Provides configuration of Multi-Factor Authentication for allowing or restricting access to resources. You may wish to review the Before you start section first.
Default Providers
Default time-based OTP provider
Refer to MFA Providers for more details of the OTP implementation in Appgate SDP.
Pin Entry Type
Masked
This affects pin entry operation. This will hide the entry as it is entered.
Numeric (6 digits)
This affects pin entry operation. This will use a numeric keypad and validate the entry.
Text
This affects pin entry operation. This will allow any type of alphanumeric entry.
Default FIDO2 provider
Refer to MFA Providers for more details of the FIDO2 implementation in Appgate SDP.
New providers
Server Settings
Hostnames or IP Addresses
Hostnames or IP addresses of the RADIUS server. You can enter more than one host in this field. When you do this, each time Appgate SDP needs to speak to a RADIUS MFA server it will choose one at random. Remember that Controllers are stateless transactional devices which are normally DNS load-balanced; so if Controller A sends a message to RADIUS A and RADIUS A replies to Controller B, the message will be lost. Equally, if Controller A starts a process with RADIUS A but later tries to finish it with RADIUS B, the message will again be lost.
To provide load balancing and fail-over, Appgate SDP makes the RADIUS server it chooses sticky, so any process started with RADIUS A will finish with RADIUS A. The Appgate SDP Client behaves in the same way with the Controllers, for precisely the same reason. Taken together this should make load balancing and fail-over work as expected in most situations. However, there remains the possibility that the RADIUS server that received a message from Controller A will reply to Controller B, and this would still be lost. The RADIUS server settings should be used to try to mitigate this last failure scenario.
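To make the sticky-server rule and the lost-reply case above concrete, here is an added Python illustration (not Appgate SDP code; the host names and transaction ids are constructed). A RadiusPool picks a host at random for each new transaction and pins the rest of that transaction to it, skipping hosts marked down; a Controller can only match a reply to a transaction it started itself, so a reply that lands on a different Controller is dropped, which is the residual failure the text describes.

```python
"""Sticky choice of RADIUS server per transaction, and a small model of the
Controller-side message loss described in the text. This is an added
illustration, not Appgate SDP code; host names are constructed examples."""
import random
from typing import Dict, List, Optional, Set


class RadiusPool:
    """Chooses a RADIUS host at random when a transaction starts and pins all
    later messages of that transaction to the same host (the 'sticky' rule).
    A host marked down is skipped, which gives simple fail-over."""

    def __init__(self, hosts: List[str], rng: Optional[random.Random] = None):
        if not hosts:
            raise ValueError("at least one RADIUS host is required")
        self.hosts = list(hosts)
        self.down: Set[str] = set()
        self.rng = rng or random.Random()
        self._pinned: Dict[str, str] = {}   # transaction id -> host

    def server_for(self, txn_id: str) -> str:
        host = self._pinned.get(txn_id)
        if host is None or host in self.down:
            candidates = [h for h in self.hosts if h not in self.down]
            if not candidates:
                raise RuntimeError("no RADIUS server available")
            host = self.rng.choice(candidates)
            self._pinned[txn_id] = host
        return host

    def mark_down(self, host: str) -> None:
        self.down.add(host)

    def finish(self, txn_id: str) -> None:
        self._pinned.pop(txn_id, None)


class Controller:
    """A stateless, transactional Controller: it can only match a RADIUS reply
    to a transaction it started itself, from the host it sent the request to."""

    def __init__(self, name: str, hosts: List[str], rng: Optional[random.Random] = None):
        self.name = name
        self.pool = RadiusPool(hosts, rng)
        self.pending: Dict[str, str] = {}   # transaction id -> host in use

    def start(self, txn_id: str) -> str:
        host = self.pool.server_for(txn_id)
        self.pending[txn_id] = host
        return host

    def receive_reply(self, txn_id: str, from_host: str) -> bool:
        """Returns False when the reply cannot be matched and is therefore lost."""
        if self.pending.get(txn_id) != from_host:
            return False
        del self.pending[txn_id]
        self.pool.finish(txn_id)
        return True


def demo() -> dict:
    """Constructed scenario: Controller A starts a transaction with one host; the
    reply reaching Controller B is lost, the same reply at Controller A is matched."""
    hosts = ["radius-a.example.internal", "radius-b.example.internal"]  # constructed
    ctrl_a = Controller("controller-a", hosts, random.Random(7))
    ctrl_b = Controller("controller-b", hosts, random.Random(7))
    host = ctrl_a.start("txn-1")
    sticky = ctrl_a.pool.server_for("txn-1") == host
    lost_at_b = not ctrl_b.receive_reply("txn-1", host)
    matched_at_a = ctrl_a.receive_reply("txn-1", host)
    return {"host": host, "sticky": sticky,
            "lost_at_b": lost_at_b, "matched_at_a": matched_at_a}


if __name__ == "__main__":
    print(demo())
```

The pinning table is per Controller, exactly because Controllers share no state; that is why the only fix for a RADIUS server answering the wrong Controller lives on the RADIUS side, as the text says.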
Port
Port number of the RADIUS server, e.g., 1812.
Timeout (seconds)
The time in seconds for which the Appgate SDP system waits for a response.
Authentication
Authentication Protocol
Authentication protocol used to log in to the RADIUS server, such as CHAP or PAP. Use CHAP if you have a choice. Depending on the option chosen, you can send either a fixed text string or the user's password back to the RADIUS server in the Access-Request User-Password field. Refer to Multi-factor authentication for more information.
Shared Secret
The shared secret for the specific RADIUS server.
Authentication mode
The external RADIUS support includes pre-emptive, RADIUS-based and challenge-response modes.
Appgate SDP Pre-emptive MFA
The user is asked for an OTP and then the RADIUS server validates it.
RADIUS server MFA
Often referred to as Push OTP. Appgate SDP requests that the RADIUS server validate the user, and the RADIUS server asks the user for an OTP.
Appgate SDP Challenge-Response MFA
Appgate SDP requests that the RADIUS server validate the user, then the RADIUS server requests that Appgate SDP ask the user for an OTP.
User Password
If checked, the User-Password field of the RADIUS request will contain the user's password.
User Shared Secret
If set, this fixed string is used as the User-Password field of the RADIUS request instead of the user's password.
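As an added example of what the Authentication Protocol, User Password and User Shared Secret settings put on the wire (not Appgate SDP code; RFC 2865 defines the encodings, and the user name, secrets and authenticator values are constructed), the following Python builds the credential attributes of an Access-Request for PAP and for CHAP. It also shows why CHAP is the better choice when available: pap_reveal recovers the User-Password for anyone holding the shared secret, whereas the CHAP-Password is a one-way response to a challenge that the server can only verify, not reverse.

```python
"""Credential attributes of a RADIUS Access-Request: the PAP User-Password
hiding of RFC 2865 section 5.2 and the CHAP-Password of section 5.3.
Added illustration, not Appgate SDP code; all secrets here are constructed."""
import hashlib
import hmac
import os
from typing import Optional

# Attribute type codes from RFC 2865
USER_NAME = 1
USER_PASSWORD = 2
CHAP_PASSWORD = 3
CHAP_CHALLENGE = 60


def attribute(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 byte), Length (1 byte, includes header), Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([atype, len(value) + 2]) + value


def pap_hide(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password: pad to a multiple of 16 bytes, then XOR each block with
    MD5(shared_secret + previous output block); the first block uses the 16-byte
    Request Authenticator. This is obfuscation keyed by the shared secret, not encryption."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def pap_reveal(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide, as the RADIUS server (or anyone else holding the
    shared secret) performs it. Trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(shared_secret + prev).digest()
        out += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value: CHAP Ident followed by MD5(Ident + password + challenge).
    One-way: the server recomputes it from the stored password and compares."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(value: bytes, stored_password: bytes, challenge: bytes) -> bool:
    """Server-side check of a CHAP-Password attribute value (constant-time compare)."""
    if len(value) != 17:
        return False
    return hmac.compare_digest(value, chap_password(value[0], stored_password, challenge))


def access_request_attributes(username: bytes, protocol: str, credential: bytes,
                              shared_secret: bytes, authenticator: bytes,
                              challenge: Optional[bytes] = None) -> bytes:
    """Attribute block for an Access-Request. `credential` is either the user's
    password (the 'User Password' setting) or the fixed 'User Shared Secret' string."""
    attrs = attribute(USER_NAME, username)
    if protocol == "PAP":
        attrs += attribute(USER_PASSWORD, pap_hide(credential, shared_secret, authenticator))
    elif protocol == "CHAP":
        # A fixed Ident of 1 keeps the example short; real clients vary it per request.
        challenge = challenge or os.urandom(16)
        attrs += attribute(CHAP_PASSWORD, chap_password(1, credential, challenge))
        attrs += attribute(CHAP_CHALLENGE, challenge)
    else:
        raise ValueError("protocol must be 'PAP' or 'CHAP'")
    return attrs
```

Because the PAP hiding is reversible with the shared secret, a fixed User Shared Secret sent over PAP protects the user's real password from the RADIUS path entirely, while CHAP with the real password never exposes it in recoverable form on the wire.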
Pin Entry Type
Masked
This affects pin entry operation. This will hide the entry as it is entered.
Numeric (6 digits)
This affects pin entry operation. This will use a numeric keypad and validate the entry.
Text
This affects pin entry operation. This will allow any type of alphanumeric entry.