Authentication nodes

RADIUS Decision node

RAPID only

The RADIUS Decision node performs authentication with the RADIUS (Remote Authentication Dial-In User Service) server, where Advanced Identity Cloud is acting as the RADIUS client.

The node performs the following actions:

  • Sends an Access-Request packet to the RADIUS server to initiate the authentication request.

  • Handles the RADIUS server’s response to determine the outcome of the authentication attempt.

  • Sends additional Access-Request packets if the RADIUS server responds with an Access-Challenge packet requesting more information from the user.

Learn more in RADIUS Authentication.

Example

The following example shows how you can implement RADIUS authentication with Advanced Identity Cloud acting as the client:

RADIUS authentication journey
  • The Page node, containing the Platform Username node and the Platform Password node, prompts the user for their credentials.

  • The RADIUS Decision node sends the user’s credentials in an Access-Request packet to the configured RADIUS server.

    • If the RADIUS server responds with an Access-Accept packet, the user is successfully authenticated.

    • If the RADIUS server responds with an Access-Reject packet, authentication fails.

    • If the RADIUS server responds with an Access-Challenge packet, the RADIUS Challenge Collector node presents the challenge message to the user and collects their response.

      After the user has responded, the RADIUS Decision node sends another Access-Request packet to the RADIUS server, including the user’s response.

      Depending on the RADIUS server’s response to the second Access-Request packet, the user is either authenticated or denied access.

Availability

Product                                   Available?
PingOne Advanced Identity Cloud           Yes
PingAM (self-managed)                     Yes
Ping Identity Platform (self-managed)     Yes

Inputs

  • The node reads the username and password from the shared state.

    Implement a Platform Username node and a Platform Password node earlier in the journey.

  • The node reads the challenge response from the radiusChallenge object in the incoming node state if it exists.

Dependencies

This node has no dependencies.

Configuration

Property Usage

Primary RADIUS Servers

A list of primary RADIUS servers to use for authentication.

Enter the fully qualified domain name or IP address of the RADIUS server and click Add. You can optionally include the port number after the server name using a colon, for example, radius.example.com:1812. If the port number is omitted, the default port number 1812 is used.

You can adjust the order of the servers by dragging and dropping them in the list.

Secondary RADIUS Servers

A list of secondary RADIUS servers to use for authentication if no primary servers are available.

Enter the fully qualified domain name or IP address of the RADIUS server and click Add. You can optionally include the port number after the server name using a colon, for example, radius.example.com:1812. If the port number is omitted, the default port number 1812 is used.

You can adjust the order of the servers by dragging and dropping them in the list.

RADIUS Shared Secret Label Identifier

An identifier used to create a secret label for mapping to the shared secret in the secret store. Advanced Identity Cloud uses this identifier to create a specific secret label for this node. The secret label takes the form am.authentication.nodes.radius.identifier.secret, where identifier is the value of RADIUS Shared Secret Label Identifier. The identifier can only contain alphanumeric characters (a-z, A-Z, 0-9) and periods (.). It can’t start or end with a period.

Timeout

The number of seconds to wait for the RADIUS server to respond.

Default: 5

Health Check Interval

The number of minutes between health checks to previously unavailable RADIUS servers.

Default: 5

Stop RADIUS binds after lockout

Select this option to prevent the node from sending Access-Request packets to the RADIUS server if the user’s account is locked in Advanced Identity Cloud.

Default: Not enabled

Require Message-Authenticator attribute

To mitigate the risk of a Blast-RADIUS attack, select this option to make the Message-Authenticator attribute required in all packets sent to and from the RADIUS server.

You can use this attribute (defined in RFC 3579) to verify incoming RADIUS responses to prevent spoofing.

When this option is enabled:

  • Advanced Identity Cloud includes a valid Message-Authenticator attribute in the Access-Request packets it sends to the RADIUS server.

  • Advanced Identity Cloud expects the RADIUS server to include a valid Message-Authenticator attribute in the Access-Accept, Access-Reject and Access-Challenge packets.

    If the attribute isn’t present or is invalid, Advanced Identity Cloud silently drops the response and continues listening for responses until the timeout period has elapsed.

Default: Enabled

Outputs

The node adds the radiusChallenge object to transient state if the RADIUS server responds with an Access-Challenge packet.

The radiusChallenge object includes the following information:

{
  "octets": "<binary bytes received from the RADIUS server that represent the state information>",
  "replyMessage": "<challenge message from the RADIUS server>",
  "response": null
}

Include the RADIUS Challenge Collector node after this node to present the challenge message to the user and collect their response.
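The following Python program is an added example, not Ping Identity code, that walks through the client side of what this page describes: the example journey (Access-Request, Access-Challenge, second Access-Request carrying the user's response and the server's State, then Access-Accept), the Require Message-Authenticator behaviour (a response without a valid Message-Authenticator, or with a bad Response Authenticator, is dropped rather than trusted), and the shape of the radiusChallenge object. The shared secret, usernames, password, token, the State bytes and the in-process fake_server_reply function are all constructed for the demonstration; the fake server does not check credentials, it only produces correctly authenticated packets so the client-side checks can be exercised.

```python
"""Added example (not Ping Identity code): the RADIUS client side of the
exchange described on this page. Secret, users, State bytes and the
in-process fake server are constructed for the demonstration."""
import hashlib
import hmac
import os
import struct

# RADIUS codes (RFC 2865) and the attribute types used here
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
MESSAGE_AUTHENTICATOR = 80  # RFC 2869 section 5.14, mandated by RFC 3579
OUTCOMES = {ACCESS_ACCEPT: "Accept", ACCESS_REJECT: "Reject", ACCESS_CHALLENGE: "Challenge"}


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: type, length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    out, i = [], 0
    while i < len(data):
        t, n = data[i], data[i + 1]
        if n < 2 or i + n > len(data):
            raise ValueError("malformed attribute")
        out.append((t, data[i + 2:i + n]))
        i += n
    return out


def packet(code, ident, authenticator, attr_bytes):
    return struct.pack("!BBH", code, ident, 20 + len(attr_bytes)) + authenticator + attr_bytes


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: XOR 16-byte blocks with an MD5-derived keystream."""
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def message_authenticator(secret, code, ident, request_auth, attrs):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed.
    For Accept/Reject/Challenge the Authenticator field used in the HMAC is the
    Request Authenticator of the request being answered."""
    zeroed = encode_attrs([(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    return hmac.new(secret, packet(code, ident, request_auth, zeroed), hashlib.md5).digest()


def build_access_request(ident, username, password, secret, state=None):
    """Access-Request with Message-Authenticator; State is echoed after a challenge."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, request_auth))]
    if state is not None:
        attrs.append((STATE, state))
    attrs.append((MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    attrs[-1] = (MESSAGE_AUTHENTICATOR, message_authenticator(secret, ACCESS_REQUEST, ident, request_auth, attrs))
    return packet(ACCESS_REQUEST, ident, request_auth, encode_attrs(attrs)), request_auth


def verify_response(resp, request_auth, secret, require_ma=True):
    """Return (code, attrs) for an authentic response, or None to drop it silently."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return None
    code, ident, attr_bytes = resp[0], resp[1], resp[20:]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 section 3
    expected = hashlib.md5(resp[:4] + request_auth + attr_bytes + secret).digest()
    if not hmac.compare_digest(expected, resp[4:20]):
        return None
    try:
        attrs = decode_attrs(attr_bytes)
    except ValueError:
        return None
    mas = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if require_ma and (len(mas) != 1 or not hmac.compare_digest(
            mas[0], message_authenticator(secret, code, ident, request_auth, attrs))):
        return None  # missing or invalid Message-Authenticator: drop, keep waiting
    return code, attrs


def _first(attrs, typ):
    return next((v for t, v in attrs if t == typ), None)


def challenge_state(attrs):
    """Shape the challenge the way the page's radiusChallenge object does."""
    return {"octets": _first(attrs, STATE),
            "replyMessage": (_first(attrs, REPLY_MESSAGE) or b"").decode(),
            "response": None}


def fake_server_reply(req, secret, code, attrs, include_ma=True):
    """Constructed stand-in for the RADIUS server; answers req with the given code."""
    ident, request_auth = req[1], req[4:20]
    attrs = list(attrs)
    if include_ma:
        attrs.append((MESSAGE_AUTHENTICATOR, b"\x00" * 16))
        attrs[-1] = (MESSAGE_AUTHENTICATOR, message_authenticator(secret, code, ident, request_auth, attrs))
    body = encode_attrs(attrs)
    resp_auth = hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()
    return packet(code, ident, resp_auth, body)


def run_journey(secret, username, password, token):
    """The page's example journey: request -> challenge -> second request -> outcome."""
    req, ra = build_access_request(1, username, password, secret)
    resp = fake_server_reply(req, secret, ACCESS_CHALLENGE, [(REPLY_MESSAGE, b"Enter token"), (STATE, b"\x01\x02")])
    verified = verify_response(resp, ra, secret)
    if verified is None:
        return "Error"
    code, attrs = verified
    if code != ACCESS_CHALLENGE:
        return OUTCOMES.get(code, "Error")
    challenge = challenge_state(attrs)
    challenge["response"] = token  # what the RADIUS Challenge Collector node would fill in
    req2, ra2 = build_access_request(2, username, challenge["response"], secret, state=challenge["octets"])
    verified2 = verify_response(fake_server_reply(req2, secret, ACCESS_ACCEPT, []), ra2, secret)
    return OUTCOMES.get(verified2[0], "Error") if verified2 else "Error"


if __name__ == "__main__":
    print(run_journey(b"constructed-shared-secret", b"alice", b"correct horse", b"123456"))
```

The two checks in verify_response are deliberately separate: the Response Authenticator (plain MD5 with the secret appended) is what every RADIUS client has always checked, while the Message-Authenticator is an HMAC-MD5 keyed with the secret and covers the same bytes. Dropping responses that lack the HMAC, as the node does when Require Message-Authenticator attribute is enabled, is what closes the Blast-RADIUS forgery path; with require_ma=False the example accepts a response carrying only the weaker check, which is the behaviour the option is there to turn off.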

Outcomes

Accept

The RADIUS server responds with an Access-Accept packet and the user is successfully authenticated.

Reject

The RADIUS server responds with an Access-Reject packet and authentication fails.

Challenge

The RADIUS server responds with an Access-Challenge packet requesting additional information from the user.

Error

The node encounters an error and authentication fails.

Errors

This node can log the following:

Warnings
  • User account is locked: username

    The user’s account in Advanced Identity Cloud is locked.

  • Could not find user identity for username: username

    The node can’t find a user profile in Advanced Identity Cloud for the username.

Errors
  • Error connecting to RADIUS server

    The node can’t connect to the RADIUS server.