NPS Radius Extension

In the Applications section, you can add applications integrated with the NPS Radius Extension module, as well as configure additional settings, if required.

Prerequisites

Before adding an integrated application:

1. Configure the NPS Radius Extension module.
2. Register the license in Management Console.
3. Install and configure authentication providers.
4. Integrate the business application with NPS Radius Extension.

Important

If applications work through NPS (Network Policy Server) with installed RADIUS Extension, but authentication is not performed through Access Manager, configure access in Management Console in the Configuration section. Otherwise, login into these applications is not available.

Add an application

To add an application integrated with NPS RADIUS Extension:

1. In the Management Console sidebar, open the Applications section.

2. Click Add an application.

3. In the opened window, select NPS Radius Extension and enter the application name. The name must be unique.

4. Click Create.

   Note

   You cannot add another application if you have not changed the default IP address of the previously added application.

5. In the opened application window, go to the RADIUS tab.

6. Change the value of the Application server IP address field. You can specify multiple values separated by commas. The supported formats are IPv4 and IPv6. You can also use a mask or prefix to specify a subnet.

Address examples

Valid addresses

• 192.168.0.1/24
• 172.16.3.251
• 10.0.0.1
• 21:db8:58:74:1c60:2c18::4/64

Invalid addresses

• 192.168.0.300 — invalid IPv4;
• 172.16.3.251/33 — invalid network mask;
• fe80::1%eth0 — invalid IPv6;
• 21:db8:58:74:1c60:2c18:0:4/129 — invalid network mask;
• example.com — not an IP address.

Add to a policy

To apply application settings to users, add the application to a policy. You can only do this if you have a registered license for this module.

To add an application to a policy:

1. Go to the Policies section.
2. Select a policy from the list.
3. In the policy card, go to the Applications tab.
4. Click Add an application.
5. Select an application from the drop-down list.
6. Click Add.

The application appears in the list of added applications.

Configure an authenticator

For applications integrated with Radius Extension, you can select only one login method. When adding an application to a policy, the first available login method is enabled by default.

The list of available authentication methods displays providers installed on Core Server and supported by RADIUS applications.

Both one-factor and two-factor authentication are supported.

Prerequisites

Before configuring one-factor or two-factor authentication, install providers from the Axidian AM <version number>\Axidian AM Providers\Axidian AM Radius Providers<version number> directory on Core Server.

One-factor authentication

To configure one-factor authentication:

1. In the Management Console sidebar, open the Policies section.
2. Select a policy.
3. Go to the Applications tab
4. Select the application integrated with NPS Radius Extension.
5. In the Authentication method list, select a provider with the 1FA prefix.
6. Click Save.

Available login methods for one-factor authentication include:

• Secured TOTP
• Hardware OTP
• Passcode
• Software TOTP
• Hardware TOTP

Two-factor authentication

To configure two-factor authentication:

1. In the Management Console sidebar, open the Policies section.
2. Select a policy.
3. Go to the Applications tab.
4. Select the application integrated with NPS Radius Extension.
5. In the Authentication Method list, select a provider with the 2FA prefix.
6. Click Save.

Available login methods for two-factor authentication include:

• Passcode + Secured TOTP
• Passcode + SMS OTP
• Passcode + Software TOTP
• Passcode + Axidian Key (only in the push notification mode with login confirmation)
• Windows Password + Hardware HOTP
• Windows Password + Hardware TOTP
• Windows Password + Secured TOTP
• Windows Password + Software TOTP
• Windows Password + Storage SMS OTP
• Windows Password + Axidian Key (only in the push notification mode with login confirmation)
• Windows Password + Email OTP
• Windows Password + SMS OTP
• Windows Password + Telegram (only in the one-time password sending mode)
• One-string authenticator (authenticators are entered on a single line)

Optional settings

Change general information

1. In the application card, on the General Information tab, click Edit.
2. Change the application name or description.
3. Click Save.

Upload a logo

1. On the General Information tab in the Logo section, click Upload.

   The supported formats are JPG and PNG. The maximum image size is 512KB.

2. Select a file.

3. Click Upload.

Configure application access for users outside access policies

If required, you can enable or disable access to applications for users who are not included in the access policies, such as users from another domain.

1. In the application card, go to the RADIUS tab.
2. In the setting If access parameters to the application are not set for a user, enable or disable access.
3. Click Save.

Configure processing of duplicate authentication requests

If required, you can configure detection and processing of duplicate authentication requests. This option is useful if you have duplicate requests. For example, if a user does not have time to confirm login through a push notification and receives it again.

To configure processing of duplicate authentication requests:

1. In the application card on the RADIUS tab, enable the option Enable detection and processing of duplicate authentication requests.

2. In the Request attributes for duplicate search field, enter Radius attribute values.

   You can specify multiple values separated by commas. The default values are 1 (User-Name) and 264 (Request authenticator).

   Attributes can include username, password, IP address from which the authentication request is sent, and other parameters. The request is considered duplicate if the values of all specified attributes in the setting match the values in the cached request. For more information about supported RADIUS attributes, see the official Cisco documentation.

3. Select the response type for duplicate requests:

   • Discard: The RADIUS server does not send a response to a duplicate request.
   • Reject: If you have a duplicate request, the RADIUS server sends the Access-Reject response.

4. Click Save.