RADIUS and VPN
You can integrate RADIUS applications with Identity as a Service to provide strong, second-factor authentication for your application solution using Identity as a Service.
The integration guides provide instructions for configuring RADIUS authentication with the RADIUS version tested by Entrust. Some configuration steps may differ from the vendor documentation, or the steps in the integration guides may not be effective, because Entrust has not tested and validated them with the version you are using. For other versions, the integration guides may still offer a standard base to help fast-track RADIUS authentication setup for your application, but if you encounter issues, contact support@entrust.com for assistance.
How it works
Identity as a Service can be configured to handle both first-factor authentication and second-factor authentication. In this environment, the RADIUS proxy agent within the Enterprise Gateway connected to Identity as a Service intercepts messages between the VPN server and Identity as a Service.
The authentication flow between the VPN server and Identity as a Service supports the PAP authentication protocol.
VPN authentication with Identity as a Service using MSCHAPv2 follows these steps:
- A user enters their user ID and token response.
- A request is sent to the Enterprise Service Gateway, which communicates with Identity as a Service to validate the credentials.
- The Enterprise Service Gateway returns a RADIUS ACCEPT or REJECT message to the VPN server.
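The exchange described in these steps, as an added example that is not Entrust's code or part of the original page: a VPN server builds a PAP Access-Request carrying the user ID and token response, a stand-in for the RADIUS proxy recovers the credentials and answers with Access-Accept or Access-Reject, and the VPN server checks the Response Authenticator before trusting the answer. The shared secret and the token table are constructed values; the table stands in for the validation call the proxy would make to Identity as a Service. The packet layout, User-Password hiding and Response Authenticator follow RFC 2865.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type | Length (header included) | Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """PAP User-Password hiding (RFC 2865 5.2): pad to 16-byte blocks and XOR each
    block with MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password; the chain runs over the received ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def parse_attributes(payload: bytes) -> dict:
    """Walk the attribute list, rejecting lengths that would loop or overrun the packet."""
    attrs, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated RADIUS attribute header")
        length = payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed RADIUS attribute length")
        attrs[payload[i]] = payload[i + 2:i + length]
        i += length
    return attrs


def build_access_request(secret: bytes, identifier: int, user_name: str, password: str) -> bytes:
    """VPN server side: Access-Request with User-Name and hidden User-Password.
    In the documented flow the 'password' field carries the user's token response."""
    request_auth = os.urandom(16)  # fresh per request; also keys the password hiding
    attrs = _attr(ATTR_USER_NAME, user_name.encode())
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(secret, request_auth, password.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(secret: bytes, code: int, identifier: int, request_auth: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def proxy_handle(secret: bytes, packet: bytes, token_table: dict) -> bytes:
    """Gateway/RADIUS proxy side: recover the credentials and answer ACCEPT or REJECT.
    token_table is a constructed stand-in for the Identity as a Service validation call."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("unexpected RADIUS packet")
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    response = unhide_password(secret, request_auth, attrs.get(ATTR_USER_PASSWORD, b""))
    expected = token_table.get(user)
    ok = expected is not None and hmac.compare_digest(expected, response)
    return build_response(secret, ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, request_auth)


def verify_response(secret: bytes, request: bytes, response: bytes):
    """VPN server side: trust the reply only if its Identifier matches the request and its
    Response Authenticator verifies under the shared secret; returns the code or None."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if identifier != request[1] or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"  # constructed sample value
    TOKENS = {"alice": b"123456"}          # constructed stand-in for Identity as a Service
    req = build_access_request(SECRET, 1, "alice", "123456")
    print(verify_response(SECRET, req, proxy_handle(SECRET, req, TOKENS)))         # 2 (ACCEPT)
    print(verify_response(SECRET, req, proxy_handle(b"other-secret", req, TOKENS)))  # None
```

The last call shows why a mismatched shared secret is a hard failure rather than a degraded state: the proxy cannot recover the token response, and the VPN server discards the reply because the Response Authenticator does not verify, so the user sees a rejection with no hint of which side is misconfigured. Keeping one secret per RADIUS application makes that diagnosis, and any later rotation, local to a single appliance.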
Prerequisites
Complete the following steps before integrating your authentication system with Identity as a Service:
- Install and configure your first-factor authentication resource using the documentation provided by the vendor. The first-factor authentication resource can be a RADIUS server or an external authentication resource (a Local DB, LDAP-compliant directory or Windows domain controller through Kerberos).
- Install and configure the RADIUS appliance using the documentation provided by the vendor. The device must be able to route traffic before you integrate it with Identity as a Service.
- Install and configure Identity as a Service and an Identity as a Service gateway (containing a RADIUS proxy agent). Take note of the shared secrets, IP addresses, and ports you use. You need this information to configure the RADIUS appliance and first-factor authentication resource.
- If you want to configure your RADIUS appliance and first-factor authentication resource to recognize Identity as a Service user groups, you must define the Identity as a Service user groups first.
Supported authenticators
Standard RADIUS supports the following protocols:
- PAP
- CHAP
- MSCHAPv1
- MSCHAPv2
EAP (Extensible Authentication Protocol) supports the following protocols:
- EAP-GTC
- EAP-MSCHAPv2
In the RADIUS scenario, there are the following variations:
- First-factor only (either just password or just token)
- First-factor and second-factor (password plus any of the second-factor authenticators supported by Identity as a Service)
- External first-factor and second-factor (which also supports any second-factor authenticators supported by Identity as a Service). This may or may not be supported by all VPN vendors.
- With Enterprise Service Gateway 5.8 or later, RADIUS EAP supports PASSWORD and EXTERNAL for first-factor authentication. If PASSWORD is configured, the user is prompted for the password and then for the second factor during VPN server authentication. With earlier versions of the Gateway, VPN authentication fails when password is configured as the first factor.
Entrust recommends that when you configure multiple RADIUS applications, you give each RADIUS application a unique shared secret.
Topics in this section
Barracuda Web Application Firewall
This technical integration guide describes how to integrate Barracuda and Identity as a Service. This integration assumes that you are familiar with the administration interface of the Barracuda SSL VPN appliance.
Check Point Security Gateway
This technical integration guide describes how to integrate Check Point Security Manager Gateway and Identity as a Service. The aim of this integration is to provide strong, second-factor authentication for your Check Point Security Manager Gateway using Identity as a Service.
Cisco ASAv Series Adaptive Security Appliance
This technical integration guide describes how to integrate Cisco ASAv Series Adaptive Security Appliances and Identity as a Service. To set up the Cisco ASAv Series appliance, you must add the Entrust Identity as a Service RADIUS proxy as an AAA (Authentication Authorization Accounting) client, and then configure an IPSec connection profile, or a Clientless SSL connection profile, or both.
Cisco Identity Services Engine
This technical integration guide describes how to integrate a Cisco ISE Series Adaptive Security Appliance and Identity as a Service. The Cisco ISE allows your remote access Gateway (IPsec or SSL) to communicate with Identity as a Service. You can integrate Identity as a Service with a RADIUS server. In this environment, the Identity as a Service RADIUS agent intercepts messages between the VPN server and the RADIUS agent.
Citrix Netscaler
This technical integration describes how to integrate Citrix NetScaler and Identity as a Service. Once integrated, access to the server will require Identity as a Service authentication. The NetScaler details, such as the IP address, name, configuration secret, and ports can be added or modified during the VPN server configuration.
F5 BIG-IP Access Policy Manager (APM)
This technical integration guide describes how to integrate an F5 BIG-IP Access Policy Manager (APM) appliance and Identity as a Service. The aim of this integration is to provide strong, second-factor authentication for your F5 BIG-IP Access Policy Manager (APM) appliance solution using Identity as a Service.
Fortinet-FortiGate
This technical integration guide describes how to integrate a Fortinet-FortiGate and Identity as a Service. The aim of this integration is to provide strong, second-factor authentication for your Fortinet-FortiGate VPN solution using Identity as a Service.
NetMotion Mobility XE VPN
This technical integration guide describes how to integrate NetMotion Mobility software and an Identity as a Service Authentication Service account. Although this document specifically covers the NetMotion Mobility software, the information provided applies to all NetMotion appliances using the Device Manager software. The aim of this integration is to provide strong, second-factor authentication for your NetMotion Mobility software solution using Identity as a Service.
OpenVPN
OpenVPN is a virtual private network system to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications. See https://www.openvpn.net. You can protect access to OpenVPN by integrating OpenVPN with Identity as a Service. Once integrated, users can use single sign-on to log in to their OpenVPN account through Identity as a Service.
Palo Alto Virtual Appliance
This technical integration guide describes how to integrate a Palo Alto VM-300 and Identity as a Service. Although this document specifically covers the Palo Alto KVM appliance, the information provided applies to all Palo Alto PA-VM Series appliances using the Device Manager software. The aim of this integration is to provide strong, second-factor authentication for your Palo Alto PA-VM Series appliance solution using Identity as a Service.
PAM RADIUS
This technical integration guide describes how to integrate PAM RADIUS and Identity as a Service. Although this document specifically covers PAM RADIUS, the information provided applies to RHEL 8 and RHEL 9. The aim of this integration is to provide strong, second-factor authentication for your PAM RADIUS solution using Identity as a Service.
Pulse Secure
This technical integration guide describes how to integrate Pulse Secure and Identity as a Service. Although this document specifically covers the Pulse Secure KVM appliance (PA VM), the information provided applies to all Pulse Secure VM Series appliances using the Device Manager software. The aim of this integration is to provide strong, second-factor authentication for your Pulse Secure VM Series appliance solution using Identity as a Service.
SonicWall
This technical integration guide describes how to integrate SonicWall and Identity as a Service.
Sophos XG Virtual Appliance
This technical integration guide describes how to integrate Sophos XG and Identity as a Service.
VMware Horizon View
This technical integration guide describes how to integrate VMware Horizon View and Identity as a Service. Although this document specifically covers the VMware View KVM appliance (v), the information provided applies to all VMware View Series appliances using the Device Manager software. The aim of this integration is to provide strong, second-factor authentication for your VMware View Series appliance solution using Identity as a Service.