Skip to content

RADIUS Clients

The RADIUS Client Configuration in Mideye Server allows administrators to define and manage RADIUS client settings. This guide explains how to configure RADIUS clients using the four tabs in the configuration page: General Settings, User Repositories, Client Configuration, and Username Filtering. Each RADIUS server handles both authentication and accounting traffic.

Creating a New RADIUS Client

  1. Navigate to RADIUS Clients:
  2. In the Mideye Server web interface, go to RADIUS Settings > RADIUS Clients.
  3. Add New Client:
  4. Click Add New RADIUS Client.
  5. Note: Configure shared secrets separately under Shared Secret.

Configuration Tabs Overview

The RADIUS Client configuration page consists of four tabs:

  1. General Settings
  2. User Repositories
  3. Client Configuration
  4. Username Filtering

1. General Settings

Define the basic parameters of the RADIUS client:

  • Client Name: Unique identifier within Mideye Server.
  • NAS IP Address (Optional): Hostname or IP address associated with RADIUS attribute NAS-IP-Address (Attribute #18).
  • NAS Identifier: Alternative identifier (NAS-Identifier, Attribute #32), useful when multiple clients share an IP address.
  • Authentication Server: Select the server for handling authentication requests.
  • Accounting Server: Select the server for logging accounting requests.

General Settings

2. User Repositories

Specify where the RADIUS Server searches for user information:

  • Use Mideye Database: Search the internal database before external sources.
  • LDAP Profiles: Assign LDAP profiles for user searches, processed in order.
  • Azure Active Directory (Entra ID): Assign Azure AD profiles for user searches, processed in order.

User Repositories

3. Client Configuration

Customize the client’s behavior and security settings:

  • OTP Length: Set OTP length (default 6; range 4–12 characters).
  • OTP Type: Choose Numeric (default), Alphabetic, or Alphanumeric.
  • Encoding: Define character encoding (default UTF-8).
  • Allow Auth Type 1 (Password): Enable one-factor password authentication (disabled by default from release 5.2).
  • Allow YubiKeys with Custom Keys: Enable personalized YubiKeys.
  • Disallow Login with Plaintext SMS-OTP: Restrict plaintext SMS-OTP logins.
  • Enable OIDC Support: Activate OpenID Connect (OIDC) support.
  • Ignore Password: Ignore the user’s password; validate only username and authentication method. Note: Not compatible with Authentication Type 1 - Password.
  • Require Token-Coupled Plus Login: Enforce use of token-coupled Mideye+ apps or token cards.
  • Require Local Authentication: Require PIN or biometric verification with Mideye+ Touch; no fallback.
  • Support Disconnect Messages: Allow sending Disconnect-Requests to clients that support RADIUS Disconnect Messages.
  • User Suffix: Enable suffixes (e.g., @TOKEN, @MOBILE) to change authentication type.

Client Configuration

4. Username Filtering

Modify usernames sent by RADIUS clients:

  • Prefix/Suffix Filter: Remove prefixes/suffixes using a separator (e.g., strip domain from 'domain\username').
  • Character Filter: Remove unwanted characters (e.g., spaces) from usernames. Applies only to PAP.

Example: Filtering out domain prefixes and spaces turns 'domain\user name' into 'username'.

Username Filtering Example: RADIUS client configured to filter out domain names specified before '\' and accidental blank spaces (e.g., 'domain\user name' is modified to 'username').

Assisted Login Configuration

Configure settings for Assisted Login:

  • Display Name: Name displayed during Touch notifications. Defaults to client name if blank.
  • Assisted Login Profiles: Assign profiles defining scope and permissions for assisted login. See Assisted Login Documentation.

Assisted Login

Default RADIUS Client Configuration

To handle requests from unspecified clients:

  1. Create Default Client:
    • Add a new RADIUS client with IP address 0.0.0.0.
  2. Assign Shared Secret:
    • Set a shared secret under Shared Secret.

This ensures any undefined RADIUS requests are managed by the default configuration.

Authentication and Accounting Traffic

Each RADIUS Server listens for both:

  • Authentication Traffic: Manages user login attempts and credential verification.
  • Accounting Traffic: Tracks session start/stop times, duration, and usage metrics for auditing and monitoring.