Configuring MFA with RADIUS for Centrify Privilege Elevation Service for Windows checklist

This document provides a configuration checklist for 3rd party multi-factor authentcation providers such as Duo, Okta, SecurID (or any other vendor that provides a RADIUS service) to provide identity validation with the Centrify Privilege Elevation Service in the Microsoft Windows platform.

If you have an identity service provider (such as Duo, Okta, SecureID, and so forth) that you use for MFA logins, you can integrate authentication and privilege elevation with your identity provider and the RADIUS protocol to require MFA for privilege elevation tasks, such as Run with Privilege and New Desktop.

Make sure that you work with your RADIUS expert along with your network and directory services lead administrators during the design and configuration tasks.

The checklist below includes links to documented procedures.

Note:    If you use Privileged Access Service, although you can enable MFA with RADIUS, the recommended practice is that you use the native integration.


RADIUS Configuration Step



RADIUS requirements



Gather the following settings for your RADIUS service:

  • IP address or fully qualified domain name
  • Port
  • Timeout settings
  • Pre-shared secret



Verify that you can generate a RADIUS one-time password successfully.



Verify that identity authentication is working correctly with your RADIUS system.



Have access to someone who is knowledgeable about your RADIUS system and can answer questions or help troubleshoot issues, if needed.



Windows and Active Directory requirements for RADIUS configuration



A Windows computer to use as a RADIUS client for initial testing, including:

  • Client name
  • Client IP address



Make sure that client systems can reach the RADIUS server over the network (check your firewall settings).

You may need help also from your network team if your RADIUS cluster has a load-balancer in the front end.



You have administrative access to the designated Windows computer so that you can install software and do configurations.  


You have Active Directory account access so that you can modify group policies that apply to the target computer.



You have access to the Group Policy Management Console.  


Your Active Directory expert must decide how the group policy layout and scope will be designed so that the group policies are applied to the clients based on their RADIUS service availability.



Centrify Authentication and Privilege Elevation Services Requirements for RADIUS configuration



Access Manager console is installed on the client computer.

For details, see Running the setup program on a Windows computer.



The Centrify Agent for Windows is installed on the client system, you've configured the system to work with Centrify Privilege Elevation Service, including joining the computer to a zone.

For details, see Installing the Centrify Agent for Windows.


You have administrative access to Access Manager so that you can manage roles and rights.



The Centrify group policy templates from release 19.6 or later are installed.

For RADIUS configuration, you need at least the Centrify Windows settings group policies.

For details, see Installing group policy extensions separately from Access Manager.


If you want to capture the RADIUS events in your SIEM system, make sure the Audit trail is configured to go to the local log file.

In GPME, go to computer Configuration > Policies > Centrify Audit Trail Settings > Centrify Global Settings > Send audit trail to log file (this is not configured by default).

For details, see Send audit trail to log file.


You have a role and user to test with. Make sure the role has rights for privilege elevation, such as New Desktop rights or Run as Role.

Make sure that you can elevate privileges successfully for that user and role before you try to configure RADIUS authentication.


Configure a system to use RADIUS for privilege elevation (using group policies)



Enable and configure the RADIUS group policies.

Configure the following group policies:

Windows > MFA Settings > Specify the authentication source for privilege elevation : set this policy to RADIUS Authentication.

Windows > MFA Settings > Remote Authentication Dial-In User Service (RADIUS) Settings >

  • Enable Remote Authentication Dial-In User Service (RADIUS): enable this policy.
  • Specify the RADIUS connection timeout: Configure to match your RADIUS timeout setting.
  • Specify the RADIUS server IP address: enter your RADIUS IP address.
  • Specify the RADIUS server port number: enter your RADIUS port number (the default is 1812).

For details, see Remote Authentication Dial-In User Service (RADIUS) Service Settings.

After you update the policies, do a group policy update on the Windows client computer.


Configure the role to require re-authentication using multi-factor authentication.

For example:

  1. Right-click your test role and choose Properties. The Role Properties dialog box opens.
  2. Click the Run As tab.
  3. Select Re-authenticate current user and then select Require multi-factor authentication.
  4. Click OK to apply the changes.


Run dzflush to make sure that the agent has the changes from Access Manager.

For details, see Using dzflush.


Set the RADIUS shared secret.

The RADIUS secret is unique to each system and will match the secret that the RADIUS server has. You can set the pre-shared secret by either of the following methods on the client computer:

  • Run the Set-CdmRadiusSecret cmdlet to set the RADIUS shared client secret. For details, see the DirectAuthorize PowerShell cmdlet help.
  • Use the Agent Configuration settings dialog box to configure the RADIUS server, including the pre-shared secret.

    For details, see Configuring agent settings for the Centrify Identity Platform.





Verify that a user can elevate privileges by entering the RADIUS one-time password.

For example, if your role has New Desktop rights:

  1. Right-click the System Tray and select New Desktop.
  2. In the dialog box that appears, select your test role and click OK.
  3. If the RADIUS authentication has been configured successfully, you are prompted to enter a password for RADIUS authentication.
    Enter the password and click Next to continue.
  4. You can also view the audit trails for the successful authentication in the system's event log.


Verify that a user cannot elevate privileges after entering an incorrect RADIUS one-time password.