# Setting Up RADIUS Authentication

## Overview
CertMS supports RADIUS (Remote Authentication Dial-In User Service) authentication, allowing you to integrate with existing RADIUS servers for centralized user authentication. This lets you leverage your organization's existing authentication infrastructure, maintain consistent password policies, and streamline user access management.
## Benefits
- Centralized authentication — Use existing RADIUS infrastructure instead of managing passwords locally
- Consistent password policies — Enforce organization-wide password requirements automatically
- Simplified user management — No need to manage passwords across multiple systems
- Enhanced security — Leverage existing security controls and monitoring
- Broad compatibility — Works with Active Directory, FreeRADIUS, and other RADIUS-compatible systems
## Prerequisites
Before configuring RADIUS authentication, ensure you have:
- Administrative access to CertMS
- Access to your RADIUS server configuration
- RADIUS server hostname or IP address
- RADIUS shared secret (pre-shared key)
- Network connectivity between CertMS and the RADIUS server
- Firewall rules allowing UDP traffic on the RADIUS port (typically 1812)
## Part 1: Configure the RADIUS Provider

### Step 1: Access Authentication Provider Settings
- In the left-hand navigation menu, click the Settings dropdown
- Select Auth Providers
- Review existing providers — Local authentication is always available as a fallback
### Step 2: Create a New RADIUS Provider
- Click Create Provider
- Complete the basic provider configuration:
| Field | Description | Example |
|---|---|---|
| Provider Name | Descriptive name for this provider (required) | Corporate RADIUS Server |
| Provider Type | Select Radius from the dropdown (required) | Radius |
| Description | Optional notes about this provider | Main corporate RADIUS for domain authentication |
| Priority | Order in which providers are tried — lower = higher priority | 1 |
| Active | ✅ Check to enable this provider | Checked |
Note: Select Radius as the Provider Type. For SAML-based SSO, see the Setup SSO guide.
### Step 3: Configure RADIUS Settings
After selecting Radius as the Provider Type, the Radius Configuration section appears with additional fields.
| Field | Description | Default | Example |
|---|---|---|---|
| Server Host | RADIUS server hostname or IP address (required) | — | radius.example.com or 10.0.1.50 |
| Server Port | UDP port for RADIUS authentication | 1812 | 1812 (standard), 1645 (legacy) |
| Shared Secret | Pre-shared key for RADIUS communication (required) | — | your-secure-shared-secret |
| Timeout (seconds) | Time to wait for a RADIUS response | 5 | 5 recommended for LAN; increase for WAN |
| Retries | Number of retry attempts on no response | 3 | 3 recommended |
| NAS Identifier | Optional identifier sent to RADIUS server for logging/policy | — | certms-prod |
Field notes:
- Server Host — Use FQDN or IP. If using hostname, confirm DNS resolution works from the CertMS server.
- Shared Secret — Must match exactly what is configured on the RADIUS server. Treat it as a password.
- Timeout — 5 seconds is sufficient for local network RADIUS. Increase for high-latency or WAN-connected servers.
- Retries — 3 retries balances reliability with login responsiveness.
- NAS Identifier — Useful for RADIUS logging and policy decisions. Can be a hostname, application name, or custom string.
### Step 4: Save and Test
- Review all settings for accuracy
- Confirm the Active checkbox is checked
- Click Create to save the provider — it will appear in your Auth Providers list
- Before assigning users, verify connectivity:
    - Check network access to the RADIUS server
    - Confirm the shared secret matches on both sides
    - Review RADIUS server logs for connection attempts
    - Test with a known-good RADIUS account
## Part 2: Assign Users to RADIUS Authentication

### Step 1: Access User Management
- Click the Settings dropdown in the left-hand navigation
- Select Users
### Step 2: Create or Edit a User
For new users:
- Click Create New User
- Fill in the user details (username, first name, last name, email)
- The username must match the RADIUS username exactly
- Leave the password field blank — RADIUS handles authentication
For existing users:
- Click the user you want to modify to open their details
### Step 3: Assign the RADIUS Provider
- Locate the Authentication Provider dropdown
- Select your newly created RADIUS provider
- The password field becomes optional once a RADIUS provider is selected
### Step 4: Save and Test
- Confirm Active Account is checked
- Verify the appropriate roles are assigned
- Click Save or Update User
- Test the login in an incognito/private window using the user's RADIUS credentials
## Managing Multiple Authentication Providers
If you have multiple providers configured, the Priority field controls which is tried first. Lower numbers take priority.
| Provider | Type | Priority | Use Case |
|---|---|---|---|
| Corporate RADIUS | Radius | 1 | Primary authentication for all domain users |
| Backup RADIUS | Radius | 2 | Failover if primary RADIUS is unavailable |
| Local Authentication | Local | 3 | Emergency access if all RADIUS servers are down |
Best practices:
- Always keep Local authentication available as a fallback
- Set RADIUS at higher priority than Local for regular users
- Maintain at least one Local admin account for emergency access
## User Management Best Practices

Username consistency — The CertMS username must match the RADIUS username exactly. Confirm the correct format with your RADIUS administrator — typically `username` or `domain\username`.
Password management — RADIUS users do not need a CertMS password. Password changes and policy enforcement happen on the RADIUS server, not in CertMS.
Account provisioning order:
- Create the user account in RADIUS first
- Create the matching CertMS account with the same username
- Assign the RADIUS authentication provider
- Grant the necessary CertMS roles
- Test login before handing off to the user
## Troubleshooting

### Common Issues
| Issue | Likely Cause | Solution |
|---|---|---|
| Authentication fails | Incorrect shared secret | Verify the shared secret matches on both CertMS and the RADIUS server |
| Connection timeout | Network or firewall blocking traffic | Confirm UDP port 1812 is open between CertMS and the RADIUS server |
| User not found | Username mismatch | Ensure CertMS username exactly matches the RADIUS username |
| Slow authentication | High latency or timeout too long | Adjust the timeout value or investigate network performance |
| RADIUS not responding | Server down or misconfigured | Check RADIUS server status and logs |
### Test Network Connectivity
From the CertMS server:
=== "Linux / Mac"

    ```bash
    # UDP has no handshake: a "succeeded" result only shows the host is reachable
    # and no ICMP port-unreachable came back, not that RADIUS is actually listening.
    nc -u -v <radius-server> 1812
    ```

=== "Windows"

    ```powershell
    # Test-NetConnection -Port probes TCP only. RADIUS listens on UDP, so
    # TcpTestSucceeded is normally False even when RADIUS works; use the
    # name-resolution and ping results here to confirm reachability.
    Test-NetConnection <radius-server> -Port 1812
    ```
### Check RADIUS Server Logs
Review RADIUS server logs for:
- Connection attempts from the CertMS server IP
- Authentication requests and responses
- Shared secret mismatch errors
- User authentication failures
### Verify Firewall Rules
Confirm the following traffic is permitted:
| Property | Value |
|---|---|
| Protocol | UDP |
| Source | CertMS server IP |
| Destination | RADIUS server IP |
| Port | 1812 (or your configured port) |
### Debug Checklist
- [ ] RADIUS server is running and accessible
- [ ] Shared secret matches on both systems
- [ ] Network connectivity confirmed (ping, traceroute)
- [ ] Firewall allows UDP traffic on the RADIUS port
- [ ] CertMS username matches RADIUS username exactly
- [ ] RADIUS provider is marked as Active
- [ ] User is assigned to the correct authentication provider
- [ ] RADIUS server logs show authentication attempts from CertMS
## Security Considerations
Shared secret:
- Use long, random, complex strings — not dictionary words or simple phrases
- Rotate shared secrets according to your security policy
- Store shared secrets in a password manager or secure vault
- Restrict knowledge of the shared secret to authorized personnel only
Account security:
- Always maintain at least one Local admin account for emergency access
- Regularly audit RADIUS-authenticated user accounts
- Disable or remove accounts for departed users promptly
- Monitor and investigate repeated authentication failures
## Advanced Configuration

### NAS Identifier
The NAS Identifier is sent to the RADIUS server with each authentication request. Use it to:
- Identify CertMS authentication requests in RADIUS server logs
- Apply different RADIUS policies based on the requesting system
- Distinguish between multiple CertMS instances in multi-tenant environments
### Active Directory Integration
When RADIUS is backed by Active Directory:
- Username format is typically `username` or `domain\username` — confirm with your AD/RADIUS administrator
- RADIUS can validate AD group membership before granting access
- AD password complexity and expiration policies are enforced automatically
## Disabling or Removing RADIUS Authentication

### Temporarily Disable
To suspend RADIUS without losing the configuration:
- Open the RADIUS auth provider
- Uncheck the Active checkbox
- Save changes
Users assigned to this provider will fall back to the next priority provider (typically Local).
### Permanently Remove

!!! warning
    Reassign all users to a different authentication provider before deleting a RADIUS provider. Users still assigned to a deleted provider will be unable to log in.
- Reassign all affected users to a different authentication provider
- Navigate to Settings → Auth Providers
- Select the RADIUS provider
- Click Delete and confirm
Need help? Contact support at support@certms.com for assistance with RADIUS configuration or integration with your specific infrastructure.