17.4.1.8. RADIUS client configuration in the JSP-Loginapp

To use a 3rd party RADIUS server for token checks in the authentiation process, configure the JSP-Loginapp as follows.

Configuration for authentication

  • Go to:
    MAIN SETTINGS >> Main Authenticator
    (or alternatively Loginapp >> Authentication Settings >> Authenticator)
  • Connect a RADIUS Authenticator plugin as the second authentication step in the Main Authenticator.
  • Configure the RADIUS Authenticator with the information obtained from the 3rd party RADIUS server.
    • Set IP, port, and shared secret.
    • Define rules mapping responses of the RADIUS servers to Airlock IAM internal states.
    • Examine the pre-configured RADIUS Authenticator plugin(s) in the configuration templates to learn how to configure them.

Configuration for password change

When authenticating using a RADIUS server, the password change can only be initiated by the server, i.e., only enforced password change during the login process is possible.

There is no way for a user to initiate a password change.

  • We assume the RADIUS server responds with the following access challenges:
    • First message: Please choose a new password.
    • Second message: Please confirm the new password.
  • In the RADIUS Authenticator, configure two new Access Challenge Rules as follows:
    • First Rule:
      • Pattern: Must match the first message above. Example: Please choose a new password
      • Authentication Result: New PIN required
    • Second Rule:
      • Pattern: Must match the second message above. Example: Please confirm the new password.
      • Authentication Result: New PIN required

This will cause IAM to display the New PIN Required page (new-pin), where the user must enter and confirm the new password.

Further information and links