RADIUS Authentication

The Vault enables users to log on via Remote Authentication Dial-In User Service (RADIUS) authentication, using logon credentials that are stored in the RADIUS server. The Vault also supports RADIUS challenge-response authentication, where the server sends back a challenge prompting the user for more logon information, such as additional authentication information contained on external tokens.

Requirements

In order to enable users to authenticate using RADIUS authentication, you need the following:

RADIUS Server
Certificate – A Vault certificate to create an initial secured session prior to the RADIUS authentication. This certificate is optional, but recommended.
RADIUS Secret – A password known to only the RADIUS server and the CyberArk Vault. This password can contain up to 255 characters.

Configure RADIUS Authentication

To configure the RADIUS authentication, you need to prepare by collecting the required information, then configure an organization SSL certificate for the Vault server. After you configure the certificate, you need to place the RADIUS secret in a Safe.

  1. In the RADIUS server, define the CyberArk Vault as a RADIUS client/agent. For more information, refer to your vendor's RADIUS server documentation.

  2. Gather the following information from the RADIUS server:

    • RADIUS server hostname, FQDN, or IP address

    • RADIUS server Port

    • Host name of the RADIUS client (Vault machine). This name must be identical to the name you entered for the RADIUS client/agent.

    • Password secret

Follow the process described in CACert to configure an organization SSL certificate.

  1. Stop the Vault server.

  2. In the Vault installation folder, run CAVaultManager as administrator with the SecureSecretFiles command, as shown below, to create a file that contains an encrypted version of the RADIUS secret.

    You can specify the full path of the file that will contain the encrypted secret, and the secret itself. This file may be in DAT, INI, or TXT format. The following example will encrypt the secret RADIUS/Vault password, which is VaultSecret, and store it in a file called radiusauth.dat in the current folder.

      
    CAVaultManager SecureSecretFiles /SecretType Radius /Secret VaultSecret /SecuredFileName radiusauth.dat
     

    For more information, refer to CAVaultManager.

  3. (Optional) To configure the RADIUS integration to work with a DNS resolution instead of an IP address, do the following:

    Enable and Configure DNS on the Vault Server.

     

    • The procedure must be done on all the Vault Servers.

    • Use DNS only if you have a business or operational justification. Make sure that you follow the Vault security standards. For more information, see Avoid using DNS on the Digital Vault Server.

    1. Configure the DNS Server on the Vault server:

      1. Navigate to Control Panel > Network and Internet > Network and Sharing Center > Change adapter settings.
      2. Right-click Network card > Properties.
      3. Select Internet Protocol Version 4 (TCP/IPv4), and then select Properties.

      4. Select Use the following DNS server addresses, and enter the organization DNS server.

         
        • Add at least two DNS servers for high availability.
        • Add the DNS Server with the best latency to the configured Vault, for best performance.
        • The DNS Servers of all the Vaults must be identical with the resolved assets, otherwise some services may be affected if resolution fails.

        • DNS names can contain only alphabetical characters (A-Z), numeric characters (0-9), the minus sign (-), and the period (.). Period characters are allowed only when they are used to delimit the components of domain style names. For more information, see the Microsoft support topic.

      5. Save the configuration.

    2. Enable DNS resolution:

      1. Navigate to /Server/Conf/ and open DBParm.ini.

      2. Add the following parameter: EnableDNSDynamicResolution=yes

      3. Save the file.

    3. Allow DNS in the firewall:

      1. Navigate to /Server/Conf/ and open DBParm.ini.

      2. Add the following parameter: AllowNonStandardFWAddresses=[DNSServerIP1,DNSServerIP2],Yes,53:outbound/udp

      3. Save the file.

  4. Navigate to /Server/Conf and open DBParm.ini.

  5. Set the RadiusServersInfo parameter.

    • All the details are specified in the same parameter, separated by semicolons.

        
      RadiusServersInfo=1.1.1.250;1812;vaulthostname;radiusauth.dat

      In the above example, the IP address of the RADIUS server is 1.1.1.250, and its port is 1812. The name of the RADIUS client (Vault machine as entered in the RADIUS server) is vaulthostname, and the name of the file that contains the secret password is radiusauth.dat. The file is stored in the current folder, and therefore the full path is not specified.

    • For RADIUS high availability: You can specify more than one RADIUS server by separating the details of each server with a comma.

      
    RadiusServersInfo=radius1.mycompany.com;1812;vaulthostname;RadiusSecret_Radius1.dat,radius2.mycompany.com;1812;vaulthostname;RadiusSecret_Radius2.dat

    At startup, the Vault tries to connect using the first address that is configured in the list. If there is a failure, the Vault tries the next address in the list until it successfully connects. If the Vault reaches the end of the list, it goes back to the beginning of the list. When the Vault successfully connects, it tries to connect to the RADIUS server that was used in the last connection.

  6. (Optional) Set the DefaultTimeout parameter.

     

    This parameter affects the entire the Vault communication. For more information, see DBParm.ini.

  7. Start the Vault server.

     

    Add at least one RADIUS IP address, so that if there are problems with DNS Server availability, the Vault can still use the RADIUS IP address.

  1. Ensure that the Vault starts successfully and that there are no errors in the log.

     

    If you have errors in the log, see RADIUS Authentication Messages for troubleshooting information.
  2. Perform this procedure on all the Vaults (cluster nodes, DR Vaults, and Satellite Vaults) using the same configuration files.

Store the file that contains the RADIUS secret for in a Safe for safekeeping. This is the file that was created with the CAVaultManager SecureSecretFiles command.

Configure the user account

In the PrivateArk Client, configure the user account to authenticate with RADIUS authentication.

  1. Log on to the PrivateArk Client as the predefined Administrator user.

  2. Display the User properties of the user to configure, and display the Authentication tab.

  3. From the Authentication method drop-down list, select Radius authentication, then click OK.

  4. Log off the Vault.

Authenticate through the PVWA

  1. Log onto the PVWA as the predefined Administrator user.

  2. Click ADMINISTRATION to display the System Configuration page, then click Options; the main system configuration editor appears.

  3. Expand Authentication Methods; a list of the supported configuration methods is displayed.

  4. Select radius and make sure the Enabled property is set to Yes.

  5. Click Apply to save the new configurations and apply them immediately,

    or,

    Click Save to save the new configurations and apply them after the period of time specified in the RefreshPeriod parameter.

  1. In the PVWA, in the list of available authentication methods, click RADIUS.

  2. Type the administrative user’s Username and logon information in the appropriate edit boxes, then click Sign in; a secure channel is created between the client and the Vault through which this logon information is sent.

  3. If the RADIUS server requires more information to authenticate the user to the Vault, a RADIUS Challenge window appears, prompting you for it.

  4. Specify the additional logon details, then click OK; the RADIUS server authenticates you to the Vault.

Authenticate through the PrivateArk Client

  1. In the PrivateArk Client, right-click the Vault to configure then, in the pop-up menu, select Properties; the Vault Server Properties window appears.

  2. Click Advanced; the Advanced Server Properties window appears.

  3. Select RADIUS authentication; in the Secured session properties, the Trust self-signed certificates option is selected. This enables users to log onto the Vault with self-signed certificates.

    For testing, do not select Allow third party authentication with self-signed certificate.

  4. Click OK.

  1. In the PrivateArk Client, double-click the Vault to enter; the Logon to Vault window appears.

  2. Type the administrative user’s Username and logon information in the appropriate edit boxes, then click OK; a secure channel is created between the client and the Vault through which this logon information is sent.

  3. If the RADIUS server requires more information to authenticate the user to the Vault, a RADIUS Challenge window appears, prompting you for it.

  4. Specify the additional logon details, then click OK; the RADIUS server authenticates you to the Vault.