Configure CyberArk Identity for RADIUS
CyberArk Identity supports RADIUS in the following ways.
Support type | Use case | Description |
---|---|---|
CyberArk Identity Connector as a RADIUS server | Provide MFA for RADIUS clients, such as VPNs | Integrate CyberArk Identity with your RADIUS client to provide a second authentication layer for added security. For example, if a VPN concentrator uses RADIUS for authentication, you can configure email as a secondary authentication requirement. In a typical workflow, a RADIUS client (such as a VPN server) uses the CyberArk Identity Connector as a RADIUS server to authenticate an incoming user connection. Depending on the user type, the connector authenticates the credentials either through Active Directory or CyberArk Identity and returns the authentication result to the RADIUS client. This diagram shows the workflow. See Configure the CyberArk Identity Connector for use as a RADIUS server for general configuration steps. |
CyberArk Identity Connector as a RADIUS server | Provide only the second authentication factor for RADIUS clients | Keep your existing primary authentication (for example, Active Directory) and configure the CyberArk Identity Connector as a RADIUS server to provide only the second authentication factor for RADIUS clients that support secondary authentication factors. See Configure the CyberArk Identity Connector for use as a RADIUS server for general configuration steps. |
CyberArk Identity Connector as a RADIUS client | Provide MFA for CyberArk Identity using an external RADIUS server | When users attempt to log in to CyberArk Identity and select an external RADIUS server as a multi-factor authentication (MFA) mechanism, CyberArk Identity sends the user credentials (username and passcode) to the connector, which validates them against the configured RADIUS server and returns the result of that validation to CyberArk Identity. This diagram shows the workflow. See Configure the CyberArk Identity Connector for use as a RADIUS client for configuration details. |