RADIUS for User Authentication
(Included in Advanced Authentication Modes Module) Remote Authentication Dial In User Service (RADIUS) is a networking client/server protocol that runs in the application layer, using UDP as transport, and provides centralized Authentication, Authorization, and Accounting (AAA) management for computers to connect to and use a network service. EFT has been extended for RADIUS support for RSA SecurID® two-factor authentication to send and receive RADIUS packets to/from a RADIUS server for user authentication. RADIUS authentication can be added to Globalscape, Active Directory, LDAP, and ODBC-authenticated Sites in the EFT administration interface. The RADIUS settings allow you to configure EFT as a Network Access Server (NAS).
RADIUS and RSA SecurID cannot run together on the same Site. EFT does not support password reset and aging policies for RADIUS or RSA-enabled Sites.
How does RADIUS work with EFT?
The user or device sends a request to EFT to gain access to a particular network resource, then EFT sends a RADIUS Access Request message to the RADIUS server, requesting authorization to grant access via the RADIUS protocol. The request may contain username, password, security certificate, network address, and IP/Port used to connect to EFT. RADIUS servers vary, but most can look up client information in text files, AD/LDAP servers, or databases. The RADIUS server can respond with an Access Reject, Access Challenge, or Access Accept. If the RADIUS server responds with an Access Challenge, additional information is requested from the user or device, such as a secondary password.
In the Web Transfer Client, after the user authenticates with their EFT, AD, or LDAP credentials, they are asked for their RADIUS/RSA SecurID authentication. The account configured in EFT must match the user account on the RSA server. Whatever the user provides to log in to EFT is sent to the RSA server. For LDAP authentication, sAMAccountName should be configured.
The diagram below provides a general overview of EFT configured in a network with RADIUS.
How do I configure RADIUS in EFT?
You configure RADIUS in the EFT administration interface. The EFT Authentication Manager, Settings Templates, User Settings, New Site wizard, and New User Wizard each allow RADIUS configuration.
In Globalscape, LDAP, AD, and ODBC-authenticated Sites, the RADIUS Authenticated Settings dialog box, accessed from the New Site wizard and/or the Site's General tab allows you to enable RADIUS or RSA SecurID authentication and to configure the RADIUS/RSA server's IP address, port, NAS Identifier, shared secret, connection retries, and timeout. On the Settings Template and user account General tabs, and in the New User wizard, a simple enable check box is provided for those instances where you might want the Site to have RADIUS enabled, but want to disable it for a Settings Template or specific user.
Supported Protocols
EFT supports RADIUS and RSA SecurID authentication for FTP, FTPS, SFTP, HTTP and HTTPS.
-
AS2 does not support interactive authentication.
-
EFT does not perform inline checking for PCI DSS compliance for various password controls. In PCI DSS reports, a Status value labeled "Compensating Control" and the following Compensating Control text appears: "Compensating Control: User authentication and password controls for %WHO% are being managed by a remote system, such as RSA SecurID®. (The %WHO% variable contains the name of the Site, Settings Template, or user account.)
Related Topics
-
For details of configuring RADIUS on a new Site, refer to Defining Connections (Sites).
-
For details of COM API methods for RADIUS, refer to "Creating a User" (CreateUser and CreateUserEx) in the COM API ReferenceCOM API Reference.