RADIUS Servers – Configure Authentication and Accounting Servers
Overview
The RADIUS Servers page manages the authentication server instances within MideyeServer. Each server listens on a unique UDP port and processes RADIUS Access-Request packets from associated clients. Server configuration includes rate limiting, spam protection, timeout thresholds, and customizable user-facing messages for various authentication scenarios.
RADIUS servers are referenced by RADIUS Clients — each client must be associated with exactly one authentication server and optionally one accounting server.
Access & Permissions
Required Role: ROOT, SUPER_ADMIN, or ADMIN (to create, edit, delete, or reset spam filter)
Navigation: Home → RADIUS Settings → RADIUS Servers
| Role | View | Create / Edit / Delete | Reset Spam Filter |
|------|------|----------------------|-------------------|
| ROOT | ✅ | ✅ | ✅ |
| SUPER_ADMIN | ✅ | ✅ | ✅ |
| ADMIN | ✅ | ✅ | ✅ |
| OPERATOR | ✅ | ❌ | ❌ |
Features & Configuration
Data Grid Columns
| Column | Description |
|--------|-------------|
| Server Name | Unique name identifying the RADIUS server |
| Auth Port | UDP port number the server listens on (1–65535) |
| Action | Edit, Delete, and Reset Spam Filter buttons (admin only) |
The Reset Spam Filter button appears only when the server has active spammers (blocked source IPs).
Delete Restrictions
A RADIUS server cannot be deleted if it is currently used by any RADIUS client. Remove all client associations before deleting.
Create / Edit Form
The configuration form has three tabs: General, Advanced, and User Messages.
Tab 1: General
| Field | Type | Required | Validation | Default | Description |
|-------|------|----------|------------|---------|-------------|
| Server Name | Text | Yes | Max 255, unique (async check) | — | Unique name for this server |
| Auth Port | Number | Yes | Min: 1, Max: 65535, unique (async check) | 1812 | UDP port for authentication requests |
Tab 2: Advanced
Rate Limiting & Thresholds
| Field | Type | Required | Validation | Default | Description |
|-------|------|----------|------------|---------|-------------|
| Max Pending Requests | Number | Yes | Min: 1, Max: 1000 | 50 | Maximum concurrent authentication requests |
| Max Failed Attempts | Number | Yes | Min: 1, Max: 1000 | 5 | Failed attempts before triggering protective action |
| Max User Deliveries Per Minute | Number | Yes | Min: 1, Max: 1000 | 5 | Maximum OTP deliveries per user per minute |
| Max User Deliveries Per Hour | Number | Yes | Min: 1, Max: 1000 | 30 | Maximum OTP deliveries per user per hour |
Timeout Settings
| Field | Type | Required | Validation | Default | Description |
|-------|------|----------|------------|---------|-------------|
| Touch User Inactivity Timeout | Number (seconds) | Yes | Min: 20, Max: 30 | 25 | Seconds before an unanswered Touch request times out |
| Touch Delivery Failure Timeout | Number (seconds) | Yes | Min: 10, Max: 20 | 17 | Seconds before a Touch delivery is considered failed |
Server Behavior
| Field | Type | Default | Description |
|-------|------|---------|-------------|
| Auth Per NAS | Checkbox | Off | Track authentication attempts per NAS (Network Access Server) separately |
| Identify Client By Source IP | Checkbox | On | Identify clients by source IP address rather than NAS-IP-Address attribute |
| Suppress Multiple Login | Checkbox | Off | Prevent concurrent authentication sessions for the same user |
Tab 3: User Messages
Customize the messages sent to users during authentication. All message fields support a maximum of 253 characters (per RADIUS attribute length limit). The Assisted Login Touch Title has a maximum of 100 characters.
General Messages
| Field | Default Value | Description |
|-------|--------------|-------------|
| Authorization Failed | "User not authorized." | Shown when user is not authorized to access the resource |
| Invalid Password | "Invalid user or password." | Shown for incorrect password |
| User Expired | "User account has expired." | Shown when user account has expired |
OTP Messages
| Field | Default Value | Description |
|-------|--------------|-------------|
| Challenge Message | "Enter OTP:" | Prompt for OTP entry |
| Password Reset | "Password needs to be reset during this session." | Shown during password reset flow |
| Invalid OTP | "Invalid OTP." | Shown for incorrect OTP |
| OTP Not Delivered | "Phone not reachable, for help see [www.mideye.com/help]." | Shown when OTP delivery fails |
Plus Messages
| Field | Default Value | Description |
|-------|--------------|-------------|
| Plus Challenge | "Please sign %s." | Mideye Plus signing prompt (%s = transaction reference) |
| Plus Switch Challenge | "Phone not reachable. Please sign %s." | Fallback prompt when Touch is unavailable |
| Plus Not Delivered | "Code could not be verified, please try later." | Shown when Plus code verification fails |
Token Messages
| Field | Default Value | Description |
|-------|--------------|-------------|
| Token Out of Sync | "Token card out of sync. Try again with a new one-time password." | Shown when hardware token is out of synchronization |
| Number Field Not Found | "User account is incorrect." | Shown when the user's number field (phone) is not configured |
| Token Code Not Delivered | "One-time password could not be verified, please try later." | Shown when token code verification fails |
Touch Messages
| Field | Default Value | Description |
|-------|--------------|-------------|
| Touch Accept Title | "Mideye+ Touch Accept" | Title of the Touch notification on the user's device |
| Touch Accept Display Text | "Do you want to proceed with the login?" | Body text of the Touch notification |
| Touch Failed Timeout | "Touch Accept login was unsuccessful" | Shown when Touch request times out |
Assisted Login Messages
| Field | Default Value | Description |
|-------|--------------|-------------|
| Assisted Login Challenge | "Enter Approver ID:" | Prompt for the approver identifier |
| Assisted Login Touch Title | "Assisted Login Request" | Title of the Touch notification sent to the approver |
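The 253 limit on message fields follows from the RADIUS attribute format, where a one-octet Length field covers the Type and Length octets plus the value, so on the wire it is a limit in octets rather than characters. The check below is an added example, not Mideye code: it measures customized messages after UTF-8 encoding and %s expansion, assuming they are carried in a Reply-Message attribute; the function names, the sample messages and the transaction reference are constructed for illustration.

```python
import struct

REPLY_MESSAGE = 18      # RADIUS attribute type for Reply-Message (RFC 2865)
MAX_VALUE_OCTETS = 253  # 255 (one-octet Length field) minus the Type and Length octets


def encode_reply_message(text: str) -> bytes:
    """Encode text as a single Reply-Message attribute: Type, Length, Value."""
    value = text.encode("utf-8")
    if len(value) > MAX_VALUE_OCTETS:
        raise ValueError(f"{len(value)} octets exceeds {MAX_VALUE_OCTETS}")
    return struct.pack("!BB", REPLY_MESSAGE, len(value) + 2) + value


def check_messages(messages: dict, sample_ref: str) -> dict:
    """Return {field: octet_count} for every message that will not fit.

    %s is expanded with sample_ref first, because the rendered text, not the
    template, is what has to fit in the attribute.
    """
    too_long = {}
    for field, template in messages.items():
        rendered = template.replace("%s", sample_ref)
        size = len(rendered.encode("utf-8"))
        if size > MAX_VALUE_OCTETS:
            too_long[field] = size
    return too_long


# Constructed sample input: two defaults from the tables above and two
# hypothetical customized messages that look fine when counted in characters.
SAMPLE = {
    "Invalid OTP": "Invalid OTP.",
    "Plus Challenge": "Please sign %s.",
    "OTP Not Delivered": "Ö" * 130,              # 130 characters, 260 octets in UTF-8
    "Plus Switch Challenge": "x" * 250 + " %s",  # 253 characters before %s expansion
}
SAMPLE_REF = "12345678"  # constructed transaction reference; its real format is an assumption

if __name__ == "__main__":
    for field, size in check_messages(SAMPLE, SAMPLE_REF).items():
        print(f"{field}: {size} octets, limit {MAX_VALUE_OCTETS}")
```

Both flagged messages pass a 253-character count on the template yet would overflow a single attribute, which is the case to test for when localizing messages into languages with non-ASCII characters.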
Reset Spam Filter
When MideyeServer detects excessive failed authentication attempts from specific source IPs, it temporarily blocks them (spam filter). The Reset Spam Filter action clears all blocked sources for a server.
Steps:
- Click the Reset Spam Filter icon (only visible when spammers exist).
- Review the server name and number of currently blocked sources.
- Click Reset to unblock all sources.
Common Use Cases
Setting Up a New Authentication Server
- Click Add New.
- Enter a descriptive server name and unique port number.
- Configure rate limits on the Advanced tab.
- Customize user messages on the User Messages tab.
- Click Save.
- Associate the server with RADIUS Clients.
Customizing Touch Authentication Messages
- Edit the target server.
- Go to the User Messages tab.
- Modify the Touch Accept Title and Display Text to match your organization's branding.
- Save.
Tuning Rate Limits for High-Traffic Environments
- Edit the server.
- Go to the Advanced tab.
- Increase Max Pending Requests for higher concurrency.
- Adjust Max User Deliveries Per Minute/Hour to prevent OTP exhaustion.
- Save.
Troubleshooting
| Issue | Possible Cause | Resolution |
|-------|---------------|------------|
| Cannot delete server | Server is assigned to one or more RADIUS clients | Remove all client associations first |
| Port already in use | Another server uses the same port | Choose a unique port number |
| Users see generic error messages | Default messages not customized | Edit messages on the User Messages tab |
| Legitimate users blocked | Spam filter triggered by failed attempts | Reset the spam filter and investigate the source |
| Touch requests timing out | Timeout too short for network conditions | Increase timeouts on the Advanced tab |
Related Pages
- RADIUS Clients — Associate clients with authentication servers
- RADIUS Shared Secrets — Configure shared secrets for server communication
- Network Policy Servers — Configure NPS servers for LDAP profile forwarding
- Authentication Logs — Monitor authentication events per server