RADIUS server or any RADIUS-Compliant two-factor authentication system (like Vasco Digipass) can be integrated with Access Manager Plus for two factor authentication. Remote Authentication Dial-In User Service (RADIUS) is a protocol that allows remote access servers to communicate with central server to authenticate and authorize access to the requested system.
- Provide basic details about RADIUS server.
- Enable the RADIUS-based authentication system as the second factor.
- Configuring Two-Factor Authentication in Access Manager Plus
- Enforcing Two-Factor Authentication for Required Users
- Connecting to Access Manager Plus Web Interface when TFA through RADIUS Authenticator is Enabled
1. Configuring Two-Factor Authentication in Access Manager Plus
- Navigate to Admin >> Authentication >> Two-factor Authentication.
- Choose the option RADIUS Authenticator.
- Provide the following details in the drop down form:
- Radius Server DNS Name/IP Address: Enter the host name or IP address of the host where RADIUS server is running.
- Radius Server Authentication Port: Enter the port used for RADIUS server authentication. By default, RADIUS has been assigned the UDP port 1812 for RADIUS Authentication.
- Server Protocol: Select the protocol that is used to authenticate users. Choose from four protocols - Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), Microsoft Challenge-Handshake Authentication Protocol (MSCHAP), Version 2 of Microsoft Challenge-Handshake Authentication Protocol (MSCHAP2).
- Server Secret: You have the option to enter the RADIUS server secret manually in the text box by selecting Specify Server Secret manually or you can Use an Account Stored in Access Manager Plus. In this case, you will need to select the connection name and account name from the drop-down.
- Click Save.
- Click Confirm to enforce Radius Authenticaor as the second factor of authentication.
2. Enforcing Two-Factor Authentication for Required Users
- Once Radius Authenticator is confirmed as the second factor of authentication, a new window will prompt you to select the users for whom Two-Factor Authentication should be enforced.
- You can enable or disable two-factor authentication for a single user or multiple users in bulk from here. To enable Two-Factor Authentication for a single user, click on the Enable button beside their respective usernames. For multiple users, select the required usernames and click on Enable at the top of the user list. Similarly, you can also Disable two-factor authentication from here.
- You can also select the users later by navigating to Users >> More Actions >> Two-Factor Authentication.
3. Connecting to Access Manager Plus Web Interface when TFA through RADIUS Authenticator is Enabled
The users for whom Two-Factor Authentication is enabled, will have to authenticate twice successively. As explained above, the first level of authentication will be through the usual authentication. That is, the users have to authenticate through Access Manager Plus's local authentication or AD/LDAP authentication. If the administrator has chosen the TFA option RADIUS Authenticator, the Two-Factor Authentication will happen as detailed below:
- Upon launching the Access Manager Plus web-interface, the user has to enter the username and local authentication or AD/LDAP password to login to Access Manager Plus and click Login.
- Once the first level of authentication succeeds, you will be prompted to enter the RADIUS code.