Configure the CyberArk Identity Connector for use as a RADIUS client
You can use your existing RADIUS server for user authentication into CyberArk Identity by enabling communication between your RADIUS server and the CyberArk Identity Connector (acting as a RADIUS client). The high-level steps are:
- Configure the RADIUS server to recognize the connector as a valid RADIUS client. See Configure a RADIUS server.
- Make configuration changes in the Identity Administration portal to add RADIUS server information, designate the connector as a RADIUS client, and define your authentication requirements to include RADIUS. See Configure the Identity Administration portal (connector as a RADIUS client).
If you have multiple connectors enabled for use as RADIUS clients, CyberArk Identity prioritizes connection with the connectors in the following order:
- Connectors from the same IP address as the user
- Randomly chooses a connector if more than one is from the same IP address as the user
- Chooses the best subnet match
- Randomly chooses a connector if none of the above are available
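The connector priority order above, worked through as an added example (not CyberArk code): the connector record layout is an assumption, and "best subnet match" is interpreted here as the longest matching prefix of each connector's configured network.

```python
"""Pick the connector CyberArk Identity would prefer for a user's RADIUS
request, following the four-step priority order stated above.
Added example; connector records and the longest-prefix reading of
"best subnet match" are assumptions, not documented behaviour."""
import ipaddress
import random


def select_connector(user_ip: str, connectors: list, rng=random) -> dict:
    """Return the connector chosen for a user connecting from user_ip.

    Each connector is an assumed dict: {"name", "ip", "subnet": "a.b.c.d/n"}.
    """
    if not connectors:
        raise ValueError("no RADIUS-enabled connectors available")
    user = ipaddress.ip_address(user_ip)

    # Steps 1 and 2: connectors on the same IP as the user; random pick if several.
    same_ip = [c for c in connectors if ipaddress.ip_address(c["ip"]) == user]
    if same_ip:
        return rng.choice(same_ip)

    # Step 3: best subnet match, taken as the longest prefix containing the user.
    def network(c):
        return ipaddress.ip_network(c["subnet"], strict=False)

    in_subnet = [c for c in connectors if user in network(c)]
    if in_subnet:
        return max(in_subnet, key=lambda c: network(c).prefixlen)

    # Step 4: nothing matched; any connector at random.
    return rng.choice(connectors)


# Constructed connector inventory (example values only).
CONNECTORS = [
    {"name": "conn-hq-a", "ip": "10.1.2.10", "subnet": "10.1.0.0/16"},
    {"name": "conn-hq-b", "ip": "10.1.2.11", "subnet": "10.1.2.0/24"},
    {"name": "conn-dc2", "ip": "10.9.0.5", "subnet": "10.9.0.0/16"},
]

if __name__ == "__main__":
    for ip in ("10.1.2.10", "10.1.2.200", "10.1.7.4", "192.0.2.9"):
        print(ip, "->", select_connector(ip, CONNECTORS)["name"])
```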
Configure a RADIUS server
You configure the RADIUS server to recognize the connector as a valid RADIUS client. The following RADIUS server configuration procedures use the RSA Authentication Manager’s RADIUS interface as an example. Your procedure may differ slightly if you are using a different RADIUS server.
Regardless of which RADIUS server you use, you always need the following information:
- IP address of the CyberArk Identity Connector
- The secret key, which you provide to both the RADIUS server and the Identity Administration portal; the two values must match exactly
- Log in to the Authentication Manager Security Console with “SuperAdmin” or “Auth Mgr Radius Admin” rights.
- Click RADIUS Clients > Add New in the RADIUS area.
- Provide the required information.
- Click Save and Create Associated RSA Agent.
Configure the Identity Administration portal (connector as a RADIUS client)
Make configuration changes in the Identity Administration portal to add the RADIUS server information, designate the connector as a RADIUS client, and define your authentication requirements to include RADIUS.
- Log in to the Identity Administration portal.
- Define the RADIUS server information.
  - Click Settings > Authentication > RADIUS Connections > Servers > Add to define the RADIUS server information.
  - Define the relevant information.
    The server name displays to users as one of their MFA mechanism options.
    The Server Secret field takes the secret that is shared between the RSA server and CyberArk Identity. If you have already entered a secret key on your RADIUS server, enter that same key here; the keys must match for authentication to work. If you are creating a new secret key, best practice recommends a length of 22 or more characters.
    (Optional) In the User Identifier Attribute field, you can specify the attribute you want sent to the RADIUS client as the user name for authentication. You can select from the default list or define your own by selecting Custom. Note the following:
    - The CanonicalName default attribute is a computed value and is computed differently for each user type. For example, for Active Directory users it is set to one of the following (in this order):
      - userPrincipalName, if the format is usable (not empty and does not start with "@").
      - The concatenation of sAMAccountName, "@", and the AD domain.
      For CyberArk Identity users, it is computed as the contents of the "Name" field.
    - The UUID default attribute represents the user ID stored in CyberArk Identity.
    - When you define a Custom attribute, the named attribute must match exactly the user attribute name in the directory service. For example, you must use “sAMAccountName” instead of “sam account name” or “mail” instead of “Mail”.
  - Enter the text you want users to see during login in the Response Input Label text field.
  - Click Save.
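The CanonicalName rules and the exact-name requirement for a Custom attribute, worked through as an added example (not CyberArk code): the user record layout, field names and sample accounts are assumptions.

```python
"""Derive the user name used for RADIUS authentication under the
CanonicalName and Custom User Identifier Attribute choices described above.
Added example, not CyberArk code; the dict record layout is an assumption."""


def canonical_name(user: dict) -> str:
    """Compute CanonicalName for one user record (assumed dict layout)."""
    if user["type"] == "ad":
        upn = user.get("userPrincipalName") or ""
        # First choice: userPrincipalName, if usable
        # (not empty and not starting with "@").
        if upn and not upn.startswith("@"):
            return upn
        # Fallback: sAMAccountName + "@" + AD domain.
        sam, domain = user.get("sAMAccountName"), user.get("domain")
        if not sam or not domain:
            raise ValueError("missing sAMAccountName or domain")
        return f"{sam}@{domain}"
    if user["type"] == "cyberark":
        # CyberArk Identity users: the contents of the "Name" field.
        if not user.get("Name"):
            raise ValueError("missing Name")
        return user["Name"]
    raise ValueError(f"unknown user type {user['type']!r}")


def custom_attribute(user: dict, attribute: str) -> str:
    """Look up a Custom attribute by its exact directory name; the lookup is
    case-sensitive, so "Mail" does not find "mail"."""
    if attribute not in user:
        raise KeyError(f"{attribute!r} not present (attribute names are case-sensitive)")
    return user[attribute]


# Constructed sample records; not real accounts.
SAMPLE_USERS = [
    {"type": "ad", "userPrincipalName": "jdoe@corp.example",
     "sAMAccountName": "jdoe", "domain": "corp.example", "mail": "jdoe@corp.example"},
    {"type": "ad", "userPrincipalName": "",  # empty: unusable
     "sAMAccountName": "asmith", "domain": "corp.example"},
    {"type": "ad", "userPrincipalName": "@corp.example",  # leading "@": unusable
     "sAMAccountName": "bwong", "domain": "corp.example"},
    {"type": "cyberark", "Name": "svc.audit@tenant.example"},
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(canonical_name(u))
    print(custom_attribute(SAMPLE_USERS[0], "mail"))
```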
- Configure the connector as a RADIUS client.
  All relevant connectors must be configured.
  - Click Network > CyberArk Identity Connector > select an existing connector or add a new one to designate the connector as a RADIUS client.
    The CyberArk Identity Connector Configuration page opens.
  - Click RADIUS and select the Enable connections to external RADIUS server checkbox.
  - (Optional) Select the Override server secret for this connector checkbox.
    If you do not want all your connectors to have the same shared secret, you can override the secret here and enter a different secret.
  - Click Save.
- Enable 3rd party RADIUS authentication.
  - Click Policies and either select an existing policy set or add a new one.
  - Click User Security Policies > RADIUS.
  - Select Yes in the Allow 3rd Party RADIUS Authentication drop-down menu.
    This setting allows users to authenticate using the RADIUS server.
  - You can click Add RADIUS servers to add any 3rd party RADIUS servers that you want users to access, or you can delete any that you don't want users to access.
  - Click Save.
- Define your authentication requirements to specify when and under which conditions your users will authenticate using the RADIUS server. See Authentication mechanisms for more information. The authentication profile you choose must have the 3rd Party RADIUS Authentication mechanism selected. Users will not be able to authenticate using the RADIUS server until you define the authentication requirements.
Users can now log in to CyberArk Identity by selecting the RADIUS server authentication method and entering the passcode generated by the RADIUS token container application, which mirrors a hardware token, or by a token container running on a mobile device.