We recommend using the modern RadSec protocol (RADIUS over TLS) to authenticate against RADIUSaaS. However, many network infrastructure components still in use do not support RadSec.
The following diagram shows the RADIUS authentication flow:
In the first authentication sequence, the RADIUS packets themselves are protected only by MD5 hashing keyed with the shared secret (the Request/Response Authenticators; attributes such as User-Password are obfuscated with an MD5 stream derived from the shared secret rather than encrypted). No user secrets are transported in this phase, but the shared secret is the only thing protecting the UDP traffic.
In the second sequence, a TLS-based EAP method (e.g. EAP-TLS) encrypts the authentication exchange. The EAP-TLS records are tunneled inside the RADIUS UDP packets (EAP-Message attributes). With certificate-based authentication, no reusable secrets are transported in this phase: the client proves possession of its private key within the TLS handshake.
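To make the difference between the two sequences concrete, the following added example (written for this page; it is not RADIUSaaS code, and the secret, Request Authenticator, user name and EAP payload are constructed sample values) implements the MD5-based protections of plain RADIUS from RFC 2865 and RFC 2869: the User-Password obfuscation, the Response Authenticator a NAS checks on an Access-Accept, and the HMAC-MD5 Message-Authenticator that must accompany EAP-Message attributes. Everything it computes depends only on the shared secret, which is the caveat behind the RadSec recommendation.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types used below (RFC 2865 / RFC 2869).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 2, 79, 80

# Constructed sample values for the demonstration (not captured traffic).
SECRET = b"radius-shared-secret"
REQUEST_AUTH = bytes(range(16))  # a real NAS sends 16 random bytes here


def attribute(atype: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, total length (including the 2 header bytes), value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """20-byte RADIUS header (code, identifier, length, authenticator) plus attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def attributes(pkt: bytes):
    """Yield (type, offset of the value within pkt, value) for every attribute."""
    off = 20
    while off < len(pkt):
        atype, alen = pkt[off], pkt[off + 1]
        yield atype, off + 2, pkt[off + 2:off + alen]
        off += alen


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 and XOR each block with
    MD5(secret + previous ciphertext block), the first block using the Request
    Authenticator. Keyed obfuscation, not authenticated encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], stream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password: anyone holding the secret and the packet recovers it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def access_request_eap(ident: int, request_auth: bytes, user: bytes, eap: bytes, secret: bytes) -> bytes:
    """Access-Request carrying EAP: EAP-Message plus the Message-Authenticator that
    RFC 3579 requires with it, an HMAC-MD5 (RFC 2869 5.14) over the whole packet
    computed with the Message-Authenticator value set to zeros."""
    attrs = (attribute(USER_NAME, user) + attribute(EAP_MESSAGE, eap)
             + attribute(MESSAGE_AUTHENTICATOR, bytes(16)))
    mac = hmac.new(secret, packet(ACCESS_REQUEST, ident, request_auth, attrs), hashlib.md5).digest()
    return packet(ACCESS_REQUEST, ident, request_auth, attrs[:-16] + mac)


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Server-side check of the HMAC-MD5; a packet without one is rejected."""
    for atype, off, value in attributes(pkt):
        if atype == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False


def access_accept(ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server reply: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    resp_auth = hashlib.md5(packet(ACCESS_ACCEPT, ident, request_auth, attrs) + secret).digest()
    return packet(ACCESS_ACCEPT, ident, resp_auth, attrs)


def verify_response(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check: recompute the Response Authenticator with the Request
    Authenticator it sent. Only the shared secret binds the reply to the request."""
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


if __name__ == "__main__":
    hidden = hide_password(b"Pa55w0rd", SECRET, REQUEST_AUTH)
    print("User-Password on the wire:", hidden.hex(), "->", reveal_password(hidden, SECRET, REQUEST_AUTH))
    req = access_request_eap(7, REQUEST_AUTH, b"alice@example.com",
                             b"\x02\x01\x00\x16\x01alice@example.com", SECRET)
    print("Message-Authenticator valid:", verify_message_authenticator(req, SECRET))
    acc = access_accept(7, REQUEST_AUTH, attribute(USER_NAME, b"alice@example.com"), SECRET)
    print("Access-Accept genuine:", verify_response(acc, REQUEST_AUTH, SECRET),
          "| forged with wrong secret:", verify_response(acc, REQUEST_AUTH, b"guess"))
```

Run it directly to see a hidden User-Password recovered with the secret, and an Access-Accept that verifies with the right secret and fails with a wrong one. Forging an Access-Accept is exactly as hard as obtaining the shared secret; nothing else in the UDP exchange is protected, whereas RadSec puts the whole exchange inside a TLS session.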
In order to log in to the RADIUSaaS web portal ("RADIUSaaS Admin Portal"), the following requirements have to be met:
- The UPN/email address you provided as technical admin must be able to authenticate against an Azure AD tenant.
- The Azure AD user object behind that UPN/email address must be permitted to consent to the following permissions for the RADIUSaaS Enterprise Application (see screenshot below):
- Read the Basic User Profile
- Maintain access to data you have given it access to (allow request of refresh token)
- If your Azure AD user is not permitted to consent to the required permissions (for example because user consent is restricted in your tenant), no corresponding Enterprise Application will be created automatically in your Azure AD. To work around this, either ask your IT department to grant your user the needed permissions, or have them manually create the required Enterprise Application and assign your user to it.
- To manually create the Enterprise Application, please follow these steps:
- Create a new Enterprise Application
- Give it a name such as "RADIUSaaS Admin Center"
- Enable user sign-in (set "Enabled for users to sign in?" to Yes)
- Optionally, apply your Conditional Access policies
- Configure the permissions listed above (with either admin or user consent):
- Under Users and groups, assign every RADIUSaaS admin who should be able to access the platform.
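The manual steps above, expressed as the Microsoft Graph calls the Azure portal performs, as an added example that is not part of the RADIUSaaS documentation. It assumes you already hold a Graph bearer token for an admin with Application.ReadWrite.All, DelegatedPermissionGrant.ReadWrite.All and AppRoleAssignment.ReadWrite.All, that you know the RADIUSaaS application's appId (the `app_id` parameter; obtain it from RADIUSaaS), and that the two permissions listed above correspond to the delegated scopes `openid profile offline_access` (an assumption; use the scopes the consent prompt actually shows). The `dry_run_transport` records the calls instead of sending them, so the sequence can be inspected offline.

```python
import functools
import json
import os
import sys
import urllib.parse
import urllib.request
from typing import Callable, List, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"      # well-known appId of Microsoft Graph
DEFAULT_ACCESS_ROLE = "00000000-0000-0000-0000-000000000000"  # "Default Access" role of an app that defines no app roles
ASSUMED_SCOPES = "openid profile offline_access"              # assumption: delegated scopes behind the two listed permissions

Call = Callable[[str, str, Optional[dict]], dict]


def graph_call(token: str, method: str, path: str, body: Optional[dict] = None) -> dict:
    """Minimal Microsoft Graph transport using a caller-supplied bearer token."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GRAPH + path, method=method, data=data,
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def dry_run_transport() -> Tuple[Call, List[tuple]]:
    """Transport that records calls and answers with synthetic ids (no network)."""
    log: List[tuple] = []

    def call(method: str, path: str, body: Optional[dict] = None) -> dict:
        log.append((method, path, body))
        if method == "POST" and path == "/servicePrincipals":
            return {"id": "sp-radiusaas"}
        if path.startswith("/servicePrincipals?"):
            return {"value": [{"id": "sp-msgraph"}]}
        if path.startswith("/users/"):
            return {"id": "user-" + path[len("/users/"):].split("?")[0]}
        return {}

    return call, log


def provision_admin_app(call: Call, app_id: str, admin_upns: List[str], admin_consent: bool = True,
                        display_name: str = "RADIUSaaS Admin Center", scopes: str = ASSUMED_SCOPES) -> dict:
    # 1. Create the Enterprise Application: a service principal for the vendor's
    #    multi-tenant app registration, identified by its appId.
    sp_id = call("POST", "/servicePrincipals", {"appId": app_id})["id"]
    # 2. Name it, enable sign-in, and require assignment so that only users added
    #    under "Users and groups" can sign in through it.
    call("PATCH", f"/servicePrincipals/{sp_id}",
         {"displayName": display_name, "accountEnabled": True, "appRoleAssignmentRequired": True})
    # 3. Consent to the delegated permissions, which are scopes on the Microsoft Graph resource.
    query = urllib.parse.urlencode({"$filter": f"appId eq '{MS_GRAPH_APP_ID}'", "$select": "id"},
                                   quote_via=urllib.parse.quote)
    graph_sp_id = call("GET", "/servicePrincipals?" + query, None)["value"][0]["id"]
    admin_ids = [call("GET", f"/users/{upn}?$select=id", None)["id"] for upn in admin_upns]
    grant = {"clientId": sp_id, "resourceId": graph_sp_id, "scope": scopes}
    if admin_consent:
        # Admin consent: one grant that covers every user in the tenant.
        call("POST", "/oauth2PermissionGrants", {**grant, "consentType": "AllPrincipals"})
    else:
        # User consent: one grant per assigned admin, so nobody else is covered.
        for user_id in admin_ids:
            call("POST", "/oauth2PermissionGrants", {**grant, "consentType": "Principal", "principalId": user_id})
    # 4. Users and groups: assign each RADIUSaaS admin the app's default access role.
    for user_id in admin_ids:
        call("POST", f"/servicePrincipals/{sp_id}/appRoleAssignedTo",
             {"principalId": user_id, "resourceId": sp_id, "appRoleId": DEFAULT_ACCESS_ROLE})
    return {"servicePrincipalId": sp_id, "assignedUsers": admin_ids}


if __name__ == "__main__":
    # Usage: GRAPH_TOKEN=<token> python provision.py <RADIUSaaS appId> admin1@contoso.com ...
    # Without GRAPH_TOKEN nothing is sent; the calls are recorded and printed instead.
    app_id = sys.argv[1] if len(sys.argv) > 1 else "<RADIUSaaS appId>"
    admins = sys.argv[2:] or ["admin@contoso.com"]
    token = os.environ.get("GRAPH_TOKEN")
    if token:
        print(provision_admin_app(functools.partial(graph_call, token), app_id, admins))
    else:
        transport, log = dry_run_transport()
        provision_admin_app(transport, app_id, admins)
        for entry in log:
            print(*entry)
```

`appRoleAssignmentRequired` is the "Assignment required?" property: with it set, the "Users and groups" assignment in step 4 is what actually gates who can sign in, so unassigned users are refused even though consent was granted tenant-wide. Pass `admin_consent=False` to record per-user consent instead of admin consent.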