SurePassID RADIUS Server Service – Initial Troubleshooting
This checklist focuses on the most common configuration and startup issues.
Before continuing, confirm:
- The SurePassID Authentication Server (SPAS) is installed and accessible
- The SurePassID RADIUS Server Service is installed on Windows
- You have administrator access to both systems
1. Configure API Key Pair in SPAS
The RADIUS Server Service must authenticate to SPAS using an API key pair.
Confirm the following in SPAS:
- An **Application (API) Key** is created
Confirm the following in the RADIUS Server Service configuration:
- Correct **API Key ID**
- Correct **API Secret**
Security requirements:
- Do not store API keys in plain‑text files or emails
- Store keys in a secure password vault or secrets manager
If the API key information is incorrect, the RADIUS service will not be able to validate users.
2. Verify Network Port Access (Firewall)
RADIUS authentication uses UDP and will fail silently if blocked.
Default requirements:
- **UDP port 1812** allowed
- Traffic allowed **from each RADIUS client** (firewalls, VPNs, network devices)
- Traffic allowed **to the Windows server** running the SurePassID RADIUS Server Service
Additional checks:
- No upstream firewall, IPS, or security device is blocking or rate‑limiting UDP traffic
If a custom RADIUS port is used, all systems must be updated to match.
3. Confirm RADIUS Listening Port
In the RADIUS Server Service configuration:
- The service is set to **listen on UDP 1812** (default)
- If a custom port is configured:
  - The same port is configured on all RADIUS clients
Ensure:
- No other service is bound to the same UDP port
4. Verify RADIUS Client IPs and Shared Secrets
For each RADIUS client:
- The **source IP address** is defined in the RADIUS Server Service
- The **shared secret** matches exactly
Important notes:
- Shared secrets are **case‑sensitive**
- Trailing spaces will cause failures
- NAT, HA pairs, or load balancers may change the source IP
The IP defined in the RADIUS configuration must match the actual source IP of the request.
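Why a near-miss shared secret fails: the sketch below is an added example, not SurePassID code, that implements the standard RADIUS User-Password hiding from RFC 2865 section 5.2 and compares an exact secret with one that differs only in case or a trailing space. The secret and password values are constructed samples, and `compare_secrets` is a hypothetical helper name.

```python
# Added illustration (not SurePassID code): RFC 2865 section 5.2 User-Password
# hiding, showing why a near-miss shared secret breaks authentication.
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: encode User-Password as a RADIUS client does."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block  # the next block is keyed on this ciphertext block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: decode with the secret configured for this client IP."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def compare_secrets(client_secret: bytes, server_secret: bytes) -> bool:
    """Hypothetical helper: True if the server recovers what the client sent."""
    authenticator = os.urandom(16)         # 16-byte Request Authenticator
    password = b"constructed-OTP-123456"   # constructed sample value
    hidden = hide_password(password, client_secret, authenticator)
    return reveal_password(hidden, server_secret, authenticator) == password


if __name__ == "__main__":
    base = b"Constructed-Secret"  # constructed sample secret
    for label, other in [("exact match", base),
                         ("case differs", base.lower()),
                         ("trailing space", base + b" ")]:
        print(f"{label:15} -> decodes correctly: {compare_secrets(base, other)}")
```

With any mismatch the server decodes unrelated bytes instead of the submitted password, so the symptom looks like bad user credentials rather than a configuration error.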
5. Verify SurePassID Authentication Server (SPAS) Server URL
Confirm the RADIUS Server Service is configured with the correct SPAS URL.
For Support
Need additional help? SurePassID offers several means of support:
- SurePassID Knowledgebase: https://support.surepassid.com
- Open a support ticket: helpdesk@surepassid.com
- Call for support: 1-800-200-8144