Documentation

RADIUS

Introduction

The radius authentication method authenticates application-type accounts by delegating the credential check to a remote RADIUS server, reached over UDP.

When an authentication request is made for a file transfer session, SFTPPlus will use the provided credentials (username and password) and forward them to the configured RADIUS server for validation.

Check the RADIUS integration documentation to find out how to configure RADIUS authentication for various scenarios.

name

Default value:

''

Optional:

Yes

From version:

2.10.0

Values:
  • Any text.

Description:

Human-readable short text used to identify this method.

description

Default value:

''

Optional:

Yes

From version:

2.10.0

Values:
  • Any text.

Description:

Human-readable text that describes the purpose of this authentication method.

type

Default value:

''

Optional:

No

From version:

2.10.0

Values:
  • application - Application accounts.

  • os - Accounts authenticated by the OS.

  • http - HTTP (unsecured).

  • ip-time-ban - Ban an IP address for a time interval.

  • deny-username - Deny authentication based on usernames.

  • anonymous - Anonymous account authentication.

  • ldap - Authenticate against an LDAP server.

  • local-file - Authenticate the accounts from a separate local file.

  • radius - Authenticate via a RADIUS server.

  • entra-id - Microsoft Entra ID

  • google-identity - Google Identity

Description:

This option specifies the type of the method. Each type has its own set of configuration options.

address

Default value:

''

Optional:

No

Values:
  • Host name.

  • Fully qualified domain name resolving to an IPv4 or IPv6 address.

  • IPv4 address.

  • IPv6 address.

From version:

4.10.0

Description:

Host name, domain name or IP address used to connect to the remote RADIUS server.

port

Default value:

1812

Optional:

Yes

Values:
  • Port number.

From version:

4.10.0

Description:

UDP port on which the remote RADIUS server accepts authentication requests. 1812 is the standard RADIUS authentication port.

password

Default value:

''

Optional:

No

Values:
  • Clear text

From version:

4.10.0

Description:

This is the shared secret defined between the RADIUS server and the SFTPPlus application, used to secure the communication. With authentication_type pap it is the only value protecting the user password on the wire, and every RADIUS reply is authenticated with it, so use a long, random value.

Before version 4.24.0 this configuration option was named shared_secret. It was renamed to password to make sensitive values easier to audit.

authentication_type

Default value:

'ms-chap-v2'

Optional:

Yes

Values:
  • pap

  • chap

  • ms-chap-v1

  • ms-chap-v2

From version:

4.13.0

Description:

The authentication type to use when sending the credentials to the RADIUS server.

Use pap for the Password Authentication Protocol as specified in the main RADIUS specification (RFC 2865). The password travels in the User-Password attribute, hidden only by an MD5-derived keystream computed from the shared secret and the request authenticator.

Use chap for the Challenge-Handshake Authentication Protocol (RFC 1994, carried in RADIUS as specified in RFC 2865). The password itself is not sent; an MD5 hash of the challenge and the password is sent instead, so the RADIUS server must hold the clear-text password to verify it.

Use ms-chap-v1 for the Microsoft version of the Challenge-Handshake Authentication Protocol (RFC 2433), carried in the Microsoft vendor-specific RADIUS attributes specified in RFC 2548.

Use ms-chap-v2 for the Microsoft Challenge-Handshake Authentication Protocol Version 2 as specified in RFC 2759.

Warning

Current security standards no longer consider MS-CHAP-v2 (or MS-CHAP-v1) a secure authentication method: a captured exchange can be attacked offline to recover the password hash. MS-CHAP-v2 remains in use only because many legacy products depend on it.

None of these methods protects the exchange from an attacker on the network path, and the shared secret offers little protection for a captured exchange. With any authentication method, only use RADIUS over a trusted network or an encrypted tunnel such as IPsec or a VPN.

extract_mfa_from_password

Default value:

No

Optional:

Yes

Values:
  • Yes

  • No

From version:

5.23.0

Description:

Whether to extract the value for the RADIUS Access-Challenge response from the password provided in the initial request.

RADIUS servers that implement multi-factor authentication (MFA) first validate the password and then send an Access-Challenge asking the client for another value, usually a one-time code or token.

Some file transfer clients cannot prompt for a second password, so this two-step RADIUS exchange can break the login process.

SFTPPlus can instead take both values from the initial password: the client sends the actual password, a single comma with no surrounding spaces, and the value required by the RADIUS challenge, in the format PASSWORD,SECOND_CODE.

In this way the file transfer client sends a single authentication request that carries the username, the password and the RADIUS challenge value.
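The PAP password hiding described under authentication_type and the two-step MFA exchange described above, as one added example that is not SFTPPlus code: a Python model of both sides of the exchange. It builds RFC 2865 packets (Access-Request, Access-Challenge, Access-Accept and Access-Reject carrying the State attribute), hides the User-Password with the MD5 keystream, and verifies the Response Authenticator of every reply. The server is a constructed in-memory stand-in so the code runs offline; the shared secret, the user and the one-time code are made up, and splitting the password at the last comma is an assumption, since the page only documents the PASSWORD,SECOND_CODE format.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # packet codes
USER_NAME, USER_PASSWORD, NAS_PORT, STATE = 1, 2, 5, 24  # attribute types (RFC 2865)

def pap_hide(data: bytes, secret: bytes, authenticator: bytes, unhide: bool = False) -> bytes:
    """RFC 2865 section 5.2: XOR 16-byte blocks with MD5(secret + previous cipher
    block), seeded with the Request Authenticator. Same routine in both directions.
    This MD5 keystream is the only protection PAP gives the password on the wire."""
    if not unhide:
        data = data.ljust(max(1, (len(data) + 15) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (data[i:i + 16] if unhide else block)
    return out.rstrip(b"\x00") if unhide else out

def encode_attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", kind, len(value) + 2) + value for kind, value in attrs)

def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        kind, length = data[i], data[i + 1]
        if length < 2:
            raise ValueError("malformed RADIUS attribute")
        attrs.append((kind, data[i + 2:i + length]))
        i += length
    return attrs

def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)

class FakeMfaServer:
    """Constructed stand-in for a RADIUS/MFA server: checks the password, then
    challenges for a one-time code bound to a State attribute."""

    def __init__(self, secret: bytes, users: dict):
        self.secret, self.users, self.pending = secret, users, {}  # users: name -> (password, code)

    def handle(self, packet: bytes) -> bytes:
        _, ident, _ = struct.unpack("!BBH", packet[:4])
        request_auth, attrs = packet[4:20], dict(decode_attrs(packet[20:]))
        user = attrs[USER_NAME].decode(errors="replace")
        value = pap_hide(attrs[USER_PASSWORD], self.secret, request_auth, unhide=True).decode(errors="replace")
        if STATE in attrs:  # second step: value must be the code bound to our State
            ok = self.pending.pop(attrs[STATE], None) == (user, value)
            reply, reply_attrs = (ACCESS_ACCEPT if ok else ACCESS_REJECT), []
        elif user in self.users and self.users[user][0] == value:
            state = os.urandom(8)
            self.pending[state] = (user, self.users[user][1])
            reply, reply_attrs = ACCESS_CHALLENGE, [(STATE, state)]
        else:
            reply, reply_attrs = ACCESS_REJECT, []
        body = encode_attrs(reply_attrs)
        header = struct.pack("!BBH", reply, ident, 20 + len(body))
        return header + hashlib.md5(header + request_auth + body + self.secret).digest() + body

def authenticate(server, secret: bytes, username: str, password: str,
                 extract_mfa_from_password: bool) -> str:
    """Client side of the exchange. With extract_mfa_from_password the
    PASSWORD,SECOND_CODE form is split (assumption: at the last comma, so the
    password itself may contain commas); otherwise the value is sent unchanged."""
    second = None
    if extract_mfa_from_password and "," in password:
        password, second = password.rsplit(",", 1)
    base = [(USER_NAME, username.encode()), (NAS_PORT, struct.pack("!I", 0))]  # nas_port = 0
    request_auth = os.urandom(16)
    hidden = (USER_PASSWORD, pap_hide(password.encode(), secret, request_auth))
    reply = server.handle(build_packet(ACCESS_REQUEST, 1, request_auth, base + [hidden]))
    if not verify_response(reply, request_auth, secret):
        return "bad-response-authenticator"  # forged or wrong-secret reply: never accept it
    if reply[0] == ACCESS_CHALLENGE:
        if second is None:
            return "challenge-unanswered"  # a client that sends one password stops here
        state = dict(decode_attrs(reply[20:]))[STATE]
        request_auth = os.urandom(16)
        hidden = (USER_PASSWORD, pap_hide(second.encode(), secret, request_auth))
        reply = server.handle(build_packet(ACCESS_REQUEST, 2, request_auth, base + [(STATE, state), hidden]))
        if not verify_response(reply, request_auth, secret):
            return "bad-response-authenticator"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], "unexpected")

if __name__ == "__main__":
    srv = FakeMfaServer(b"constructed-secret", {"alice": ("hunter2", "123456")})
    print(authenticate(srv, b"constructed-secret", "alice", "hunter2,123456", True))  # accept
```

Running it shows the failure mode the option exists for: a client that can send only one password stops at challenge-unanswered, while the same credentials in the PASSWORD,SECOND_CODE form complete both steps. It also shows why the warning above restricts RADIUS to secure networks: the password is recovered from a captured Access-Request by anyone who knows or guesses the shared secret, and a reply whose Response Authenticator does not verify must be discarded rather than trusted.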

on_access_accept

Default value:

succeed

Optional:

Yes

Values:
  • succeed

  • continue-to-authorization

From version:

5.24.0

Description:

What to do when the RADIUS server has accepted our request.

With the default value of on_access_accept = succeed, the authentication process is finalized: the user is authenticated and authorized using only the information provided by the RADIUS server.

The RADIUS server may accept the user credentials while SFTPPlus still needs extra information to authorize the user, such as group membership. For this case use on_access_accept = continue-to-authorization: SFTPPlus continues the authentication and authorization process by trying the next configured authentication methods.

continue_on_access_reject

Default value:

No

Optional:

Yes

Values:
  • Yes

  • No

From version:

4.10.0

Description:

Whether to continue and try the other authentication methods when the RADIUS server has rejected the authentication request for the current user.

If no response is received from the RADIUS server (connection failure or timeout), the authentication fails right away, regardless of this option.

In version 5.23.0 this option was renamed from continue_authentication.

timeout

Default value:

60

Optional:

Yes

Values:
  • Number of seconds.

From version:

4.13.0

Description:

Duration, in seconds, to wait for a response from the RADIUS server.

If a response is not received during this period, the authentication fails.

Note

If the idle_connection_timeout value of a service is lower than the RADIUS timeout, the service may close the client connection before the RADIUS server responds, and the login attempt fails even if the server would have accepted it. Keep the service timeout above the RADIUS timeout.

nas_port

Default value:

'0'

Optional:

Yes

Values:
  • Integer number

From version:

4.13.0

Description:

Value of the RADIUS NAS-Port used for the access request.

For most configurations, this can be set to 0 (zero).

debug

Default value:

'no'

Optional:

Yes

Values:
  • yes

  • no

From version:

4.13.0

Description:

When enabled, emit low-level protocol debug messages.

base_groups

Default value:

Empty

Optional:

Yes

Values:
  • Empty

  • Group UUID.

  • Comma-separated list of group UUIDs.

From version:

5.23.0

Description:

Defines the SFTPPlus groups that are associated with any authenticated RADIUS user.

Leave empty to not have any default group, and only use the groups associated via dynamic group association or via the group_mapping configuration.

This configuration option is ignored when group_mapping is defined and there is a match for the authenticated RADIUS user. The matched group mapping will be used to determine the groups associated with an authenticated RADIUS user.

When a single group UUID is defined, all authenticated RADIUS users will be associated to that group.

When multiple group UUIDs are defined, all authenticated RADIUS users will be associated to all the groups defined in this configuration option.

The first configured base group is also the primary group.

group_mapping

Default value:

''

Optional:

Yes

Values:
  • Comma separated RADIUS attribute name, matching value, and single group UUID.

  • Comma separated RADIUS attribute name, matching value, and multiple groups UUID (Since 4.20.0).

  • Empty value.

From version:

4.10.0

Description:

The group mapping configuration can be used to associate a successfully authenticated user with an SFTPPlus group, based on the RADIUS attributes found in the Access-Accept message.

You can create complex group mapping by specifying multiple groups which are selected based on RADIUS attribute names and values. Define group mappings, one rule per line.

Each line contains at least 3 comma-separated values. The first value is the name of the RADIUS attribute; it is matched case-insensitively. The second value is a matching expression applied to the value of that attribute. The remaining values are the UUIDs of the SFTPPlus groups to associate with the user; the first group in this list is the primary group.

You can use the ${CONTINUE} value instead of a group UUID to instruct SFTPPlus to continue authenticating with the next methods from the authentication chain.

Leave this configuration option empty to use only the groups defined via base_groups.
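How the RADIUS outcome combines with continue_on_access_reject, on_access_accept, group_mapping and base_groups, as an added example that is not SFTPPlus code: a Python model of the decision one RADIUS method makes in the authentication chain. Assumptions not stated by the page: the matching expression is a regular expression matched against the whole attribute value, rules are tried in order and the first match wins, and a multi-valued attribute (such as several Class values) matches if any value matches. The group UUIDs and the Access-Accept attributes are constructed.

```python
import re

CONTINUE = "${CONTINUE}"

def parse_group_mapping(config: str):
    """One rule per line: ATTRIBUTE,EXPRESSION,GROUP_UUID[,GROUP_UUID...].
    Assumption: EXPRESSION is a regular expression (full match); the page does
    not say which expression syntax SFTPPlus uses."""
    rules = []
    for number, raw in enumerate(config.splitlines(), 1):
        parts = [part.strip() for part in raw.split(",")]
        if parts == [""]:
            continue  # blank line
        if len(parts) < 3 or not all(parts):
            raise ValueError(f"group_mapping line {number}: expected attribute, expression, group UUID(s)")
        rules.append((parts[0].lower(), re.compile(parts[1]), parts[2:]))
    return rules

def resolve_groups(accept_attributes: dict, rules, base_groups):
    """Groups for a user the RADIUS server accepted. Returns ("groups", [...]) with
    the primary group first, or ("continue", []) when the matching rule is ${CONTINUE}.
    Attribute names are compared case-insensitively; first matching rule wins."""
    attrs = {name.lower(): (v if isinstance(v, list) else [v]) for name, v in accept_attributes.items()}
    for attribute, pattern, groups in rules:
        if any(pattern.fullmatch(value) for value in attrs.get(attribute, [])):
            return ("continue", []) if groups[0] == CONTINUE else ("groups", list(groups))
    return ("groups", list(base_groups))  # no rule matched: base_groups, possibly empty

def next_step(radius_result: str, accept_attributes: dict, rules, base_groups,
              on_access_accept: str = "succeed", continue_on_access_reject: bool = False):
    """Decision for the RADIUS method; radius_result is "accept", "reject" or "no-response".
    Returns ("fail" | "continue" | "groups", group_uuids)."""
    if radius_result == "no-response":
        return ("fail", [])  # timeout or connection failure: fail regardless of the options
    if radius_result == "reject":
        return ("continue" if continue_on_access_reject else "fail", [])
    if on_access_accept == "continue-to-authorization":
        return ("continue", [])  # credentials accepted; a later method supplies authorization
    return resolve_groups(accept_attributes, rules, base_groups)

# Constructed sample configuration: the UUIDs are made up.
ADMINS = "11111111-1111-4111-8111-111111111111"
UPLOADERS = "22222222-2222-4222-8222-222222222222"
FINANCE = "33333333-3333-4333-8333-333333333333"
DEFAULT = "44444444-4444-4444-8444-444444444444"
RULES = parse_group_mapping(f"""
Filter-Id,sftp-admins,{ADMINS},{UPLOADERS}
class,OU=finance.*,{FINANCE}
Filter-Id,guest-.*,{CONTINUE}
""")
```

With RULES loaded, an Access-Accept carrying Filter-Id sftp-admins yields the ADMINS and UPLOADERS groups with ADMINS as primary, a guest-* Filter-Id hands the user to the next method in the chain, and an accept that matches no rule falls back to base_groups. Note that the rule format itself is comma-separated, so a matching expression cannot contain a literal comma.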

second_factor_authentication

Default value:

Empty

Optional:

Yes

From version:

5.24.0

Values:
  • UUID of another authentication method.

Description:

The UUID of another authentication method to use as the second factor authentication.

Leave it empty if you don't want to use a second factor or the current authentication method already supports multi-factor authentication.

use_as_second_factor

Default value:

No

Optional:

Yes

From version:

5.24.0

Values:
  • No

  • Yes

Description:

Whether to allow this authentication method to be used as a second factor in combination with another method.

When set to Yes, the method fails every authentication attempt in which it is used as a standalone method or in which it has a second_factor_authentication of its own. It only accepts authentication when invoked as the second factor of another authentication method.