Configuring MFA with RADIUS for Centrify Privilege Elevation Service for Windows checklist
This document provides a configuration checklist for using a third-party multi-factor authentication (MFA) provider such as Duo, Okta, or SecurID (or any other vendor that offers a RADIUS service) to validate identity for the Centrify Privilege Elevation Service on the Microsoft Windows platform.
If you already use an identity provider (such as Duo, Okta, SecurID, and so forth) for MFA logins, you can integrate authentication and privilege elevation with that provider over the RADIUS protocol, so that privilege elevation tasks such as Run with Privilege and New Desktop require MFA.
Make sure that you work with your RADIUS expert along with your network and directory services lead administrators during the design and configuration tasks.
The checklist below includes links to documented procedures.
Note: If you use Privileged Access Service, you can enable MFA with RADIUS, but the recommended practice is to use the native integration instead.
| Step # | RADIUS configuration step | Notes |
|---|---|---|
| | RADIUS requirements | |
| 1 | Gather the following settings for your RADIUS service: | |
| 2 | Verify that you can generate a RADIUS one-time password successfully. | |
| 3 | Verify that identity authentication is working correctly with your RADIUS system. | |
| 4 | Have access to someone who is knowledgeable about your RADIUS system and can answer questions or help troubleshoot issues, if needed. | |
| | Windows and Active Directory requirements for RADIUS configuration | |
| 5 | A Windows computer to use as a RADIUS client for initial testing, including: | |
| 6 | Make sure that client systems can reach the RADIUS server over the network (check your firewall settings). You may also need help from your network team if your RADIUS cluster sits behind a load balancer. | |
| 7 | You have administrative access to the designated Windows computer so that you can install software and change its configuration. | |
| 8 | You have an Active Directory account that can modify the group policies that apply to the target computer. | |
| 9 | You have access to the Group Policy Management Console. | |
| 10 | Your Active Directory expert must decide how the group policy layout and scope will be designed so that the group policies are applied to clients based on the availability of the RADIUS service. | |
| | Centrify Authentication and Privilege Elevation Services requirements for RADIUS configuration | |
| 11 | The Access Manager console is installed on the client computer. | For details, see Running the setup program on a Windows computer. |
| 12 | The Centrify Agent for Windows is installed on the client system, and you have configured the system to work with the Centrify Privilege Elevation Service, including joining the computer to a zone. | For details, see Installing the Centrify Agent for Windows. |
| 13 | You have administrative access to Access Manager so that you can manage roles and rights. | |
| 14 | The Centrify group policy templates from release 19.6 or later are installed. For RADIUS configuration, you need at least the Centrify Windows Settings group policies. | For details, see Installing group policy extensions separately from Access Manager. |
| 15 | If you want to capture the RADIUS events in your SIEM system, make sure the audit trail is configured to go to the local log file. | In GPME, go to Computer Configuration > Policies > Centrify Audit Trail Settings > Centrify Global Settings > Send audit trail to log file (this is not configured by default). For details, see Send audit trail to log file. |
| 16 | You have a role and a user to test with. Make sure the role has privilege elevation rights, such as New Desktop rights or Run as Role. | Make sure that you can elevate privileges successfully for that user and role before you try to configure RADIUS authentication. |
| | Configure a system to use RADIUS for privilege elevation (using group policies) | |
| 17 | Enable and configure the RADIUS group policies. | Configure the following group policies: Windows > MFA Settings > Specify the authentication source for privilege elevation (set this policy to RADIUS Authentication), and the policies under Windows > MFA Settings > Remote Authentication Dial-In User Service (RADIUS) Settings. For details, see Remote Authentication Dial-In User Service (RADIUS) Service Settings. After you update the policies, run a group policy update on the Windows client computer (for example, gpupdate /force). |
| 18 | Configure the role to require re-authentication using multi-factor authentication. | For example: |
| 19 | Run dzflush to make sure that the agent has picked up the changes from Access Manager. | For details, see Using dzflush. |
| 20 | Set the RADIUS shared secret. | The shared secret is specific to each client system and must match the secret that the RADIUS server holds for that client. You can set the pre-shared secret by either of the following methods on the client computer: |
| | Test and verify | |
| 21 | Verify that a user can elevate privileges by entering the RADIUS one-time password. | For example, if your role has New Desktop rights: |
| 22 | Verify that a user cannot elevate privileges after entering an incorrect RADIUS one-time password. | |