• Home
• Content Library
• Admin Docs
• Configure Application
• How to add a RADIUS App

How to add a RADIUS App

Remote Authentication Dial-In User Service (RADIUS) is a software and client-server protocol used to centrally authenticate and authorize users attempting to access a network, acting as a central point to verify user credentials before granting network access. It performs functions like authentication, authorization, and accounting (AAA) for users trying to connect to a network, like through Wi-Fi or VPNs.

miniOrange enables several different protocols for your applications, such as SAML, WS-FED, OAuth, OIDC, JWT, RADIUS, and more. We provide MFA or adaptive authentication solutions for RADIUS apps like Fortinet VPN, SonicWall VPN, AWS Workspaces, and many more.

Let’s configure your application now.

• Login into the miniOrange Admin Console.



• Click on Apps and visit the list of all configured applications and option to modify them.
• Press on Add Application.



• From All Apps dropdowns, choose RADIUS (VPN).



• Search for your application from the list if your application is not found. Search for RADIUS, and you can set up your app via RADIUS Client.



• Configure the below details in Basic settings tab.




Display Name	Any name for your reference.
Client IP	The IP address of the VPN server, which will send the RADIUS authentication request.
Shared Secret	Security key. For Eg. "shared-secret" (Keep this with you; you will need to configure the same on VPN Server)

• Click on Next.
• Go to the Advanced tab in the RADIUS client application.




Primary Identity Provider	Select the default ID source from the dropdown for the application. If not selected, users will see the default login screen and can choose their own IDP. [Choose miniOrange in this case.]
Include password and MFA factor in same login request from RADIUS Client	Check this option for clients, which takes a password and the OTP in the same request. Otherwise, keep it unchecked.
Allow users to change password when password is expired.	Enables a password-change flow for users whose password has expired. For Active Directory, ensure LDAPS is configured for a secure connection.
Log RADIUS Accounting Events	When enabled, logs RADIUS accounting events such as session start, stop, and usage details for auditing and reporting.
Enable RADIUS Audit for Invalid Users / Non-Existing Accounts	Logs authentication attempts from unknown or non-existent users for auditing and security analysis.
Send Message Authenticator	Sends the Message Authenticator attribute so RADIUS messages include an integrity check and are harder to spoof or tamper with.

If your application supports EAP-based authentication, complete the following on the same tab:

• Under Allowed Method, select one or more authentication methods. The following methods are supported:
  • PAP
  • MSCHAPv2
  • EAP-MSCHAPv2
  • EAP-TTLS
  
  
  
• If one or more EAP methods are selected, you must also configure a Default EAP Method from the dropdown. This defines the method the server will negotiate first during EAP authentication.



• If EAP-TTLS is selected as the Default EAP Method, download the server certificate using the Download Certificate link and upload it to your client application. This certificate is required for TLS-based authentication.



• After configuring the above details, click on the Save button.
• Go to the Attributes tab of the RADIUS Client.
• You will see an option to Send Custom Attributes in response – check this if you want to send user groups as Vendor-Specific Group Attributes.
• Under Attribute Mapping, it shows No Attribute Added if no attributes are configured yet.
• To add attributes, click Add Attribute.



• Next, click on Policies tab.
  
  
• Click on the Assign group button. A new Configure Group Assignment Modal will open.
  • Assign Group: Select the groups you want to link with the application. You can select up to 20 groups at a time.
  
  
  
  • If you need to create new group. Click on Add New Group button.
  • Enter the Group name and click on Create Group.
  
  
  
  • Click on Next.
  • Assign Policies: Add the required policies to the selected groups. Enter the following details:
  • First Factor: Select the login method from the dropdown.
  • If you select Password as the login method, you can enable 2-Factor Authentication (MFA) and Adaptive Authentication, if needed.
  • If you select Password-less as login method, you can enable 2-Factor Authentication (MFA) if needed.



• Click on Save. Policies will be created for all the selected groups.
• Once all the above-mentioned details are included, press the Save button. The new policy will appear in the list.



• Copy and save the RADIUS server IPs that will be required to configure your RADIUS client.




NOTE: Follow the below steps before testing the connectivity. Open Firewall Ports.

• To receive the RADIUS request, it is necessary to open UDP traffic on ports 1812 and 1813 for the machine where On-premise IDP is deployed.
• If the hosting machine is a Windows Machine, then you can follow this document.
• If the hosting machine is a Linux Machine, then you can follow this document.