This document contains detailed information relating to V-Key's
various Products / Services, for which all copyright, trademark(s),
patent(s) and/or trade secrets belong to V-Key Inc / Pte Ltd. TAKE
NOTICE that this should not be circulated to competitors or
disclosed to third parties (other than directors, officers,
employees, and agents of the Customer).
Note: Because CDMA mobile devices have low popularity and mobile
network operators are phasing out CDMA networks, V-Key does not test
any V-Key software product on mobile devices that run on CDMA
networks. The compatibility of V-Key software products with CDMA
mobile devices is unknown.
Revision History
Ver. | Date | Description/Changes
1.0 | 2026-03-30 | Initial release
VSA Radius Integration Guide
Introduction
V-OS Cloud provides many services that will help organizations to implement secure authentication mechanisms to protect their services easily and effortlessly.
VSA RADIUS Solution is based on the V-OS PKI Token solution, hosted by the key components on V-OS Cloud, the Identity Management (IDM) portal, and the V-Key Smart Authenticator (VSA) app that is available on both Android and iOS. These cloud components are used to integrate the third-party services for which you wish to implement secure authentication and authorization, through directory services and authentication protocol connectors.
The services that have been verified to be compatible with the VSA RADIUS Solution are:
OpenVPN
SonicWall VPN
EdgeMAX Router
Solution Architecture
VSA RADIUS Solution consumes the cloud-hosted V-OS PKI suite, VSA IDM, and V-Key Smart Authenticator app that are available to your users to connect from anywhere, anytime.
The following architecture diagram shows how VSA interacts with a RADIUS-enabled service.
Fig 1: VSA RADIUS Solution Architecture
VSA IDM acts as the RADIUS server and uses a RADIUS connector that enables RADIUS proxy to send the authentication requests.
VSA IDM provides directory connectors that allow you to authenticate users through existing directory credentials, from both online directories, such as Microsoft Entra ID, and on-premises directories, such as Active Directory in the local network, for primary authentication before raising the secondary authentication to the VSA app.
VSA Components
V-OS Cloud Portal
The V-OS Cloud Portal is the web interface where you can sign up, subscribe, manage subscriptions, services, payments, and orders. The URL to the Portal is https://cloud.v-key.com
V-OS Cloud Dashboard
The V-OS Cloud Dashboard is the client area restricted by access accounts. You can log in to the Dashboard with either a root, admin, or supervisor account. You can configure (environments, services, and connectors), deploy services, and manage service users of your organization through the Dashboard. Only root and admin users have the right to make configurations and modifications in the Dashboard. Users with the supervisor access right have view-only access to the Dashboard. The URL to log in to the Dashboard is https://cloud.v-key.com/login.
VSA IDM
The VSA Identity Management (IDM) is the access gateway that handles communication between the V-OS Cloud and various components such as directories, RADIUS server, SAML server, etc. that are available in your organization for initiating and performing the authorization and authentication of end-users.
V-Key Smart Authenticator (VSA) App
The VSA app is a mobile app developed for V-OS Cloud that can be used to do 2nd factor authentication for service accesses. It serves as a virtual token to help end-users to manage accounts and do authentication approval. The VSA app is mandatory for end-users to utilize the VSA services if your organization subscribed to the Free or Professional plan. The VSA app can be downloaded from the Apple App Store and Google Play Store. It is recommended to always upgrade your VSA app to the latest version.
Organizational/Third-party Components
Exposed Directories
A directory for user authentication. The directory must be accessible from an external network. Currently, V-OS Cloud supports the following directories:
Microsoft Active Directory: The directory that your organization installed on-premise and used to integrate with V-OS Cloud from outside of the enterprise network.
Microsoft Entra ID (formerly Azure Active Directory): Microsoft’s cloud-based identity and access management service.
Online 3rd Party Directory Services: Other 3rd party directory services that provide online directory services.
OpenLDAP: An open-source software for directories that enterprises can use and deploy in their environment.
V-Key LDAP: The V-Key directory service that is available to users who do not have an existing directory service in place or wish to use a separate directory service for their V-OS Cloud usage.
Other LDAPs: Other LDAP-based authentication software/services that V-OS Cloud is compatible with.
Note: You must configure the firewall settings on your directory server to allow external access to the LDAP TCP ports, i.e., 389 and/or 636. If you do not wish to make these TCP ports publicly accessible to all, you can update your NAT configurations to allow (whitelist) only V-OS Cloud, from the IP addresses 104.43.79.183 and 57.155.51.139, to access your directory.
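The allowlist described in the note above, as an added example that is not part of V-Key's guide: a shell function that prints an nftables ruleset admitting LDAP (389) and LDAPS (636) on the externally reachable interface only from the two V-OS Cloud addresses. It assumes a Linux directory host that uses nftables; the interface name wan0 and the table, set and chain names are hypothetical.

```shell
#!/bin/sh
# Added example (not V-Key's code): print an nftables ruleset that restricts inbound
# LDAP/LDAPS on one interface. Interface, table, set and chain names are assumptions.

valid_ipv4() {  # 0 if $1 is a single dotted-quad host address (no CIDR, no names)
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

valid_port() {  # 0 if $1 is an integer in 1..65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# emit_ldap_allowlist IFACE "PORT ..." "ADDR ..." -> ruleset on stdout, 1 on bad input
emit_ldap_allowlist() {
    iface=$1 port_csv='' src_csv=''
    case "$iface" in ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $iface" >&2; return 1 ;; esac
    for p in $2; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
        port_csv="${port_csv:+$port_csv, }$p"
    done
    for s in $3; do
        valid_ipv4 "$s" || { echo "bad source address: $s" >&2; return 1; }
        src_csv="${src_csv:+$src_csv, }$s"
    done
    [ -n "$port_csv" ] && [ -n "$src_csv" ] || { echo "empty port or source list" >&2; return 1; }
    cat <<EOF
table inet ldap_allowlist {
    set vos_cloud {
        type ipv4_addr
        elements = { $src_csv }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        # Accept first, then drop: the drop also covers IPv6 and any other source.
        iifname "$iface" ip saddr @vos_cloud tcp dport { $port_csv } accept
        iifname "$iface" tcp dport { $port_csv } counter drop
    }
}
EOF
}

# Ports and addresses are the ones stated in the note above.
emit_ldap_allowlist wan0 "389 636" "104.43.79.183 57.155.51.139"
```

Write the output to a file and validate it with `nft -c -f <file>` before loading it. The function rejects CIDR ranges and host names on purpose, so the allowlist cannot be widened by accident.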
Third-party Service Subscription
The application of your organization or third-party service that will be integrated with the VSA RADIUS solution.
RADIUS Server
The server which implements the network services based on RADIUS protocol in your organization. It is mandatory to expose the server for communication between VSA IDM and the RADIUS server during authentication. It receives connection requests from the RADIUS client, then triggers authentication to VSA IDM and receives the response to approve or reject the request.
RADIUS Client
The client application on end-users' devices that initiates the network service connection request. It triggers the network service connection request to the RADIUS server, then receives the result of authentication.
Flow Diagram
The following diagram shows the communication flow in V-OS Cloud when a user tries to access the network facility with the VSA RADIUS solution integrated.
Fig 2: Flow of VSA RADIUS Solution
The sample flow of the VSA RADIUS solution is as follows:
Note: The primary directory is used for authenticating the user when logging in to the VSA app. The secondary directory is used for authenticating the user when trying to connect to the VPN service. The primary and secondary directories can be the same directory or different directories. When a user tries to log in to the VSA app, VSA IDM queries the primary directory to authenticate the user.
Steps 1.1 - 1.4: The user triggers the network service connection request from his/her client application from PC or mobile that needs to connect to the network service.
Steps 2.1 - 2.6: VSA IDM does 1st factor authentication with the secondary directory, and triggers 2nd factor authentication request to VSA app on user’s mobile device.
Steps 3.1 - 3.6: The user confirms the 2FA request on the VSA app which will trigger the confirmation to be sent back to the RADIUS server to grant network service connection.
RADIUS Integration with Third Party Service
To implement VSA RADIUS authentication for a third-party service, you need to execute the following steps as prerequisites.
After you have created the necessary directory connectors, you need to set up a connector for RADIUS Solution that can be used by the VSA IDM to connect to the RADIUS server.
To create the RADIUS connector, do the following steps:
Log in to the IDM Dashboard with an admin account.
Click Connectors > RADIUS on the left sidebar.
Fig 3: Create RADIUS Connector
Click + CREATE on the upper-right corner to create a new connector or click the "pencil" icon of a template RADIUS connector from the list to edit.
Select the connector Type from the list. The available types are:
Generic RADIUS Connector
Dedicated RADIUS Connector
V-Key Proxy Radius
If you are creating a new RADIUS connector, assign a Name to the connector, e.g., RADIUS-VPN Connector.
Generic RADIUS Connector and V-Key Proxy Radius
If you have selected the Type as Generic RADIUS Connector or V-Key Proxy Radius, do the following steps to configure the connector:
After entering the Name, enter the IP address of the VPN server in the IP Address field.
Fill the Shared Secret field with the password that is used at your VPN server. You can obtain the password from your VPN server.
Note: If your VPN service does not have a fixed IP address, you need to request a static IP dedicated to your VPN service from V-OS Cloud (additional charges may apply) and fill the IP Address field with the static IP assigned.
Note: For Generic RADIUS Connector, if you use the static IP address assigned by V-OS Cloud, you must use the same IP address in the RADIUS Endpoint Information, instead of the default "RADIUS.cloud.v-key.com" indicated on the page.
The IP Address/Domain and Port information in the RADIUS Endpoint Information section are auto-generated. Make note of the RADIUS connector values to configure them at your VPN RADIUS server.
Click Save to create the RADIUS connector.
Dedicated RADIUS Connector
If you have selected the Type as Dedicated RADIUS Connector, do the following steps to configure the connector:
After entering the Name, fill the Shared Secret field with the password that is used at your VPN server.
You can obtain the password from your VPN server. The Dedicated RADIUS Connector does not require an IP Address under the VPN Server Information section.
The Port information in the RADIUS Endpoint Information is auto-generated. The IP Address/Domain shows "Awaiting for IP assignment", and its value is generated once the connector is saved.
Click Save to create the RADIUS connector.
Note: At your VPN router, UDP port 1812 must be opened in the outbound rules/policies of your network to allow the VSA RADIUS connector to communicate with the VPN router through this port.
Configure Service Instance
After the RADIUS connector is created, you can create the third party service instance and assign the directory and RADIUS connector to the third party service instance. The assigned connector will be used for authenticating the third party service access.
Add New Service Instance
To create the service instance and add connectors to it, do the following steps:
Log in to the VSA IDM portal with an Admin account.
Click Services on the left sidebar.
Fig 4: Services
Click Create to add new service and select the service RADIUS.
Select the Subscription and Token Pack from each of the drop-downs.
Enter an Instance Name for easy identification.
Fig 5: Create New Services Instance
Select the directory connector for VPN from the Directory drop-down or click Create new, if a directory has not yet been created.
From the RADIUS drop-down, select the RADIUS connector. If a connector has not yet been created, click Create New.
Select Save to save the changes.
Edit Service Instance
To edit an existing service instance, do the following steps:
Log in to the VSA IDM portal with an Admin account.
Click Services on the left sidebar.
Click the "pencil" icon of the RADIUS service instance that you want to edit.
Edit the Instance Name and Description as required.
To edit the Directory configuration
Click on the field to expand the drop-down and select a different Directory, or
Click the pencil icon on the right to modify the configuration of the selected Directory. You will be redirected to the configuration page to make any necessary changes.
To edit the Radius Connector configuration
Click on the field to expand the drop-down and select a different Connector, or
Click the pencil icon on the right to modify the configuration of the selected Connector. You will be redirected to the Edit RADIUS Connector page.
Click Save to save the changes made.
Configure Token Pack
After the service instance is set up and started, you can check the token pack configurations. A token pack is a QR code that contains the primary directory connector that is used for authenticating the users while they are logging in to the V-Key app. The token pack also contains the configurations of the server environment that you have set up and the service instances that you have subscribed to. The token pack is created at the time the subscription is created for Tenants.
To check and configure the token pack, do the following steps:
Log in to the VSA IDM portal with an admin account.
Click Token Packs on the left sidebar.
Click the "pencil" icon of the pre-generated token pack from the list.
Fig 6: Configure Token Pack
Check the Token Pack configurations.
Fig 7: Edit Token Pack
Click the icon field and assign an icon to the token pack, if desired.
Select the Primary Directory and Theme to be assigned to the token pack from the respective dropdown.
Note: The Primary Directory is the directory used for authenticating users of the VSA app. It can be the same or different directory configured in the service instance. The Theme is the theme that you wish to apply to your V-Key app when this token pack is used. You can configure different themes for different token packs.
Pick the desired Service that you want to enable in the token pack.
Fig 8: Service Selection
Note: A token pack can contain the 2FA services for multiple services. If you are intending to have multiple services under the same token pack, select the service accordingly by toggling the "power plug" icon.
Click Save if you have made changes to token pack.
2FA for VPN/RADIUS Flow Diagram
Fig 9: VPN 2FA Flow Diagram
End-user logs in to the VPN client app.
Primary authentication is initiated to the RADIUS service.
An authentication request is triggered to the RADIUS connector.
Primary authentication using directory connector integrating with the organization's directory service.
Secondary authentication is triggered by V-Key's PKI Suite.
The end-user uses the VSA app to approve the login request.
VSA IDM receives an authentication response.
VSA IDM replies to the RADIUS server.
VPN client access is granted.
VPN Client Configurations and Authentication
After you have completed account activation on the VSA app, you can start configuring your VPN client application on your Mac, PC, or mobile device, if you have not done so. If you were using the VPN client application to access VPN previously, most likely you don't need to change any of the current configurations.
Contact your IT for the configurations on the VPN client application. The following configurations need to be done if you are using the VPN client application for the first time.
Set the VPN Server address of your organization, e.g. vpn.domain.com.
Fill in Account name and select the User authentication type.
Enter the Shared secret for Machine authentication. Check with your IT if you are not sure.
Save your configurations. This completes the VPN configuration steps.
You can now connect to VPN with the configurations you have done in the previous steps. Upon connection, a push notification for authentication will be sent to the VSA app.
Fig 10: Push Notification for Authentication
Based on the Authentication Preferences set in the VSA App, input the PIN/biometrics if applicable and select Approve to authenticate the VPN connection request.
Upon successful authentication, you should be connected to the VPN.
Fig 11: Authentication Successful