Enable Radius Authentication for CyberArk PAS

The CyberArk PAS Vault enables users to log on through RADIUS authentication (Remote Authentication Dial-In User Service) using logon credentials that are stored in the RADIUS server. 

Lab Topology

Install Radius Server

You can install FreeRadius server as your Radius lab server based on steps in this post.

Configure your Radius Server

1. Create a client

[root@localhost ~]# cd /etc/raddb/
[root@localhost raddb]# ls
certs  clients.conf  dictionary  hints  huntgroups  mods-available  mods-config  mods-enabled  panic.gdb  policy.d  proxy.conf  radiusd.conf  README.rst  sites-available  sites-enabled  templates.conf  trigger.conf  users
[root@localhost raddb]# vi clients.conf
client test1 {
        secret = Cyberark1
        ipaddr = 192.168.2.21
}

2. Create a user bob

[root@localhost raddb]# vi users
bob     Cleartext-Password := "hello"
        Reply-Message := "Hello, %{User-Name}"

Configure CyberArk Vault

1. Stop Vault Server and from command line, cd C:\Program Files (x86)\PrivateArk\Server

2. Run following command will encrypt the secret RADIUS/Vault password, which is Cyberark1, and store it in a file called radiusauth.dat in the current folder.

CAVaultManager SecureSecretFiles /SecretType Radius /Secret Cyberark1 /SecuredFileName radiusauth.dat

3. In C:\Program Files (x86)\PrivateArk\Server\Conf\DBParm.ini, set the RadiusServersInfo parameter. All the details are specified in the same parameter, separated by semicolons.

In the following example, the IP address of the RADIUS server is 192.168.2.12, and its port is 1812. The name of the RADIUS client (Vault machine as entered in the RADIUS server) is ‘radius1’, and the name of the file that contains the secret password is ‘radiusauth.dat’.

RadiusServersInfo=192.168.2.12;1812;radius1;radiusauth.dat

For high availability: You can specify more than one RADIUS server by separating the details of each server with a comma.

4. Start the Vault server

5. Create a test user bob
Change authentication method to Radius.

Change PVWA Configuration

Configure Access through the PVWA

1. Log onto the PVWA as the predefined Administrator user.
2. Click ADMINISTRATION to display the System Configuration page, then click Options; the main system configuration editor appears.
3. Expand Authentication Methods; a list of the supported configuration methods is displayed.
4. Select radius and make sure the Enabled property is set to Yes.
5. Click Apply to save the new configurations and apply them immediately,

References

• RADIUS authentication