RADIUS support in OneSpan Authentication Server Appliance has some caveats and limitations.
Limitations of RADIUS password protocols
Some OneSpan Authentication Server Appliance features are not supported with CHAP or MS-CHAP, because these protocols hash the logon data together. As a result, the server cannot separate the individual entries that make up the logon data.
The following features are unsupported:
- You cannot perform self-assignment.
- You cannot change the server PIN.
- You cannot use Challenge/Response.
- Windows back-end authentication is not supported, unless the user ID and Windows password are manually stored and stored password proxy is enabled.
- You cannot use password autolearning, because clear text passwords cannot be identified.
- Virtual Mobile Authenticator OTP requests are not supported.
Using OneSpan User Websites can circumvent many of these problems by allowing users to manage their account and authenticators. Users can:
- Perform self-assignment.
- Change their server PINs.
- Change their own stored static password.
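The following added example (not OneSpan code) shows why hashing the logon data together removes these features: PAP hiding (RFC 2865) is reversible, so the server can split the typed string, while a CHAP response (RFC 1994) is a one-way digest that can only be compared against a complete candidate the server already knows. The PIN-followed-by-OTP layout, the helper names and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """PAP User-Password hiding (RFC 2865, section 5.2): a reversible XOR mask."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the mask and get the exact string the user typed."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

def split_logon(logon: bytes, otp_len: int = 6) -> tuple[bytes, bytes]:
    """Assumed layout for this example: server PIN followed by a fixed-length OTP."""
    return logon[:-otp_len], logon[-otp_len:]

def chap_response(chap_id: int, logon: bytes, challenge: bytes) -> bytes:
    """CHAP response (RFC 1994): MD5 over identifier, secret and challenge."""
    return hashlib.md5(bytes([chap_id]) + logon + challenge).digest()

def chap_verify(chap_id: int, response: bytes, challenge: bytes, candidate: bytes) -> bool:
    """The server can only test a complete candidate string it already knows."""
    return hmac.compare_digest(response, chap_response(chap_id, candidate, challenge))

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    secret, auth = b"constructed-shared-secret", bytes(range(16))
    logon = b"1234" + b"654321"          # PIN + OTP typed into one password field
    pin, otp = split_logon(pap_recover(pap_hide(logon, secret, auth), secret, auth))
    print("PAP: server sees PIN", pin, "and OTP", otp)

    challenge = bytes(range(16, 32))
    resp = chap_response(7, logon, challenge)
    print("CHAP: 16-byte digest only:", resp.hex())
    print("full candidate matches:", chap_verify(7, resp, challenge, logon))
    print("OTP alone matches:", chap_verify(7, resp, challenge, otp))
```

With CHAP the server never holds the typed string, so there is nothing to split into a PIN and an OTP and no clear text password to learn.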
Unsupported RADIUS password protocols
The following RADIUS password protocols are unsupported:
- MS-CHAP with LM Hash.
- The password change mechanism for MS-CHAP and MS-CHAP v2.
Limitations of international character support
A number of OneSpan Authentication Server Appliance components provide international character support, but some limitations apply:
RADIUS
International character support in OneSpan Authentication Server Appliance using the RADIUS protocol depends on the RADIUS client(s) used. If a RADIUS client uses UTF-8 encoding, international characters will be fully supported. If a RADIUS client uses a localized encoding (e.g. ISO-8859-13), the same locale setting must be configured on each computer.
If OneSpan Authentication Server Appliance is used as an intermediary between a RADIUS client and RADIUS server, verify the encoding expected/required by the RADIUS server. If the RADIUS server requires any encoding format other than UTF-8, you need to configure OneSpan Authentication Server Appliance accordingly.
Web
Digipass Authentication for OWA Basic and Digipass Authentication for OWA Forms limit international character support to a single configured encoding.
Limitations of web basic authentication
In OneSpan Authentication Server Appliance, the HTTP basic authentication mechanism does not support a 2-step logon process. Challenge/Response is also unsupported.
Limitations for score-based authenticator applications
Score-based authenticator applications do not support CHAP-based RADIUS authentications.