Many network appliances, like Cisco ASA, have the ability to delegate authentication of users to an external RADIUS server. For example, when a user establishes an IPsec VPN using their desktop VPN client, the network appliance can send an Access-Request to a RADIUS server, which authenticates the entered credentials against a user store.
OneLogin has a RADIUS server interface that will accept RADIUS authentication requests from devices that support the RADIUS protocol. When OneLogin receives an Access-Request message, the user is authenticated against the directory linked to the user. OneLogin's RADIUS server interface also supports second-factor authentication, such as a one-time-password (OTP), either concatenated with the user password in a one-step authentication scheme or as a response to a secondary challenge in a two-step authentication scheme.
The OneLogin RADIUS server can authenticate users based on the following:
- User name: OneLogin email, OneLogin username, or SAMAccountName
- Password: OneLogin password, OTP only, or OneLogin password+OTP (concatenated as a single password string)
- Second-step challenge (if your RADIUS device supports it): OTP
For detailed instructions about configuring a Meraki Access Point to use OneLogin RADIUS server for authentication, see Configuring the RADIUS Server Interface with Meraki Access Points.
This article includes the following topics:
- Configuring RADIUS in OneLogin
- Configuring your NAS
- Upgrading your legacy RADIUS service
- Troubleshooting your RADIUS service
Prerequisites
- A device that speaks the RADIUS networking protocol and uses the PAP or EAP-TTLS/PAP authentication scheme. We will refer to this endpoint device as the Network Access Server, or NAS. Some examples include the following:
  - Cisco ASA
  - Fortinet 200B
  - Juniper SSL VPN
  Note. OneLogin only supports PAP and EAP-TTLS/PAP. It does not support authentication schemes like MS-CHAP and EAP-TLS. Additional authentication schemes will be supported over time. If you would like us to add support for a particular scheme, please submit a request through the button in your OneLogin admin portal.
- A basic understanding of how to configure the RADIUS protocol on your NAS.
- Access to your NAS IP address and shared secret.
Configuring RADIUS in OneLogin
1. Log in to OneLogin as an administrator.
2. Go to Settings -> RADIUS.
3. Click the New Configuration button. The RADIUS configuration page appears.
4. Enter a name that helps you identify this configuration; for example, "My Cisco ASA".
5. In the Secret field, enter the string defined as the shared secret in your NAS.
   Note. If you create a new shared secret, it can take up to an hour to be usable due to caching.
6. Enter the IP address of your NAS. You can enter more than one, separated by spaces.
7. (Optional) If you want to restrict access to users in certain roles, select the role from the Role Restriction drop-down.
8. (Optional) If your NAS supports two-step authentication, select Require OTP verification as a 2nd step.
   Use this option to require users to provide a one-time password (OTP) as a second step after entering the user name and password. If you enable this option, users must register their OTP device in their OneLogin profile before they can authenticate.
   Note. Instead of this option, you can incorporate second-factor authentication as a single step by requiring a concatenated password + one-time password (OTP). To set up single-step authentication with OTP, skip this step and choose the OneLogin Password+OTP mapping when you confirm your attribute mappings, below.
   When you have selected the Require OTP verification option, two additional options appear:
   - Select for all users to require all users to provide an OTP after they have entered their username and password.
   - Select if user's OneLogin policy requires OTP (recommended) to require this second authentication step only for users who have been assigned a security policy that requires multifactor authentication. For more information about using policies to require multifactor authentication, see User Policies.
   Important! Two-step authentication only works if you've set up your NAS to provide two-step authentication. The NAS sends the login challenge, not OneLogin. If your NAS is not configured to provide two-step authentication, consult your NAS provider for guidance. Not all NAS providers support two-step authentication.
9. (Optional) Turn on the Enable Password Expiration Policy Enforcement setting to have the OneLogin RADIUS server enforce users' OneLogin password expiration policies. For OneLogin RADIUS server configurations created after July 6, 2017, this setting is turned on by default.
10. Confirm or modify your attribute mappings.
    After you click Save, the Attributes section shows the mapping of RADIUS attributes (left) to OneLogin attributes (right). By default, the OneLogin RADIUS service uses the OneLogin Email as the RADIUS User-Name and the OneLogin Password as the RADIUS User-Password. Your options are:
    - User-Name: OneLogin Email (default). OneLogin Username and SAMAccountName are the other values your NAS may be passing (see Troubleshooting your RADIUS service).
    - User-Password:
      - OneLogin Password only (default). Use this if you are using OTP verification as a 2nd step (see step 8), or if you don't need OTP at all.
      - OTP only. Users don't provide their password at all. Note. This is typical of RADIUS implementations that use PAP only. With a password, it is possible, if highly unlikely, that the password could be compromised. If you use OTP only, with OTP codes that change with each authentication request, the vulnerability is removed.
      - OneLogin Password+OTP. Users enter both password and OTP as a concatenated string (mypassword12345, where 12345 is the OTP).
    Click any row to change the attribute mapping.
11. If you made any changes to the attribute mappings, click Save.
12. Proceed to your NAS configuration.
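The steps above describe two ways of getting an OTP into a RADIUS login: a single step, where the OTP travels in User-Password (alone or concatenated to the password), or a second step, where the server answers the first request with an Access-Challenge and the NAS sends the OTP in a follow-up request carrying the server's State. The code below is an added example written for this article, not OneLogin's implementation: RADIUS messages are plain dicts rather than wire packets, the user store, policies and OTP seeds are constructed, and the 6-digit OTP length and 120-second challenge lifetime are assumptions the article does not state.

```python
"""Authentication decision logic for the OTP schemes described in the steps above.

Added example, not OneLogin's code. Messages are dicts (attribute name -> value);
users, policies and OTP seeds are constructed; OTP length and challenge TTL are assumptions.
"""
import hashlib
import hmac
import secrets
import struct
import time

OTP_DIGITS = 6          # assumption: the article does not state the OTP length
CHALLENGE_TTL = 120     # assumption: seconds a pending Access-Challenge stays valid


def totp(seed: bytes, at: int, step: int = 30, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for Unix time `at`."""
    mac = hmac.new(seed, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _eq(a: str, b: str) -> bool:
    """Constant-time comparison of two strings."""
    return hmac.compare_digest(a.encode(), b.encode())


# Constructed user store: first factor, OTP seed, and whether the user's
# OneLogin security policy requires multifactor authentication.
USERS = {
    "alice@example.com": {"password": "correct horse", "seed": b"alice-seed-0001", "policy_mfa": True},
    "bob@example.com":   {"password": "battery staple", "seed": b"bob-seed-000002", "policy_mfa": False},
}


class RadiusAuthenticator:
    """Decides Access-Accept / Access-Reject / Access-Challenge for one configuration.

    password_mode mirrors the User-Password mapping: "password", "otp_only" or "password+otp".
    otp_second_step mirrors the 2nd-step option: "off", "all_users" or "if_policy_requires".
    """

    def __init__(self, password_mode: str, otp_second_step: str = "off", now=time.time):
        self.password_mode = password_mode
        self.otp_second_step = otp_second_step
        self.now = now
        self._pending = {}  # State value -> (user name, expiry); every entry is single-use

    def _otp_ok(self, user: dict, code: str) -> bool:
        # Accept the current and the previous 30 s step to tolerate clock drift.
        now = int(self.now())
        return any(_eq(totp(user["seed"], now - d), code) for d in (0, 30))

    def _first_factor_ok(self, user: dict, presented: str) -> bool:
        if self.password_mode == "password":
            return _eq(user["password"], presented)
        if self.password_mode == "otp_only":
            return len(presented) == OTP_DIGITS and self._otp_ok(user, presented)
        if self.password_mode == "password+otp":
            # One-step scheme: the OTP is the trailing digits of the single password string.
            if len(presented) <= OTP_DIGITS:
                return False
            pwd, code = presented[:-OTP_DIGITS], presented[-OTP_DIGITS:]
            return _eq(user["password"], pwd) and self._otp_ok(user, code)
        raise ValueError(f"unknown password mode {self.password_mode!r}")

    def handle(self, request: dict) -> dict:
        """Process one Access-Request and return the reply as a dict."""
        state = request.get("State")
        if state is not None:
            # Second step: the NAS echoes our State and carries the OTP in User-Password.
            pending = self._pending.pop(state, None)          # consumed: a replay is rejected
            if pending is None or pending[1] < self.now():
                return {"Code": "Access-Reject", "Reply-Message": "Unknown or expired challenge"}
            if self._otp_ok(USERS[pending[0]], request.get("User-Password", "")):
                return {"Code": "Access-Accept"}
            return {"Code": "Access-Reject", "Reply-Message": "Bad OTP"}

        user = USERS.get(request.get("User-Name", ""))
        if user is None or not self._first_factor_ok(user, request.get("User-Password", "")):
            return {"Code": "Access-Reject"}   # same reply for unknown user and wrong password

        needs_second = self.otp_second_step == "all_users" or (
            self.otp_second_step == "if_policy_requires" and user["policy_mfa"])
        if needs_second and self.password_mode == "password":
            token = secrets.token_hex(16)
            self._pending[token] = (request["User-Name"], self.now() + CHALLENGE_TTL)
            return {"Code": "Access-Challenge", "State": token, "Reply-Message": "Enter your OTP"}
        return {"Code": "Access-Accept"}
```

The second-step path issues a random State that is consumed on first use and expires, so a recorded second-step request cannot be presented again. When the User-Password mapping already carries the OTP (OTP only or Password+OTP) no challenge is issued, which is why the article says to skip the 2nd-step option for the single-step scheme.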
Configuring your NAS
Configure RADIUS for authentication on your device using the following settings:
Note. If you don't know whether your OneLogin account is on the US or EU database shard, contact OneLogin support.
Wherever possible, use the RADIUS server domain name rather than the IP address, since IP addresses may change.
|NAS configuration|US OneLogin DB shard|EU OneLogin DB shard|
|---|---|---|
|AAA/RADIUS primary server|radius.us.onelogin.com||
|AAA/RADIUS secondary server|radius2.us.onelogin.com||
|Authentication scheme|PAP or EAP-TTLS/PAP|PAP or EAP-TTLS/PAP|
|Secret/key|Same as the shared secret entered on the OneLogin RADIUS configuration page|Same as the shared secret entered on the OneLogin RADIUS configuration page|
Upgrading your legacy RADIUS service
If you implemented OneLogin's RADIUS service before December 2015, you may be pointing to the legacy RADIUS service that was deprecated on May 31, 2016.
To migrate to the new RADIUS service, update the RADIUS server and port settings on your NAS to point to those listed in Configuring your NAS.
Troubleshooting your RADIUS service
Why is authentication failing against the OneLogin RADIUS service?
You may have configured the RADIUS service in OneLogin to use the wrong RADIUS User-Name value. The default configuration in OneLogin uses the OneLogin Email value as the RADIUS User-Name. But your NAS may be passing SAMAccountName or the value held in the OneLogin Username field instead, in which case authentication fails.
Check to see what value is being passed by your NAS. Then go to Settings > RADIUS, select your RADIUS service, and go to the Attributes section to confirm that the OneLogin attribute is the same. If not (let's say your NAS uses SAMAccountName and it's set to OneLogin Email in the Attributes section), change the OneLogin attribute and save the page.
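One way to check what your NAS is actually putting in User-Name, and whether the shared secret it uses matches the one entered in OneLogin, is to decode a captured Access-Request. The code below is an added example for this troubleshooting step and is not OneLogin's code: it constructs the request itself with the RFC 2865 PAP encoding instead of reading a capture, and the secret, user and NAS address are placeholders. It also computes the Response Authenticator, which is how a NAS detects a reply produced with a different secret, and it makes concrete the point made in the OTP only note above: PAP only obfuscates the password with the shared secret, so anyone who holds that secret can reverse the encoding.

```python
"""Decode a RADIUS Access-Request: which User-Name the NAS sends, and whether
its shared secret matches ours (the PAP User-Password only decodes cleanly if so).

Added example, not OneLogin's code. The request is constructed here with the
RFC 2865 PAP encoding; the secret, user and NAS address are placeholders.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(16 * max(1, -(-len(password) // 16)), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: anyone holding the shared secret can recover the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # padding is indistinguishable from trailing NULs in the password

def build_access_request(ident: int, secret: bytes, user_name: str, password: str, nas_ip: str) -> bytes:
    """Encode an Access-Request the way a PAP NAS would."""
    authenticator = os.urandom(16)             # Request Authenticator: random per request
    attrs = b""
    for typ, val in ((USER_NAME, user_name.encode()),
                     (USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
                     (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))):
        attrs += struct.pack("!BB", typ, len(val) + 2) + val
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_packet(pkt: bytes):
    """Return (code, identifier, authenticator, {type: value}); reject inconsistent lengths."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        typ, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[typ] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, pkt[4:20], attrs

def classify_user_name(name: str) -> str:
    """Rough guess at which OneLogin attribute the value the NAS sends corresponds to."""
    if "@" in name:
        return "OneLogin Email"
    if "\\" in name:
        return "SAMAccountName (DOMAIN\\user form)"
    return "OneLogin Username or SAMAccountName"

def inspect_request(pkt: bytes, secret: bytes) -> dict:
    """What the NAS sent, decoded with our copy of the shared secret."""
    _, _, authenticator, attrs = parse_packet(pkt)
    name = attrs.get(USER_NAME, b"").decode(errors="replace")
    pwd = reveal_password(attrs.get(USER_PASSWORD, b""), secret, authenticator)
    return {
        "user_name": name,
        "looks_like": classify_user_name(name),
        "password": pwd.decode("utf-8", errors="replace"),
        # Heuristic: a mismatched secret turns the password into random bytes.
        "secret_matches": pwd.isascii() and pwd.decode().isprintable(),
    }

def _response_authenticator(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def build_access_accept(request: bytes, secret: bytes) -> bytes:
    """Server side: an Access-Accept bound to the request and the shared secret."""
    _, ident, req_auth, _ = parse_packet(request)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20) + _response_authenticator(ACCESS_ACCEPT, ident, req_auth, b"", secret)

def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """NAS side: accept a reply only if its Response Authenticator was made with the same secret."""
    _, ident, req_auth, _ = parse_packet(request)
    code, rid, resp_auth, _ = parse_packet(response)
    expected = _response_authenticator(code, rid, req_auth, response[20:], secret)
    return rid == ident and hmac.compare_digest(expected, resp_auth)
```

If `inspect_request` with your OneLogin secret yields a printable password, the secrets agree and the `user_name` field tells you which attribute (email, username or SAMAccountName) to map in the Attributes section; if it yields garbage, the NAS is using a different secret, or a newly created one that has not yet propagated (see the caching note in the configuration steps).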