OneSpan Authentication Server Appliance in a RADIUS environment
  • 30 Dec 2024
  • 4 minutes to read
Article summary

OneSpan Authentication Server Appliance can be used in a RADIUS environment in a number of ways, depending on your company's requirements.

In the RADIUS protocol, attributes are used for authorization and configuration of the remote access session in many cases. OneSpan Authentication Server Appliance can return authorization attributes from the user account. Alternatively, a separate RADIUS server can provide these attributes instead.

In many cases, a RADIUS client may be a dial-up network access server (NAS), firewall/VPN appliance, wireless access point (WAP), or another device that uses the RADIUS protocol for user authentication. Some software applications can also use RADIUS for authentication, and can therefore also act as RADIUS clients.

OneSpan Authentication Server Appliance supports authentication over a wireless connection, using the RADIUS protocol (see Wireless RADIUS).

Supported password protocols

The scenarios described below can be implemented with the following supported password protocols:

  • PAP
  • CHAP
  • MS-CHAP
  • MS-CHAP v2

When integrating OneSpan Authentication Server Appliance into a RADIUS environment to provide authentication services, authenticators should be deployed only according to the scenarios described below. Deviating from these advised scenarios may result in security vulnerabilities (e.g. exposure to brute-force attacks).

Standalone: RADIUS attributes from user account

In this scenario, OneSpan Authentication Server Appliance retrieves RADIUS attributes from the user account and returns them with an Accept message to the RADIUS client.

This scenario can be implemented with the following supported password protocols:

  • PAP
  • CHAP
  • MS-CHAP
  • MS-CHAP v2

Figure: Standalone: RADIUS attributes from user account

Standalone: No RADIUS attributes required

This scenario is identical to Standalone: RADIUS attributes from user account, except that it does not use RADIUS attributes to authenticate users.

Figure: Standalone: No RADIUS attributes required

Wireless RADIUS

Using this method, the user only enters the OTP (and PIN if required). OneSpan Authentication Server Appliance has to learn the static password for the user. As such, when the user gives the correct OTP, OneSpan Authentication Server Appliance can send the static password to the RADIUS server.

The Wireless RADIUS method can be used if one of the supported password protocols is used (see Supported password protocols).

Figure: OneSpan Authentication Server Appliance with Wireless RADIUS

Proxy target: RADIUS server acts as proxy

In this scenario, a RADIUS server acts as a proxy for authentication, effectively delegating the authentication process to OneSpan Authentication Server Appliance. The RADIUS server provides the authorization attributes after OneSpan Authentication Server Appliance has accepted the user credentials.

A RADIUS server can forward authentication to OneSpan Authentication Server Appliance if:

  • The RADIUS server supports the proxying of authentication while returning attributes itself.
  • The RADIUS server can forward authentication requests using one of the supported password protocols (see Supported password protocols).
  • The RADIUS server supports an access-challenge response from OneSpan Authentication Server Appliance if required. The access-challenge mechanism is used for challenge/response and Virtual Mobile Authenticator, although it is still possible to use Virtual Mobile Authenticator without that mechanism.

If the RADIUS server is capable of this, the scenario allows OneSpan Authentication Server Appliance to operate in an environment that uses certificate-based EAP protocols such as PEAP and EAP-TTLS. To make this work, the RADIUS server decrypts the user credentials and forwards them to OneSpan Authentication Server Appliance using one of the simpler supported password protocols.

Figure: OneSpan Authentication Server Appliance with RADIUS server acting as a proxy

Intermediary: RADIUS server as back-end server

After validating the OTP, OneSpan Authentication Server Appliance forwards requests to a RADIUS server to retrieve authorization attributes. It is necessary to provide a static password to the RADIUS server to achieve this.

There are two methods of implementing this scenario:

Login via OTP only

Using this method, the user only enters the OTP (and PIN if required). OneSpan Authentication Server Appliance has to learn the static password for the user. This allows OneSpan Authentication Server Appliance to send the static password to the RADIUS server when the user provides the correct OTP.

Figure: RADIUS server as back-end server (Users log on with OTP only)

This method can be used if:

  • One of the supported password protocols is used (see Supported password protocols).
  • The static passwords can be 'learnt' by OneSpan Authentication Server Appliance.

If the PAP authentication protocol is used, OneSpan Authentication Server Appliance can learn the static passwords automatically. The user then has to perform at least one logon with the static password. If the RADIUS server accepts the password, OneSpan Authentication Server Appliance can learn it.

However, if one of the other password protocols is used, automatic learning is not possible. In that case, the passwords can be learnt in other ways, e.g. through administrative data entry or via the OneSpan User Websites.

Logon via password and OTP

Using this method, the user enters a static password and OTP at each logon. OneSpan Authentication Server Appliance validates the OTP. If the OTP is valid, OneSpan Authentication Server Appliance forwards the static password to the RADIUS server.

Figure: RADIUS server as back-end server (Users log on with password and OTP)

This method can only be used with the PAP authentication protocol, because under CHAP and MS-CHAP the static password and the OTP are hashed together inseparably, so OneSpan Authentication Server Appliance cannot extract the static password to forward it.
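The following model, added here as an example and not OneSpan's own code, illustrates both back-end methods: with PAP the credential arrives in clear, so the appliance can split off the OTP, forward the static password and learn it from an accepted logon; with CHAP only MD5(Identifier || secret || challenge) arrives, so a password typed together with the OTP can neither be separated nor learnt, and an OTP-only logon can be verified only once the static password is already known. The fixed OTP length, the `backend_accepts` and `expected_otp` callables and the `Intermediary` class are assumptions of this model.

```python
"""Model of the "RADIUS server as back-end server" scenario (example code)."""
import hashlib
import hmac

OTP_LEN = 6  # assumption: the OTP is a fixed-length suffix of what the user types


def chap_response(chap_id: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret.encode() + challenge).digest()


class Intermediary:
    """Stands in for the appliance between the RADIUS client and the back-end server."""

    def __init__(self, backend_accepts, expected_otp):
        self.backend_accepts = backend_accepts  # (user, static_password) -> bool
        self.expected_otp = expected_otp        # (user) -> str, stands in for OTP validation
        self.learned = {}                       # static passwords learnt or entered by an admin

    def pap_logon(self, user: str, credential: str) -> bool:
        """PAP carries the credential in clear, so password and OTP can be separated."""
        if len(credential) > OTP_LEN:                 # user typed password + OTP
            password, otp = credential[:-OTP_LEN], credential[-OTP_LEN:]
        elif user in self.learned:                    # OTP only: use the learnt password
            password, otp = self.learned[user], credential
        else:
            return False                              # no static password to forward
        if not hmac.compare_digest(otp, self.expected_otp(user)):
            return False
        if not self.backend_accepts(user, password):
            return False
        self.learned[user] = password                 # automatic learning on an accepted logon
        return True

    def chap_logon(self, user: str, chap_id: int, challenge: bytes, response: bytes) -> bool:
        """CHAP carries only a hash: the OTP can be verified, but a password typed with it
        can neither be split off nor learnt, so a known static password is required."""
        if user not in self.learned:
            return False
        expected = chap_response(chap_id, self.expected_otp(user), challenge)
        if not hmac.compare_digest(response, expected):
            return False                              # password+OTP hashed together also fails here
        return self.backend_accepts(user, self.learned[user])
```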
