AUTH.AS service API description via RADIUS protocol

To enable AUTH.AS two-factor authentication, we offer to use RADIUS protocol, in order to communicate with third-party services, systems and web applications. RADIUS packets are being processed at “”. Below are the set of parameters, to be passed to the RADIUS package.


Technical description

There are 2 mandatory parameters for RADIUS package:

  • User-Name: account username in AUTH.AS system, which allows to identify the user. Syntax: letters a-z, numbers 0-9, symbols - @ and .
  • Password: there are 2 options to pass this parameter: include regular user password or not.
  1. (user-password + one-time password). Before one-time password check, the user account will be authenticated in the target system (local or Active Directory authentication using LDAP protocol), with username and user-password. In case of success, one-time password will be validated. One-time password should be typed just after the user-password.
  2. (one-time password only). System only validates one-time password, without target system authentication.

API responses

AUTH.AS API returns 2 standard responses, dependent on checks, mentioned above. In case the check was successful, API returns standard RADIUS response "Access-Accept".

In other cases, mentioned below, response will always be "Access-Reject".

  • source IP address of incoming package not found in the system access white-list;
  • mandatory parameters were not specified;
  • wrong parameters data type;
  • can’t find a user with specified username;
  • the user don’t have any token assigned;
  • the company/the domain/the user/the token (any of instances) is locked;
  • user authentication in target system failed (if this option is enabled);
  • wrong one-time password.

API test example using “radclient”

Enable the flag “RADIUS sends user-password” in the system console settings. Let’s try to check one-time password for the user “firstname.lastname@domain.tld”, specifying the wrong user-password and one-time password:

echo "User-Name=firstname.lastname@domain.tld,Password=password" | radclient -n1 -p 1 auth secret1 -x

API response:

Received Access-Reject packet from home server port 1812 with invalid Response Authenticator!  (Shared secret is incorrect.)

Now, we supply our package with correct passwords. API response:

Received response ID 153, code 2, length = 20