RADIUS Integration: Firewall & Network Setup
This page covers what you need before connecting a RADIUS client (VPN, firewall, etc.) to Mideye Server. It assumes Mideye Server is already installed and running — see the Pre-install Checklist and Installation Guides if you still need to set up the server.
Before you start
Verify the following on the Mideye Server side:
- Mideye Server is installed and the Web Admin GUI is reachable.
- The database is connected and healthy — check /management/health (see Server Monitoring).
- Mideye Switch connectivity is confirmed (status UP in the health check) — unless running in Air-Gapped Mode.
- At least one authentication type is configured.
RADIUS port openings
Open these ports between the RADIUS client and Mideye Server:
| Port | Protocol | Direction | Purpose |
|---|---|---|---|
| 1812 | UDP | Client → Mideye Server | RADIUS authentication (default; configurable per RADIUS server) |
| 1813 | UDP | Client → Mideye Server | RADIUS accounting (optional) |
| 3799 | UDP | Mideye Server → Client | RADIUS Disconnect Messages / CoA — only needed for Assisted Login with disconnect |
RADSEC (RADIUS over TLS)
If the RADIUS client supports RADSEC, you can use TLS-encrypted RADIUS instead of UDP:
| Port | Protocol | Direction | Purpose |
|---|---|---|---|
| 2083 | TCP/TLS | Client → Mideye Server | RADSEC — disabled by default; requires CA-signed PEM certificates |
RADSEC requires additional certificate configuration on both ends. See the Application Configuration reference for radsec.* settings.
RADIUS client checklist
Gather this information before configuring the integration:
| Setting | Description |
|---|---|
| Mideye Server IP / hostname | The address your RADIUS client will send authentication requests to. |
| RADIUS port | Default 1812. Must match the port configured in the RADIUS server in Mideye. |
| Shared secret | A strong, random string configured identically on both the RADIUS client and in the RADIUS client entry in Mideye Server. |
| Authentication protocol | PAP for most integrations. Use MS-CHAPv2 only when AD password changes are required (needs a Network Policy Server). |
| Timeout | 35 seconds recommended. See RADIUS Timeout for details. |
| Retries | 1 recommended. |
Configure Mideye Server to accept the client
In the Mideye Web Admin GUI, add a RADIUS client entry for the integrating device:
- Navigate to RADIUS → Clients.
- Add a new client with the device’s IP address and shared secret.
- Assign the client to a RADIUS server (listener).
For step-by-step instructions, see the RADIUS Clients reference.
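Once the ports are open and the client entry exists, a single PAP Access-Request sent from the client's IP address confirms the firewall path and the shared secret end to end. The following is an added example, not Mideye code: it follows the RADIUS RFCs (User-Password hiding, Message-Authenticator, Response Authenticator) and uses the timeout and retry values from the checklist above. It assumes the RADIUS server accepts PAP with a Message-Authenticator attribute; the function names and the NAS-Identifier value are illustrative.

```python
import hashlib, hmac, os, socket, struct

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding, which is what PAP relies on."""
    size = max(1, -(-len(password) // 16)) * 16      # at least one 16-byte block
    padded, out, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()   # keyed only by the shared secret
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def attr(code: int, value: bytes) -> bytes:
    return struct.pack("!BB", code, len(value) + 2) + value

def build_access_request(user, password, secret, ident=1, authenticator=None):
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(80, b"\x00" * 16)                  # Message-Authenticator, zeroed for the HMAC
             + attr(1, user)                         # User-Name
             + attr(2, hide_password(password, secret, authenticator))
             + attr(32, b"preflight-check"))         # NAS-Identifier (constructed value)
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attr(80, mac) + attrs[18:]

def response_is_authentic(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Check the Response Authenticator against the request and shared secret."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def probe(host, user, password, secret, port=1812, timeout=35.0, retries=1):
    """Send one Access-Request (plus retries) and classify the outcome."""
    request = build_access_request(user, password, secret)
    codes = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(1 + retries):
            sock.sendto(request, (host, port))
            try:
                reply, _addr = sock.recvfrom(4096)
            except socket.timeout:
                continue                             # retransmit the same packet
            if not response_is_authentic(reply, request, secret):
                return "bad-authenticator"           # secret mismatch or spoofed reply
            return codes.get(reply[0], f"code-{reply[0]}")
    return "timeout"                                 # blocked port, unknown client IP, or dropped request
```

Call it as `probe("mideye.example.internal", b"testuser", b"password", b"shared-secret")`, where the hostname and credentials are placeholders. RADIUS servers silently discard requests from unregistered clients and requests with an invalid Message-Authenticator, so a `timeout` result can mean a wrong client IP or secret as well as a blocked port.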
DNS requirements
Mideye Server must be able to resolve DNS if any of the following are in use:
- LDAPS (TLS certificate validation)
- FQDN-based Switch Configuration
- Assisted Login with RADIUS Disconnect Messages (resolves NAS hostnames)
Next steps
- Pick your device from the RADIUS integration guides (Cisco, Fortinet, Palo Alto, Check Point, Citrix, etc.)
- Review Authentication Types to choose the right MFA method
- Check the Pre-install Checklist if Mideye Server is not yet deployed