RADIUS Authentication

The Vault enables users to log on via Remote Authentication Dial-In User Service (RADIUS) authentication, using logon credentials that are stored in the RADIUS server. The Vault also supports RADIUS challenge-response authentication, where the server sends back a challenge prompting the user for more logon information, such as additional authentication information contained on external tokens.


In order to enable users to authenticate using RADIUS authentication, you need the following:

Certificate – A Vault certificate to create an initial secured session prior to the RADIUS authentication. This certificate is optional, but recommended.
RADIUS Secret – A password known to only the RADIUS server and the CyberArk Vault. This password can contain up to 255 characters.

Configure RADIUS Authentication

To configure the RADIUS authentication, you need to prepare by collecting the required information, then configure an organization SSL certificate for the Vault server. After you configure the certificate, you need to place the RADIUS secret in a Safe.

Configure the user account

In the PrivateArk Client, configure the user account to authenticate with RADIUS authentication.

Authenticate through the PVWA

Authenticate through the PrivateArk Client