Integration with RADIUS based Providers

PAM supports integration with MFA providers that utilize the RADIUS Authentication protocol to provide secure login to its web portal only. If you are looking for a RADIUS integrated solution that supports both the PAM web portal and proxy authentication methods, then we recommend using Imprivata Confirm ID.

This article will describe how to proceed with the configuration in PAM, but please note that you will need to know the specific values to use. If you do not know the specific configuration of your RADIUS based provider, please contact your Administrator or the Vendor for further assistance.

Pre-requisite: PAM must be deployed with and configured to use its Federated Sign-In component in order to integrate with multi-factor authentication providers.

  1. Configure PAM with the Federated Sign-In module and ensure that it is working properly.
  2. Log on to the PAM host computer.
  3. Stop the PamManagement (Windows) or the pammanager (Linux) service. PAM will be offline until this procedure is completed.
  4. Open the file $PAM_HOME/web/conf/catalina.properties and add the following lines to this file, inputting your MFA specific values (marked in red bold) where applicable:

    5. Copy
    cas.authn.mfa.globalProviderId=mfa-radius
     
    cas.authn.mfa.radius.client.sharedSecret=secret
    cas.authn.mfa.radius.client.authenticationPort=1812
    cas.authn.mfa.radius.client.accountingPort=1813
    cas.authn.mfa.radius.client.inetAddress=localhost
    cas.authn.mfa.radius.server.protocol=CHAP  (options include PAP, CHAP, MSCHAPv1, MSCHAPv2, EAP_MD5, EAP_MSCHAPv2)
            cas.authn.mfa.radius.name=XTAM-Trigger # This line should only be added if your are using a Push based RADIUS provider. For example, if a user first authenticates with their username and password and then receives a token to their device, then add this line. Otherwise, do not include this line in your configuration.

     

    Please talk with your RADIUS or Network Administrator to learn what values should be set for the PAM configuration.

    If you wish to enable different MFA providers for individual users or group, please read this article for additional information.

  5. When complete, save and close this file.

  6. Start the PamManagement (Windows) or the pammanager (Linux) service and try your RADIUS two-factor authentication login.

If you want to be able to send a command "push" in Radius integrations,

Open the file $PAM_HOME/web/conf/catalina.properties in text editor, locate the section that begins with #CAS, add the following line:

Copy
cas.authn.mfa.radius.client.push=true

to this file and restart PamManagement (Windows) or the pammanager (Linux) service.

Instruction for update Federated Sign-In component from v5.2 to v6.5 is here.