Setting up Two-Factor Authentication (TFA) - RADIUS Authenticator
You can integrate a RADIUS server, or any RADIUS-compliant TFA system (such as Vasco Digipass), with PAM360 as the second factor of authentication. PAM360 acts as a RADIUS client: after the user's primary login succeeds, it sends the code the user enters to the RADIUS server and grants access only on an Access-Accept reply.
Sequence of Events
- Provide basic details about RADIUS server.
- Enable the RADIUS-based authentication system as the second factor.
Setting up RADIUS Authenticator involves the following steps:
- Setting up TFA in PAM360
- Enforcing TFA for Required Users
- Connecting to PAM360 Web Interface when TFA through RADIUS Authenticator is Enabled
1. Setting up TFA in PAM360
- Navigate to Admin >> Authentication >> Two-Factor Authentication.
- Choose the option RADIUS Authenticator.
- In the new dropdown form that opens, provide the following details:
i. Server Name/IP Address - Enter the host name or IP address of the host where RADIUS server is running.
ii. Server Authentication Port - Enter the port on which the RADIUS server accepts authentication requests. The standard (IANA-assigned) port for RADIUS authentication is UDP 1812; some older deployments still listen on UDP 1645, so confirm the value with the RADIUS administrator. Make sure this UDP port is open from the PAM360 server (and the secondary server, if high availability is configured) to the RADIUS host.
iii. Server Protocol - Select the protocol used to authenticate users. Choose from four protocols - Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), Microsoft Challenge-Handshake Authentication Protocol (MSCHAP), and Version 2 of Microsoft Challenge-Handshake Authentication Protocol (MSCHAPv2). The protocol must match what the RADIUS server or TFA back end supports; many one-time-password systems accept only PAP. With PAP the code is carried in the Access-Request protected only by the shared secret, so use a strong, unique secret and a trusted network path between PAM360 and the RADIUS server.
iv. Server Secret - The RADIUS shared secret must be identical to the one configured for the PAM360 client entry on the RADIUS server. You can either enter it manually in the text box or direct PAM360 to use a secret already stored in the product, in which case you select the resource name and account name from the drop-down. Storing the secret in PAM360 and selecting it from the drop-down is the recommended approach, since the secret is then managed, rotated and audited like any other privileged credential.
- Once you have entered the required details, click Save.
- Then, click Confirm to enforce RADIUS Authenticator as the second factor of authentication.
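Before enforcing TFA for any user, it is worth confirming from the PAM360 host that the server name/IP, UDP port and shared secret entered above actually work, so that a typo does not lock administrators out. The following script is an added example written for this page, not PAM360's own code: a minimal RADIUS PAP client built on the Python standard library that sends one Access-Request for a test user and one-time code, checks the reply's Response Authenticator under the configured secret, and reports Access-Accept, Access-Reject, a secret mismatch or no reply. The NAS-Identifier value and the command-line argument order are this script's own assumptions; PAM360's exact request contents are not documented here, so a pass confirms reachability, port and secret rather than PAM360's own exchange. It also includes a Message-Authenticator attribute, which RADIUS servers hardened after Blast-RADIUS may require.

```python
"""Minimal RADIUS PAP client (RFC 2865/2869, standard library only) for
checking the server name/IP, UDP authentication port and shared secret with a
real username and one-time code before RADIUS TFA is enforced in PAM360.
Added example, not PAM360 code. The NAS-Identifier value and the CLI argument
order are hypothetical choices of this script."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER, ATTR_MESSAGE_AUTH = 1, 2, 32, 80


def _attr(atype, value):
    """Type-Length-Value attribute; the length byte covers the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def encode_password(password, secret, authenticator):
    """RFC 2865 5.2 User-Password hiding: pad to 16-byte blocks and XOR each
    block with MD5(secret + previous ciphertext block), seeded with the Request
    Authenticator. This is obfuscation keyed by the secret, not real
    encryption, which is why PAP needs a trusted network path."""
    plain = password.encode()
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(plain), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(plain[i:i + 16], key))
        out += prev
    return out


def decode_password(encoded, secret, authenticator):
    """Inverse of encode_password (what the server does on receipt)."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00").decode()


def build_access_request(username, password, secret, identifier, authenticator,
                         nas_id=b"pam360-radius-check"):
    """Access-Request with User-Name, hidden User-Password, NAS-Identifier and a
    Message-Authenticator (RFC 2869 5.14: HMAC-MD5 keyed with the secret over
    the whole packet with the attribute value zeroed)."""
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encode_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs) + 18)
    zeroed = header + authenticator + attrs + _attr(ATTR_MESSAGE_AUTH, b"\x00" * 16)
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + authenticator + attrs + _attr(ATTR_MESSAGE_AUTH, mac)


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """Server side (RFC 2865 3): Response Authenticator = MD5(Code + ID + Length
    + RequestAuth + Attributes + Secret). Used here to fabricate test replies."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def verify_response(packet, identifier, request_authenticator, secret):
    """Return the reply code only if the identifier matches our request and the
    Response Authenticator validates under our secret; otherwise None. Without
    this check an on-path attacker could forge an Access-Accept."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if ident != identifier or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return code if hmac.compare_digest(expected, packet[4:20]) else None


def radius_check(host, port, secret, username, password, timeout=5.0):
    """Send one PAP Access-Request and classify the outcome as a string."""
    identifier, authenticator = os.urandom(1)[0], os.urandom(16)
    request = build_access_request(username, password, secret, identifier, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            # Servers silently discard requests from unknown client IPs or with a
            # bad Message-Authenticator, so a timeout often means a missing
            # client entry or wrong secret rather than only a firewall problem.
            return "no reply: check host/port/firewall and the client entry and secret on the server"
    code = verify_response(reply, identifier, authenticator, secret)
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
             ACCESS_CHALLENGE: "Access-Challenge"}
    return names.get(code, "reply failed authenticator check: shared secret mismatch or forged packet")


if __name__ == "__main__":
    import sys
    host, port, secret, user, otp = sys.argv[1:6]
    print(radius_check(host, int(port), secret.encode(), user, otp))
```

Run it as `python3 radius_check.py <server> 1812 '<shared secret>' <username> <current code>` from the PAM360 server. An Access-Accept confirms host, port, secret and token are all correct; an Access-Reject means the server was reached with the right secret but did not accept the code; a reply that fails the authenticator check almost always means the secret in PAM360 differs from the one in the server's client entry.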
2. Enforcing TFA for Required Users
- Once you confirm RADIUS Authenticator as the second factor of authentication in the previous step, a new window will prompt you to select the users for whom TFA should be enforced.
- You can enable or disable TFA for a single user or multiple users in bulk from here. To enable TFA for a single user, click on the Enable button beside their respective username. For multiple users, select the required usernames and click on Enable at the top of the user list. Similarly, you can also Disable TFA from here.
- You can select the users later by navigating to Users >> More Actions >> Two-Factor Authentication.
3. Connecting to PAM360 Web Interface when TFA through RADIUS Authenticator is Enabled
Users for whom TFA is enabled have to authenticate twice in succession. The first level is the usual PAM360 authentication: users authenticate with their PAM360 local password or their AD/LDAP password. If the administrator has chosen RADIUS Authenticator as the TFA option, the second level proceeds as follows:
- Upon launching the PAM360 web interface, the user enters the username and the local or AD/LDAP password and clicks Login.
- Once the first level of authentication succeeds, the user is prompted to enter the RADIUS code (for example, the one-time password generated by the user's token). PAM360 forwards this code to the RADIUS server, and the login completes only if the server accepts it.
If You have Configured High Availability:
Whenever you enable TFA, or change the TFA type (PhoneFactor, RSA SecurID, One-time password, RADIUS or Duo), and high availability is configured, you need to restart the PAM360 secondary server once so that it picks up the new TFA settings.