Many network appliances, like Cisco ASA, have the ability to delegate authentication of users to an external RADIUS server. For example, when a user establishes an IPsec VPN using their desktop VPN client, the network appliance can send an Access-Request to a RADIUS server, which authenticates the entered credentials against a user store.
OneLogin has a RADIUS server interface that will accept RADIUS authentication requests from devices that support the RADIUS protocol. When OneLogin receives an Access-Request message, the user is authenticated against the directory linked to the user. OneLogin's RADIUS server interface also supports second-factor authentication, such as a one-time-password (OTP), either concatenated with the user password in a one-step authentication scheme or as a response to a secondary challenge in a two-step authentication scheme.
The OneLogin RADIUS server can authenticate users based on the following:
- User name: OneLogin email, OneLogin username, or SAMAccountName
- Password: OneLogin password, OTP, or OneLogin password+OTP (concatenated as a single password string)
- Second-step challenge (if your RADIUS device supports it): OTP
For detailed instructions about configuring a Meraki Access Point to use OneLogin RADIUS server for authentication, see Configuring the RADIUS Server Interface with Meraki Access Points.
This article includes the following topics:
- Configuring RADIUS in OneLogin
- Configuring your NAS
- Upgrading your legacy RADIUS service
- Troubleshooting your RADIUS service
Prerequisites
- A device that speaks the RADIUS networking protocol and uses the PAP or EAP-TTLS/PAP authentication scheme.
  We will refer to this endpoint device as the Network Access Server, or NAS. Some examples include the following:
  - Cisco ASA
  - Fortinet 200B
  - Juniper SSL VPN
  Note. OneLogin only supports PAP and EAP-TTLS/PAP. It does not support authentication schemes like MS-CHAP and EAP-TLS. Additional authentication schemes will be supported over time. If you would like us to add support for a particular scheme, please submit a request through the button in your OneLogin admin portal.
- A basic understanding of how to configure the RADIUS protocol on your NAS.
- Access to your NAS IP address and shared secret.
Configuring RADIUS in OneLogin
1. Log in to OneLogin as an administrator.
2. Go to Settings > RADIUS.
3. Click the New Configuration button.
   The RADIUS configuration page appears.
4. Enter a name that helps you identify this configuration; for example, "My Cisco ASA".
5. In the Secret field, enter the string defined as the shared secret in your NAS.
   Note. If you create a new shared secret, it can take up to an hour to be usable due to caching.
6. Enter the IP address of your NAS. You can enter more than one, separated by spaces.
7. If you want to restrict access to users in certain roles, select the role from the Role Restriction drop-down.
8. (Optional) If your NAS supports two-step authentication, select Require OTP verification as a 2nd step.
   Use this option to require users to provide a one-time password (OTP) as a second step after entering the user name and password. If you enable this option, users must register their OTP device in their OneLogin profile before they can authenticate.
   Note. Instead of this option, you can incorporate second-factor authentication as a single step by requiring a concatenated password + one-time password (OTP). To set up single-step authentication with OTP, skip this step and go to step 9, below.
   When you have selected the Require OTP verification option, two additional options appear:
   - "for all users": requires all users to provide an OTP after they have entered their username and password.
   - "if user's OneLogin policy requires OTP" (recommended): requires this second authentication step only for users who have been assigned a security policy that requires multifactor authentication. For more information about using policies to require multifactor authentication, see User Policies.
   Important! Two-step authentication only works if you've set up your NAS to provide two-step authentication. The NAS sends the login challenge, not OneLogin. If your NAS is not configured to provide two-step authentication, consult your NAS provider for guidance. Not all NAS providers support two-step authentication.
9. Click Save, then confirm or modify your attribute mappings.
   After you click Save, the Attributes section shows the mapping of RADIUS attributes (left) to OneLogin attributes (right). By default, the OneLogin RADIUS service uses the OneLogin Email as the RADIUS User-Name and the OneLogin Password as the RADIUS User-Password.
   Whether you accept the defaults or edit the mappings depends on your needs.
   Accept the defaults and skip to Configuring your NAS, below, if:
   - You selected Require OTP verification as a 2nd step, above, and you will use the OneLogin Email as your RADIUS User-Name.
   - You are not using OTP verification at all, and your RADIUS device uses Email as your RADIUS User-Name.
   Edit the mappings if:
   - You require OTP authentication but do not have a NAS that supports second-step OTP verification (or prefer not to use second-step OTP verification). Click the User-Password row to open the Edit RADIUS Attribute Mapping dialog and select OTP or Password + OTP in the OneLogin User Field dropdown. Click Update to save your changes. If you select Password + OTP, your users will provide their password plus the OTP value as a single concatenated string in the Password field when they are prompted for their credentials by your NAS. If you select this option, your users must register their OTP device in their OneLogin profile before they can authenticate.
   - Your RADIUS device uses SAMAccountName or the value held by OneLogin Username as the RADIUS User-Name. Click the User-Name row to open the Edit RADIUS Attribute Mapping dialog and select Username or SAMAccountName from the OneLogin User Field dropdown. Click Update to save your changes.
10. Click Save and proceed to your NAS configuration.
Configuring your NAS
Configure RADIUS for authentication on your device using the following settings:
Note. If you don't know whether your OneLogin account is on the US or EU database shard, contact OneLogin support.
| NAS configuration | US OneLogin DB shard | EU OneLogin DB shard |
|---|---|---|
| AAA/RADIUS primary server | radius.us.onelogin.com | radius.eu.onelogin.com |
| AAA/RADIUS secondary server | radius2.us.onelogin.com | radius2.eu.onelogin.com |
| Authentication scheme | PAP or EAP-TTLS/PAP | PAP or EAP-TTLS/PAP |
| Secret/key | Same as the shared secret entered on the OneLogin RADIUS configuration page | Same as the shared secret entered on the OneLogin RADIUS configuration page |
Upgrading your legacy RADIUS service
If you implemented OneLogin's RADIUS service before December 2015, you may be pointing to the legacy RADIUS service that was deprecated on May 31, 2016.
To migrate to the new RADIUS service, update the RADIUS server and port settings on your NAS to point to those listed in Configuring your NAS.
Troubleshooting your RADIUS service
Why is authentication failing against the OneLogin RADIUS service?
You may have configured the RADIUS service in OneLogin to use the wrong RADIUS User-Name value. The default configuration in OneLogin uses the OneLogin Email value as the RADIUS User-Name. But your NAS may be passing SAMAccountName or the value held in the OneLogin Username field instead, in which case authentication fails.
Check to see what value is being passed by your NAS. Then go to Settings > RADIUS, select your RADIUS service, and go to the Attributes section to confirm that the OneLogin attribute is the same. If not (let's say your NAS uses SAMAccountName and it's set to OneLogin Email in the Attributes section), change the OneLogin attribute and save the page.
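To make the shared-secret and User-Name checks above concrete, the following Python (an added example, not OneLogin's or any NAS vendor's code) builds a PAP Access-Request the way a NAS would and parses it the way the RADIUS server would, using the RFC 2865 User-Password hiding that depends on the shared secret. It shows why a secret mismatch fails authentication while User-Name stays readable, which is the value to compare against the Attributes mapping; the user name, password+OTP string, secret and NAS address are constructed sample values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 1, 2, 4  # RFC 2865 code / attribute types

def pap_xform(data: bytes, secret: bytes, authenticator: bytes, hide: bool) -> bytes:
    """RFC 2865 5.2 User-Password hiding (hide=True) or its inverse (hide=False): each 16-byte
    block is XORed with MD5(secret + previous ciphertext block); block 0 uses the Request Authenticator."""
    if hide:
        data += b"\x00" * (-len(data) % 16)  # pad to a multiple of 16 octets
    out, prev = bytearray(), authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = block if hide else data[i:i + 16]  # chain on the hidden (wire) form either way
    return bytes(out) if hide else bytes(out).rstrip(b"\x00")

def build_access_request(user_name: str, password: str, secret: bytes, nas_ip: str, ident: int = 1) -> bytes:
    """What a PAP NAS sends: 4-byte header, 16 random bytes of Request Authenticator, then TLV attributes."""
    auth = os.urandom(16)
    attrs = b""
    for kind, value in ((USER_NAME, user_name.encode()),
                        (USER_PASSWORD, pap_xform(password.encode(), secret, auth, True)),
                        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))):
        attrs += struct.pack("!BB", kind, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def parse_access_request(packet: bytes, secret: bytes) -> dict:
    """Server side: walk the TLVs and recover User-Name, User-Password and NAS-IP-Address.
    User-Name is sent in the clear; with the wrong shared secret only the password turns to garbage."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    auth, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        kind, alen = packet[pos], packet[pos + 1]
        attrs[kind] = packet[pos + 2:pos + alen]
        pos += alen
    return {
        "user_name": attrs[USER_NAME].decode(),
        "password": pap_xform(attrs[USER_PASSWORD], secret, auth, False).decode("utf-8", "replace"),
        "nas_ip": ".".join(str(b) for b in attrs[NAS_IP_ADDRESS]),
    }

if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"  # constructed sample values throughout, not real credentials
    # "Passw0rd!" + "123456" mimics the Password + OTP concatenation described above.
    pkt = build_access_request("alice@example.com", "Passw0rd!123456", SECRET, "192.0.2.10")
    print(parse_access_request(pkt, SECRET))  # recovers user name, password and NAS address
    print(parse_access_request(pkt, b"wrong")["password"])  # garbage: shared-secret mismatch
```

Run against a capture from your own NAS, the decoded user_name tells you whether it is sending Email, Username or SAMAccountName, which is what the Attributes mapping must match.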