If you are a new customer, for optimum performance, especially for large enterprises, install the SecureAuth RADIUS server separately from the IdP or Identity Platform server. If in doubt, contact SecureAuth Support.

  • SecureAuth IdP version 9.1 or later
  • Hybrid: Authentication API (v9.1+) configured and enabled on the realm
  • Cloud: Authentication Apps (19.07+) configured and enabled on Identity Platform, plus Authentication API (v9.2+) configured and enabled on the realm
  • If you use a load balancer:

    When you use Push-to-Accept, Symbol-to-Accept, or Link-to-Accept MFA methods with SecureAuth RADIUS Server, you must enable session persistence ("sticky sessions") on the load balancer to maintain state with the Identity Platform. SecureAuth RADIUS Server supports cookie-based persistence only.

    You don't need to enable session persistence if RADIUS Server is installed on the Identity Platform server or is targeted directly (not load-balanced).

Supported SecureAuth IdP features

See the SecureAuth compatibility guide for product and component compatibility with operating systems, Authenticate app, browsers, Java, data stores, identity types, SSO/post-authentication actions, Login for Windows, Login for Mac, and YubiKey.

SecureAuth IdP featuresSecureAuth IdP versionConfiguration notes
Adaptive Authentication


Configure threat checking for:

  • User Groups – See Adaptive Authentication for RADIUS responses with user group checking enabled.
  • End user Client IPs – Cisco, NetScaler, and Palo Alto Networks platforms only.


Attribute Mapping


Configure and enable Identity Management API (v9.1+) on the realm to grant / deny end user login access.

Group based authentication – Optionally configure Membership Connection Settings  to grant / deny login access:

  • Specify the name of the user group to be granted / denied access, or
  • Designate a Property from Profile Fields to identify the user group to be granted / denied access.
UPN Logon


Multi-Factor Authentication methods

SecureAuth IdP versionSecureAuth IdP v9.x supported server and required components
Time-based One-Time Passcode (TOTP)v9.1+

NetMotion Wireless VPN:

  • PEAP protocol support requirements:
    • Public or private certificate
    • .PFX file
    • Private Key and Private Key Password
  • Microsoft Visual C++ requirements:

NOTE: SecureAuth employees, refer to NetMotion Mobility RADIUS configuration guide.

HMAC-based One-Time Passcode (HOTP)v9.1+
SMS (OTP only)v9.1+
Email (OTP only)v9.1+
Passcode OTP (Push Notification)v9.1+
Mobile Login Requestv9.1+
Yubico OTP Tokenv9.2+
Symbol-to-Accept (Protect package and higher only)v9.3+
Fingerprint Recognition (Prevent package only)v19.07+, using 2019 theme
Face Recognition (Prevent package only)v19.07+, using 2019 theme
  • No labels