How to Improve User Login Experience when Using a RADIUS Server as a Multi-factor Authentication Provider

Multi-factor authentication (MFA) providers usually offer different alternatives to manage how second-level passcodes are sent to users completing the authentication process. This article introduces the way in which Parallels® Remote Application Server (RAS) allows organizations to customize the one-time password (OTP) experience for those users connecting to a Parallels RAS Farm when working with Remote Authentication Dial-In User Service (RADIUS) servers.

Learn about RADIUS Authentication

The RADIUS is a network protocol that enables centralized authentication and authorization for dial-in users. Many organizations enable multi-factor authentication through RADIUS-based solutions in order to secure access to their network resources.

Multi-factor authentication is often enabled for the following use cases:

Virtual private networks
Wi-Fi access
External access to application and desktop delivery solutions
Enterprise services published on the internet (e.g., Office 365)
Access to cloud providers (e.g., Microsoft Azure, Amazon Web Services (AWS) and Google Cloud Platform)
Any other applications that depend on the RADIUS protocol to authenticate users attempting to access them

Configure Custom Verification Methods with RADIUS Server

When working with RADIUS providers, administrators configuring MFA to provide an additional layer of security for user validation can often choose from a predefined and configurable list of verification methods supported by the manufacturer. These methods define how the second-level passcode is sent to users, typically in the form of push notifications, phone callback authentication, email or SMS, although custom actions can also be defined.

Parallels RAS allows administrators to customize the OTP experience by providing the capability to define custom commands sent to RADIUS servers or personalize messages and icons shown over the Parallels Client. Additionally, administrators can order more defined verification methods based on their particular priorities, configuring any one of these options to be used automatically.

Configure Push Notifications for Client Authentication

Parallels RAS provides the capability to configure custom actions when using RADIUS as an MFA provider. To configure these actions, follow the steps shown below:

Open the Parallels RAS Console.

Navigate to Connection > Multi-factor authentication > Provider. Select a RADIUS provider; in this example, we will choose RADIUS.

Figure 1 - Configure Push Notifications for Client Authentication

Click on the Settings button, and switch to the Automation tab. Click on the [+] icon to display the Add Action menu. Verification methods are referred as “actions” in the Parallels RAS Console.

Figure 2 - Configure Push Notifications for Client Authentication

Configure up to five actions according to your requirements:

Enable Action: Enables or disables an action.
Title: The text that will appear on the clickable icon in Parallels Client (e.g., Push).
Command: The OTP command to be used when an action icon is clicked on Parallels Client. Consult your MFA provider for command specifications.
Description: A description balloon will appear on the user’s screen when the mouse pointer hovers over an action icon.
Action message: A message to show to the user in the connection progress box.
Select an image: Select an image from the provided gallery. The image is used as the action icon in the OTP dialog in Parallels Client.

You can move the listed actions in the Automation tab up or down to dictate in which order the action icons will be displayed in the Parallels Client.

Click OK to save the action. Repeat the previous step to add other actions.

Once all desired actions have been added to the list, you can enable the Autosend option for one action only, making it the default to be used automatically without any user interaction. To enable the Autosend option, select an action from the Automation tab, and click Tasks > Autosend.

Figure 3 - Configure Push Notifications for Client Authentication

When users connect to the Parallels RAS Farm after completing the configuration process, all action icons in Parallels Client will be positioned above the OTP field. Upon clicking an icon, authentication will be carried out according to the designations of the predefined action.

Figure 4 - Configure Push Notifications for Client Authentication

There are two possible ways to make an action execute automatically in Parallels Client:

The action icon configuration is received by the client for the first time, and one of the actions has Autosend enabled.
The Remember last method used option is enabled in Policies > Session > Connection > Multifactor authentication.

Figure 5 - Configure Push Notifications for Client Authentication

When the option is enabled and Parallel Client receives the policy, the last method successfully used will become the default automatic method.

Secure Your Business with Parallels RAS Multi-factor Authentication

Many companies are enabling multi-factor authentication as an extra security requirement to complement the use of usernames and passwords which, on their own, do not provide an adequate level of security.

Parallels RAS provides multi-factor authentication capabilities for access control. When multi-factor authentication is enabled, the user authentication process is carried out in two successive levels. The first level always employs native authentication based on Active Directory or Lightweight Directory Access Protocol (LDAP), whereas the second is able to offer multiple solutions in the form of Azure MFA (RADIUS), Duo (RADIUS), FortiAuthenticator (RADIUS), TekRADIUS, Deepnet, Gemalto (formerly SafeNet) and Google Authenticator.

Any questions or need further information? Please contact us.