MFA for VPN (CyberArk Identity Connector as a RADIUS server)

This tutorial is intended to guide you through the steps for using CyberArk Identity with your RADIUS client to provide a second authentication layer. For example, if a VPN concentrator uses RADIUS for authentication, you can configure email as a secondary authentication requirement. A typical workflow is when a RADIUS client (like a VPN server) uses the CyberArk Identity Connector as a RADIUS server to authenticate an incoming user connection.

Step 1: Install a CyberArk Identity Connector

You need a connector for integrating Active Directory with CyberArk Identity to authenticate users using their domain user accounts.

Skip this section if you have done it as part of another tutorial.

The CyberArk Identity Connector is a multipurpose service that provides support for key features and enables secure communication between other services on your internal network or a cloud instance. Not all services require a connector, however. For example, if all users are CyberArk Cloud Directory user accounts, the connector isn’t required.

You must have at least one connector for the following use cases.

Use case: Use Active Directory or LDAP as a directory service

Description: This topic describes how to install the CyberArk Identity Connector to integrate your Active Directory/LDAP service with CyberArk Identity. The CyberArk Identity Connector adds AD as a directory service by enabling secure communication between CyberArk Identity and your AD domain.

The CyberArk Identity Connector is installed on your network inside the firewall, runs on a domain-joined Windows server, and monitors AD for changes to users and groups. It also monitors Active Directory for group policy changes, which it sends to CyberArk Identity to update enrolled devices. AD changes are synced to CyberArk Identity every 10 minutes by default.

Use case: Manage application access with App Gateway

Description: With App Gateway, you can configure on-premise applications for off-site access without requiring a VPN connection.

For more information, see App Gateway.

Use case: Enforce MFA on VPN clients that support RADIUS

Description: Configure the connector as a RADIUS server to enforce MFA on RADIUS clients.

Refer to MFA for VPNs and VDIs for more information.

Step 2: Assign domain users or groups to System Administrator role

Skip this section if you have done it as part of another tutorial.

It is a best practice to secure your default administrator account by using your own personal account to administer CyberArk Identity. Assigning domain users or groups to the System Administrator role allows you to log in to CyberArk Identity with domain credentials. This also allows you to centrally manage CyberArk administrator access through Active Directory. If you do not have Active Directory, you can add users from LDAP, Google Workspace, or create users in the CyberArk Directory.

To assign domain users or groups to a role

  1. Log in to the Identity Administration portal using the credentials provided in your welcome email.
  2. Click Core Services > Roles.
  3. Click the System Administrator role.
  4. Click Members > Add button.
  5. Search for the relevant domain user(s) and/or group(s) you want to grant administrative rights to the Identity Administration portal.

    The domain user should NOT match your Active Directory user name.

    Distribution groups and local groups display in the filter; however, only security groups are supported.

  6. Click Add.

    The Add Members page closes.

  7. Click Save.

    You can now log in with your domain credentials to the Identity Administration portal.

Step 3: Configure the connector as a RADIUS server

Make configuration changes in the Identity Administration portal to designate the connector as a RADIUS server, define the RADIUS client information, and define the requirements for a secondary authentication mechanism.

To configure the Identity Administration portal

  1. Log in to the Identity Administration portal.
  2. Configure the connector to be a RADIUS server.

    1. Click Settings > Network > CyberArk Identity Connector.

    2. Select an existing connector or add a new one.

    3. Click RADIUS.

    4. Select the Enable incoming RADIUS connections checkbox.

    5. Your VPN server and the connector must be able to communicate. Confirm with your network administrator that your corporate firewall rules are not blocking this connection, for example if your VPN server is in the DMZ.

    6. Provide the port number on which the CyberArk Identity Connector talks to CyberArk Identity.

      The default port number is 1812.

    7. Click Save.

  3. Define the RADIUS client information.

    1. Click Authentication > RADIUS Connections > Client tab > Add to configure your RADIUS client.

      A RADIUS client can be a VPN server, wireless access point, etc.

    2. Enter the required information.

      • The Client Hostname or IP Address field expects the hostname or IP address of the RADIUS client.

      • The Client Secret field expects the shared secret key for the RADIUS client and CyberArk Identity. If you have already entered a secret key on your RADIUS client, enter that same key here. The keys must match to enable authentication. If you are creating a new secret key, best practices recommend 22 or more characters in length.

    3. Click Save.

  4. Enable the RADIUS client connection and define the secondary authentication requirement.
    1. Click Policies > Default Policy.
    2. Click User Security Policies > RADIUS.
    3. Select Yes in the Allow RADIUS client connections dropdown.

      This setting allows users to authenticate with the RADIUS client.

    4. Select the Require authentication challenge checkbox to require that users provide a secondary authentication mechanism to log in via the RADIUS client.
    5. Select Add New Profile from the Authentication Profile dropdown.
    6. Select Password for the first challenge.
    7. Select any mechanism except for Password, 3rd Party RADIUS Authentication, and FIDO2 Authenticator(s) for the second challenge.
    8. Phone call and SMS challenges are disabled by default for trial customers. Email to enable these challenges.

    9. Click Save.

Step 4: Configure your VPN for RADIUS authentication

The steps for configuring a RADIUS client to work with the CyberArk Identity Connector vary for each client, model, and firmware. We have provided configuration examples for Cisco VPN, Juniper VPN, and Palo Alto VPN.

At a high level, you consistently need the following information regardless of the RADIUS client device:

  • IP address of the CyberArk Identity Connector
  • The secret key you provide to the RADIUS client and the Identity Administration portal must match exactly

The CyberArk Identity Connector only supports the PAP authentication method.