Your browser does not allow storing cookies. We recommend enabling them.


RADIUS Submethod

RADIUS (Remote Authentication Dial-In User Service) is a protocol for checking a user's authentication and authorization information from a remote server. It was originally intended for authenticating dial-in users, but is also suitable for use with Secure Shell. In Tectia, RADIUS is implemented as a submethod of keyboard-interactive authentication.

When using RADIUS authentication, Tectia Server first asks the user's password and then sends it along with the user name to the RADIUS server (PAP authentication). Multiple RADIUS servers can be configured, and these will be queried in turn in case some of them are unreachable.

The supported RADIUS servers are Microsoft IAS (Internet Authentication Service) and FreeRADIUS.

The following example shows settings for keyboard-interactive authentication using the RADIUS submethod in the ssh-server-config.xml file:

  <authentication action="allow">
    <auth-keyboard-interactive max-tries="3" failure-delay="2">
        <radius-server address="" 
          <radius-shared-secret file="&configdir;/radius-secret-file" />

Using the Tectia Server Configuration tool, keyboard-interactive authentication can be configured on the Authentication page. See Authentication.

Notice that enforcing password changing does not work with RADIUS.

A common cause of problems in RADIUS authentication is that the shared secret is corrupted. For example, extra newline characters or spaces in the shared secret file can cause the authentication to fail. Make sure the same shared secret is configured on Tectia Server and the network access server (NAS).


SSH Communications Security does not provide technical support on how to configure RADIUS. Our support only covers Tectia applications.

For information on configuring FreeRADIUS, see for example, For information on configuring Microsoft IAS, see its documentation.

Special Considerations on Windows

When using RADIUS authentication to log on to a Windows server that belongs to a domain, you have to give the user name prefixed with the machine name, for example MACHINE\user (instead of user). This is because RADIUS authentication uses local accounts, and Tectia Server that is installed on a Windows domain machine assumes that user accounts given without a prefix are domain accounts.

If Tectia Server is installed on a stand-alone machine, you can use both notations with RADIUS authentication (MACHINE\user and user).

For more information about user accounts on Windows, see User Logon Rights on Windows.




What to read next:

  • Reduce Secure Shell risk. Get to know the NIST 7966.

    The NISTIR 7966 guideline from the Computer Security Division of NIST is a direct call to action for organizations regardless of industry and is a mandate for the US Federal government.
    Download now
  • ISACA Practitioner Guide for SSH

    With contributions from practitioners, specialists and SSH.COM experts, the ISACA “SSH: Practitioner Considerations” guide is vital best practice from the compliance and audit community.
    Download now