SSH Tectia

RADIUS Submethod

RADIUS (Remote Authentication Dial-In User Service) is a protocol for checking a user's authentication and authorization information from a remote server. It was originally intended for authenticating dial-in users, but is also suitable for use with Secure Shell. In SSH Tectia, RADIUS is implemented as a submethod of keyboard-interactive authentication.

When using RADIUS authentication, SSH Tectia Server first asks the user's password and then sends it along with the username to the RADIUS server (PAP authentication). Multiple RADIUS servers can be configured, and these will be queried in turn in case some of them are unreachable.

The supported RADIUS servers are Microsoft IAS (Internet Authentication Service) and FreeRADIUS.

The following example shows settings for keyboard-interactive authentication using the RADIUS submethod in the ssh-server-config.xml file:

  <authentication action="allow">
    <auth-keyboard-interactive max-tries="3" failure-delay="2">
        <radius-server address="" 
         port="1812" client-nas-identifier="nasid">
          <radius-shared-secret file="&configdir;/radius-secret-file" />

On Windows, using the SSH Tectia Server Configuration tool, keyboard-interactive authentication can be configured on the Authentication page. See Authentication.

Notice that enforcing password changing does not work with RADIUS.

A common cause of problems in RADIUS authentication is that the shared secret is corrupted. For example, extra newline characters or spaces in the shared secret file can cause the authentication to fail. Make sure the same shared secret is configured on SSH Tectia Server and the network access server (NAS).


SSH Communications Security does not provide technical support on how to configure RADIUS. Our support only covers SSH Tectia applications. For information on configuring FreeRADIUS, see for example, For information on configuring Microsoft IAS, see its documentation.

Special Considerations on Windows

When using RADIUS authentication to log on to a Windows server that belongs to a domain, you have to give the username prefixed with the machine name, for example MACHINE\user (instead of user). This is because RADIUS authentication uses local accounts, and SSH Tectia Server 5.2 (and later) that is installed on a Windows domain machine assumes that user accounts given without a prefix are domain accounts.

If SSH Tectia Server is installed on a stand-alone machine, you can use both notations with RADIUS authentication (MACHINE\user and user).

For more information about user accounts on Windows, see Special Considerations on Windows.