MFA for VPN (CyberArk Identity Connector as a RADIUS server)

This tutorial is intended to guide you through the steps for using CyberArk Identity with your RADIUS client to provide a second authentication layer. For example, if a VPN concentrator uses RADIUS for authentication, you can configure email as a secondary authentication requirement. A typical work flow is when a RADIUS client (like a VPN server) uses the CyberArk Identity Connector as a RADIUS server to authenticate an incoming user connection.

Step 1: Install an CyberArk Identity Connector

You need a connector for integrating Active Directory with CyberArk Identity to authenticate users using their domain user accounts.

Skip this section if you have done it as part of another tutorial.

The CyberArk Identity Connector is a multipurpose service that provides support for key features and enables secure communication between other services on your internal network or a cloud instance. Not all services require a connector, however. For example, if all users are CyberArk Cloud Directory user accounts, the connector isn’t required.

You must have at least one connector for the following use cases.

Use case	Description
Use Active Directory or LDAP as a directory service	This topic describes how to install the CyberArk Identity Connector to integrate your Active Directory/LDAP service with CyberArk Identity. The CyberArk Identity Connector adds AD as a directory service by enabling secure communication between CyberArk Identity and your AD domain. The CyberArk Identity Connector is installed on your network inside the firewall, runs on domain-joined Windows server, and monitors AD for changes to users and groups. It also monitors Active Directory for group policy changes, which it sends to CyberArk Identity to update enrolled devices. AD changes are synced to CyberArk Identity every 10 minutes by default.
Manage application access with App Gateway	With App Gateway, you can configure on-premise applications for off-site access without requiring a VPN connection. For more information, see App Gateway.
Enforce MFA on VPN clients that support RADIUS	Configure the connector as a RADIUS server to enforce MFA on RADIUS clients. Refer to MFA for VPNs and VDIs for more information.

Use case

Description

Use Active Directory or LDAP as a directory service

This topic describes how to install the CyberArk Identity Connector to integrate your Active Directory/LDAP service with CyberArk Identity. The CyberArk Identity Connector adds AD as a directory service by enabling secure communication between CyberArk Identity and your AD domain.

The CyberArk Identity Connector is installed on your network inside the firewall, runs on domain-joined Windows server, and monitors AD for changes to users and groups. It also monitors Active Directory for group policy changes, which it sends to CyberArk Identity to update enrolled devices. AD changes are synced to CyberArk Identity every 10 minutes by default.

Manage application access with App Gateway

With App Gateway, you can configure on-premise applications for off-site access without requiring a VPN connection.

For more information, see App Gateway.

Enforce MFA on VPN clients that support RADIUS

Configure the connector as a RADIUS server to enforce MFA on RADIUS clients.

Refer to MFA for VPNs and VDIs for more information.

Requirements

The machine you are installing the connector on should meet the following requirements:

Windows Server 2012 or later
8 GB of memory, of which 4 GB should be available for connector cache functions
2 core CPU
Has Internet access so that it can access the CyberArk cloud services.
Has a GlobalSign Root CA - R3 certificate installed in the Local Machine Trusted Certificate root authorities store.

Refer to https://support.globalsign.com/ca-certificates/root-certificates/globalsign-root-certificates for more certificate detail.
Microsoft .NET version 4.5 or later; if it isn’t already installed, the installer installs it for you.
Be a server that is always running and accessible.

Industry best practice recommends that you do not install the connector on the same server as the domain controller. Domain controllers are single-purpose systems.

To install a connector on a host computer

Log in using the domain administrator account that has sufficient permissions to install the connector.
Download the CyberArk Identity Connector package.
1. Open the Identity Administration portal.
2. Click Settings >Network > CyberArk Identity Connectors > Add CyberArk Identity Connector.
3. Click 64-bit in the Download pane.
  
  The download begins.
Extract the files.
Double-click the installation program: CyberArk Installer.

In the file name, rr.r indicates the release version and aa indicates the processor architecture (64-bit).
Click Yes to continue if the User Account Control warning displays.
Click Next on the Welcome page.
Review the End User Software License and Services Agreement, accept the terms of agreement, then click Next.
Select the components to install, then click Next.

The default is to install all components. Use the description on the installation UI determine what you want to install.
Click Install > Finish to open a second installation wizard.

This second installation wizard initiates the connection between Active Directory and your CyberArk Identity tenant.
Click Next on the Welcome page.
Type the administrative user name and password for your CyberArk Identity account, then click Next.
Click Next unless you are using a proxy to connect to the internet.
(Optional) Specify your domain if you want to synchronize deleted objects in Active Directory/LDAP with CyberArk Identity, then click Next.

If you want to synchronize deleted objects, make sure you are logged in as a domain administrator.
Click Next if all of the tests are successful.

As the final step, the connector registers your customer identifier with your tenant, then runs in the background as a Windows service.
Click Finish to complete the configuration and open the connector configuration panel, which displays the status of the connection and your customer ID.
Click CyberArk Identity Connector to view or change any of the default settings.
Click Close.

Step 2: Assign domain users or groups to System Administrator role

Skip this section if you have done it as part of another tutorial.

It is a best practice to secure your default administrator account by using your own personal account to administer CyberArk Identity. Assigning domain users or groups to the System Administrator role allows you to log in to CyberArk Identity with domain credentials. This also allows you to centrally manage CyberArk administrator access through Active Directory. If you do not have Active Directory, you can add users from LDAP, Google Workspace, or create users in the CyberArk Directory.

To assign domain users or groups to role

Log in to the Identity Administration portal using the credentials provided in your welcome email.
Click Core Services > Roles.
Click the System Administrator role.
Click Members > Add button.

Search for the relevant domain user(s) and/or group(s) you want to grant administrative rights to the Identity Administration portal.

The domain user should NOT match your Active Directory user name.

Distribution groups and local groups display in the filter; however, only security groups are supported.
Click Add.

The Add Members page closes.
Click Save.

You can now log in with your domain credentials to the Identity Administration portal.

Step 3: Configure the connector as a RADIUS server

Make configuration changes in the Identity Administration portal to designate the connector as a RADIUS server, define the RADIUS client information, and define the requirements for a secondary authentication mechanism.

To configure the Identity Administration portal

Log in to the Identity Administration portal.
Configure the connector to be a RADIUS server.
1. Click Settings > Network > CyberArk Identity Connector.
2. Select an existing connector or add a new one.
3. Click RADIUS.
4. Select the Enable incoming RADIUS connections checkbox.
5. Provide the port number in which the CyberArk Identity Connector talks to CyberArk Identity.
  
  The default port number is 1812.
6. Click Save.
Define the RADIUS client information.
1. Click Authentication > RADIUS Connections > Client tab > Add to configure your RADIUS client.
  
  A RADIUS client can be VPN server, wireless access point, etc.
2. Enter the required information.
  - The Client Hostname or IP Address field is expecting the hostname or IP address of the RADIUS client.
  - The Client Secret field is expecting a shared secret key for the RADIUS client and CyberArk Identity. If you have entered a secret key on your RADIUS client, then enter that same key here. The keys must match to enable authentication. If you are creating a new secret key, best practices recommend 22 or more characters in length.
3. Click Save.
Enable the RADIUS client connection and define the secondary authentication requirement.

Click Polices > Default Policy.
Click User Security Policies > RADIUS.
Select Yes in the Allow RADIUS client connections dropdown.

This setting allows users to authenticate with the RADIUS client.
Select the Require authentication challenge checkbox to require that users provide a secondary authentication mechanism to log in via the RADIUS client.
Select Add New Profile from the Authentication Profile dropdown.
Select Password for the first challenge.
Select any mechanism except for Password, 3rd Party RADIUS Authentication, and FIDO2 Authenticator(s) for the second challenge.

Phone call and SMS challenges are disabled by default for trial customers. Email trial.help@idaptive.com to enable these challenges.

Click Save.

Step 4: Configure your VPN for RADIUS authentication

The steps for configuring a RADIUS client to work with the CyberArk Identity Connector vary for each client, model, and firmware. We have provided configuration examples for Cisco VPN, Juniper VPN, and Palo Alto VPN.

At a high level, you consistently need the following information regardless of the RADIUS client device:

IP address of the CyberArk Identity Connector
The secret key you provide to the RADIUS client and the Identity Administration portal must match exactly

The CyberArk Identity Connector only supports the PAP authentication method.

Configuring Cisco VPN

On the Cisco ASDM for ASA interface, create an IP Name object for the target.
1. Navigate to Firewall, expand Objects, and select IP Names.
2. Click Add and enter a descriptive name (for example, CyberArk IdentityRADIUS), the IP address of the CyberArk Identity Connector, and a description (for example, CyberArk Identity RADIUS Bridge).
3. Click OK then Apply.
Create a AAA server group.
1. Go to Configuration > Remote Access VPN > AAA/Local Users > AAA Server Group, then click Add.
2. Enter a server group name.
3. Confirm that the RADIUS protocol is selected.
4. Accept the default for the other settings and click OK.
Add the RADIUS server to the server group.
1. Select the newly created server group, then click Add.
2. Under the Interface Name, select the interface on the ASA that will have access to the RADIUS server.
3. Enter the following values for the fields below.
  - Server Name or IP Address Enter the hostname or IP address of the connector.
  - Timeout: 30 seconds
  - Server Authentication Port: 1812
  - Server Accounting Port: 1813
  - Retry Interval: 10 seconds
  - Server Secret Key Eenter the secret key that you entered in CyberArk Identity the Identity Administration portal interface.
  - Common Password Re-enter the pass phrase/secret key.
  - Microsoft CHAPv2 Capable: Unselected
4. Accept the default for the other settings, then click OK.

(Optional) Configure Cisco to use CyberArk for only the secondary authentication factor.

Go to Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles, then select your connection profile and click Edit.
Select Advanced > Authentication and verify that the appropriate server group is selected for your primary authentication.

Since the purpose of this step is to continue with your existing primary authentication and only use CyberArk for secondary factors, you shouldn't have to make any changes.
Select Advanced > Secondary Authentication and select the server group created previously.

Select Secondary for the following options, then click OK.

Attributes Server
Session Username Server

This configuration changes the user login experience; the login UI presents additional fields for secondary authentication:

In the Second Username field, users enter a username that exists in CyberArk Identity.

In the Second Password field, users enter either a factor type to trigger the challenge, or a factor value, depending on the mechanisms enabled in the authentication profile.

Mechanism	What users enter	Result
Email	`Email`	The user receives an email to advance authentication.
Security question	`SQ/<The answer to the security question>`	Successful authentication.
Oath OTP	`OathOTP/<The value of the OTP>`	Successful authentication.
Mobile	`Mobile`	The user receives a push notification on their mobile device to advance authentication.
Phone	`Phone`	The user receives a phone call to advance authentication.
SMS	`SMS`	The user receives a text message to advance authentication.

Configure the AnyConnect client profile.
1. Go to Configuration > Remote Access VPN > Network (client) Access > AnyConnect Client Profiles.
2. Select an existing profile (or add a new one), then click Edit.
3. Go to Preferences (Part 2), then scroll to the bottom and change the value for Authentication Timeout (seconds) to 60.
4. Click OK to return to the list of AnyConnect Client Profiles, then click Apply to apply your changes.

Configure Citrix VPN

Log into the Citrix Gateway (NetScaler Virtual Appliance 450010) with admin rights.

The following procedures were tested on a Citrix ADC VPX Virtual Appliance 450010 running Citrix Gateway 13.0. The UI might vary depending on your hardware and software version.
Navigate to the Configuration tab.
Expand Citrix Gateway > Policies > Authentication > RADIUS.

You might have to click continue at the bottom of the wizard to expose the menu.
Add and configure a RADIUS server.
1. In the main body configuration for RADIUS select the Servers tab, then click Add.
2. Provide the following information for the Server settings
  - Server: The hostname or IP address of the connector.
  - Secret: The Client Secret that you entered in the RADIUS client settings in the Identity Administration portal.
  - Port: 1812
  - Time-out(seconds): 30
3. Click the Details (or More) drop-down menu and verify that Password Encoding is set to pap.
4. Click OK to save the Server definition
Add and configure a RADIUS policy.
1. Click on the Policies tab, then click Add.
2. Give the policy a name.
3. Click the Server* drop-down menu, then select the Server Entry you created.
4. In the Expression window, enter ns_true for the value.
  
  This setting sets this policy to be active whenever it is bound to a VIP. You can create a more restrictive expression to allow for more control over when this RADIUS policy is used.
5. Click OK to save the policy.
(Use CyberArk for primary and secondary authentication) Bind the RADIUS policy to the virtual server.
1. Go to Citrix Gateway > Virtual Servers, then click the virtual server that you want to bind to your RADIUS policy.
2. Scroll to the Authentication section and unbind any existing policies, then close the Authentication sub-window.
3. Back in the Virtual Server configuration screen, in the Basic Authentication section, select + (plus) on the right hand side of the section title.
4. Select RADIUS in the Choose Policy option .
5. Select Primary in the Choose Type option, then click Continue.
6. In the Policy Binding section, click > to select the RADIUS policy that you created previously.
  
  Click the radio button to the left of the policy, then click OK (or Select).
7. Set the Priority to 10, then click Bind.
8. In the VPN Virtual Server configuration screen scroll to the end, then click Done.

(Use CyberArk for only secondary authentication) Bind the RADIUS policy to the virtual server.

To use CyberArk for secondary authentication, the same user account as your primary authentication must also exist in CyberArk Identity.

Go to Citrix Gateway > Virtual Servers, then click the virtual server that you want to bind to your RADIUS policy.
Scroll to the Authentication section and unbind any existing policies for Secondary Authentication, then close the Authentication sub-window.
Back in the Virtual Server configuration screen, in the Basic Authentication section, select + (plus) on the right hand side of the section title.
Select RADIUS in the Choose Policy option .
Select Secondary in the Choose Type option, then click Continue.
In the Policy Binding section, click > to select the RADIUS policy that you created previously.

Click the radio button to the left of the policy, then click OK (or Select).
Set the Priority to 10, then click Bind.

In the VPN Virtual Server configuration screen scroll to the end, then click Done.

This configuration changes the user login experience; the login UI presents an additional field for secondary authentication:

In the Secondary Password field, users enter either a factor type to trigger the challenge, or a factor value, depending on the mechanisms enabled in the authentication profile.

Mechanism	What users enter	Result
Email	`Email`	The user receives an email to advance authentication.
Security question	`SQ/<The answer to the security question>`	Successful authentication.
Oath OTP	`OathOTP/<The value of the OTP>`	Successful authentication.
Mobile	`Mobile`	The user receives a push notification on their mobile device to advance authentication.
Phone	`Phone`	The user receives a phone call to advance authentication.
SMS	`SMS`	The user receives a text message to advance authentication.

Install the Citrix gateway plugin on the user's computer.
1. Open a browser and connect to vpn server.
2. Enter user name, password, and second challenge.
3. Select Network Access after authentication.
4. Download the Citrix gateway plugin.
5. Install the .dmg file (Mac) or .msi file (Windows).
6. Install the server certificate to Keychain Access (Mac) or the Trusted Root Certification Authorities store (Windows).

Configure Juniper VPN

Open the Juniper Secure Networks Secure Access SSL-VPN Central Manager.
Navigate to Authentication > Authentication Servers > New Server.
Provide the following information:
- Name: Descriptive name such as CyberArk RADIUS.
- NAS-Identifier: Descriptive name such as Juniper.
- Radius Server: IP address of the CyberArk Identity Connector.
- Authentication port: 1812
- Shared Secret: The secret key that you entered in the Identity Administration portal interface.
- NAS-IP-Address: IP address of the Juniper device.
- Timeout: 30 seconds
- Retries: 0
- Users authenticate using tokens or one-time password: leave unchecked.
Click Save Changes.
Click New Radius Rule to add a new custom rule and provide the following information:
- Name: A descriptive name
- Response Packet Type: Access-Challenge
- Reply-Message -- matches the expression: (.*)
- Show GENERIC LOGIN page: Enable the checkbox
Click Save Changes.
Create another rule for the Access Reject packet type by clicking Radius New Rule and providing the following information:
- Name: Enter a descriptive name
- Response Packet Type: Access-Reject
- Reply-Message - matches the expression: (.*)
- Show GENERIC LOGIN page: Enable the checkbox
Click Save Changes.

When you are done configuring the authentication rules, they should look similar to the following:
- rule_1 - Access Challenge - (Reply-Message matches the expression "(.*)")
- rule_2 - Access Reject - (Reply-Message matches the expression "(.*)")
Add the newly created CyberArk RADIUS realm to the authentication realm.
1. Click Authentication > Signing In > the relevant User URL.
2. Move the newly created realm from the "Available realms" area to the "Selected realms" area.
Click Save Changes.

Configure Palo Alto Networks VPN

Log in to the Palo Alto Networks device administration interface.
Add a server profile.
1. Navigate to Device, Server Profiles, RADIUS, then click Add.
2. Enter a name for the profile.
3. Provide the following information for the Server settings:
  - Timeout (Sec): 60
  - Authentication Protocol: PAP
  - Retries: 1
4. Navigate to Servers and click Add to add a RADIUS server profile.
5. Provide the following information:
  - Name: Enter a descriptive name to identify this RADIUS server, such as CyberArk RADIUS.
  - RADIUS Server: The hostname or IP address of the CyberArk Identity Connector.
  - Secret: The Client Secret that you entered in the RADIUS client settings in the Identity Administration portal.
  - Port: 1812
6. Click OK to save the profile.
Create an authentication profile.
1. Navigate to Device, Authentication Profile, click Add to enter a Name for the profile.
2. In the Authentication tab, select RADIUS from the Type drop-down menu.
3. Select the Server Profile you created for accessing your RADIUS server (for example, CyberArk RADIUS).
4. Click OK to save the authentication profile.
Configure the gateway(s).
1. Click the Network tab and select GlobalProtect > Gateways and select a configuration to open GlobalProtect Gateway Configuration.
2. Click the Authentication tab, and then select a configuration.
3. Click the Authentication Profile field and from the drop-down menu select the authentication profile you created.
4. Enter an Authentication Message to let users know what authentication credentials to use.
5. Go to Agent > Client Settings, then select a configuration.
6. Go to the Authentication Override tab, then select the following options.
  - Generate cookie for authentication override
  - Accept cookie for authentication override
7. Click OK to save the configuration.
Configure the portal(s).
1. Click Network > GlobalProtect > Portals, then select a configuration (or add a new one) to open GlobalProtect Portal Configuration.
2. Click the Authentication tab, then select a Client Authentication configuration or add a new one.
3. Enter a Name if this is a new Client Authentication configuration.
4. Click the Authentication Profile field and from the drop-down menu select the authentication profile you created , then click OK.
5. Click the Agent tab, then select a configuration, or add a new one.
6. Enter a Name if this is a new Agent configuration.
7. On the Authentication tab, then select the following options, then click OK.
  - Generate cookie for authentication override
  - Accept cookie for authentication override
Set the global-protect timeout on the firewall device to 60 seconds.
1. Connect to the firewall device via SSH.
2. Enter the following commands:
```
> configure

# set deviceconfig setting global-protect timeout 60
# commit
# exit
```
Commit changes.