Configure Two-Factor Authentication for BeyondInsight and Password Safe Using RADIUS Server

You can configure two-factor authentication to log in to the BeyondInsight management console, Analytics & Reporting, and Password Safe.

After you set up two-factor authentication, users must log in using the two-factor authentication method.

To set up two-factor authentication, you must:

  • Configure the RADIUS server.
  • Configure the two-factor authentication settings for users.

Configure the RADIUS Server

Screenshot of Radius two-factor authentication Option on Configuration page.

  1. Select Configuration > Multi-factor Authentication > Radius two-factor authentication.


Screenshot of Configuration > Multi-Factor Authentication > Raduis > Create Radius Alias.

  1. Click Create Radius Alias.


  1. In the Create RADUIS Alias pane, set the following:
    • Alias: Provide a name used to represent the RADIUS server instance. This is displayed in the RADIUS server grid and must be unique.
    • Filter: Select a filter that will be used to determine if this RADIUS server instance should be used. If you select one of the domain filters, you must enter a Value.
    • Value: If one of the domain filters is selected, enter a value that will identify the domain. Enter a domain or comma-separated list of domains, depending on the setting selected for the filter.
    • Host: Enter the DNS name or the IP address for your RADIUS server.
    • Authentication Mechanism: Select PAP, or MSCHAPv2 if applicable. MSCHAPv2 is supported only if the Duo proxy is configured to use a RADIUS client.
    • Authentication Port: Enter the listening port that is configured on your RADIUS server to receive authentication requests. The default port is 1812.
    • Authentication Request Timeout: Enter the time in seconds that you want BeyondInsight to wait for a response from the RADIUS server before the request times out. The default value is ten seconds.
    • Shared Secret: Enter the shared secret that is configured on your RADIUS server.
    • Initial Request: Provide the value passed to the RADIUS server on the first authentication request. Select from the following: Forward User Name (default), Forward User Name and Password, Forward User Name and Token.
    • Initial Prompt: Provide the first message that displays to the user when they log in to the application. This setting is available only when Forward User Name and Token is selected as the initial request value.
    • Transmit NAS Identifiers: Enable this option if it is applicable to your environment. When this option is enabled, NAS identifiers are transmitted to permit access. In some cases, a RADIUS server does not permit access if NAS identifiers are not transmitted. BeyondInsight transmits its NAS IP Address and its NAS Identifier.
  1. Click Create RADIUS Alias.

Configure RADIUS Two-Factor Authentication Using Duo

This section is a high-level overview on the configuration required for BeyondInsight and Password Safe to work with a RADIUS infrastructure using Duo.

BeyondInsight and Password Safe can work with the following Duo configurations:

  • RADIUS Auto
  • RADIUS Challenge
  • RADIUS Duo only

Screen Capture of Create RADIUS Alias Options

Follow the steps outlined above in Configure the RADIUS Server, using the following settngs:

  • For Alias, enter Duo.
  • For Authentication Mechanism, select PAP.
  • For Initial Request, select Forward User Name and Password.


Screen Capture of Create RADIUS Alias Options - Duo

Follow the steps outlined above in Configure the RADIUS Server, using the followng settings:

  • For Alias, enter Duo.
  • For Authentication Mechanism, select PAP.
  • For Initial Request, select Forward User Name and Token.
  • For Initial Prompt, enter a message to display on the BeyondInsight login page to provide guidance to users on the information to enter. In this case, the user must enter the RADIUS code.


Screen Capture of Duo Two-Factor Login Page - Enter Passcode

Duo-Only Login Page

After RADIUS two-factor authentication is configured, the login page for end user varies, depending on the configured settings.

The screenshot shows a login page configured for Duo-only authentication. The user can enter a passcode to log in or select a device to send a code to. The user then enters the code on the login page.

Configure Alternate Directory Attribute for RADIUS

To configure an alternate directory attribute for Active Directory and LDAP users for RADIUS authentication, follow the below steps.

This setting is optional.

  1. Select Configuration .
  2. Under Role Based Access, select Options.
  3. Under RADIUS Two-Factor Authentication, set the following:
    • Alternate directory attribute: Enter the Active Directory or LDAP attribute that is matched on the RADIUS server to identify the user account. This can be any attribute in Active Directory or LDAP. The default value is extensionName.
    • Enable for new directory accounts: Click the toggle to enable this attribute for new accounts when they are discovered.
  4. Click Update RADIUS Two-Factor Authentication Options.