CYBERARK MULTI-FACTOR AUTHENTICATION USING UPSSO
This document provides instructions for implementing multi-factor authentication for CyberArk with the UPSSO RADIUS service.
PRE-REQUISITES
Integrating UPSSO with CyberArk requires the following:
Administrator access to the UPSSO portal.
CyberArk Vault 10.x and higher
PVWA, PSM, PSMP
CYBERARK MULTI-FACTOR AUTHENTICATION NETWORK DIAGRAM
1. The user authenticates to the firewall using the PVWA, PSM, or PSMP component.
2. The CyberArk component sends an authentication request to the CyberArk Vault.
3. The CyberArk Vault sends an authentication request to the UPSSO RADIUS server.
4. The UPSSO RADIUS server forwards the authentication request to the IDP server.
5. The IDP server checks the authentication request against the enterprise LDAP or UPSSO directory.
6. The IDP sends the multi-factor token through the configured method, such as Google Authenticator, SMS, or Email.
7. The RADIUS server receives an authorization accept or reject message from the IDP server.
8. The UPSSO RADIUS server confirms the authentication request to the target device.
ADD RADIUS CLIENT IN UPSSO PORTAL
1. Log in to the UPSSO portal.
2. Once logged in, go to the Radius clients section.
3. Click on the new record to add a new client.
4. Enter the device name, the IP address, and the secret the device uses to authenticate with the RADIUS server. This secret is used during the device RADIUS configuration.
INTEGRATING VAULT WITH UPSSO
1. Connect to the CyberArk Vault server and locate dbparm.ini in the installation directory. By default, this is “C:\Program Files (x86)\PrivateArk\Server\Conf”.
2. Open “DBparm.ini” and add the following entry at the end, without quotes. Enter the UPSSO RADIUS server IP address, port number (1812), and vault hostname.
3. Open the command prompt and navigate to the folder “C:\Program Files (x86)\PrivateArk\Server”.
4. Execute the following command to generate the encrypted secret file. This secret is used to authenticate with the UPSSO RADIUS server.
CAVaultManager SecureSecretFiles /SecretType Radius /Secret <<replace with UPSSO secret>> /SecuredFileName radiusauth.dat
5. Make sure the radiusauth.dat file is present in the folder “C:\Program Files (x86)\PrivateArk\Server”.
6. Restart the vault using the PrivateArk server UI for the changes to take effect.
7. Login to the PVWA portal as an Administrator user.
8. Navigate to Configuration Options > Options
9. In the left-side menu, navigate to Authentication methods > Radius.
10. Change the value of enabled to Yes. Click OK to save the changes.
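A check for steps 1 to 5 above, as an added PowerShell example that is not part of CyberArk or UPSSO: it reads dbparm.ini and confirms that the RADIUS entry and the encrypted secret file agree before the Vault is restarted. It assumes the entry is CyberArk's RadiusServersInfo parameter with semicolon-separated fields (server IP, port, vault hostname, secret file name); the function name Test-VaultRadiusConfig and the sample values are made up for illustration.

```powershell
# Added example, not CyberArk or UPSSO code.
# Assumption: the dbparm.ini entry is CyberArk's RadiusServersInfo parameter with
# ';'-separated fields: RADIUS server IP; port; vault hostname; secret file name.
function Test-VaultRadiusConfig {
    param(
        [string]$ServerDir = 'C:\Program Files (x86)\PrivateArk\Server',
        [string]$IniPath   = (Join-Path $ServerDir 'Conf\dbparm.ini')
    )
    # Only active (uncommented) entries count.
    $entries = @(Get-Content -LiteralPath $IniPath |
        Where-Object { $_ -match '^\s*RadiusServersInfo\s*=' })
    if ($entries.Count -ne 1) {
        return "expected exactly one RadiusServersInfo line, found $($entries.Count)"
    }
    $fields = @((($entries[0] -split '=', 2)[1] -split ';') | ForEach-Object { $_.Trim() })
    if ($fields.Count -ne 4) {
        return "expected 4 ';'-separated fields, found $($fields.Count)"
    }
    $ip, $port, $vaultHost, $secretFile = $fields
    $parsed = $null
    if ($ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$' -or
        -not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) {
        "RADIUS server field '$ip' is not an IPv4 address"
    }
    if ($port -ne '1812') { "port is '$port'; the guide configures 1812" }
    if (-not $vaultHost)  { 'vault hostname field is empty' }
    # The guide generates the secret file in the Server folder itself, so this
    # check expects a bare file name that exists there.
    if ($secretFile -match '[\\/]') {
        "secret file '$secretFile' should be a bare file name"
    } elseif (-not (Test-Path -LiteralPath (Join-Path $ServerDir $secretFile) -PathType Leaf)) {
        "secret file '$secretFile' not found in $ServerDir"
    }
}

# Constructed sample tree (not a real Vault) with two deliberate faults:
# a port other than 1812 and no radiusauth.dat next to the Conf folder.
$demo = Join-Path ([IO.Path]::GetTempPath()) "vault-demo-$([guid]::NewGuid())"
New-Item -ItemType Directory -Path (Join-Path $demo 'Conf') | Out-Null
'RadiusServersInfo=192.0.2.10;1645;vault01;radiusauth.dat' |
    Set-Content -LiteralPath (Join-Path $demo 'Conf\dbparm.ini')
Test-VaultRadiusConfig -ServerDir $demo
Remove-Item -LiteralPath $demo -Recurse
```

On a Vault server, call Test-VaultRadiusConfig with no arguments after step 5; no output means the entry and the secret file line up.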
CYBERARK RADIUS USER PROVISIONING
There are two ways to provision RADIUS users in the vault:
Provisioning via LDAP
Individual user provisioning
LDAP DIRECTORY INTEGRATION
In this method, we integrate with the LDAP directory for user provisioning. When a new user logs in via RADIUS authentication, CyberArk looks for the user in LDAP and processes the request to RADIUS. This method is widely used because LDAP groups make it easy to manage which users go through RADIUS authentication and to automate safe permissions in AD.
1. Open the PrivateArk client and log in as a user with access to Directory Mappings.
2. From the menu, go to Tools > Administrative Tools > Directory Mappings.
3. Click Add to add a directory mapping, or choose an existing mapping to update. Consult CyberArk for more information on directory mapping.
4. Click on the user template button once you open the desired directory mapping.
5. Click on the Authentication tab and select RADIUS authentication in the drop-down.
6. Click OK to save and close all the windows.
7. Users covered by the LDAP group mapping now log in through RADIUS authentication.
INDIVIDUAL USER PROVISIONING
1. Log in through the PrivateArk client as a user with the “add user” permission.
2. Go to Tools > Administrative Tools > Users & Groups.
3. In the users and group dialog, click New > User
4. In the new user dialog box, enter the username
5. On the Authentication tab, select “Radius authentication”.
6. Leave the rest defaults and click OK to close all the dialog boxes.
7. The user is now configured to connect to CyberArk using RADIUS authentication.
CYBERARK PVWA LOGIN USING RADIUS MULTI-FACTOR AUTHENTICATION
1. Go to the PVWA URL: https://<<PVWA server IP/FQDN>>/PasswordVault/V10
2. Select Radius Authentication.
3. Enter the username of the LDAP user or of the individually created user.
4. Enter the OTP received by SMS, Email, or Google Authenticator
5. You are now logged into the portal.
RADIUS AUTHENTICATION USING PSM PROXY
1. Install Remote Desktop Manager from the Microsoft website.
2. Open Remote Desktop Manager and create a server.
3. Right-click the server and go to Properties.
4. In the server settings, enter server name = PSMServer hostname or IP address, Display Name = hostname or IP address of the target server.
5. Click on the connection settings and configure them as per the screenshot below. A syntax example is given below. Refer to this link for more details: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/PSSO-ConfigureRDPStart.htm
PSM /U VaultUsername@DomainName.com /a IPAddressOfTarget /c Connection-Component
6. Click OK to save the configuration and double-click on the server created.
7. In the login prompt, enter the UPSSO username and password and click OK.
8. In the MFA prompt, enter the code received by SMS, Email, or Google Authenticator.
9. After entering the OTP, you are logged in to the target system.
10. Logged into Target machine
RADIUS AUTHENTICATION USING PSMP
1. Open the PuTTY client.
2. Populate the address in the format below.
VaultUser@TargetUser@TargetServer@PSMPServerIP
Example:
jackson@upsso@192.168.4.73@192.168.4.152
3. Click Open to open the connection and enter the UPSSO user password.
4. Enter the OTP received by SMS, Email, or Google Authenticator.
5. Once authentication is successful, you are logged in to the target device.