trying to send an authentication request to the RADIUS server.
  - Character Encoding: Encoding/locale format required by the RADIUS server.
  - Include Realm: Determines whether the realm is included in the userName RADIUS attribute of an authentication request.
  - Custom Realm: The realm to be included in the userName RADIUS attribute of an authentication request.
- Click Create.
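The back-end settings above (Domain Name, Priority, Timeout, Retries, Include Realm and Custom Realm) together decide which RADIUS server an intermediate server relays a request to and when it gives up on one. The following added example, written for this page and not taken from OneSpan's own code, models that selection over a list of constructed back-end entries so the interaction of the fields can be checked before a real failover is needed. Three points are assumptions rather than statements of the page: that only a timeout (not a definite Accept or Reject) moves on to the next server, that an included realm is appended as user@realm, and that the user's own domain is used as the realm when Custom Realm is empty. The transport is simulated; a real relay would send UDP to the authentication IP address and port.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class RadiusBackEnd:
    """One 'Register RADIUS Back-End' entry, reduced to the fields that steer relaying."""
    server_id: str
    domain: str           # "master" serves every domain; otherwise one specific domain
    priority: int         # higher is tried first
    auth_ip: str
    auth_port: int
    timeout_s: float
    retries: int
    include_realm: bool = False
    custom_realm: str = ""


def eligible_backends(backends: List[RadiusBackEnd], user_domain: str) -> List[RadiusBackEnd]:
    """Back-ends allowed to serve user_domain, highest priority first (stable for ties)."""
    picks = [b for b in backends if b.domain == "master" or b.domain == user_domain]
    return sorted(picks, key=lambda b: b.priority, reverse=True)


def relay_user_name(backend: RadiusBackEnd, user: str, user_domain: str) -> str:
    """Assumption: the realm is appended as user@realm (the usual RADIUS/NAI form) and the
    user's own domain is used when no Custom Realm is set; the page only says the realm is
    'included' in the userName attribute."""
    if not backend.include_realm:
        return user
    return f"{user}@{backend.custom_realm or user_domain}"


# Simulated transport: returns "Access-Accept"/"Access-Reject", or None when the back-end
# did not answer within backend.timeout_s. Real code would send UDP to auth_ip:auth_port.
SendFn = Callable[[RadiusBackEnd, str, int], Optional[str]]


def relay(backends: List[RadiusBackEnd], user: str, user_domain: str,
          send: SendFn) -> Tuple[Optional[str], Optional[str], List[str]]:
    """Walk eligible back-ends in priority order, giving each 1 + retries attempts.
    Assumption: only a timeout moves on to the next server; a definite Accept or Reject
    is final, so an unreachable primary never turns into a second guess at a password."""
    trace: List[str] = []
    for backend in eligible_backends(backends, user_domain):
        name = relay_user_name(backend, user, user_domain)
        for attempt in range(1 + backend.retries):
            result = send(backend, name, attempt)
            trace.append(f"{backend.server_id} attempt {attempt + 1}: {result or 'timeout'}")
            if result is not None:
                return backend.server_id, result, trace
    return None, None, trace


# Constructed back-end entries (documentation addresses, not real servers).
BACKENDS = [
    RadiusBackEnd("rad-primary", "master", 10, "192.0.2.11", 1812, 3.0, 2),
    RadiusBackEnd("rad-secondary", "master", 5, "192.0.2.12", 1812, 3.0, 1, True, "corp.example"),
    RadiusBackEnd("rad-hr", "hr.example", 20, "192.0.2.13", 1812, 3.0, 0),
]


def simulated_send(backend: RadiusBackEnd, user_name: str, attempt: int) -> Optional[str]:
    """Constructed behaviour: the primary never answers, every other back-end accepts."""
    return None if backend.server_id == "rad-primary" else "Access-Accept"


def demo(user_domain: str = "finance.example"):
    """Relay one request for a user in user_domain through the constructed back-end list."""
    return relay(BACKENDS, "alice", user_domain, simulated_send)


if __name__ == "__main__":
    server, result, trace = demo()
    print("\n".join(trace))
    print("served by", server, "->", result)
```

With the constructed entries, a finance.example user is relayed first to rad-primary, which times out three times (one attempt plus two retries) before rad-secondary answers; the hr.example back-end is never considered for that domain even though it has the highest priority. The trace is the kind of record worth logging in production, since a primary that silently times out adds the full timeout multiplied by retries to every login before failover kicks in.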