RADIUS Clients – Configure Client Authentication Settings
Overview
The RADIUS Clients page manages the client devices and applications that send authentication requests to MideyeServer. Each RADIUS client defines how incoming authentication requests are processed, including which user repositories are queried, what OTP format is used, how usernames are filtered, and which Assisted Login profiles are available.
MideyeServer includes two built-in clients — webUiClient (for the admin web interface) and selfServicePortal — which cannot be deleted or renamed. All other clients can be fully configured, cloned, tested, and removed.
Access & Permissions
Required Role: ROOT, SUPER_ADMIN, or ADMIN (to create, edit, delete, clone, or test clients)
Navigation: Home → RADIUS Settings → RADIUS Clients
| Role | View | Create / Edit / Delete | Clone | Test Auth |
|---|---|---|---|---|
| ROOT | ✅ | ✅ | ✅ | ✅ |
| SUPER_ADMIN | ✅ | ✅ | ✅ | ✅ |
| ADMIN | ✅ | ✅ | ✅ | ✅ |
| OPERATOR | ✅ | ❌ | ❌ | ❌ |
Features & Configuration
Data Grid Columns
| Column | Description | Visibility |
|---|---|---|
| Client Name | Unique name identifying the RADIUS client | Always |
| IP | IP address or CIDR range of the client | Always |
| NAS ID | Network Access Server identifier | Always |
| RADIUS Server | Linked authentication RADIUS server (clickable link) | Always |
| Accounting RADIUS Server | Linked accounting server (clickable link), if configured | Always |
| LDAP Profiles | Linked LDAP directory profiles (clickable links) | Hidden below XL breakpoint |
| Assisted Login Profiles | Linked assisted login profiles (clickable links) | Hidden below XL breakpoint |
| Action | Edit, Delete, Clone, Test buttons (admin only) | Always |
Action Buttons
| Action | Icon | Description | Restrictions |
|---|---|---|---|
| Edit | Pencil | Open the multi-tab edit form | Admin only |
| Delete | Trash | Delete the client after confirmation | Admin only; hidden for webUiClient and selfServicePortal |
| Clone | Copy | Create a duplicate client with a new name | Admin only; hidden for webUiClient and selfServicePortal |
| Test | Play | Open the test authentication dialog | Admin only |
Create / Edit Form
The configuration form has five tabs covering all aspects of client behavior.
Tab 1: General
Core identification fields for the RADIUS client.
| Field | Type | Required | Validation | Description |
|---|---|---|---|---|
| Client Name | Text | Yes | Unique (async check) | Unique name for this client. Disabled for built-in clients |
| IP | Text | Conditional | Either IP or NAS ID must be provided | IPv4 address or CIDR notation of the client device |
| NAS ID | Text | Conditional | Either IP or NAS ID must be provided | Network Access Server identifier |
| RADIUS Server | Select | Yes | — | Authentication server that processes requests from this client |
| Accounting RADIUS Server | Select | No | — | Server for accounting records. Select “No Accounting” to disable |
Tab 2: User Repositories
Defines where MideyeServer looks up users for authentication requests from this client.
| Field | Type | Default | Description |
|---|---|---|---|
| Use Mideye Database | Checkbox | Enabled | Query the local Mideye user database |
| LDAP Profiles | Multi-select | — | LDAP directory profiles to search for user accounts |
| Entra ID Profiles | Multi-select | — | Microsoft Entra ID (Azure AD) profiles to search |
Tab 3: Client Configuration
Controls how authentication requests are processed.
OTP Settings
| Field | Type | Default | Validation | Description |
|---|---|---|---|---|
| Max OTP Length | Number | 6 | Min: 4, Max: 12 | Maximum length of one-time passwords |
| OTP Type | Select | NUMERIC_OTP | — | Character set for OTP generation |
OTP Type Values:
| Value | Description |
|---|---|
| NUMERIC_OTP | Digits only (0–9) |
| ALPHABETIC_OTP | Letters only (a–z, A–Z) |
| ALPHANUMERIC_OTP | Digits and letters |
Encoding
| Field | Type | Default | Description |
|---|---|---|---|
| Encoding | Select | UTF_8 | Character encoding for RADIUS attribute values |
Encoding Values: UTF_8, ISO_8859_1, US_ASCII, UTF_16
Authentication Options
| Field | Type | Default | Description |
|---|---|---|---|
| Auth Type 1 Enabled | Checkbox | Off | Enable single-factor (password-only) authentication |
| Allow Personalized Token | Checkbox | Off | Allow users to use personalized software tokens |
| Require Mideye Plus | Checkbox | Off | Require Mideye Plus app for authentication |
| Ignore Password | Checkbox | Off | Skip password verification (OTP/token only) |
| Enable Local Auth | Checkbox | Off | Enable local authentication fallback |
| Require Token Coupled Plus | Checkbox | Off | Require token-coupled Mideye Plus authentication |
| Support DM | Checkbox | Off | Enable Disconnect Messages (CoA) for active sessions |
| Use Suffix | Checkbox | Off | Enable domain suffix processing for usernames |
| Require Message Authenticator | Checkbox | Off | Require Message-Authenticator attribute in requests |
| Respond With Message Authenticator | Checkbox | On | Include Message-Authenticator in responses |
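
What the Require Message Authenticator option checks, as an added Python example (not MideyeServer code): per RFC 2869/3579 the attribute carries an HMAC-MD5 of the whole Access-Request, keyed with the shared secret and computed with the attribute's value field zeroed. The function names, the constructed packet and the three result strings are assumptions for illustration.

```python
import hashlib
import hmac
import os
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869 / RFC 3579)


def build_access_request(secret, username, identifier=1, signed=True):
    """Build a constructed Access-Request, optionally signed."""
    user = username.encode()
    attrs = struct.pack("!BB", 1, 2 + len(user)) + user  # User-Name
    if signed:
        attrs += struct.pack("!BB", MSG_AUTH, 18) + bytes(16)  # zeroed slot
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs))
    packet = bytearray(header + os.urandom(16) + attrs)
    if signed:
        # HMAC-MD5 over the whole packet while the value field is all zeros
        packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def check_request(packet, secret, require=True):
    """Return 'ok', 'missing' or 'invalid' for one Access-Request."""
    if len(packet) < 20:
        return "invalid"
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        return "invalid"
    pos, value_at = 20, None
    while pos < length:
        if pos + 2 > length:
            return "invalid"
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            return "invalid"
        if a_type == MSG_AUTH:
            if a_len != 18 or value_at is not None:
                return "invalid"
            value_at = pos + 2
        pos += a_len
    if value_at is None:
        # 'require' models the Require Message Authenticator checkbox
        return "missing" if require else "ok"
    zeroed = packet[:value_at] + bytes(16) + packet[value_at + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    received = packet[value_at:value_at + 16]
    return "ok" if hmac.compare_digest(expected, received) else "invalid"
```
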
Tab 4: User Name Filtering
Controls how usernames are processed before authentication.
Filter Separator
| Field | Type | Default | Description |
|---|---|---|---|
| Filter Method | Select | NONE | How to extract the username from a domain-qualified identity |
| Filter Separator | Text | \ | The character that separates domain from username |
Filter Method Values:
| Value | Example Input | Result |
|---|---|---|
| NONE | DOMAIN\user | DOMAIN\user (unchanged) |
| PREFIX | DOMAIN\user | user (domain prefix removed) |
| SUFFIX | user@domain.com | user (domain suffix removed) |
User Name Character Filter
| Field | Type | Default | Validation | Description |
|---|---|---|---|---|
| Filter Spaces | Checkbox | Off | — | Remove space characters from usernames |
| Additional Characters | Text | (empty) | Max 30 characters, no spaces | Additional characters to remove from usernames |
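
The filtering rules from this tab, sketched in Python as an added example (not MideyeServer code). The function names, the order of operations (domain filter first, then character removal) and the split points (first separator for PREFIX, last for SUFFIX) are assumptions. The second function lists identities from different domains that collapse to the same username after filtering, which is worth reviewing when several LDAP or Entra ID profiles are attached to one client.

```python
from collections import defaultdict


def filter_username(raw, method="NONE", separator="\\",
                    filter_spaces=False, additional_chars=""):
    """Apply the documented filter settings to one incoming username."""
    if method not in ("NONE", "PREFIX", "SUFFIX"):
        raise ValueError(f"unknown filter method: {method}")
    if method != "NONE" and not separator:
        raise ValueError("a separator is needed for PREFIX and SUFFIX")
    if len(additional_chars) > 30 or " " in additional_chars:
        raise ValueError("Additional Characters: max 30 characters, no spaces")
    name = raw
    if method == "PREFIX" and separator in name:
        # DOMAIN\user -> user (assumed: split at the first separator)
        name = name.split(separator, 1)[1]
    elif method == "SUFFIX" and separator in name:
        # user@domain.com -> user (assumed: split at the last separator)
        name = name.rsplit(separator, 1)[0]
    drop = set(additional_chars) | ({" "} if filter_spaces else set())
    return "".join(ch for ch in name if ch not in drop)


def find_collisions(raw_names, **settings):
    """Group raw identities that map to the same filtered username."""
    groups = defaultdict(set)
    for raw in raw_names:
        groups[filter_username(raw, **settings)].add(raw)
    return {name: sorted(raws) for name, raws in groups.items()
            if len(raws) > 1}


# Constructed sample identities, not taken from any real directory.
SAMPLE = ["CORP\\alice", "LAB\\alice", "CORP\\bob", "carol"]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(raw, "->", filter_username(raw, method="PREFIX"))
    print("collisions:", find_collisions(SAMPLE, method="PREFIX"))
```
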
Tab 5: Assisted Login
Configuration for assisted (approver-based) authentication.
| Field | Type | Description |
|---|---|---|
| Display Name | Text | Name displayed to approvers when this client requests Assisted Login |
| Assisted Login Profiles | Multi-select | Profiles defining the Assisted Login workflow for this client |
Test Authentication
The Test Authentication dialog provides a multi-step interface to simulate RADIUS authentication against a client configuration.
Step 1: First Factor (Password)
| Field | Type | Required | Description |
|---|---|---|---|
| User Name | Text | Yes | Username to authenticate |
| Password | Password | Yes | User’s password |
| Use MS-CHAPv2 | Checkbox | No | Use MS-CHAPv2 protocol for password verification |
Click Login to submit the authentication request.
Step 2: Multi-Factor Challenge
If MFA is required, the server returns a challenge message (e.g., “Enter OTP:”). Enter the OTP or approve via Mideye Plus.
| Field | Type | Required | Description |
|---|---|---|---|
| Challenge Response | Password | Yes | The OTP, token code, or challenge response |
Step 3: Result
Success: Displays the authenticated username, assigned role, and a table of all RADIUS response attributes (name and value).
Failure: Displays the error message from the authentication server.
Common Use Cases
Setting Up a VPN Client
- Click Add New.
- On the General tab, enter the VPN concentrator’s name, IP address, and select the RADIUS server.
- On the User Repositories tab, enable the Mideye database and/or select LDAP profiles.
- On the Client Configuration tab, set OTP length and type as required by the VPN.
- Click Save.
- Configure a matching RADIUS Shared Secret for the VPN’s source IP.
Cloning a Client for a Similar Device
- Find the source client in the data grid.
- Click the Clone icon.
- A duplicate is created with a modified name.
- Edit the clone to update the name, IP, and any settings that differ.
Testing Authentication Before Deployment
- Click the Test icon for the target client.
- Enter a valid username and password.
- Complete the MFA challenge if prompted.
- Verify the response attributes match expectations.
Configuring Domain Prefix Stripping
For environments where users authenticate as DOMAIN\username:
- Edit the client.
- Go to the User Name Filtering tab.
- Set Filter Method to PREFIX and Filter Separator to \.
- Save.
Troubleshooting
| Issue | Possible Cause | Resolution |
|---|---|---|
| Cannot delete client | It is a built-in client (webUiClient or selfServicePortal) | Built-in clients cannot be deleted |
| Save fails with “IP or NAS ID required” | Both IP and NAS ID are empty | Provide at least one identifier |
| Client name validation error | Name already in use | Choose a unique client name |
| Test authentication fails | Incorrect password, user not in configured repositories, or shared secret mismatch | Verify password, check User Repositories tab, verify shared secret |
| LDAP users not found | LDAP profile not assigned to client | Add the LDAP profile on the User Repositories tab |
Related Pages
- RADIUS Servers — Configure the servers that process authentication requests
- RADIUS Shared Secrets — Manage shared secrets for client-server communication
- LDAP Profiles — Configure LDAP directory connections
- Assisted Login Profiles — Set up approver-based authentication workflows
- Authentication Logs — Review authentication attempts from RADIUS clients