One Identity Safeguard for Privileged Sessions (SPS) can authenticate its users to an external RADIUS server. Group memberships of the users must be managed either locally on SPS or in an LDAP database.


The challenge/response authentication method is currently not supported. Use other authentication methods (for example password, SecureID).

Authenticating SPS users to a RADIUS server

To authenticate SPS users to a RADIUS server, complete the following steps.

  1. Navigate to Users & Access Control > Login Options.

  2. To configure a RADIUS login method, select one of the following options:

    • Select an existing RADIUS login option and click Edit.

    • Click Create new authentication method and select RADIUS.

    The following figure shows the configuration options of the RADIUS login method.

    Figure 88: Users & Access Control > Login options — Configuring RADIUS authentication

  3. In the Name field, specify a name for the login option.

  4. (Optional) Enable the RADIUS login method.

  5. To add a new RADIUS server, click Create new RADIUS server.

    1. In the Address field, enter the IP address or domain name of the RADIUS server. Use an IPv4 address or hostname.

    2. In the Server port field, enter the port number.

    3. In the Shared secret field, enter the password that SPS can use to access the RADIUS server.

      NOTE: SPS accepts passwords that are not longer than 150 characters and supports the following characters:

      • Letters A-Z, a-z

      • Numbers 0-9

      • The space character

      • Special characters: !"#$%&'()*+,-./:;<>=?@[]\^-`{}_|

    4. Click Save.

  6. (Optional) To add more RADIUS servers, click and repeat the procedure for adding a new RADIUS server.

    If a server is unreachable, SPS tries to connect to the next server in the list in failover mode.

  7. Select the authentication protocol.

    • To use the Password Authentication Protocol, select PAP.

    • To use the Challenge-Handshake Authentication Protocol, select CHAP.

  8. Select LDAP server or Local as the Authorization Backend.

  9. (Optional) To add a new LDAP server, click New LDAP server under Authorization backend and select one of the server types:

  10. Script reference is filled out automatically when you specify the name for the login option. Special characters are automatically replaced with dashes ("-"). The Script name is a unique, human readable ID that is used by the REST API clients to select the login method.

  11. To save your modifications, click Commit.


    After you commit this configuration, the SPS web interface will be available only after successfully authenticating to the RADIUS server. Note that the default admin account of SPS will be able to login normally, even if the RADIUS server is unaccessible.