RADIUS for User Authentication

(Included in Advanced Security Module) Remote Authentication Dial In User Service (RADIUS) is a networking client/server protocol that runs in the application layer, using UDP as transport, and provides centralized Authentication, Authorization, and Accounting (AAA) management for computers to connect to and use a network service. In EFT Enterprise, the server has been extended for RADIUS support for RSA SecurID® two-factor authentication to send and receive RADIUS packets to/from a RADIUS server for user authentication. RADIUS authentication can be added to Globalscape, Active Directory, LDAP, and ODBC-authenticated Sites in EFT Enterprise's administration interface. The RADIUS settings allow you to configure EFT Enterprise as a Network Access Server (NAS).

RADIUS and RSA SecurID cannot run together on the same Site. EFT does not support password reset and aging policies for RADIUS or RSA-enabled Sites.

How does RADIUS work with EFT Enterprise?

The user or device sends a request to EFT Enterprise to gain access to a particular network resource, then EFT Enterprise sends a RADIUS Access Request message to the RADIUS server, requesting authorization to grant access via the RADIUS protocol. The request may contain username, password, security certificate, network address, and IP/Port used to connect to EFT Enterprise. RADIUS servers vary, but most can look up client information in text files, AD/LDAP servers, or databases. The RADIUS server can respond with an Access Reject, Access Challenge, or Access Accept. If the RADIUS server responds with an Access Challenge, additional information is requested from the user or device, such as a secondary password.

In the Web Transfer Client, after the user authenticates with their EFT, AD, or LDAP credentials, they are asked for their RADIUS/RSA SecurID authentication. The account configured in EFT must match the user account on the RSA server. Whatever the user provides to log in to EFT is sent to the RSA server. For LDAP authentication, sAMAccountName should be configured.

The diagram below provides a general overview of EFT Enterprise configured in a network with RADIUS.

 

How do I configure RADIUS in EFT Enterprise?

You configure RADIUS in EFT Enterprise's administration interface. EFT Enterprise's Authentication Manager, Settings Templates, User Settings, New Site wizard, and New User Wizard each allow RADIUS configuration.

In Globalscape, LDAP, AD, and ODBC-authenticated Sites, the RADIUS Authenticated Settings dialog box, accessed from the New Site wizard and/or the Site's General tab allows you to enable RADIUS or RSA SecurID authentication and to configure the RADIUS/RSA server's IP address, port, NAS Identifier, shared secret, connection retries, and timeout. On the Settings Template and user account General tabs, and in the New User wizard, a simple enable check box is provided for those instances where you might want the Site to have RADIUS enabled, but want to disable it for a Settings Template or specific user.

Supported Protocols

EFT Enterprise supports RADIUS and RSA SecurID authentication for FTP, FTPS, SFTP, HTTP and HTTPS.

  • AS2 does not support interactive authentication.

  • EFT does not perform inline checking for PCI DSS compliance for various password controls. In PCI DSS reports, a Status value labeled "Compensating Control" and the following Compensating Control text appears: "Compensating Control: User authentication and password controls for %WHO% are being managed by a remote system, such as RSA SecurID®. (The %WHO% variable contains the name of the Site, Settings Template, or user account.)

Related Topics