Configuring RADIUS authentication for Active Directory-based actions

Traditional logins to resources on an organizational network involve only a username and password. However, if the data breaches of recent years teach us anything, it is that a username and password alone are not sufficient. Multi-factor authentication (MFA) has become an indispensable part of logins, and implementing it is mandatory to meet regulatory standards such as the GDPR and HIPAA. RADIUS (Remote Authentication Dial-In User Service) is one of the methods that can be used for MFA.

When RADIUS is used for MFA, users first need to provide their username and password. They are then asked to enter the unique RADIUS password that is mapped to their account to authenticate themselves. If the password provided is valid, they will be allowed to access the service. Implementing MFA using RADIUS and other methods during Active Directory-based actions like domain logins, password changes, and self-service password resets and account unlocks can be extremely beneficial to domain user accounts and network security.

ADSelfService Plus, an identity management solution, offers RADIUS along with 20 other authentication methods including FIDO Passkeys, Biometric Authentication, and Zoho OneAuth TOTP, to secure users during:

Prerequisite steps:

Configure a RADIUS client in the RADIUS server for ADSelfService Plus using configuration steps specific to the RADIUS server. For example, to configure a RADIUS client in freeRADIUS:
  1. Log in to the RADIUS server.
  2. Navigate to the clients.conf file (default location: /etc/raddb/clients.conf).
  3. Add the following snippet to the clients.conf file:

    client <xyz>
    {
    ipaddr = <xxx.xxx.xxx.xxx>
    secret = <abc>
    nastype = other
    }

    where
    <xyz> refers to the ADSelfService Plus server name,
    <xxx.xxx.xxx.xxx> refers to the ADSelfService Plus server's IP address, and
    <abc> refers to the secret key value created by the admin. This is the same Secret Key that is entered when configuring ADSelfService Plus for RADIUS.

  4. Restart the RADIUS server.
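As an added check that is not part of ADSelfService Plus or freeRADIUS (example code written for this page, using a constructed clients.conf, a constructed client name and a documentation address), the following parses the client blocks in the format shown above and confirms that the entry for the ADSelfService Plus server points at the expected address and does not still carry a placeholder or default secret:

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample clients.conf in the block format used in the steps above.
# The "adssp" block still holds the <abc> placeholder from the snippet.
SAMPLE_CLIENTS_CONF = """
client adssp
{
    ipaddr = 192.0.2.10
    secret = <abc>
    nastype = other
}

client localhost
{
    ipaddr = 127.0.0.1
    secret = testing123
    nastype = other
}
"""

# Assumes flat "client name { key = value ... }" blocks; nested subsections
# (e.g. limit { ... }) inside a client block are not handled here.
BLOCK_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
# Values that should never survive into production: the page's placeholder,
# freeRADIUS's well-known sample secret, and an empty secret.
PLACEHOLDERS = {"<abc>", "testing123", ""}

def parse_clients(text):
    """Return {client_name: {key: value}} for every client block in text."""
    clients = {}
    for name, body in BLOCK_RE.findall(text):
        attrs = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()   # drop comments
            if "=" in line:
                key, value = line.split("=", 1)
                attrs[key.strip()] = value.strip()
        clients[name] = attrs
    return clients

def check_client(text, name, expected_ip, min_secret_len=16):
    """Findings for the ADSelfService Plus client block; empty list means OK."""
    client = parse_clients(text).get(name)
    if client is None:
        return [f"no client block named {name!r}"]
    findings = []
    ipaddr = client.get("ipaddr", "")
    try:  # ipaddr may be a host or a CIDR range; the ADSSP address must fall in it
        if ip_address(expected_ip) not in ip_network(ipaddr, strict=False):
            findings.append(f"ipaddr {ipaddr} does not cover {expected_ip}")
    except ValueError:
        findings.append(f"ipaddr {ipaddr!r} is not a valid address")
    secret = client.get("secret", "")
    if secret in PLACEHOLDERS:
        findings.append("secret is a placeholder or default value")
    elif len(secret) < min_secret_len:
        findings.append(f"secret shorter than {min_secret_len} characters")
    return findings
```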

Configure ADSelfService Plus for RADIUS

  1. Navigate to Configuration > Self Service > Multi-Factor Authentication > Authenticators.
  2. From the Choose the Policy drop-down, select a policy.

    Note: ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.

  3. Click the RADIUS Authentication section.
  4. Enter the Server Name, Server Port number, Server Protocol, Secret Key, Username Pattern, and the Request Time Out in seconds.

    Important: The Username Pattern is case-sensitive.

  5. Click Save.

Enable RADIUS Authentication for Active Directory password resets

  1. Go to Configuration > Self-Service > Multi-factor Authentication > MFA for Reset/Unlock. In the MFA for Reset/Unlock section, enter the number of authentication factors to be enforced, and select RADIUS Authentication along with the other authentication techniques to be used.
  2. Click Save Settings.

Enable RADIUS Authentication for Active Directory domain logins

  1. Go to Configuration > Self-Service > Multi-factor Authentication > MFA for Endpoints.
  2. Select a policy from the Choose the Policy drop-down. This will determine which authentication methods are enabled for which sets of users.
  3. In the MFA for Machine Login section, check the box to enable MFA for Machine Login and select the number of authentication factors to be prompted. Select the RADIUS Authentication and other required authenticators from the drop-down.
  4. Click Save Settings.