Limitations of RADIUS support in OneSpan Authentication Server

RADIUS support in OneSpan Authentication Server has some caveats and limitations.

Limitations of RADIUS password protocols

Some OneSpan Authentication Server features are not supported with CHAP or MS-CHAP, because these protocols hash the logon data together. As a result, the server cannot separate the individual entries in the logon data.

The following features are unsupported:

  • You cannot perform self-assignment.
  • You cannot change the server PIN.
  • You cannot use Challenge/Response.
  • Windows back-end authentication is not supported, unless the user ID and Windows password are manually stored and stored password proxy is enabled.
  • You cannot use password autolearning, because clear text passwords cannot be identified.
  • Virtual Mobile Authenticator OTP requests are not supported.
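The following Python sketch is an added illustration, not OneSpan code: it contrasts PAP hiding (RFC 2865), which the server can reverse and split, with a CHAP response (RFC 1994), which is a one-way digest over the whole logon string. The field layout (static password followed by a 6-digit OTP), the sample secret, authenticator and challenge, and all function names are assumptions constructed for the example.

```python
import hashlib
import hmac

def pap_hide(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR the padded password with an MD5 keystream (reversible)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def pap_recover(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side: undo the XOR and get the clear-text logon string back."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

def split_logon(clear: bytes, otp_len: int = 6) -> tuple[bytes, bytes]:
    """Assumed layout: static password followed by a fixed-length OTP."""
    return clear[:-otp_len], clear[-otp_len:]

def chap_response(chap_id: int, logon: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5(ID || secret || challenge), a one-way 16-byte digest."""
    return hashlib.md5(bytes([chap_id]) + logon + challenge).digest()

def chap_matches(resp: bytes, chap_id: int, candidate: bytes, challenge: bytes) -> bool:
    """All a CHAP server can do: recompute from a fully known candidate string."""
    return hmac.compare_digest(resp, chap_response(chap_id, candidate, challenge))

# Constructed sample values, for illustration only.
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))
CHALLENGE = bytes(range(16, 32))
LOGON = b"Passw0rd" + b"123456"   # static password + OTP typed into one field

if __name__ == "__main__":
    clear = pap_recover(pap_hide(LOGON, SECRET, REQ_AUTH), SECRET, REQ_AUTH)
    print("PAP :", split_logon(clear))          # both entries recovered separately
    resp = chap_response(1, LOGON, CHALLENGE)
    print("CHAP:", resp.hex())                  # digest only, nothing to split
    print(chap_matches(resp, 1, b"Passw0rd", CHALLENGE))  # static part alone fails
    print(chap_matches(resp, 1, LOGON, CHALLENGE))        # needs the whole string
```

With the CHAP digest the server can only confirm a string it already knows in full, which is why features that need to read an individual entry from the logon data (such as password autolearning or a server PIN change) are unavailable.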

These limitations also apply to the following protocols:

  • EAP-TTLSv0/CHAP
  • EAP-TTLSv0/MSCHAP
  • EAP-TTLSv0/MSCHAP2
  • EAP-TTLSv0/EAP-MSCHAP2
  • PEAPv0/EAP-MSCHAP2
  • PEAPv1/EAP-MSCHAP2

Using OneSpan User Websites can circumvent many of these problems by allowing users to manage their account and authenticators. Users can:

  • Perform self-assignment.
  • Change their server PINs.
  • Change their own stored static password.

Unsupported RADIUS password protocols

The following RADIUS password protocols are unsupported:

  • MSCHAP with LM Hash.
  • The password change mechanism for MS-CHAP and MS-CHAP v2.

Limitations of international character support

A number of OneSpan Authentication Server components provide international character support, but some limitations apply:

Database

International character support in the database is dependent on the individual database driver. For more information, refer to the OneSpan Authentication Server Administrator Guide, Section "Encoding and case sensitivity".

RADIUS

International character support in OneSpan Authentication Server using the RADIUS protocol depends on the RADIUS client(s) used. If a RADIUS client uses UTF-8 encoding, international characters will be fully supported. If a RADIUS client uses a localized encoding (e.g. ISO-8859-13), the same locale setting must be configured on each computer.

If OneSpan Authentication Server is used as an intermediary between a RADIUS client and RADIUS server, verify the encoding expected/required by the RADIUS server. If the RADIUS server requires any encoding format other than UTF-8, you need to configure OneSpan Authentication Server accordingly.

Web

Digipass Authentication for OWA Basic and Digipass Authentication for OWA Forms limit international character support to a single configured encoding.

Tcl Command-Line Administration tool

The Tcl Command-Line Administration tool (dpadmincmd) supports international characters, but your console window must be able to support the characters or they will not display correctly.

Limitations of web basic authentication

In OneSpan Authentication Server, the HTTP basic authentication mechanism does not support a 2-step logon process. Challenge/Response is also unsupported.

Limitations for score-based authenticator applications

Score-based authenticator applications do not support CHAP-based RADIUS authentications.