MFA for VPN (CyberArk Identity Connector as a RADIUS server)

This tutorial is intended to guide you through the steps for using CyberArk Identity with your RADIUS client to provide a second authentication layer. For example, if a VPN concentrator uses RADIUS for authentication, you can configure email as a secondary authentication requirement. A typical work flow is when a RADIUS client (like a VPN server) uses the CyberArk Identity Connector as a RADIUS server to authenticate an incoming user connection.

Install an CyberArk Identity Connector

You need a connector for integrating Active Directory with CyberArk Identity to authenticate users using their domain user accounts.

Skip this section if you have done it as part of another tutorial.

The CyberArk Identity Connector is a multipurpose software that enables secure communication between your internal network and CyberArk Identity.

Assign domain users or groups to System Administrator role

Skip this section if you have done it as part of another tutorial.

It is always best practice to secure your default administrator account by using your own personal account to administer CyberArk Identity. Assigning domain users or groups to the System Administrator role allows you to log in to CyberArk Identity with domain credentials. This also allows you to centrally manage CyberArk administrator access through Active Directory. If you do not have Active Directory, you can add users from LDAP, G Suite, or create users in the CyberArk Directory.

To assign domain users or groups to role

  1. Log in to the Admin Portal using the credentials provided in your welcome email.
  2. Click Core Services > Roles.
  3. Click the System Administrator role.
  4. Click Members > Add button.
  5. Search for the relevant domain user(s) and/or group(s) you want to grant administrative rights to the Admin Portal.

    The domain user should NOT match your Active Directory user name.

  6. Click Add.
  7. The Add Members page closes.

  8. Click Save.

    You can now log in with your domain credentials to the Admin Portal.

Configure the connector as a RADIUS server

Make configuration changes in the Admin Portal to designate the connector as a RADIUS server, define the RADIUS client information, and define the requirements for a secondary authentication mechanism.

To configure the Admin Portal

  1. Log in to the Admin Portal.
  2. Configure the connector to be a RADIUS server.

    1. Click Settings > Network > CyberArk Identity Connector.

    2. Select an existing connector or add a new one.

    3. Click RADIUS.

    4. Select the Enable incoming RADIUS connections checkbox.

    5. Your VPN server and the connector must be able to communicate. Confirm with your network administrator that your corporate firewall rules are not blocking this connection, for example if your VPN server is in the DMZ.

    6. Provide the port number in which the CyberArk Identity Connector talks to CyberArk Identity.

      The default port number is 1812.

    7. Click Save.

  3. Define the RADIUS client information.

    1. Click Authentication > RADIUS Connections > Client tab > Add to configure your RADIUS client.

      A RADIUS client can be VPN server, wireless access point, etc.

    2. Enter the required information.

      • The Client Hostname or IP Address field is expecting the hostname or IP address of the RADIUS client.

      • The Client Secret field is expecting a shared secret key for the RADIUS client and CyberArk Identity. If you have entered a secret key on your RADIUS client, then enter that same key here. The keys must match to enable authentication. If you are creating a new secret key, best practices recommend 22 or more characters in length.

    3. Click Save.

  4. Enable the RADIUS client connection and define the secondary authentication requirement.
    1. Click Polices > Default Policy.
    2. Click User Security Policies > RADIUS.
    3. Select Yes in the Allow RADIUS client connections dropdown.

      This setting allows users to authenticate with the RADIUS client.

    4. Select the Require authentication challenge checkbox to require that users provide a secondary authentication mechanism to log in via the RADIUS client.
    5. Select Add New Profile from the Authentication Profile dropdown.
    6. Select Password for the first challenge.
    7. Select any mechanism except for Password, 3rd Party RADIUS Authentication, and FIDO2 Authenticator(s) for the second challenge.
    8. Phone call and SMS challenges are disabled by default for trial customers. Email trial.help@idaptive.com to enable these challenges.

    9. Click Save.

Configure your VPN for RADIUS authentication

The steps for configuring a RADIUS client to work with the CyberArk Identity Connector vary for each client, model, and firmware. We have provided configuration examples for Cisco VPN, Juniper VPN, and Palo Alto VPN.

At a high level, you consistently need the following information regardless of the RADIUS client device:

  • IP address of the CyberArk Identity Connector
  • The secret key you provide to the RADIUS client and the Admin Portal must match exactly

Important: For Open VPN, the CyberArk Identity Connector only supports the PAP authentication method.