
RADIUS Servers – Configure Authentication and Accounting Servers

The RADIUS Servers page manages the authentication server instances within MideyeServer. Each server listens on a unique UDP port and processes RADIUS Access-Request packets from associated clients. Server configuration includes rate limiting, spam protection, timeout thresholds, and customizable user-facing messages for various authentication scenarios.

RADIUS servers are referenced by RADIUS Clients — each client must be associated with exactly one authentication server and optionally one accounting server.

Required Role: ROOT, SUPER_ADMIN, or ADMIN (to create, edit, delete, or reset spam filter)

Navigation: Home → RADIUS Settings → RADIUS Servers

| Role | View | Create / Edit / Delete | Reset Spam Filter |
|------|------|----------------------|-------------------|
| ROOT | ✅ | ✅ | ✅ |
| SUPER_ADMIN | ✅ | ✅ | ✅ |
| ADMIN | ✅ | ✅ | ✅ |
| OPERATOR | ✅ | ❌ | ❌ |

| Column | Description |
|--------|-------------|
| Server Name | Unique name identifying the RADIUS server |
| Auth Port | UDP port number the server listens on (1–65535) |
| Action | Edit, Delete, and Reset Spam Filter buttons (admin only) |

The Reset Spam Filter button appears only when the server has active spammers (blocked source IPs).

A RADIUS server cannot be deleted if it is currently used by any RADIUS client. Remove all client associations before deleting.


The configuration form has three tabs: General, Advanced, and User Messages.

| Field | Type | Required | Validation | Default | Description |
|-------|------|----------|------------|---------|-------------|
| Server Name | Text | Yes | Max 255, unique (async check) | — | Unique name for this server |
| Auth Port | Number | Yes | Min: 1, Max: 65535, unique (async check) | 1812 | UDP port for authentication requests |

| Field | Type | Required | Validation | Default | Description |
|-------|------|----------|------------|---------|-------------|
| Max Pending Requests | Number | Yes | Min: 1, Max: 1000 | 50 | Maximum concurrent authentication requests |
| Max Failed Attempts | Number | Yes | Min: 1, Max: 1000 | 5 | Failed attempts before triggering protective action |
| Max User Deliveries Per Minute | Number | Yes | Min: 1, Max: 1000 | 5 | Maximum OTP deliveries per user per minute |
| Max User Deliveries Per Hour | Number | Yes | Min: 1, Max: 1000 | 30 | Maximum OTP deliveries per user per hour |

| Field | Type | Required | Validation | Default | Description |
|-------|------|----------|------------|---------|-------------|
| Touch User Inactivity Timeout | Number (seconds) | Yes | Min: 20, Max: 30 | 25 | Seconds before an unanswered Touch request times out |
| Touch Delivery Failure Timeout | Number (seconds) | Yes | Min: 10, Max: 20 | 17 | Seconds before a Touch delivery is considered failed |

| Field | Type | Default | Description |
|-------|------|---------|-------------|
| Auth Per NAS | Checkbox | Off | Track authentication attempts per NAS (Network Access Server) separately |
| Identify Client By Source IP | Checkbox | On | Identify clients by source IP address rather than NAS-IP-Address attribute |
| Suppress Multiple Login | Checkbox | Off | Prevent concurrent authentication sessions for the same user |

Customize the messages sent to users during authentication. All message fields support a maximum of 253 characters (per RADIUS attribute length limit). The Assisted Login Touch Title has a maximum of 100 characters.

| Field | Default Value | Description |
|-------|--------------|-------------|
| Authorization Failed | "User not authorized." | Shown when user is not authorized to access the resource |
| Invalid Password | "Invalid user or password." | Shown for incorrect password |
| User Expired | "User account has expired." | Shown when user account has expired |

| Field | Default Value | Description |
|-------|--------------|-------------|
| Challenge Message | "Enter OTP:" | Prompt for OTP entry |
| Password Reset | "Password needs to be reset during this session." | Shown during password reset flow |
| Invalid OTP | "Invalid OTP." | Shown for incorrect OTP |
| OTP Not Delivered | "Phone not reachable, for help see [www.mideye.com/help]." | Shown when OTP delivery fails |

| Field | Default Value | Description |
|-------|--------------|-------------|
| Plus Challenge | "Please sign %s." | Mideye Plus signing prompt (%s = transaction reference) |
| Plus Switch Challenge | "Phone not reachable. Please sign %s." | Fallback prompt when Touch is unavailable |
| Plus Not Delivered | "Code could not be verified, please try later." | Shown when Plus code verification fails |

| Field | Default Value | Description |
|-------|--------------|-------------|
| Token Out of Sync | "Token card out of sync. Try again with a new one-time password." | Shown when hardware token is out of synchronization |
| Number Field Not Found | "User account is incorrect." | Shown when the user's number field (phone) is not configured |
| Token Code Not Delivered | "One-time password could not be verified, please try later." | Shown when token code verification fails |

| Field | Default Value | Description |
|-------|--------------|-------------|
| Touch Accept Title | "Mideye+ Touch Accept" | Title of the Touch notification on the user's device |
| Touch Accept Display Text | "Do you want to proceed with the login?" | Body text of the Touch notification |
| Touch Failed Timeout | "Touch Accept login was unsuccessful" | Shown when Touch request times out |

| Field | Default Value | Description |
|-------|--------------|-------------|
| Assisted Login Challenge | "Enter Approver ID:" | Prompt for the approver identifier |
| Assisted Login Touch Title | "Assisted Login Request" | Title of the Touch notification sent to the approver |
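
An added example, not MideyeServer code: a pre-flight check that sizes custom User Messages in UTF-8 octets, because the RADIUS limit of 253 applies to the attribute value in octets and a translated message can pass a character count yet not fit. It assumes the messages are UTF-8 encoded and carried in a Reply-Message attribute; `check_messages`, the sample messages and the transaction reference are constructed for illustration.

```python
import struct

REPLY_MESSAGE = 18       # Reply-Message attribute type (RFC 2865)
MAX_VALUE_OCTETS = 253   # 255-octet attribute minus the Type and Length octets


def encode_reply_message(text: str) -> bytes:
    """Return the Type | Length | Value encoding of one Reply-Message."""
    value = text.encode("utf-8")
    if len(value) > MAX_VALUE_OCTETS:
        raise ValueError(f"{len(value)} octets exceeds {MAX_VALUE_OCTETS}")
    # Length counts the two header octets as well as the value.
    return struct.pack("!BB", REPLY_MESSAGE, len(value) + 2) + value


def check_messages(messages: dict, sample_reference: str) -> dict:
    """Return {field: problem} for every message that would not fit."""
    problems = {}
    for field, template in messages.items():
        # Size %s fields as sent, with the reference substituted in.
        text = template.replace("%s", sample_reference)
        octets = len(text.encode("utf-8"))
        if octets > MAX_VALUE_OCTETS:
            problems[field] = f"{len(text)} characters but {octets} octets"
    return problems


# Constructed inputs: two defaults from the tables above, one made-up
# translated message, and a made-up transaction reference.
SAMPLE_MESSAGES = {
    "Challenge Message": "Enter OTP:",
    "Plus Challenge": "Please sign %s.",
    "OTP Not Delivered": "Telefonen är inte nåbar. " * 10,
}
SAMPLE_REFERENCE = "REF-0001"

if __name__ == "__main__":
    for name, problem in check_messages(SAMPLE_MESSAGES, SAMPLE_REFERENCE).items():
        print(f"{name}: {problem}")
```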


When MideyeServer detects excessive failed authentication attempts from specific source IPs, it temporarily blocks them (spam filter). The Reset Spam Filter action clears all blocked sources for a server.

Steps:

  1. Click the Reset Spam Filter icon (only visible when spammers exist).
  2. Review the server name and number of currently blocked sources.
  3. Click Reset to unblock all sources.

  1. Click Add New.
  2. Enter a descriptive server name and unique port number.
  3. Configure rate limits on the Advanced tab.
  4. Customize user messages on the User Messages tab.
  5. Click Save.
  6. Associate the server with RADIUS Clients.

  1. Edit the target server.
  2. Go to the User Messages tab.
  3. Modify the Touch Accept Title and Display Text to match your organization's branding.
  4. Save.

Tuning Rate Limits for High-Traffic Environments

  1. Edit the server.
  2. Go to the Advanced tab.
  3. Increase Max Pending Requests for higher concurrency.
  4. Adjust Max User Deliveries Per Minute/Hour to prevent OTP exhaustion.
  5. Save.
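
An added example (not MideyeServer code) of how the per-minute and per-hour delivery limits interact, using the default values 5 and 30. It assumes sliding windows counted per user, which the page does not specify; `DeliveryLimiter` and `simulate` are hypothetical names.

```python
from collections import defaultdict, deque


class DeliveryLimiter:
    """Per-user OTP delivery limiter with a minute and an hour ceiling."""

    def __init__(self, per_minute: int = 5, per_hour: int = 30):
        self.per_minute = per_minute
        self.per_hour = per_hour
        self._sent = defaultdict(deque)  # user -> times of allowed deliveries

    def allow(self, user: str, now: float) -> bool:
        sent = self._sent[user]
        # Forget deliveries that have aged out of the one-hour window.
        while sent and now - sent[0] >= 3600:
            sent.popleft()
        last_minute = sum(1 for t in sent if now - t < 60)
        if last_minute >= self.per_minute or len(sent) >= self.per_hour:
            return False
        sent.append(now)
        return True


def simulate(limiter, user: str, interval_s: int, duration_s: int):
    """Request a delivery every interval_s seconds; return (allowed, denied)."""
    allowed = denied = 0
    for t in range(0, duration_s, interval_s):
        if limiter.allow(user, float(t)):
            allowed += 1
        else:
            denied += 1
    return allowed, denied


if __name__ == "__main__":
    # Constructed scenario: a client retrying every 5 seconds for 10 minutes.
    limiter = DeliveryLimiter()
    print(simulate(limiter, "alice", 5, 600))
```

Under these assumptions, a client that retries every 5 seconds uses up the hourly allowance in under six minutes, and that user receives no further OTP until the oldest delivery ages out of the hour. Other users are unaffected because the counters are kept per user.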

| Issue | Possible Cause | Resolution |
|-------|---------------|------------|
| Cannot delete server | Server is assigned to one or more RADIUS clients | Remove all client associations first |
| Port already in use | Another server uses the same port | Choose a unique port number |
| Users see generic error messages | Default messages not customized | Edit messages on the User Messages tab |
| Legitimate users blocked | Spam filter triggered by failed attempts | Reset the spam filter and investigate the source |
| Touch requests timing out | Timeout too short for network conditions | Increase timeouts on the Advanced tab |