Integration with RADIUS based Providers

PAM supports integration with MFA providers that utilize the RADIUS Authentication protocol.

This article will describe how to proceed with the configuration in PAM, but please note that you will need to know the specific values to use. If you do not know the specific configuration of your RADIUS based provider, please contact your Administrator or the Vendor for further assistance.

Pre-requisite: PAM must be deployed with and configured to use its Federated Sign-In component in order to integrate with multi-factor authentication providers.

 

  1. Configure PAM with the Federated Sign-In module and ensure that it is working properly.
  2. Log on to the PAM host computer.
  3. Stop the PamManagement (Windows) or the pammanager (Linux) service. PAM will be offline until this procedure is completed.
  4. Open the file $PAM_HOME/web/conf/catalina.properties and add the following lines to this file, inputting your MFA specific values (marked in red bold) where applicable:
  5. Copy
    cas.authn.mfa.globalProviderId=mfa-radius
     
    cas.authn.mfa.radius.client.sharedSecret=secret
    cas.authn.mfa.radius.client.authenticationPort=1812
    cas.authn.mfa.radius.client.accountingPort=1813
    cas.authn.mfa.radius.client.inetAddress=localhost
    cas.authn.mfa.radius.server.protocol=CHAP  (options include PAP, CHAP, MSCHAPv1, MSCHAPv2, EAP-MD5, EAP-MSCHAPv2)
    cas.authn.mfa.radius.name=XTAM-Trigger # This line should only be added if your are using a Push based RADIUS provider. For example, if a user first authenticates with their username and password and then receives a token to their device, then add this line. Otherwise, do not include this line in your configuration.

     

    Please talk with your RADIUS or Network Administrator to learn what values should be set for the PAM configuration.

     

    If you wish to enable different MFA providers for individual users or group, please read this article for additional information.

  6. When complete, save and close this file.

  7. Start the PamManagement (Windows) or the pammanager (Linux) service and try your RADIUS two-factor authentication login.