Version: Axidian Privilege 3.2

RADIUS Configuring

caution

Please specify all URLs in lowercase.

The JSON format does not allow comments in the file, so you need to remove lines starting with "//" characters.

caution

After changing the configuration file, restart the IdP application pool in IIS Manager.

Go to C:\inetpub\wwwroot\idp and edit the appsettings.json file.

Section IdentitySettings

  • DirectoryMechanism — Mechanism of authentication.

  • Authentication — Authentication provider.

    IdentitySettings section in appsettings.json configuration file
    "IdentitySettings": {
    ...
    "DirectoryMechanism": "Radius",
    "Authentication": "Local",
    ...
    }

Section Radius

  • Timeout — timeout waiting for a RADIUS server response.

RemoteEndpoints:

  • Address — RADIUS server address for connection.
  • Port — RADIUS server port for connection (default port: 1812).
  • Secret — secret for the additional authentication of the component.
  • AuthenticationScheme — authentication scheme in RADIUS. Possible parameters: PAP, CHAP, MSCHAPV2. The PAP scheme is insecure.
  • AuthenticationUserName — name format for authentication. Possible values:
    • NameWithoutDomain — name without domain (for authentication in FreeRadius).
    • SamCompatibleName — name in the format AXIDIAN\\user.
    • PrincipalName — name in the format user@axidian.domain.
  • CheckMessageAuthenticator — enables or disables checking of the Message-Authenticator attribute in IDP. It is not recommended to disable it, as it reduces security.

Radius section in appsettings.json configuration file (one RADIUS server)

    "Radius": {
      "Timeout": 60,
      "RemoteEndpoints": [
        {
          "Address": "PAM_RADIUS_SERVER_ADDRESS",
          "Port": 1812,
          "Secret": "PAM_RADIUS_SERVER_SECRET",
          "AuthenticationScheme": "MSCHAPV2",
          "AuthenticationUserName": "PrincipalName",
          "CheckMessageAuthenticator": true
        }
      ]
    },

You can specify multiple RADIUS servers to provide system fault tolerance. In this case, PAM sends the request to the RADIUS servers sequentially, in the order the servers are specified in the configuration file. In other words, if it was unable to connect to the first RADIUS server, then PAM will try to connect to next o

Radius section in appsettings.json configuration file (two RADIUS servers)

    "Radius": {
      "Timeout": 10,
      "RemoteEndpoints": [
        {
          "Address": "10.11.4.28",
          "Port": 1812,
          "Secret": "123",
          "AuthenticationScheme": "MSCHAPV2",
          "AuthenticationUserName": "PrincipalName",
          "CheckMessageAuthenticator": true
        },
        {
          "Address": "10.11.4.128",
          "Port": 1812,
          "Secret": "123",
          "AuthenticationScheme": "MSCHAPV2",
          "AuthenticationUserName": "PrincipalName",
          "CheckMessageAuthenticator": true
        }
      ]
    },
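
A pre-deployment check of the Radius section, as an added example (not Axidian's code): it strips "//" comment lines as required above, then flags the PAP scheme, a Message-Authenticator check that is not enabled, and values outside the documented lists. The helper names `load_settings` and `audit_radius` are hypothetical, the sample file is constructed, and the 16-character secret threshold is an assumption taken from RFC 2865, not from this page.

```python
import json

# Constructed sample for illustration; not a real deployment's file.
SAMPLE = '''{
  // comment lines like this one must be removed before the file is valid JSON
  "IdentitySettings": { "DirectoryMechanism": "Radius", "Authentication": "Local" },
  "Radius": {
    "Timeout": 10,
    "RemoteEndpoints": [
      { "Address": "10.11.4.28", "Port": 1812, "Secret": "123",
        "AuthenticationScheme": "PAP", "AuthenticationUserName": "PrincipalName",
        "CheckMessageAuthenticator": false },
      { "Address": "10.11.4.128", "Port": 1812, "Secret": "c0nstructed-sample-secret-0001",
        "AuthenticationScheme": "MSCHAPV2", "AuthenticationUserName": "PrincipalName",
        "CheckMessageAuthenticator": true }
    ]
  }
}'''

SCHEMES = {"PAP", "CHAP", "MSCHAPV2"}
NAME_FORMATS = {"NameWithoutDomain", "SamCompatibleName", "PrincipalName"}
MIN_SECRET_LEN = 16  # assumption: RFC 2865 prefers secrets of at least 16 octets

def load_settings(text):
    """Drop whole-line // comments, then parse; json.loads rejects them otherwise."""
    kept = [l for l in text.splitlines() if not l.lstrip().startswith("//")]
    return json.loads("\n".join(kept))

def audit_radius(settings):
    """Return (endpoint index, finding) pairs for the Radius section."""
    findings = []
    for i, ep in enumerate(settings.get("Radius", {}).get("RemoteEndpoints", [])):
        scheme = ep.get("AuthenticationScheme")
        if scheme not in SCHEMES:
            findings.append((i, f"unknown AuthenticationScheme {scheme!r}"))
        elif scheme == "PAP":
            findings.append((i, "PAP scheme is insecure"))
        if ep.get("AuthenticationUserName") not in NAME_FORMATS:
            findings.append((i, "unknown AuthenticationUserName"))
        if ep.get("CheckMessageAuthenticator") is not True:
            findings.append((i, "Message-Authenticator check is not enabled"))
        if len(str(ep.get("Secret", ""))) < MIN_SECRET_LEN:
            findings.append((i, f"Secret shorter than {MIN_SECRET_LEN} characters"))
    return findings

if __name__ == "__main__":
    for index, finding in audit_radius(load_settings(SAMPLE)):
        print(f"RemoteEndpoints[{index}]: {finding}")
```

Run it against a copy of appsettings.json before restarting the IdP application pool; an empty result means no endpoint matched any of the checks.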