
RADIUS Clients – Configure Client Authentication Settings

The RADIUS Clients page manages the client devices and applications that send authentication requests to MideyeServer. Each RADIUS client defines how incoming authentication requests are processed, including which user repositories are queried, what OTP format is used, how usernames are filtered, and which Assisted Login profiles are available.

MideyeServer includes two built-in clients — webUiClient (for the admin web interface) and selfServicePortal — which cannot be deleted or renamed. All other clients can be fully configured, cloned, tested, and removed.

Required Role: ROOT, SUPER_ADMIN, or ADMIN (to create, edit, delete, clone, or test clients)

Navigation: Home → RADIUS Settings → RADIUS Clients

| Role | View | Create / Edit / Delete | Clone | Test Auth |
|------|------|----------------------|-------|-----------|
| ROOT | ✅ | ✅ | ✅ | ✅ |
| SUPER_ADMIN | ✅ | ✅ | ✅ | ✅ |
| ADMIN | ✅ | ✅ | ✅ | ✅ |
| OPERATOR | ✅ | ❌ | ❌ | ❌ |

| Column | Description | Visibility |
|--------|-------------|------------|
| Client Name | Unique name identifying the RADIUS client | Always |
| IP | IP address or CIDR range of the client | Always |
| NAS ID | Network Access Server identifier | Always |
| RADIUS Server | Linked authentication RADIUS server (clickable link) | Always |
| Accounting RADIUS Server | Linked accounting server (clickable link), if configured | Always |
| LDAP Profiles | Linked LDAP directory profiles (clickable links) | Hidden below XL breakpoint |
| Assisted Login Profiles | Linked assisted login profiles (clickable links) | Hidden below XL breakpoint |
| Action | Edit, Delete, Clone, Test buttons (admin only) | Always |

| Action | Icon | Description | Restrictions |
|--------|------|-------------|--------------|
| Edit | Pencil | Open the multi-tab edit form | Admin only |
| Delete | Trash | Delete the client after confirmation | Admin only; hidden for webUiClient and selfServicePortal |
| Clone | Copy | Create a duplicate client with a new name | Admin only; hidden for webUiClient and selfServicePortal |
| Test | Play | Open the test authentication dialog | Admin only |


The configuration form has five tabs covering all aspects of client behavior.

Core identification fields for the RADIUS client.

| Field | Type | Required | Validation | Description |
|-------|------|----------|------------|-------------|
| Client Name | Text | Yes | Unique (async check) | Unique name for this client. Disabled for built-in clients |
| IP | Text | Conditional | Either IP or NAS ID must be provided | IPv4 address or CIDR notation of the client device |
| NAS ID | Text | Conditional | Either IP or NAS ID must be provided | Network Access Server identifier |
| RADIUS Server | Select | Yes | — | Authentication server that processes requests from this client |
| Accounting RADIUS Server | Select | No | — | Server for accounting records. Select "No Accounting" to disable |

Defines where MideyeServer looks up users for authentication requests from this client.

| Field | Type | Default | Description |
|-------|------|---------|-------------|
| Use Mideye Database | Checkbox | Enabled | Query the local Mideye user database |
| LDAP Profiles | Multi-select | — | LDAP directory profiles to search for user accounts |
| Entra ID Profiles | Multi-select | — | Microsoft Entra ID (Azure AD) profiles to search |

Controls how authentication requests are processed.

| Field | Type | Default | Validation | Description |
|-------|------|---------|------------|-------------|
| Max OTP Length | Number | 6 | Min: 4, Max: 12 | Maximum length of one-time passwords |
| OTP Type | Select | NUMERIC_OTP | — | Character set for OTP generation |

OTP Type Values:

| Value | Description |
|-------|-------------|
| NUMERIC_OTP | Digits only (0–9) |
| ALPHABETIC_OTP | Letters only (a–z, A–Z) |
| ALPHANUMERIC_OTP | Digits and letters |

| Field | Type | Default | Description |
|-------|------|---------|-------------|
| Encoding | Select | UTF_8 | Character encoding for RADIUS attribute values |

Encoding Values: UTF_8, ISO_8859_1, US_ASCII, UTF_16

| Field | Type | Default | Description |
|-------|------|---------|-------------|
| Auth Type 1 Enabled | Checkbox | Off | Enable single-factor (password-only) authentication |
| Allow Personalized Token | Checkbox | Off | Allow users to use personalized software tokens |
| Require Mideye Plus | Checkbox | Off | Require Mideye Plus app for authentication |
| Ignore Password | Checkbox | Off | Skip password verification (OTP/token only) |
| Enable Local Auth | Checkbox | Off | Enable local authentication fallback |
| Require Token Coupled Plus | Checkbox | Off | Require token-coupled Mideye Plus authentication |
| Support DM | Checkbox | Off | Enable Disconnect Messages (CoA) for active sessions |
| Use Suffix | Checkbox | Off | Enable domain suffix processing for usernames |
| Require Message Authenticator | Checkbox | Off | Require Message-Authenticator attribute in requests |
| Respond With Message Authenticator | Checkbox | On | Include Message-Authenticator in responses |
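
What the Require Message Authenticator setting checks, shown as an added example (not MideyeServer code): the Message-Authenticator attribute (type 80) is an HMAC-MD5 over the whole RADIUS packet, keyed with the shared secret and computed with the attribute's own 16-byte value set to zero. The shared secret, packet contents, function names and result strings below are constructed for illustration.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80               # attribute type; value is 16 bytes
SECRET = b"constructed-shared-secret"    # sample value, not a real secret
REQUEST_AUTH = bytes(range(16))          # constructed Request Authenticator
ATTRS = [(1, b"alice"), (32, b"vpn01")]  # User-Name, NAS-Identifier (constructed)


def build_access_request(secret, attrs, sign=True):
    """Build an Access-Request (code 1, id 7) from (type, value) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    if sign:
        body += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    packet = struct.pack("!BBH", 1, 7, 20 + len(body)) + REQUEST_AUTH + body
    if sign:
        # HMAC-MD5 over the full packet while the attribute value is still zero
        packet = packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
    return packet


def check_request(packet, secret, require):
    """Return 'valid', 'invalid', 'rejected-missing' or 'accepted-unsigned'."""
    if len(packet) < 20:
        return "invalid"
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return "invalid"
    packet, pos = packet[:length], 20        # ignore bytes past the stated length
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return "invalid"                 # malformed attribute
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return "invalid"
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return "valid" if hmac.compare_digest(received, expected) else "invalid"
        pos += attr_len
    # No Message-Authenticator present: the "require" switch decides the outcome
    return "rejected-missing" if require else "accepted-unsigned"


if __name__ == "__main__":
    signed = build_access_request(SECRET, ATTRS)
    unsigned = build_access_request(SECRET, ATTRS, sign=False)
    for pkt in (signed, unsigned):
        print(check_request(pkt, SECRET, require=True))
```

With the requirement off, an unsigned request from the client passes this check, so enable it only after confirming that the client device sends the attribute.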

Controls how usernames are processed before authentication.

| Field | Type | Default | Description |
|-------|------|---------|-------------|
| Filter Method | Select | NONE | How to extract the username from a domain-qualified identity |
| Filter Separator | Text | \ | The character that separates domain from username |

Filter Method Values:

| Value | Example Input | Result |
|-------|--------------|--------|
| NONE | DOMAIN\user | DOMAIN\user (unchanged) |
| PREFIX | DOMAIN\user | user (domain prefix removed) |
| SUFFIX | user@domain.com | user (domain suffix removed) |

| Field | Type | Default | Validation | Description |
|-------|------|---------|------------|-------------|
| Filter Spaces | Checkbox | Off | — | Remove space characters from usernames |
| Additional Characters | Text | (empty) | Max 30 characters, no spaces | Additional characters to remove from usernames |

Configuration for assisted (approver-based) authentication.

| Field | Type | Description |
|-------|------|-------------|
| Display Name | Text | Name displayed to approvers when this client requests Assisted Login |
| Assisted Login Profiles | Multi-select | Profiles defining the Assisted Login workflow for this client |


The Test Authentication dialog provides a multi-step interface to simulate RADIUS authentication against a client configuration.

| Field | Type | Required | Description |
|-------|------|----------|-------------|
| User Name | Text | Yes | Username to authenticate |
| Password | Password | Yes | User's password |
| Use MS-CHAPv2 | Checkbox | No | Use MS-CHAPv2 protocol for password verification |

Click Login to submit the authentication request.

If MFA is required, the server returns a challenge message (e.g., "Enter OTP:"). Enter the OTP or approve via Mideye Plus.

| Field | Type | Required | Description |
|-------|------|----------|-------------|
| Challenge Response | Password | Yes | The OTP, token code, or challenge response |

Success: Displays the authenticated username, assigned role, and a table of all RADIUS response attributes (name and value).

Failure: Displays the error message from the authentication server.

To add a client for a VPN concentrator:

  1. Click Add New.
  2. On the General tab, enter the VPN concentrator's name and IP address, and select the RADIUS server.
  3. On the User Repositories tab, enable the Mideye database and/or select LDAP profiles.
  4. On the Client Configuration tab, set OTP length and type as required by the VPN.
  5. Click Save.
  6. Configure a matching RADIUS Shared Secret for the VPN's source IP.

To clone an existing client:

  1. Find the source client in the data grid.
  2. Click the Clone icon.
  3. A duplicate is created with a modified name.
  4. Edit the clone to update the name, IP, and any settings that differ.

To test authentication against a client:

  1. Click the Test icon for the target client.
  2. Enter a valid username and password.
  3. Complete the MFA challenge if prompted.
  4. Verify the response attributes match expectations.

For environments where users authenticate as DOMAIN\username:

  1. Edit the client.
  2. Go to the User Name Filtering tab.
  3. Set Filter Method to PREFIX and Filter Separator to \.
  4. Save.

| Issue | Possible Cause | Resolution |
|-------|---------------|------------|
| Cannot delete client | It is a built-in client (webUiClient or selfServicePortal) | Built-in clients cannot be deleted |
| Save fails with "IP or NAS ID required" | Both IP and NAS ID are empty | Provide at least one identifier |
| Client name validation error | Name already in use | Choose a unique client name |
| Test authentication fails | Incorrect password, user not in configured repositories, or shared secret mismatch | Verify password, check User Repositories tab, verify shared secret |
| LDAP users not found | LDAP profile not assigned to client | Add the LDAP profile on the User Repositories tab |