MFA for VPN (Idaptive Connector as a RADIUS server)

This tutorial guides you through the steps for using Idaptive Identity Service with your RADIUS client to provide a second authentication layer. For example, if a VPN concentrator uses RADIUS for authentication, you can configure email as a secondary authentication requirement. In the typical workflow, a RADIUS client (such as a VPN server) uses the Idaptive Connector as its RADIUS server to authenticate an incoming user connection.

Installing an Idaptive Connector

You need a connector to integrate Active Directory with Idaptive Identity Service so that users can authenticate with their domain accounts.

Skip this section if you have done it as part of another tutorial.

The Idaptive Connector is multipurpose software that enables secure communication between your internal network and Idaptive Identity Services.

Assigning domain users or groups to the System Administrator role

Skip this section if you have done it as part of another tutorial.

It is always best practice to protect the default administrator account by using your own personal account to administer Idaptive Identity Service. Assigning domain users or groups to the System Administrator role lets you log in to Idaptive Identity Service with domain credentials, and lets you manage Idaptive administrator access centrally through Active Directory. If you do not have Active Directory, you can add users from LDAP or G Suite, or create users in the Idaptive Directory.

To assign domain users or groups to the role

  1. Log in to Admin Portal using the credentials provided in your welcome email.
  2. Click Core Services > Roles.
  3. Click the System Administrator role.
  4. Click Members > Add button.
  5. Search for the domain users and/or groups to which you want to grant administrative rights in the Idaptive Admin Portal.

    The domain user should NOT match your Active Directory user name.

  6. Click Add.

    The Add Members page closes.

  7. Click Save.

    You can now log in to the Idaptive Admin Portal with your domain credentials.

Configuring the connector as a RADIUS server

Make configuration changes in the Admin Portal to designate the connector as a RADIUS server, define the RADIUS client information, and define the requirements for a secondary authentication mechanism.

To configure the Admin Portal

  1. Log in to the Admin Portal.
  2. Configure the connector to be a RADIUS server.

    1. Click Settings > Network > Idaptive Connector.

    2. Select an existing connector or add a new one.
    3. Click RADIUS.

    4. Select the Enable incoming RADIUS connections checkbox.
    5. Your VPN server and the connector must be able to communicate. Confirm with your network administrator that your corporate firewall rules are not blocking this connection, for example if your VPN server is in the DMZ.

    6. Provide the port number on which the Idaptive Connector talks to Idaptive Identity Services.

      The default port number is 1812.

    7. Click Save.
  3. Define the RADIUS client information.

    1. Click Authentication > RADIUS Connections > Client tab > Add to configure your RADIUS client.

      A RADIUS client can be a VPN server, a wireless access point, and so on.

    2. Enter the required information.

      • The Client Hostname or IP Address field expects the hostname or IP address of the RADIUS client.
      • The Client Secret field expects the shared secret used between the RADIUS client and Idaptive Identity Services. If you have already entered a secret on your RADIUS client, enter that same secret here; the two must match for authentication to work. If you are creating a new secret, best practice is a length of 22 or more characters.
    3. Click Save.
  4. Enable the RADIUS client connection and define the secondary authentication requirement.
    1. Click Policies > Default Policy.
    2. Click User Security Policies > RADIUS.
    3. Select Yes in the Allow RADIUS client connections dropdown.

      This setting allows users to authenticate with the RADIUS client.

    4. Select the Require authentication challenge checkbox to require that users provide a secondary authentication mechanism to log in via the RADIUS client.
    5. Select Add New Profile from the Authentication Profile dropdown.
    6. Select Password for the first challenge.
    7. Select any mechanism except Password, 3rd Party RADIUS Authentication, and FIDO2 Authenticator(s) for the second challenge.
    8. Phone call and SMS challenges are disabled by default for trial customers. Email to enable these challenges.

    9. Click Save.
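The exchange these settings produce between the VPN server (RADIUS client) and the connector (RADIUS server) follows RFC 2865, which the following added Python example models; it is not Idaptive's code, and the shared secret, the Request Authenticators and the wording of the email challenge are constructed values. It hides the PAP password under the shared secret, carries the second factor as an Access-Challenge whose State the client must echo, and verifies the Response Authenticator so that a reply computed with a mismatched secret is rejected.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11      # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24   # attribute types used here

def _attr(kind, value):  # one Type-Length-Value attribute
    return struct.pack("!BB", kind, len(value) + 2) + value

def pap_password(data, secret, authenticator, hide=True):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block).
    # hide=True pads the plaintext to a block multiple (client side); False strips it (server side).
    if hide:
        data = data.ljust(max(16, -(-len(data) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hide else data[i:i + 16])
    return out if hide else out.rstrip(b"\x00")

def build_access_request(ident, username, password, secret, authenticator, state=None):
    # Client side; the second round of a challenge echoes the server's State attribute
    attrs = _attr(USER_NAME, username.encode()) + _attr(
        USER_PASSWORD, pap_password(password.encode(), secret, authenticator))
    if state is not None:
        attrs += _attr(STATE, state)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, ident, request_authenticator, attrs, secret):
    # Server side; Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)
    body = b"".join(_attr(k, v) for k, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_authenticator + body + secret).digest() + body

def parse_response(pkt, secret, request_authenticator):
    # Client side; drop replies whose authenticator does not match our shared secret
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    expected = hashlib.md5(pkt[:4] + request_authenticator + pkt[20:] + secret).digest()
    if length != len(pkt) or length < 20 or not hmac.compare_digest(expected, pkt[4:20]):
        raise ValueError("bad length or Response Authenticator mismatch (wrong secret or forged reply)")
    attrs, i = {}, 20
    while i < length:
        alen = pkt[i + 1] if i + 1 < length else 0
        if alen < 2 or i + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(pkt[i], []).append(pkt[i + 2:i + alen])
        i += alen
    return code, ident, attrs
```

If the two secrets differ, the connector cannot recover the password and the VPN server cannot validate the reply, which is the "keys must match" requirement of the client configuration above.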

Configuring your VPN for RADIUS authentication

The steps for configuring a RADIUS client to work with the Idaptive Connector vary by client, model, and firmware. We have provided configuration examples for Cisco VPN, Juniper VPN, and Palo Alto VPN.

At a high level, you need the following information regardless of the RADIUS client device:

  • The IP address of the Idaptive Connector
  • The shared secret, which must match exactly between the RADIUS client and the Admin Portal

Important: For OpenVPN, the Idaptive Connector only supports the PAP authentication method. With PAP, the user's password in the RADIUS request is protected only by the shared secret (the RFC 2865 User-Password hiding), so use a long secret and keep the path between the VPN server and the connector inside a trusted network segment.