RADIUS-Compliant Two Factor Authentication
(Feature Available only in Enterprise Edition)
You can integrate a RADIUS server or any RADIUS-compliant two factor authentication system (like Vasco Digipass) with PMP for the second factor of authentication.
Following is the sequence of events involved in using RADIUS-based authentication system as the second factor:
- Provide basic details about RADIUS server
- Enable the RADIUS-based authentication system as the second factor
The steps to use any RADIUS-based authentication system as the second factor are explained below.
Enabling RADIUS Authenticator
Summary of Steps
- Setting up two factor authentication in PMP
- Enforcing two factor authentication for required users in PMP
Step 1: Setting up Two Factor Authentication in PMP
The first step is to enable two factor authentication. To do that,
- Go to "Admin" tab and click "Two Factor Authentication"
- Choose the option "RADIUS Authenticator"
- In the UI that opens, provide the following details:
- Server Name/IP Address - enter the host name or IP address of the host where RADIUS server is running
- Server Authentication Port - enter the port used for RADIUS server authentication. By default, RADIUS authentication is assigned UDP port 1812
- Server Protocol - select the protocol that is used to authenticate users. Choose from four protocols - Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), Microsoft Challenge-Handshake Authentication Protocol (MSCHAP), Version 2 of Microsoft Challenge-Handshake Authentication Protocol (MSCHAP2)
- Server Secret - you can either enter the RADIUS server secret manually in the text box or direct PMP to use a secret already stored in the product. In the latter case, select the resource name and account name from the drop-down. The second option - storing the RADIUS password in PMP and selecting it from the drop-down - is the recommended approach.
Step 2: Enforcing Two Factor Authentication for Required Users
In step 1 above, you chose RADIUS Authenticator as the option for two factor authentication. After choosing this option, you need to apply two factor authentication to the required users. You can do this from the GUI that pops up upon clicking the "Save" button in step 1 above. Alternatively, you can do this as explained below:
To enforce two factor authentication for a user,
- Go to "Admin" >> "Users"
- Click the button "Set 2-factor authentication"
- In the UI that opens, select the users for whom two factor authentication is to be enforced
- Click "Save"
How to connect to PMP Web-Interface when TFA through RADIUS Authenticator is Enabled?
Connecting PMP Web-Interface
Users for whom two factor authentication is enabled will have to authenticate twice in succession. As explained above, the first level of authentication will be through the usual authentication. That is, the users have to authenticate through PMP's local authentication or AD/LDAP authentication.
When TFA is enabled, the login screen will ask for the username alone in the first UI. The users will be prompted to enter the passwords only in the second step.
TFA using RADIUS Authenticator - Workflow
If the administrator has chosen TFA through RADIUS Authenticator, the two factor authentication will happen as detailed below:
- Upon launching the PMP web-interface, the user has to enter the username to login to PMP and click "Login"
In the next screen, you will be prompted to enter the RADIUS code: