
Configuring RADIUS authentication for Active Directory-based actions

Traditional Active Directory logins involve only a username and password. However, if the data breaches of recent years teach us anything, it is that a password alone is not sufficient. Multi-factor authentication (MFA) has become an indispensable part of logins, and implementing it is even mandatory to meet certain requirements of GDPR and HIPAA compliance. RADIUS, or Remote Authentication Dial-In User Service, is one of the methods that can be used for MFA.

When RADIUS is used in MFA, users first provide their username and password. They are then asked to enter the unique RADIUS password mapped to their account to authenticate themselves. If the password provided is valid, they are allowed to access the service. Implementing MFA using RADIUS and other methods during Active Directory-based actions like domain logins, password changes, self-service password resets, and account unlocks significantly strengthens the security of domain user accounts and the network.

ADSelfService Plus, an Active Directory self-service password management and single sign-on solution, offers RADIUS along with 14 other authentication methods, including Duo Security, security questions and answers, SAML authentication, and Google Authenticator, to secure users during:

  1. Active Directory self-service password reset or account unlock actions via the ADSelfService Plus portal, ADSelfService Plus mobile app, and native Windows/macOS/Linux login screens.
  2. Windows, macOS, and Linux logins.
  3. Enterprise application logins through single sign-on (SSO).
  4. Self-update of Active Directory profile information, subscription to mail groups, and employee search using ADSelfService Plus.

Follow these instructions to enable RADIUS authentication for MFA in ADSelfService Plus.

Prerequisites:

Integrate RADIUS with ADSelfService Plus:

  1. Log in to RADIUS server.
  2. Open the clients.conf file (default location: /etc/raddb/clients.conf).
  3. Add the following snippet in the clients.conf file.

    client AdsspServerName
    {
        # IP address of the ADSelfService Plus server (replace the placeholder)
        ipaddr = xxx.xx.x.xxx
        # Shared secret; must match the Secret Key entered in ADSelfService Plus
        secret = secretCode
        nastype = other
    }

  4. Restart the RADIUS server.

Steps to configure ADSelfService Plus for RADIUS:

  1. Navigate to Configuration → Self Service → Multi-Factor Authentication → Authenticators Setup.
  2. From the Choose the Policy drop-down, select a policy.

    Note: ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy. Only users belonging to OUs and groups included in the policy can perform the self-service feature(s) selected.

  3. Click the RADIUS Authentication section.
  4. Enter the Server Name, Server Port number, Server Protocol, Secret Key, Username Pattern, and the Request Time Out in seconds. The Secret Key must match the secret value configured for this client in the RADIUS server's clients.conf file.
  5. Click Save.
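The shared secret set in clients.conf and the Secret Key entered above are the same value, and the RADIUS protocol depends on it in two places: the client hides the user's password with it, and the server signs its reply with it. The following Python script, an added example rather than ADSelfService Plus or FreeRADIUS code, builds an RFC 2865 Access-Request the way a RADIUS client does, answers it with a mock server, and verifies the Response Authenticator on the client side. It assumes the PAP password-hiding scheme (the `nastype = other` client above is treated as a plain PAP client), and the user name, one-time password, secret and NAS name are constructed sample values. It also runs the exchange a second time with mismatched secrets to show what a misconfigured Secret Key looks like on the wire: a Reject that the client cannot even authenticate.

```python
"""RADIUS Access-Request / Access-Accept exchange per RFC 2865, run offline.
Added example: not ADSelfService Plus or FreeRADIUS code. The user, one-time
password, shared secret and NAS name are constructed sample values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32   # attribute types


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password, secret, request_auth):
    """Hide a PAP password (RFC 2865 s5.2): pad to 16-byte blocks, then XOR each
    block with MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def decode_user_password(hidden, secret, request_auth):
    """Server-side inverse of encode_user_password; only works with the same secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(body):
    attrs = {}
    while body:
        attr_type, length = struct.unpack("!BB", body[:2])
        attrs[attr_type] = body[2:length]
        body = body[length:]
    return attrs


def build_access_request(ident, username, password, secret, nas_id, request_auth=None):
    """Client role (the part ADSelfService Plus plays toward the RADIUS server)."""
    if request_auth is None:
        request_auth = os.urandom(16)          # fresh, unpredictable per request
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, encode_user_password(password, secret, request_auth))
             + _attr(NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code, request, secret, attrs=b""):
    """Server role: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def handle_access_request(request, secret, user_db):
    """Mock RADIUS server: recover the password and decide Accept or Reject."""
    attrs = parse_attributes(request[20:])
    given = decode_user_password(attrs[USER_PASSWORD], secret, request[4:20])
    expected = user_db.get(attrs.get(USER_NAME, b""), b"")
    ok = bool(expected) and hmac.compare_digest(expected, given)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


def verify_response(response, request, secret):
    """Client role: accept a reply only if its ID matches our request and its
    Response Authenticator recomputes under our secret; otherwise treat it as a reject."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def demo(client_secret=b"secretCode", server_secret=b"secretCode"):
    """Run one exchange; returns (response code, authenticator valid)."""
    user_db = {b"jdoe": b"483921"}             # constructed user and RADIUS one-time password
    request = build_access_request(7, b"jdoe", b"483921", client_secret, b"AdsspServerName")
    response = handle_access_request(request, server_secret, user_db)
    return response[0], verify_response(response, request, client_secret)


if __name__ == "__main__":
    print("secrets match: ", demo())                            # (2, True)
    print("secrets differ:", demo(server_secret=b"otherCode"))  # (3, False)
```

Two points worth taking from the script when troubleshooting: a Secret Key mismatch does not produce a distinctive error, it simply makes every login fail as a Reject (the server decodes the password to garbage) and the client should additionally discard the reply because the Response Authenticator does not verify; and the Request Authenticator must be random per request, since the password hiding is only as strong as the secret and that value.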

Enable RADIUS Authentication for AD password resets

  • Go to Configuration → Self-Service → Multi-factor Authentication → MFA/TFA Settings. In the MFA for Reset/Unlock section, enter the number of authentication factors to be enforced, and select RADIUS Authentication along with the other authentication techniques to be used.
  • Click Save Settings.

Enable RADIUS Authentication for AD domain logins

  • Go to Configuration → Self-Service → Multi-factor Authentication → MFA/TFA Settings. In the Endpoint MFA section, select RADIUS Authentication from the drop-down.
  • Enable the Bypass TFA if ADSelfService Plus is down option. This prevents users from being locked out when the ADSelfService Plus server is unreachable, but it is a fail-open setting: during such an outage, domain logins succeed with only the Active Directory password.
  • Click Save Settings.

Note:

To enable MFA for Active Directory domain logins:

  • The ADSelfService Plus login agent must be installed on client machines. See the login agent installation guide for the steps.
  • SSL must be enabled: Log in to the ADSelfService Plus web console with admin credentials. Navigate to the Admin tab → Product Settings → Connection. Select the ADSelfService Plus Port [https] option.
