Access Management 7.3.1

Limitations

Deploying AM’s RADIUS server lets an organization consolidate RADIUS and HTTP authentication into a single solution, facilitating reuse of existing authentication mechanisms between both types of clients. However, there are several limitations:

  • Because RADIUS authentication attempts always start with a username and password transmitted in an Access-Request packet, the first module in an authentication chain used for RADIUS clients must accept a username and a password.

  • By default, AM caches up to 5,000 RADIUS clients concurrently.

    If necessary, you can change the maximum number of RADIUS clients that can be cached concurrently on an AM server by configuring the org.forgerock.openam.radius.server.context.cache.size advanced server property.

    Refer to Configuring Servers for information about how to configure advanced server properties.

  • Some AM callback types are not applicable to RADIUS clients. For example, a RedirectCallback directs HTTP clients, such as browsers, to HTTP resources to be used for some aspect of authentication. Redirects make no sense to RADIUS clients and cannot be consumed in any meaningful way.

    A ConfirmationCallback also presents challenges for RADIUS clients.

    As a result, some AM authentication modules cannot be used with RADIUS clients. Before attempting to use an authentication module with RADIUS clients, review the module’s callbacks to determine whether the module will support RADIUS clients. You can use the REST API to determine the callbacks for an authentication module as described in Authenticate over REST.

  • Some client mechanisms leveraged by authentication modules might not be applicable to RADIUS clients. For example, suppose a customized SMS one-time password module sends a one-time password over an SMS service, and then provides a ChoiceCallback that lets the user set a cookie in their browser that expires after 30 days. Such a module might first determine whether the cookie was available, still valid, and applicable to the current user before reissuing a new one-time password and soliciting the value from the user.

    RADIUS clients are unable to process HTTP cookies. Although RADIUS clients can support a ChoiceCallback, the customized feature described in the previous paragraph would not function correctly for RADIUS clients, and therefore should not be deployed with RADIUS clients. As a result, some callback sets within an authentication module will differ depending on the type of client being authenticated.

  • The RADIUS Server service logs only to the ForgeRock common audit logger introduced in OpenAM 13. It does not log to the classic audit logs that were available prior to OpenAM 13.

When building custom authentication modules, consider their suitability for handling the types of clients that might use them, and make adjustments to callbacks as needed.