FTP and SFTP servers with RADIUS Authentication

There are cases in which you need to combine modern cloud identity systems with legacy infrastructure. While cloud-based identity providers like Google and Microsoft Entra ID are becoming the standard, many organizations still rely on legacy infrastructure like Windows Active Directory (AD) and RADIUS servers.

SFTPPlus MFT allows for user authentication via the Remote Authentication Dial-In User Service (RADIUS) protocol.

This enables secure file transfers over SFTP, FTPS, and HTTPS for users managed by a RADIUS server, and supports combining this legacy authentication with users authenticated via modern methods.


Hybrid Authentication

One of the capabilities of SFTPPlus MFT is its ability to handle diverse authentication sources simultaneously. This means you can configure a single server to authenticate users from:

  • Embedded users: SFTPPlus MFT comes with a fully functional user management system.
  • Modern Single Sign-On (SSO): Google, Microsoft Entra ID, and other SAML or OpenID Connect providers.
  • Legacy Directories: LDAP and, of course, RADIUS.

This hybrid approach provides flexibility, allowing you to modernize your security posture without disrupting established workflows that depend on legacy systems.

With SFTPPlus MFT, you can use RADIUS authentication to secure file transfers over:

  • FTPS
  • SFTP
  • HTTPS

To support a wide range of network devices and security policies, SFTPPlus MFT is compatible with several RADIUS authentication protocols, including:

  • PAP (Password Authentication Protocol): A simple authentication method that sends credentials in cleartext. While less secure, it is sometimes required for older systems.
  • CHAP (Challenge-Handshake Authentication Protocol): A more secure method that uses a challenge-response mechanism to avoid transmitting the password directly.
  • MS-CHAP-v1 and MS-CHAP-v2: Microsoft's proprietary versions of CHAP, commonly used in Windows environments.

These options ensure compatibility with a wide range of RADIUS servers and configurations, including those required for MFA setups.

See our technical documentation for RADIUS for the full list of configuration options.

Use Case: Multi-Factor Authentication (MFA) for Legacy Active Directory

Native Active Directory only supports username and password authentication.

The main reason our customers use SFTPPlus MFT with RADIUS is to implement Multi-Factor Authentication (MFA) for users in a legacy Windows Active Directory environment.

Many organizations use a RADIUS server (like Microsoft's Network Policy Server - NPS) as a proxy to their Active Directory. By integrating an MFA provider with the RADIUS server, you can enforce a second factor of authentication. When a user attempts to log in to the SFTPPlus MFT server, the authentication request is sent to the RADIUS server, which then triggers the MFA prompt.

This is a streamlined way to add a critical layer of security to your file transfer infrastructure without needing to overhaul your entire AD setup.

Dynamic Group Association

SFTPPlus MFT can dynamically assign users to specific groups based on the attributes returned by the RADIUS server.

When a user successfully authenticates, the RADIUS server can include attributes in its response, such as Filter-Id or Class. SFTPPlus MFT can be configured to read these attributes and map the user to a predefined group within the MFT server.

For example, a user from the "Finance" department could be automatically placed in the "finance-users" group in SFTPPlus MFT, inheriting the specific file and folder permissions associated with that group.

This automates user provisioning and ensures that access rights are always aligned with the user's role, as defined in your central directory.
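
The attribute-to-group mapping described above, as an added Python example (not SFTPPlus MFT code or configuration): it checks the RFC 2865 Response Authenticator of an Access-Accept before reading Filter-Id or Class, and grants a group only for allow-listed values. The group map, shared secret and sample packet are constructed assumptions.

```python
import hashlib
import hmac
import struct

FILTER_ID, CLASS, ACCESS_ACCEPT = 11, 25, 2  # RFC 2865 attribute types and packet code
GROUP_MAP = {"Finance": "finance-users"}     # hypothetical value-to-group mapping


def build_accept(ident, request_auth, secret, attrs):
    """Build a constructed Access-Accept so the example runs offline."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def groups_from_accept(packet, request_auth, secret):
    """Return mapped groups; raise ValueError if the reply cannot be trusted."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    packet = packet[:length]  # octets past Length are padding
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator")
    groups, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + a_len].decode("utf-8", "replace")
        # Only allow-listed values grant a group; unknown values grant nothing.
        if a_type in (FILTER_ID, CLASS) and value in GROUP_MAP:
            if GROUP_MAP[value] not in groups:
                groups.append(GROUP_MAP[value])
        pos += a_len
    return groups


# Constructed sample data, not captured traffic.
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))
SAMPLE = build_accept(7, REQ_AUTH, SECRET, [(FILTER_ID, b"Finance"), (CLASS, b"Unmapped")])

if __name__ == "__main__":
    print(groups_from_accept(SAMPLE, REQ_AUTH, SECRET))
```

A reply whose attributes were altered in transit, or that was computed with a different shared secret, fails the authenticator check and yields no group at all.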

Conclusion

By supporting RADIUS, SFTPPlus MFT provides a link to legacy authentication systems, enabling enhanced security through MFA and streamlined administration through dynamic group mapping.

This helps any organization looking to secure their file transfers while navigating the complexities of a hybrid IT world, including integrating with Microsoft's Network Policy Server (NPS).

Need help getting started? Contact the SFTPPlus MFT Support Team for guidance from specialists in managed file transfer systems.

🫴 We'll help you design and implement a solution that's tailored to your security and operational needs.