Configure the CyberArk Identity Connector for use as a RADIUS server

To enable communication between your RADIUS client and the connector (acting as a RADIUS server), do the following:

  1. Make configuration changes in the Identity Administration portal to designate the connector as a RADIUS server, add the RADIUS client information, and define the requirement for a secondary authentication mechanism. See Configure the Identity Administration portal (connector as a RADIUS server).
  2. Configure the RADIUS client (for example Cisco VPN, Juniper VPN, and Palo Alto VPN). See Set up a RADIUS client for client configuration details.

Configure the Identity Administration portal (connector as a RADIUS server)

Make configuration changes in the Identity Administration portal to designate the connector as a RADIUS server, define the RADIUS client information, and define the requirement for a secondary authentication mechanism.

To configure the Identity Administration portal as a RADIUS server

Step 1: Configure the connector to be a RADIUS server.

  1. Click Settings > Network > CyberArk Identity Connector.

  2. Select an existing connector or add a new one.

  3. Click RADIUS.

  4. Select the Enable incoming RADIUS connections checkbox.

  5. Your VPN server and the connector must be able to communicate. Confirm with your network administrator that your corporate firewall rules are not blocking this connection, for example if your VPN server is in the DMZ.

  6. Provide the port number in which the CyberArk Identity Connector talks to CyberArk Identity.

    The default port number is 1812.

  7. Click Save.

Step 2: Define the RADIUS client information.

  1. Click Authentication > RADIUS Connections > Client tab > Add to configure your RADIUS client.

    A RADIUS client can be VPN server, wireless access point, etc.

  2. Enter the required information.

    • The Client Hostname or IP Address field is expecting the hostname or IP address of the RADIUS client.

    • The Client Secret field is expecting a shared secret key for the RADIUS client and CyberArk Identity. If you have entered a secret key on your RADIUS client, then enter that same key here. The keys must match to enable authentication. If you are creating a new secret key, best practices recommend 22 or more characters in length.

    • Leave the Vendor ID field blank.

  3. Click Response.

  4. (Optional) Select the language to use for RADIUS client messages and user communications (Email and SMS).

  5. (Optional) The Include new-line characters in the mechanism selection list prompt option controls how the mechanism list is displayed.

  6. Specify the Wait Timeout (a time, in seconds, the service should wait for an out-of-band response).

  7. Specify the user response option for each authentication mechanism.

    Select Push for users to respond from the mechanism (for example, click a link in the email or tap a link in the text message).

    Select Enter Code for users to manually enter the code on the RADIUS client UI.

  8. Click Save.

Step 3: Enable the RADIUS client connection and define the secondary authentication requirement.

  1. Click Polices and either select an existing policy set or add a new one.

  2. Click User Security Policies > RADIUS.

  3. Select Yes in the Allow RADIUS client connections dropdown.

    This setting allows users to authenticate with the RADIUS client.

  4. Select the Require authentication challenge checkbox to require that users provide a secondary authentication mechanism to log in via the RADIUS client.

  5. Select an authentication profile from the Default Authentication Profile drop-down list to define authentication requirements for all your RADIUS clients or a profile to be used for any clients you did not specify in the previous step.

    For example, users coming in via a RADIUS client not specified will be authenticated using the authentication profile selected here.

    For most RADIUS use cases, select Password for Challenge 1 and the desired factor(s) for Challenge 2. For example:

    If your radius client supports secondary authentication and you are planning to use CyberArk for only the secondary authentication factor, select factors other than password in the Challenge 1 column of the authentication profile. For example:

    Supported factors for secondary authentication only are:

    • Email

    • Security Question

    • OathOTP

    • Mobile Authenticator

    • Phone

    • SMS

    For more information, seeCreate authentication profiles.

Step 4: (Optional) Define custom RADIUS attributes for authentication response.

You can define the RADIUS attributes sent to the RADIUS client. The RADIUS client can then interpret the attributes based on defined standards. For example, you can define a "contract employee" attribute and associate only contract/contingent workers to this CyberArk Identity policy; then you can configure the RADIUS client with a VPN access policy specifically for contract/contingent workers.

  1. Confirm that you have specified the Vendor ID when you configured your RADIUS client information previously.

  2. Click Policies and either select an existing policy set or add a new one.

  3. Click User Security Policies > RADIUS.

  4. Select the Send vendor specific attributes checkbox.

  5. Specify the necessary information.

  6. Select the relevant client from the RADIUS client dropdown list (this is the client you added previously).

  7. Enter the Attribute Number.

    This number identifies the attribute and must be a unique number. For example, if you have created an attribute with the number 2, you can not create another attribute using the same number.

  8. Select the attribute Format -- string or integer.

  9. Enter the attribute Value.

  10. Click the Add button.

    The newly created attribute is shown in the table.

  11. Click Save

Set up a RADIUS client

The steps for configuring a RADIUS client to work with the CyberArk Identity Connector vary for each client; however, you consistently need the following information regardless of the RADIUS client device:

  • IP address of the CyberArk Identity Connector

  • The secret key you provide to the RADIUS client and the Identity Administration portal must match exactly

The CyberArk Identity Connector only supports the PAP authentication method.

Refer to MFA for VPNs and VDIs for end-to-end configuration instructions on specific RADIUS clients.

Refer to your RADIUS client documentation for the configuration procedure and guidelines for other clients.