Enable Radius Authentication for CyberArk PAS - NETSEC

Latest

Learning, Sharing, Creating

Cybersecurity Memo

Wednesday, April 29, 2020

Enable Radius Authentication for CyberArk PAS

The CyberArk PAS Vault enables users to log on through RADIUS authentication (Remote Authentication Dial-In User Service) using logon credentials that are stored in the RADIUS server. 

Lab Topology






Install Radius Server

You can install FreeRadius server as your Radius lab server based on steps in this post.

Configure your Radius Server

1. Create a client

[root@localhost ~]# cd /etc/raddb/
[root@localhost raddb]# ls
certs  clients.conf  dictionary  hints  huntgroups  mods-available  mods-config  mods-enabled  panic.gdb  policy.d  proxy.conf  radiusd.conf  README.rst  sites-available  sites-enabled  templates.conf  trigger.conf  users
[root@localhost raddb]# vi clients.conf
client test1 {
        secret = Cyberark1
        ipaddr = 192.168.2.21
}


2. Create a user bob

[root@localhost raddb]# vi users
bob     Cleartext-Password := "hello"
        Reply-Message := "Hello, %{User-Name}"



Configure CyberArk Vault


1. Stop Vault Server and from command line, cd C:\Program Files (x86)\PrivateArk\Server

2. Run following command will encrypt the secret RADIUS/Vault password, which is Cyberark1, and store it in a file called radiusauth.dat in the current folder.
CAVaultManager SecureSecretFiles /SecretType Radius /Secret Cyberark1 /SecuredFileName radiusauth.dat

3. In C:\Program Files (x86)\PrivateArk\Server\Conf\DBParm.ini, set the RadiusServersInfo parameter. All the details are specified in the same parameter, separated by semicolons.
In the following example, the IP address of the RADIUS server is 192.168.2.12, and its port is 1812. The name of the RADIUS client (Vault machine as entered in the RADIUS server) is ‘radius1’, and the name of the file that contains the secret password is ‘radiusauth.dat’.
RadiusServersInfo=192.168.2.12;1812;radius1;radiusauth.dat
For high availability: You can specify more than one RADIUS server by separating the details of each server with a comma.

4. Start the Vault server

5. Create a test user bob
Change authentication method to Radius.

Change PVWA Configuration


Configure Access through the PVWA



References



1 comment:

  1. Hello, if you had to use Radius for 25 users, how would you set that up in the Vault? Txs

    ReplyDelete