Overview
CertMS supports RADIUS (Remote Authentication Dial-In User Service) authentication, allowing you to integrate with existing RADIUS servers for centralized user authentication. This enables you to leverage your organization’s existing authentication infrastructure, maintain consistent password policies, and streamline user access management.
What is RADIUS Authentication?
RADIUS authentication allows CertMS to delegate user authentication to an external RADIUS server instead of managing passwords locally. Benefits include:
- Centralized authentication: Use existing RADIUS infrastructure
- Consistent password policies: Enforce organization-wide password requirements
- Simplified user management: No need to manage passwords in multiple systems
- Enhanced security: Leverage existing security controls and monitoring
- Integration with existing systems: Works with Microsoft NPS (the RADIUS server for Active Directory), FreeRADIUS, and other RADIUS-compatible servers
Prerequisites
Before configuring RADIUS authentication, ensure you have:
- Administrative access to CertMS
- Access to your RADIUS server configuration
- RADIUS server hostname or IP address
- RADIUS shared secret (pre-shared key)
- Network connectivity between CertMS and the RADIUS server
- Firewall rules allowing UDP traffic on the RADIUS port (typically 1812)
Step-by-Step Configuration
Step 1: Access Authentication Provider Settings
- In the left-hand navigation menu, click on Settings dropdown
- Select Auth Providers
- This page displays all currently configured authentication providers
- Review existing providers (Local authentication is always available)
Step 2: Create RADIUS Provider
- Click the Create Provider button
- Begin configuring your RADIUS authentication provider
Step 3: Configure Basic Provider Settings
Complete the basic authentication provider information:
Required Fields
| Field | Description | Example |
|---|---|---|
| Provider Name | Descriptive name for this auth provider (required) | “Corporate RADIUS Server” |
| Provider Type | Authentication method (required) | Select Radius from dropdown |
| Description | Optional notes about this provider | “Main corporate RADIUS for domain authentication” |
| Priority | Order in which providers are tried | 1, 2, 3, etc. (lower = higher priority) |
| Active | Enable/disable this provider | ✅ Checkbox (checked to activate) |
Provider Type Options
- Radius: RADIUS server authentication
- SAML: SAML-based Single Sign-On (covered in separate documentation)
Note: Select Radius for this configuration.
Step 4: Configure RADIUS Settings
After selecting Radius as the Provider Type, the Radius Configuration section appears with additional required fields.
RADIUS Configuration Fields
| Field | Description | Default | Example |
|---|---|---|---|
| Server Host | RADIUS server hostname or IP address (required) | None | radius.example.com or 10.0.1.50 |
| Server Port | UDP port for RADIUS authentication | 1812 | 1812 (standard authentication port) |
| Shared Secret | Pre-shared key for RADIUS communication (required) | None | your-secure-shared-secret |
| Timeout (seconds) | Time to wait for RADIUS response | 5 | 5 (recommended) |
| Retries | Number of retry attempts on failure | 3 | 3 (recommended) |
| NAS Identifier | Network Access Server identifier (optional) | None | certms-prod or certms.example.com |
Field Details
Server Host
- Enter the fully qualified domain name (FQDN) or IP address of your RADIUS server
- Ensure DNS resolution works if using hostname
- Verify network connectivity from CertMS to this address
Server Port
- 1812: Standard RADIUS authentication port (recommended)
- 1645: Legacy RADIUS authentication port (older systems)
- Use custom port if your RADIUS server is configured differently
Shared Secret
- Must match the shared secret configured for the CertMS client entry on the RADIUS server
- Treat this as a password: it is the only key that protects the user's password on the wire (RADIUS hides the password with MD5 keyed by this secret) and that authenticates the server's replies, so keep it long, random and secure
- Coordinate with your RADIUS administrator to obtain or set this value
Timeout
- How long CertMS waits for a response to each attempt before treating it as lost
- 5 seconds is typically sufficient for RADIUS servers on the local network
- Increase for RADIUS servers across a WAN or with higher latency
Retries
- Number of times CertMS resends the request if no response is received
- 3 retries provides a good balance between reliability and user experience
- Adjust based on network reliability, keeping in mind that when the server is unreachable a user waits roughly Timeout × (Retries + 1) seconds (20 seconds with the defaults) before the attempt fails, which also delays any fallback to the next provider
NAS Identifier
- Optional identifier sent to RADIUS server to identify the requesting system
- Useful for RADIUS server logging and policy decisions
- Can be hostname, application name, or custom identifier
Step 5: Save RADIUS Provider
- Review all configuration settings for accuracy
- Ensure Active checkbox is checked to enable the provider
- Click Create or Save to save the RADIUS provider
- The provider will appear in your Auth Providers list
Step 6: Test RADIUS Configuration
Before assigning users, verify RADIUS connectivity:
- Check network connectivity to RADIUS server
- Verify shared secret matches on both sides
- Review RADIUS server logs for connection attempts
- Test with a known-good RADIUS account
Assigning Users to RADIUS Authentication
Once the RADIUS provider is configured, assign users to authenticate via RADIUS.
Step 1: Access User Management
- In the left-hand navigation menu, click on Settings dropdown
- Select Users
- This page displays all configured users
Step 2: Create or Edit User
You can assign RADIUS authentication to new or existing users.
For New Users:
- Click Create New User
- Fill in user information (username, first name, last name, email)
- Important: Username must match the RADIUS username
- Skip password field (RADIUS will handle authentication)
For Existing Users:
- Click on the user you want to modify
- User details will open for editing
Step 3: Change Authentication Provider
- Locate the Authentication Provider dropdown field
- Select your newly created RADIUS provider from the dropdown
- The user’s password field becomes optional (RADIUS handles authentication)
Step 4: Save User Configuration
- Review user settings
- Ensure Active Account is checked
- Verify appropriate roles are assigned
- Click Save or Update User
Step 5: Test User Login
- Log out of CertMS (or use incognito/private browsing)
- Navigate to your CertMS instance login page
- Enter the RADIUS-authenticated username and password
- Verify successful authentication
Managing Multiple Authentication Providers
Priority Order
If you have multiple authentication providers configured:
- Priority field determines the order in which providers are tried
- Lower numbers = higher priority (Priority 1 is tried before Priority 2)
- If authentication fails with one provider, the next priority provider is attempted
Example Configuration:
| Provider | Type | Priority | Use Case |
|---|---|---|---|
| Corporate RADIUS | Radius | 1 | Primary authentication for all domain users |
| Backup RADIUS | Radius | 2 | Failover if primary RADIUS unavailable |
| Local Authentication | Local | 3 | Emergency access if RADIUS servers down |
Best Practices:
- Keep Local authentication available as a fallback
- Set RADIUS as higher priority than Local for regular users
- Maintain at least one Local admin account for emergency access, with a strong unique password, since it bypasses the RADIUS password policy entirely
- Confirm in testing whether a RADIUS reject, or only a RADIUS timeout, falls through to the next provider: if rejects fall through, a RADIUS user who still has a local password can log in with it after being locked out on the RADIUS side, so leave the password field empty for RADIUS-assigned users
User Management Best Practices
Username Consistency
- Match RADIUS usernames exactly: CertMS username must match RADIUS username
- Use standard format: Typically `username` or `domain\username`, depending on RADIUS configuration
- Document format: Ensure users know the correct username format
Password Management
- RADIUS users don’t need CertMS passwords: Authentication is handled by RADIUS
- Password changes: Users change passwords on RADIUS server, not in CertMS
- Password policies: Enforced by RADIUS server, not CertMS
Account Provisioning
- Create user in RADIUS first: Ensure account exists in RADIUS before creating in CertMS
- Create CertMS account: Add user to CertMS with matching username
- Assign RADIUS provider: Select appropriate RADIUS authentication provider
- Assign roles: Grant necessary CertMS permissions
- Test login: Verify user can authenticate successfully
Troubleshooting
Common Issues
| Issue | Possible Cause | Solution |
|---|---|---|
| Authentication fails | Incorrect shared secret | Verify the shared secret matches on both CertMS and the RADIUS server; a mismatch can look like a reject or like no reply at all, because the server cannot decode the password or discards the request |
| Connection timeout | Network connectivity, firewall, or CertMS not defined as a client on the RADIUS server | Verify connectivity and that the firewall allows UDP 1812 from the CertMS address; confirm the RADIUS server has a client entry for that address (requests from unknown clients are dropped without a reply) |
| User not found | Username mismatch | Ensure CertMS username exactly matches RADIUS username |
| Slow authentication | RADIUS server unreachable, so each attempt waits the full Timeout before retrying, or high network latency | Fix reachability first; lower Timeout and Retries only if the network is reliable, and investigate network performance |
| RADIUS server not responding | Server down or configuration error | Check RADIUS server status and logs |
Verification Steps
Test Network Connectivity
From the CertMS server, test reachability of the RADIUS server. Because RADIUS uses UDP, the usual port probes are misleading: `nc -u -v <radius-server> 1812` reports success whether or not anything is listening (UDP has no handshake), and Windows `Test-NetConnection <radius-server> -Port 1812` tests TCP only, so it reports failure even when RADIUS is working. Use a real RADIUS client instead, for example `radtest <username> <password> <radius-server> 0 <shared-secret>` from the FreeRADIUS utilities, and read the result:
- Access-Accept: network path, shared secret and credentials are all correct
- Access-Reject: the server was reached and answered; check the credentials, that the user exists on the RADIUS side, and server policy
- No reply: the packet is dropped by a firewall, the server is not listening on that port, or the server does not know the CertMS address as a client (unknown clients are silently ignored)
- A reply the client flags as invalid, or a reject for known-good credentials: shared secret mismatch, so compare the secret on both sides and check the server log for the CertMS address
Check RADIUS Server Logs
Review RADIUS server logs for:
- Connection attempts from CertMS
- Authentication requests
- Shared secret mismatches
- User authentication failures
Verify Firewall Rules
Ensure firewall allows:
- Protocol: UDP
- Source: CertMS server IP
- Destination: RADIUS server IP
- Port: 1812 (or configured port)
Test with Known Account
Use a RADIUS account that works with other systems to isolate CertMS-specific issues.
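To make the checks in Step 6 and in these Verification Steps reproducible, the following is an added example (not CertMS code, not a FreeRADIUS tool) of a minimal RADIUS PAP client that builds an Access-Request exactly as RFC 2865/2869 lay it out, sends it with the same Timeout/Retries behaviour as the provider fields, and authenticates the reply. The host, port, secret, user and NAS Identifier are hypothetical placeholders; `build_response` simulates what a correctly keyed server would send so the shared-secret and tampering cases can be exercised offline.

```python
# Minimal RADIUS PAP client (RFC 2865/2869). Constructed example, not CertMS or FreeRADIUS code.
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869: HMAC-MD5 over the packet, keyed with the shared secret

def attr(atype: int, value: bytes) -> bytes:
    """One attribute: Type(1) Length(1, header included) Value(<=253)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous block),
    chained from the Request Authenticator. This is all the protection the password gets."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(1, (len(password) + 15) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Server-side inverse of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(secret, username, password, nas_id, ident=0, authenticator=b""):
    """Return (packet, request_authenticator); Message-Authenticator goes last so it can be filled in."""
    ra = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(secret, ra, password.encode()))
             + attr(ATTR_NAS_IDENTIFIER, nas_id.encode())
             + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident & 0xFF, 20 + len(attrs)) + ra + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest(), ra

def message_authenticator_ok(secret, packet, request_authenticator=b"") -> bool:
    """Recompute attr 80 over the packet with its value zeroed (replies use the request authenticator)."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = (packet[:4] + (request_authenticator or packet[4:20])
                      + packet[20:pos + 2] + b"\x00" * 16 + packet[pos + 18:])
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(),
                                       packet[pos + 2:pos + 18])
        pos += alen
    return False

def verify_response(secret, request_authenticator, reply, expected_ident) -> int:
    """Check Identifier and Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret); return Code."""
    if len(reply) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length > len(reply):
        raise ValueError("bad Length field")
    reply = reply[:length]  # octets beyond Length are ignored (RFC 2865 s3)
    if ident != expected_ident:
        raise ValueError("reply Identifier does not match our request")
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return code

def build_response(secret, request_authenticator, code, ident, attrs=b""):
    """What a correctly keyed server sends back; used here to simulate the server offline."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs

def radius_auth(host, port, secret, username, password, nas_id, timeout=5.0, retries=3):
    """Send one Access-Request, resending on silence; worst case waits timeout * (retries + 1) seconds."""
    pkt, ra = build_access_request(secret, username, password, nas_id, ident=os.urandom(1)[0])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(retries + 1):
            sock.sendto(pkt, (host, port))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue
            code = verify_response(secret, ra, data, pkt[1])
            return "accept" if code == ACCESS_ACCEPT else "reject"
    raise TimeoutError(f"no reply from {host}:{port} after {retries + 1} attempts")
```

Usage against a live server is `radius_auth("radius.example.com", 1812, b"your-secure-shared-secret", "alice", "<password>", "certms-prod")`, which returns `"accept"` or `"reject"`, raises `TimeoutError` after Timeout × (Retries + 1) seconds of silence, and raises `ValueError` when a reply arrives but was computed under a different secret. That last distinction is what the troubleshooting table cannot give you: a ValueError means the network and the client entry are fine and only the shared secret is wrong.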
Debug Checklist
- RADIUS server is running and accessible
- Shared secret matches on both systems
- Network connectivity exists (ping, traceroute)
- Firewall allows UDP traffic on RADIUS port
- Username in CertMS matches RADIUS username exactly
- RADIUS provider is marked as Active
- User is assigned to correct authentication provider
- RADIUS server logs show authentication attempts
Security Considerations
Shared Secret Security
- Use strong shared secrets: Long, random strings (a recommended minimum is 32 characters from a cryptographic random generator). The secret is the only key behind both the User-Password hiding and the Response Authenticator, and anyone who captures one request/reply pair can test guesses offline at the cost of one MD5 each, so a dictionary word or a vendor default falls immediately
- Rotate regularly: Change shared secrets according to security policy, updating CertMS and the RADIUS server's client entry together
- Limit access: Only authorized personnel should know the shared secret
- Secure storage: Store shared secrets in password managers or secure vaults
- Protect the transport: RADIUS over UDP has no encryption beyond the MD5-based hiding of the password, and replies are authenticated with MD5 only. Keep the CertMS-to-RADIUS path on a trusted network or inside an IPsec/VPN tunnel, and have the server require the Message-Authenticator attribute on Access-Request (the mitigation for the 2024 Blast-RADIUS forgery, CVE-2024-3596)
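Why "long and random" matters is easiest to see by running the attack the previous list describes. The following is an added example, not CertMS code: given one captured Access-Request header and the server's reply (both constructed here), it tries candidate secrets against the Response Authenticator, recovering a weak secret such as `testing123` (the value FreeRADIUS ships for its localhost client) while a 48-character random secret from `new_shared_secret` survives the same wordlist.

```python
# Constructed demonstration (not CertMS code) of the offline dictionary attack that a weak
# shared secret invites: one captured Access-Request/reply pair lets an observer test guesses
# against Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
import hashlib
import secrets
import struct

def build_response(secret: bytes, request_authenticator: bytes, code: int, ident: int, attrs: bytes = b"") -> bytes:
    """Simulated server reply, built the way RFC 2865 s3 specifies."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs

def recover_shared_secret(request: bytes, reply: bytes, candidates):
    """Return the first candidate that reproduces the reply's Response Authenticator, else None.
    Each guess costs one MD5 over a few dozen bytes, so a wordlist of millions is a matter of seconds."""
    length = struct.unpack("!H", reply[2:4])[0]
    body = reply[:4] + request[4:20] + reply[20:length]  # everything except the secret is on the wire
    target = reply[4:20]
    for guess in candidates:
        if hashlib.md5(body + guess).digest() == target:
            return guess
    return None

def new_shared_secret() -> bytes:
    """A secret that defeats this attack: 36 random bytes, base64url-encoded to 48 characters.
    Check that both CertMS and the RADIUS server accept a secret of this length."""
    return secrets.token_urlsafe(36).encode("ascii")

# Constructed capture: the attack needs only the request header and its Request Authenticator.
CAPTURED_REQUEST = bytes([1, 7, 0, 20]) + bytes(range(16))
WORDLIST = [b"radius", b"password", b"secret", b"testing123", b"certms"]
```

Rotation (the second bullet above) is the only remedy once a secret has been exposed this way; lengthening the Timeout or adding Message-Authenticator does not change the MD5-per-guess cost.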
Account Security
- Maintain emergency access: Keep at least one Local admin account
- Regular audits: Review RADIUS-authenticated user accounts
- Disable unused accounts: Remove or deactivate accounts for departed users
- Monitor failed attempts: Track and investigate authentication failures
Advanced Configuration
NAS Identifier Usage
Use NAS Identifier for:
- RADIUS server logging: Identify authentication requests from CertMS
- Policy decisions: RADIUS server can apply different policies based on NAS ID
- Multi-tenant environments: Distinguish between different CertMS instances
Integration with Active Directory
When using RADIUS with Active Directory:
- Username format: Use `username` or `domain\username`, whichever the RADIUS server is configured to accept
- Group membership: RADIUS can validate AD group membership
- Password policies: AD password policies (complexity, expiry, lockout) are enforced by the domain when the RADIUS server validates credentials against it; note that failed CertMS logins count toward the AD lockout threshold, so repeated bad attempts through CertMS can lock the user's domain account
Disabling or Removing RADIUS Authentication
Temporarily Disable
To temporarily disable RADIUS without deleting configuration:
- Open the RADIUS auth provider
- Uncheck the Active checkbox
- Save changes
- Users will fall back to next priority provider (typically Local)
Permanently Remove
To delete a RADIUS provider:
- First: Reassign all users to different authentication provider
- Navigate to Auth Providers
- Select the RADIUS provider
- Click Delete
- Confirm deletion
Warning: Do not delete a RADIUS provider while users are still assigned to it, or they will be unable to log in.
Need Help? Contact our support team at support@certms.com for assistance with RADIUS configuration, troubleshooting, or integration with your specific RADIUS infrastructure.