RADIUS Integration Guide for VPN & Firewall Access
Mideye Server acts as a RADIUS server. Your VPN, firewall, or network device acts as a RADIUS client. When a user authenticates, Mideye validates the password against the configured user repository and adds a second factor.
Mideye supports two RADIUS authentication flows depending on the authentication type and the capabilities of the RADIUS client.
Key RADIUS settings
Section titled “Key RADIUS settings”Every RADIUS integration requires three settings on the RADIUS client (your VPN or firewall). Getting these right is essential — incorrect values are the most common cause of authentication failures.
Timeout
Section titled “Timeout”The RADIUS timeout controls how long the RADIUS client waits for Mideye Server to respond before giving up. Mideye needs time to deliver the OTP or push notification and wait for the user to respond.
Recommended: 35 seconds
| Setting | Recommended value |
|---|---|
| Timeout | 35 seconds |
| Retries | 1 |
A timeout below 30 seconds risks the session expiring before the user has time to read and enter an OTP — especially if SMS delivery is delayed or push falls back to an alternative method.
For a deeper explanation of how timeouts interact, see RADIUS Timeout.
Authentication protocol (PAP vs MS-CHAPv2)
Section titled “Authentication protocol (PAP vs MS-CHAPv2)”The RADIUS authentication protocol determines how the user’s password is transmitted between the RADIUS client and Mideye Server.
| Protocol | When to use | Notes |
|---|---|---|
| PAP | Most integrations | Password is encrypted using the RADIUS shared secret. Simple, widely supported, and works with all Mideye authentication types. Use this unless you have a specific reason not to. |
| MS-CHAPv2 | Active Directory password changes | Required when users need to change expired AD passwords during VPN login. Requires a Network Policy Server (NPS) integrated with Mideye. |
Shared secret
Section titled “Shared secret”The RADIUS shared secret is a password shared between the RADIUS client and Mideye Server. It is used to encrypt passwords in RADIUS packets and to authenticate that requests come from a trusted source.
- Must be identical on both the RADIUS client and in Mideye Server
- Use a strong, randomly generated secret (minimum 16 characters)
- Configure in Mideye under RADIUS Clients
Challenge-Response support
Section titled “Challenge-Response support”Challenge-Response is a RADIUS capability where the server sends an intermediate Access-Challenge message to prompt the user for additional input (such as an OTP). Not all RADIUS clients support this.
If your RADIUS client supports Challenge-Response, you can use authentication types that prompt for an OTP (Mobile, Token, Plus, On-Prem). If it does not, use authentication types that complete without a challenge (Touch, Concatenated).
See Choosing the right flow below for details.
Vendor-Specific Attributes (VSA)
Section titled “Vendor-Specific Attributes (VSA)”Mideye can include custom attributes in RADIUS responses using Vendor-Specific Attributes. These can pass user information (such as group membership or email) to the RADIUS client for use in access policies, logging, or session metadata.
VSAs are optional and only needed when your RADIUS client requires additional user attributes beyond Accept/Reject.
Quick reference
Section titled “Quick reference”These are the recommended RADIUS settings for most integrations:
| Setting | Value |
|---|---|
| Authentication protocol | PAP |
| Timeout | 35 seconds |
| Retries | 1 |
| Port | UDP 1812 |
| Shared secret | Strong, minimum 16 characters |
Flow 1 — Challenge-Response
Section titled “Flow 1 — Challenge-Response”The RADIUS client sends an Access-Request. Mideye validates the password, then returns an Access-Challenge prompting the user to enter a one-time password (OTP) or wait for approver confirmation. The user responds, and Mideye sends the final Access-Accept or Access-Reject.
Authentication types using Challenge-Response
Section titled “Authentication types using Challenge-Response”| Type | Name | How it works |
|---|---|---|
| 2 | Mobile | OTP sent via SMS or Mideye+ push. User enters the OTP. |
| 3 | Token | User enters OTP from a hardware token (YubiKey, HID). |
| 5 | Plus | User manually signs an access challenge in the Mideye+ app. |
| 9 | Assisted Login | User waits while an authorized approver accepts the login via Mideye+. |
| 10 | Shared Account | User is prompted to enter a phone number or token serial, then completes a second factor. |
| 11 | On-Prem | User enters a TOTP code from an authenticator app or TOTP/HOTP hardware token. |
Flow 2 — Direct Accept (no challenge)
Section titled “Flow 2 — Direct Accept (no challenge)”The RADIUS client sends an Access-Request. Mideye validates the password, performs the second factor synchronously (e.g., sends a push notification and waits for the user to accept), then returns Access-Accept or Access-Reject directly — without an intermediate Access-Challenge.
Authentication types using Direct Accept
Section titled “Authentication types using Direct Accept”| Type | Name | How it works | Fallback |
|---|---|---|---|
| 1 | Password | Password only (no second factor). | — |
| 4 | Concatenated | Password + OTP entered in one field (e.g. MyPass123456). No challenge needed. | — |
| 6 | Touch | Push notification to Mideye+ app. User taps Accept. If Mideye+ is not activated, a magic link is sent via SMS. | — |
| 7 | Touch-Plus | Tries Touch first. If phone is not reachable, falls back to Plus (Challenge-Response). | Plus (5) |
| 8 | Touch-Mobile | Tries Touch first. If unreachable, falls back to Mobile OTP (Challenge-Response). | Mobile (2) |
Choosing the right flow
Section titled “Choosing the right flow”| Your system supports… | Recommended authentication type |
|---|---|
| Challenge-Response ✓ | Mobile (2), Token (3), Plus (5), Touch-Plus (7), Touch-Mobile (8), On-Prem (11) |
| Direct Accept only | Touch (6), Concatenated (4) |
| No MFA needed | Password (1) |
Most VPNs and firewalls support Challenge-Response. Key exceptions:
- Microsoft RRAS VPN — does not support Access-Challenge → use Touch (6)
- Remote Desktop Services (RDS) — depends on NPS configuration → use Touch (6) for simplest setup
- Windows Hello with Mideye — uses Touch (6)
Supported platforms
Section titled “Supported platforms”| Platform | Guide |
|---|---|
| FortiGate (Fortinet SSL/IPsec VPN) | FortiGate |
| Palo Alto GlobalProtect | GlobalProtect |
| Cisco AnyConnect | AnyConnect |
| Cisco AnyConnect (via FMC) | AnyConnect FMC |
| Check Point VPN | Check Point |
| Pulse Connect Secure | Pulse Secure |
| Citrix ADC (NetScaler) | Citrix ADC |
| Linux PAM / SSH | PAM |
Mideye follows the RADIUS standard (RFC 2865) and works with any system that supports RADIUS authentication. The guides above cover the most common platforms — if your system supports RADIUS, it can integrate with Mideye.
Windows RADIUS integrations
Section titled “Windows RADIUS integrations”Windows infrastructure components that use RADIUS under the hood have their own section:
- ADFS — custom Mideye module for AD FS
- NPS — Network Policy Server as RADIUS proxy
- RDS — Remote Desktop Services
- Windows VPN (RRAS) — built-in Windows VPN
See Windows Integrations for the full list.
Prerequisites
Section titled “Prerequisites”- Network access from the RADIUS client to Mideye Server on UDP 1812
- A RADIUS client configured in Mideye Server
- A user repository configured (AD, LDAP, Entra ID, or local database)
- Review the port requirements for full details
Related
Section titled “Related”- RADIUS Timeout — how the timeout affects authentication and recommended values
- RADIUS Servers — configure listeners, rate limits, push timeouts, and user messages
- RADIUS Clients — add VPNs and firewalls as RADIUS clients in Mideye
- Authentication Types — detailed reference for all 11 authentication types
- Vendor-Specific Attributes — pass custom user attributes in RADIUS responses
- Network Policy Servers — NPS integration for MS-CHAPv2 and password changes
- Support Center — contact Mideye support for integration assistance