...

  • Behavior can be controlled fully via scripts, which can decide which MFA authentication factors to offer to which users based on any attribute in the incoming AccessRequest.
  • Full Challenge support for prompting users in multiple steps.
  • No stickiness required - all instances can take part in a regular clustered Ceptor installation.
  • Full access to request/response package content, allowing scripts to manipulate full packet content, including all possible attributes.
  • Supports Multifactor (MFA) Authentication Methods, allowing users to choose between multiple methods, or giving specific users/groups access to a subset based on any attribute, user role, etc.
  • Combined with Ceptor Authentication Plugins, supports advanced types of authentication, such as Azure MFA.
  • Built-in RADIUS client supporting e.g. the PAP, CHAP and MSCHAPv2 protocols for proxying requests to remote RADIUS servers.
  • Shared secret configurable per client.
  • RadSec support, enabling TLS-encrypted TCP communication that does not depend on the source IP being kept intact, making it both more secure (better encryption) and more load-balancer friendly.
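
What the per-client shared secret and the source-IP dependency mean on the wire, as an added example (not Ceptor code or configuration): classic RADIUS over UDP selects the shared secret by the packet's source address and uses it to obscure the PAP User-Password as specified in RFC 2865 section 5.2. The client table, addresses, secrets and function names are constructed for illustration.

```python
import hashlib
import ipaddress

# Constructed client table: source network -> shared secret (one per client).
CLIENTS = {
    ipaddress.ip_network("192.0.2.10/32"): b"vpn-gateway-secret",
    ipaddress.ip_network("198.51.100.0/24"): b"wifi-controller-secret",
}

def secret_for(source_ip):
    """Pick the shared secret from the packet's source address (RADIUS/UDP)."""
    addr = ipaddress.ip_address(source_ip)
    for network, secret in CLIENTS.items():
        if addr in network:
            return secret
    return None  # unknown client: the request is discarded

def _xor_blocks(data, secret, authenticator, hiding):
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(d ^ k for d, k in zip(data[i:i + 16], key))
        out += block
        # The chaining value is always the ciphertext block.
        prev = block if hiding else data[i:i + 16]
    return out

def pap_hide(password, secret, authenticator):
    """Client side: pad to 16-byte blocks, XOR with MD5(secret + previous)."""
    size = max(16, -(-len(password) // 16) * 16)
    return _xor_blocks(password.ljust(size, b"\x00"), secret, authenticator, True)

def pap_reveal(hidden, secret, authenticator):
    """Server side: reverse the hiding and strip the null padding."""
    return _xor_blocks(hidden, secret, authenticator, False).rstrip(b"\x00")

def receive(source_ip, hidden, authenticator):
    """Server view of an Access-Request: secret lookup first, then PAP decode."""
    secret = secret_for(source_ip)
    return None if secret is None else pap_reveal(hidden, secret, authenticator)

if __name__ == "__main__":
    auth = bytes(range(16))  # constructed; real clients send 16 random bytes
    secret = secret_for("192.0.2.10")
    hidden = pap_hide(b"correct horse battery", secret, auth)
    print("direct from client:   ", receive("192.0.2.10", hidden, auth))
    print("rewritten, unknown IP:", receive("203.0.113.5", hidden, auth))
    print("rewritten, other IP:  ", receive("198.51.100.7", hidden, auth))
```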

Testing

As of Ceptor v6.4, the Tools menu in Ceptor Console contains a Radius Client that you can use for testing various authentication scenarios.

Launcher Configuration

To start the RADIUS server, configure the radius service in ceptor_launch.xml. The RADIUS server does not require its own JVM, so if the existing capacity can handle it, it can for example be defined as a service in the session controller classloader/JVM, like this:

...