Configuring the Delinea Connector for Use as a RADIUS Client

You can use your existing RADIUS server for user authentication into Privileged Access Service by enabling communication between your RADIUS server and the Delinea Connector (acting as a RADIUS client). The high level steps are:

  1. Configure the RADIUS server to recognize the connector as a valid RADIUS client. See Configuring a RADIUS Server.

  2. Make configuration changes in Admin Portal to add RADIUS server information, designate the connector as a RADIUS client, and define your authentication requirements to include RADIUS. See Configuring the Admin Portal (connector as a RADIUS client).

If you have multiple connectors enabled for use as RADIUS clients, Privileged Access Service prioritizes connection with the connectors in the following order:

  1. A connector with the same IP address as the user

  2. If more than one connector has the same IP address as the user, a random one of those connectors

  3. The connector with the best subnet match

  4. A random connector if none of the above are available

Configuring a RADIUS Server

You configure the RADIUS server to recognize the connector as a valid RADIUS client. The following RADIUS server configuration procedures use the RSA Authentication Manager’s RADIUS interface as an example. Your procedure may differ slightly if you are using a different RADIUS server.

At a high level, you need the following information regardless of which RADIUS server you use:

  • The IP address of the Delinea Connector

  • The shared secret key; the value you provide to the RADIUS server and the value you enter in Admin Portal must match exactly

To configure the RADIUS server (using the RSA Authentication Manager’s RADIUS interface):

  1. Log in to the Authentication Manager Security Console with “SuperAdmin” or “Auth Mgr Radius Admin” rights.

  2. Click RADIUS Clients > Add New in the RADIUS area.

  3. Provide the required information.

  4. Click Save and Create Associated RSA Agent.

Configuring the Admin Portal (connector as a RADIUS client)

Make configuration changes in Admin Portal to add the RADIUS server information, designate the connector as a RADIUS client, and define your authentication requirements to include RADIUS.

To configure the connector and other Admin Portal settings:

  1. Log in to Admin Portal.

  2. Define the RADIUS server information:

    1. Click Settings > Authentication > RADIUS Connections > Servers > Add to define the RADIUS server information.

    2. Define the relevant information:

      Field: (Server) Name
      Entry: The server name is displayed to users as one of their MFA mechanism options.

      Field: Server Hostname or IP Address + Port
      Entry: The server hostname or IP address and the port number.

      Field: Server Secret
      Entry: The secret shared between the RSA server and Privileged Access Service. If you have already entered a secret key on your RADIUS server, enter that same key here; the keys must match for authentication to work. If you are creating a new secret key, best practice is a length of 22 or more characters.

      Field: Receive Timeout (seconds)
      Entry: The receive timeout for this server. The value must be no less than 5 seconds and no greater than 55 seconds.

      Field: Enable silent initial request + Silent request answer
      Entry: Enable when this RADIUS server requires a fixed answer for the initial request, for example an RSA server with "Enable Only Additional Authentication" enabled. When this is chosen, the initial request to the server is sent with a username and whatever answer is specified in Silent request answer.

      Field: (Optional) User Identifier Attribute
      Entry: The attribute to send to the RADIUS client as the user name for authentication. Select from the default list or define your own by selecting Custom.
        • The CanonicalName default attribute is a computed value, and it is computed differently for each user type. For Active Directory users it is set to one of the following, in this order:
          1) userPrincipalName, if the format is usable (not empty and not starting with "@").
          2) The concatenation of sAMAccountName, "@", and the AD domain.
          For Privileged Access Service users, it is the contents of the Name field.
        • The UUID default attribute is the user ID stored in Privileged Access Service.
        • When you define a Custom attribute, the attribute name must exactly match the user attribute name in the directory service. For example, use sAMAccountName rather than "sam account name", and "mail" rather than "Mail".

      Field: Response Input Label
      Entry: A custom label to use for the response input during login. A maximum of 70 characters is recommended.

    3. Click Save.

  2. Configure the connector as a RADIUS client.

    All relevant connectors must be configured.

    1. Click Network > Delinea Connector > select an existing connector or add a new one to designate the connector as a RADIUS client.

      The Delinea Connector Configuration page opens.

    2. Click RADIUS and select the Enable connections to external RADIUS server checkbox.

    3. (Optional) Select Override server secret for this connector checkbox.

    4. If you do not want all your connectors to have the same shared secret, you can override the secret here and enter a different secret.

    5. Click Save.

  3. Enable 3rd party RADIUS authentication.

    1. Click Policies and either select an existing policy set or add a new one.

    2. Click User Security Policies > RADIUS.

    3. Select Yes in the Allow 3rd Party RADIUS Authentication dropdown.

      This setting allows users to authenticate using the RADIUS server.

    4. Click Save.

  4. Define your authentication requirements to specify when and under which conditions your users will authenticate using the RADIUS server. See How to Define Authentication Requirements. The authentication profile you choose must have the “3rd Party RADIUS Authentication” mechanism selected. Users will not be able to authenticate using the RADIUS server until you define the authentication requirements.

Users can now log in to Privileged Access Service by selecting the RADIUS server authentication method and entering the passcode generated by the RADIUS token container application -- which mirrors a hardware token or a token container running on a mobile device.
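The following Python example is added here and is not Delinea or RSA code. It illustrates two points from the Servers table above: how the CanonicalName user identifier is derived for an Active Directory user, and why the Server Secret must match exactly. The silent initial request is modelled as a standard RFC 2865 Access-Request that carries the user name and the fixed Silent request answer in a User-Password attribute obfuscated under the shared secret; a server holding a different secret cannot recover the answer. The domain, user names and secret are constructed values, and the assumption is that the connector behaves as a standard RFC 2865 client.

```python
import hashlib
import struct

# Added example (not Delinea code). Attribute type numbers and the
# User-Password obfuscation follow RFC 2865; all sample values are constructed.
USER_NAME, USER_PASSWORD = 1, 2
ACCESS_REQUEST = 1


def canonical_name(user_principal_name, sam_account_name, ad_domain):
    """CanonicalName for an Active Directory user, per the rule in the table:
    userPrincipalName when usable, otherwise sAMAccountName@domain."""
    upn = (user_principal_name or "").strip()
    if upn and not upn.startswith("@"):
        return upn
    return f"{sam_account_name}@{ad_domain}"


def pap_obfuscate(secret, authenticator, password):
    """RFC 2865 5.2: pad to 16-byte blocks (at least one), then XOR each block
    with MD5(secret + previous ciphertext block), seeded by the authenticator."""
    size = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_reveal(secret, authenticator, cipher):
    """Server side: recover the answer. Only the matching shared secret works;
    any other secret yields garbage, which is why both entries must be identical."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def silent_access_request(secret, username, silent_answer, authenticator, identifier=0):
    """The 'silent initial request': an Access-Request carrying the user name and
    the fixed Silent request answer in User-Password, with nothing typed by the user."""
    def attr(kind, value):
        return struct.pack("!BB", kind, len(value) + 2) + value
    attrs = attr(USER_NAME, username.encode())
    attrs += attr(USER_PASSWORD, pap_obfuscate(secret, authenticator, silent_answer.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs
```

In a real deployment the Request Authenticator is 16 random bytes chosen per request; a fixed value is used here only so the result is reproducible.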