You can use your existing RADIUS server for user authentication into Privileged Access Service by enabling communication between your RADIUS server and the Centrify Connector (acting as a RADIUS client). The high level steps are:
- Configure the RADIUS server to recognize the connector as a valid RADIUS client. See Configuring a RADIUS server.
- Make configuration changes in Admin Portal to add RADIUS server information, designate the connector as a RADIUS client, and define your authentication requirements to include RADIUS. See Configuring the Admin Portal (connector as a RADIUS client).
If you have multiple connectors enabled for use as RADIUS clients, Privileged Access Service prioritizes connection with the connectors in the following order:
- A connector with the same IP address as the user
- If more than one connector has the same IP address as the user, one of them chosen at random
- Otherwise, the connector with the best subnet match
- If none of the above apply, a connector chosen at random
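The selection order above, written out as an added Python example (not Centrify's own code). Two details the page does not define are my assumptions: addresses are IPv4, and "best subnet match" is scored as the longest shared leading-bit prefix, counted as a match only when at least MIN_BITS bits are shared.

```python
import ipaddress
import random
from typing import Optional, Sequence

# Assumptions not stated on the page: IPv4 only, and a connector counts as a
# "subnet match" only when it shares at least MIN_BITS leading bits with the
# user's address (24 here, i.e. the same /24).
MIN_BITS = 24


def prefix_match_bits(a: str, b: str) -> int:
    """Number of leading bits two IPv4 addresses have in common (0..32)."""
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - diff.bit_length()


def choose_connector(user_ip: str, connectors: Sequence[str],
                     min_bits: int = MIN_BITS, rng=random) -> Optional[str]:
    """Pick the connector the documented priority order would prefer.

    1. Connectors with the same IP address as the user.
    2. If several share that IP, one of them at random.
    3. Otherwise the best subnet match (random among equally good ones).
    4. If nothing matches, any connector at random.
    """
    if not connectors:
        return None
    user = ipaddress.IPv4Address(user_ip)
    same_ip = [c for c in connectors if ipaddress.IPv4Address(c) == user]
    if same_ip:
        return rng.choice(same_ip)                    # steps 1 and 2
    scored = [(prefix_match_bits(user_ip, c), c) for c in connectors]
    best = max(score for score, _ in scored)
    if best >= min_bits:                              # step 3
        return rng.choice([c for score, c in scored if score == best])
    return rng.choice(list(connectors))               # step 4


if __name__ == "__main__":
    # Constructed inventory: one connector on the user's /24, one elsewhere in
    # 10.1.0.0/16, and one on an unrelated network.
    inventory = ["10.1.2.3", "10.1.9.7", "192.0.2.9"]
    print(choose_connector("10.1.9.7", inventory))     # same-IP connector wins
    print(choose_connector("10.1.2.200", inventory))   # /24 match wins
    print(choose_connector("203.0.113.5", inventory))  # random fallback
```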
You configure the RADIUS server to recognize the connector as a valid RADIUS client. The following RADIUS server configuration procedures use the RSA Authentication Manager’s RADIUS interface as an example. Your procedure may differ slightly if you are using a different RADIUS server.
At a high level, you need the following information regardless of the RADIUS server:
- The IP address of the Centrify Connector
- The shared secret; the secret you enter on the RADIUS server and in Admin Portal must match exactly
Make configuration changes in Admin Portal to add the RADIUS server information, designate the connector as a RADIUS client, and define your authentication requirements to include RADIUS.
- Log in to Admin Portal.
- Define the RADIUS server information:
  - Click Settings > Authentication > RADIUS Connections > Servers > Add to define the RADIUS server information.
  - Fill in the relevant fields:
    - (Server) Name: The server name is displayed to users as one of their MFA mechanism options.
    - Server Hostname or IP Address + Port: The server hostname or IP address and the port number.
    - Server Secret: The secret shared between the RSA server and Privileged Access Service. If you have already entered a secret key on your RADIUS server, enter that same key here; the keys must match for authentication to work. If you are creating a new secret key, best practice is a length of 22 or more characters.
    - Receive Timeout (seconds): The receive timeout for this server. The value must be no less than 5 seconds and no greater than 55 seconds.
    - Enable silent initial request + Silent request answer: Enable this when the RADIUS server requires a fixed answer for the initial request, for example an RSA server with "Enable Only Additional Authentication" enabled. When enabled, the initial request to the server is sent with the username and whatever answer is specified in Silent request answer.
    - (Optional) User Identifier Attribute: The attribute you want sent to the RADIUS client as the user name for authentication. You can select from the default list or define your own by selecting Custom.
      The CanonicalName default attribute is a computed value, computed differently for each user type. For Active Directory users it is set to one of the following (in this order):
      1) userPrincipalName, if the format is usable (not empty and does not start with "@").
      2) The concatenation of sAMAccountName, "@", and the AD domain.
      For Privileged Access Service users, it is computed as the contents of the Name field. The UUID default attribute represents the user ID stored in Privileged Access Service. When you define a Custom attribute, the attribute name must match the user attribute name in the directory service exactly, for example "sAMAccountName" rather than "sam account name", or "mail" rather than "Mail".
    - Response Input Label: A custom label for the response input during login. A label of 70 characters or fewer is recommended.
  - Click Save.
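The CanonicalName and Custom attribute rules described for the User Identifier Attribute above, as an added Python example (not Centrify's code). The user records are constructed dictionaries; the "kind" key standing in for the user type is my own representation, and the directory attribute keys are spelled exactly as the directory would name them.

```python
from typing import Dict

# Constructed sample records. "kind" (ad or pas) is an assumed stand-in for
# the user type; the remaining keys use the directory's attribute names.
USERS: Dict[str, Dict[str, str]] = {
    "alice": {"kind": "ad", "userPrincipalName": "alice@corp.example",
              "sAMAccountName": "alice", "domain": "corp.example",
              "mail": "alice@corp.example", "uuid": "uuid-alice"},
    "bob":   {"kind": "ad", "userPrincipalName": "",               # empty UPN
              "sAMAccountName": "bob", "domain": "corp.example",
              "uuid": "uuid-bob"},
    "carol": {"kind": "ad", "userPrincipalName": "@corp.example",  # unusable UPN
              "sAMAccountName": "carol", "domain": "corp.example",
              "uuid": "uuid-carol"},
    "dave":  {"kind": "pas", "Name": "dave", "uuid": "uuid-dave"},
}


def canonical_name(user: Dict[str, str]) -> str:
    """CanonicalName as the page describes it: AD users get userPrincipalName
    when usable (non-empty, not starting with "@"), otherwise
    sAMAccountName@domain; Privileged Access Service users get Name."""
    if user["kind"] == "ad":
        upn = user.get("userPrincipalName", "")
        if upn and not upn.startswith("@"):
            return upn
        return f'{user["sAMAccountName"]}@{user["domain"]}'
    return user["Name"]


def is_valid_custom_attribute(user: Dict[str, str], name: str) -> bool:
    """Exact, case-sensitive match against the directory attribute names."""
    return name != "kind" and name in user


def user_identifier(user: Dict[str, str], attribute: str = "CanonicalName") -> str:
    """Value sent as the RADIUS user name for the chosen User Identifier
    Attribute: a default (CanonicalName, UUID) or a Custom directory attribute."""
    if attribute == "CanonicalName":
        return canonical_name(user)
    if attribute == "UUID":
        return user["uuid"]
    if not is_valid_custom_attribute(user, attribute):
        raise KeyError(f"no directory attribute named {attribute!r}; "
                       "custom attribute names are case-sensitive")
    return user[attribute]
```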
- Configure the connector as a RADIUS client. All relevant connectors must be configured.
  - Click Network > Centrify Connector and select an existing connector or add a new one to designate the connector as a RADIUS client. The Centrify Connector Configuration page opens.
  - Click RADIUS and select the Enable connections to external RADIUS server checkbox.
  - (Optional) Select the Override server secret for this connector checkbox. If you do not want all your connectors to share the same secret, you can override the secret here and enter a different one.
  - Click Save.
- Enable 3rd party RADIUS authentication.
  - Click Policies and either select an existing policy set or add a new one.
  - Click User Security Policies > RADIUS.
  - Select Yes in the Allow 3rd Party RADIUS Authentication dropdown. This setting allows users to authenticate using the RADIUS server.
  - Click Save.
- Define your authentication requirements to specify when and under which conditions your users will authenticate using the RADIUS server. See How to define authentication requirements. The authentication profile you choose must have the “3rd Party RADIUS Authentication” mechanism selected. Users will not be able to authenticate using the RADIUS server until you define the authentication requirements.
Users can now log in to Privileged Access Service by selecting the RADIUS server authentication method and entering the passcode generated by the RADIUS token container application, which mirrors a hardware token or a token container running on a mobile device.