Configure the Identity Connector for use as a RADIUS server

To enable communication between your RADIUS client and the connector (acting as a RADIUS server), do the following:

  1. Make configuration changes in the Identity Administration portal to designate the connector as a RADIUS server, add the RADIUS client information, and define the requirement for a secondary authentication mechanism. See Configure the Identity Administration portal (connector as a RADIUS server).
  2. Configure the RADIUS client (for example Cisco VPN, Juniper VPN, and Palo Alto VPN). See Set up a RADIUS client for client configuration details.

Configure the Identity Administration portal (connector as a RADIUS server)

Make configuration changes in the Identity Administration portal to designate the connector as a RADIUS server, define the RADIUS client information, and define the requirement for a secondary authentication mechanism.

To configure the Identity Administration portal as a RADIUS server

Step 1: Configure the connector to be a RADIUS server.

  1. Click Settings > Network > Identity Connector.

  2. Select an existing connector or add a new one.

  3. Click RADIUS.

  4. Select the Enable incoming RADIUS connections checkbox.

    5. Your VPN server and the connector must be able to communicate. Confirm with your network administrator that your corporate firewall rules are not blocking this connection, for example if your VPN server is in the DMZ.

  5. Provide the port number in which the Identity Connector talks to Identity Administration.

    The default port number is 1812.

  6. Click Save.

Step 2: Define the RADIUS client information.

  1. Click Authentication > RADIUS Connections > Client tab > Add to configure your RADIUS client.

    A RADIUS client can be VPN server, wireless access point, etc.

  2. Enter the required information.

    • The Client Hostname or IP Address field is expecting the hostname or IP address of the RADIUS client.

    • The Client Secret field is expecting a shared secret key for the RADIUS client and Identity Administration. If you have entered a secret key on your RADIUS client, then enter that same key here. The keys must match to enable authentication. If you are creating a new secret key, best practices recommend 22 or more characters in length.

    • Leave the Vendor ID field blank.

  3. Click Response.

  4. (Optional) Select the language to use for RADIUS client messages and user communications (Email and SMS).

  5. (Optional) The Include new-line characters in the mechanism selection list prompt option controls how the mechanism list is displayed.

  6. Specify the Wait Timeout (a time, in seconds, the service should wait for an out-of-band response).

  7. Specify the user response option for each authentication mechanism.

    Select Push for users to respond from the mechanism (for example, click a link in the email or tap a link in the text message).

    Select Enter Code for users to manually enter the code on the RADIUS client UI.

  8. Click Save.

Step 3: Enable the RADIUS client connection and define the secondary authentication requirement.

  1. Click Polices and either select an existing policy set or add a new one.

  2. Click User Security Policies > RADIUS.

  3. Select Yes in the Allow RADIUS client connections dropdown.

    This setting allows users to authenticate with the RADIUS client.

  4. Select the Require authentication challenge checkbox to require that users provide a secondary authentication mechanism to log in via the RADIUS client.

  5. RADIUS client.

    1. Click Add Rule.

      The Authentication Rules window appears.

    2. Select the RADIUS client from the drop-down menu.

      This is the client you defined in the previous steps.

    3. Select a filter from the Filter drop-down menu, then click Add.

      Time-base authentication filters for RADIUS always use UTC.

      For example, you can create a rule that requires a specific authentication method when users access Identity Administration from an IP address that is outside of your corporate IP range.

      For more information on defining the filters and conditions, see Create authentication rules.

    4. Select an Authentication Profile from the drop-down menu or Add New Profile.

      Select Password as the first challenge in the profile because the user prompt from the RADIUS client typically defaults to Username/Password, regardless of the authentication mechanism(s) you choose for the first challenge.

      If your first challenge is not Password (for example, it is Mobile Authenticator), then users may not successfully authenticate with the RADIUS client because CyberArk expects a mobile authenticator code; however, users enter their username/password based on the UI prompt.

      Verify that your RADIUS client allows for the selection of an authentication mechanism when multiple mechanisms are available. Some RADIUS clients do not support the selection of an authentication mechanism when more than one mechanism is available. If your authentication profile has more than one mechanism in the second challenge, users will not be authenticated with some RADIUS clients.

      5. See Creating authentication profiles for more information.

      The pass-through option for authentication profiles does not apply to RADIUS connections.

      RADIUS does not support FIDO2 authentication mechanisms.

    5. Click OK.

  6. Select an authentication profile from the Default Authentication Profile drop-down menu to define authentication requirements for all your RADIUS clients or a profile to be used for any clients you did not specify in the previous step.

    For example, users coming in via a RADIUS client not specified will be authenticated using the authentication profile selected here.

    For most RADIUS use cases, select Password for Challenge 1 and the desired factor(s) for Challenge 2. For example:

    If your radius client supports secondary authentication and you are planning to use CyberArk for only the secondary authentication factor, select factors other than password in the Challenge 1 column of the authentication profile. For example:

    Supported factors for secondary authentication only are:

    • Email

    • Security Question

    • OathOTP

    • Mobile Authenticator

    • Phone

    • SMS

    • YubiKey OTP

    For more information, see Create authentication profiles.

Step 4: (Optional) Define custom RADIUS attributes for authentication response.

You can define the RADIUS attributes sent to the RADIUS client. The RADIUS client can then interpret the attributes based on defined standards. For example, you can define a "contract employee" attribute and associate only contract/contingent workers to this Identity Administration policy; then you can configure the RADIUS client with a VPN access policy specifically for contract/contingent workers.

  1. Confirm that you have specified the Vendor ID when you configured your RADIUS client information previously.

  2. Click Policies and either select an existing policy set or add a new one.

  3. Click User Security Policies > RADIUS.

  4. Select the Send vendor specific attributes checkbox.

  5. Specify the necessary information.

  6. Select the relevant client from the RADIUS client drop-down menu (this is the client you added previously).

  7. Enter the Attribute Number.

    This number identifies the attribute and must be a unique number. For example, if you have created an attribute with the number 2, you can not create another attribute using the same number.

  8. Select the attribute Format -- string or integer.

  9. Enter the attribute Value.

  10. Click Add .

    The newly created attribute is shown in the table.

  11. Click Save

Set up a RADIUS client

The steps for configuring a RADIUS client to work with the Identity Connector vary for each client; however, you consistently need the following information regardless of the RADIUS client device:

  • IP address of the Identity Connector

  • The secret key you provide to the RADIUS client and the Identity Administration portal must match exactly

The Identity Connector only supports the PAP authentication method.

Refer to MFA for VPNs and VDIs MFA for VPNs and VDIs for end-to-end configuration instructions on specific RADIUS clients.

See your RADIUS client documentation for the configuration procedure and guidelines for other clients.