6.6 Multi-Factor Authentication

This section describes the following Multi-Factor Authentication (MFA) options:

6.6.1 Advanced Authentication

Privileged Account Manager integrates with the Advanced Authentication application to secure and control access to privileged endpoints using multi-factor authentication methods.

For more information, see Section 24.0, Integrating Privileged Account Manager with Advanced Authentication.

6.6.2 RADIUS Server

You must specify the details of the Remote Authentication Dial-In User Service (RADIUS) server in Privileged Account Manager to authenticate users with a third-party RADIUS server.

Prerequisite

  • On Linux, publish and install the radiusagnt package to enable the RADIUS Server configuration.

    NOTE: The radiusagnt package cannot be installed on a Windows manager. If you have a Windows-only PAM manager environment, you must add a backup Linux PAM manager to your deployment.

  • If Advanced Authentication is configured and you want to configure PAM for RADIUS, ensure that you delete the Advanced Authentication configuration from the Options page.

Configuring a RADIUS Server

To configure the RADIUS server details, perform the following:

  1. On the Home page of the Administration Console, click Framework User Manager.

  2. Select Options, and then click RADIUS Server Configuration.

  3. In the right pane, specify the RADIUS server configuration details:

    • Host: Specify the hostname or IP address of the RADIUS server.

    • Port: Specify the port where the RADIUS authentication request is sent. The default port is 1812.

    • Secret: Specify the shared secret between the RADIUS server and Privileged Account Manager where RADIUS Agent is installed.

    • Timeout: Specify the duration (in seconds) for which the RADIUS client should wait for the RADIUS server to reply. The default value is 15 seconds.

    • Retry count: Specify the number of times the RADIUS client should retry connecting to the RADIUS server after an unsuccessful attempt. The default value is 3. If set to 0, the RADIUS client does not retry after the first unsuccessful attempt.

  4. Add the RADIUS Dictionary Attributes.

    For example, the "NAS ID" attribute is named "NAS-Identifier" in the RADIUS dictionary.

    For more information, see the FreeRADIUS man pages and the FreeRADIUS dictionary.

NOTE:

  • You can modify the RADIUS Dictionary Attributes using the Manage Attributes option.

  • RADIUS authentication is available for logins but not for command control policy-based authorization.
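The Host, Port, Secret, Timeout and Retry count settings above map directly onto what a RADIUS client does on the wire. The following Python is an added illustration, not code from Privileged Account Manager or its radiusagnt package: it builds an Access-Request carrying the NAS-Identifier dictionary attribute, hides the password with the shared secret as RFC 2865 requires, verifies the server's Response Authenticator before trusting the reply, and applies Timeout and Retry count to a caller-supplied transport. It assumes that Retry count N means one attempt plus N retries (the reading of the text above), and the secret and NAS identifier values are constructed samples.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
# RFC 2865 attribute type codes; NAS-Identifier is the dictionary name of the "NAS ID" attribute.
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32

def hide_password(secret, authenticator, password):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), the first block keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attribute(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value  # Type, Length (incl. header), Value

def build_access_request(secret, username, password, nas_id, ident=0, authenticator=None):
    authenticator = authenticator or os.urandom(16)  # fresh random Request Authenticator per request
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(secret, authenticator, password.encode()))
             + attribute(NAS_IDENTIFIER, nas_id.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_reply(secret, request_authenticator, code, ident, attrs=b""):
    """What a server holding the secret returns (RFC 2865 section 3); used here to construct sample replies."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs

def verify_reply(secret, request_authenticator, reply):
    """Discard any reply whose Response Authenticator was not computed with the shared secret."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def authenticate(send, packet, timeout=15, retry_count=3):
    """Timeout / Retry count semantics: one attempt plus retry_count retries (assumed reading:
    retry_count=0 means a single attempt). send() returns reply bytes or None on timeout."""
    for attempt in range(1, retry_count + 2):
        reply = send(packet, timeout)
        if reply is not None:
            return reply, attempt
    return None, retry_count + 1
```

In a real deployment `send` would be a UDP socket with `settimeout(timeout)` aimed at the configured Host and Port 1812, and only a reply that passes `verify_reply` with code ACCESS_ACCEPT should grant the login.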