Authentication to a third-party RADIUS server

You can configure an authentication profile that requires users to submit login credentials to a Remote Authentication Dial-In User Service (RADIUS) server.

You can configure a RADIUS authentication profile for an HTTP access service or for a connection profile that supports mobile access services. When users log in to the SafeLinx Server through a service that uses a RADIUS authentication profile, the SafeLinx Server routes the authentication requests to a RADIUS server.

HTTP access services examine the HTTP headers for a user ID and password on each request. If the user credentials are available in the request, then the user is not challenged. Otherwise, when a client sends a request, the SafeLinx Server challenges the request and waits for the client to return its user ID and password. These credentials are then used to complete the RADIUS authentication.

For mobile access services, each mobile network connection (MNC) specifies a connection profile. Connection profiles can be configured to use a password-based key exchange algorithm together with a RADIUS authentication profile. Under this configuration, a user who logs in from a SafeLinx Client can be challenged to submit two sets of credentials. Users must first submit their SafeLinx user ID and password, and then submit their RADIUS credentials. You can configure the user credentials to be the same for SafeLinx and the RADIUS server. If the credentials that are used on the RADIUS server match the SafeLinx credentials, you can configure the RADIUS authentication profile not to challenge users twice. Instead, the RADIUS authentication request is made with the credentials that were used to log in to the SafeLinx Server.

Depending on your security requirements, you can configure the SafeLinx Client so that it saves the SafeLinx credentials between sessions and users are not prompted to log in. However, if a RADIUS authentication profile is configured, users are still required to submit credentials to the RADIUS server.

When you create a RADIUS authentication profile, you identify a list of RADIUS servers to use. All of the RADIUS servers that are named in a single authentication profile must use the same shared secret and the same port number.
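
The way RADIUS protects a password in transit shows why every server in a profile has to hold the same shared secret. The following is an added example, not SafeLinx code: it assumes a PAP-style Access-Request that uses the User-Password hiding from RFC 2865 section 5.2 (this page does not state which method SafeLinx uses), and the server names, user, password and secrets are constructed.

```python
import hashlib
import struct

def _xor_blocks(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(d ^ m for d, m in zip(data[i:i + 16], mask))
        prev = block if hiding else data[i:i + 16]  # always chain on the ciphertext block
        out += block
    return out

def build_access_request(ident: int, user: bytes, password: bytes,
                         secret: bytes, authenticator: bytes) -> bytes:
    """Build a minimal Access-Request carrying User-Name and a hidden User-Password."""
    if not 1 <= len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("password must be 1..128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = _xor_blocks(padded, secret, authenticator, hiding=True)
    attrs = bytes([1, 2 + len(user)]) + user        # attribute type 1 = User-Name
    attrs += bytes([2, 2 + len(hidden)]) + hidden   # attribute type 2 = User-Password
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def server_view(packet: bytes, secret: bytes) -> tuple:
    """Return the (user, password) that a RADIUS server holding `secret` recovers."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    if 1 not in attrs or 2 not in attrs:
        raise ValueError("User-Name or User-Password missing")
    clear = _xor_blocks(attrs[2], secret, authenticator, hiding=False)
    return attrs[1], clear.rstrip(b"\x00")

if __name__ == "__main__":
    auth = bytes(range(16))  # constructed; a real client uses an unpredictable value
    pkt = build_access_request(7, b"alice", b"constructed-pass-phrase-1",
                               b"profile-secret", auth)
    # Hypothetical servers: the second one was provisioned with a different secret.
    for name, secret in [("radius-a", b"profile-secret"), ("radius-b", b"other-secret")]:
        print(name, server_view(pkt, secret))
```

The server with the mismatched secret recovers the user name but a garbled password, so a correct login is rejected whenever requests are routed to it.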

Although some RADIUS software vendors support the ability for users to change their RADIUS passwords, SafeLinx users cannot change their RADIUS passwords from the SafeLinx Client. The SafeLinx Client includes an option to change the password, but the option is not active and the password cannot be changed.