Setting Up Two Factor Authentication - RADIUS Authenticator
(Feature Available only in Enterprise Edition)
You can integrate a RADIUS server or any RADIUS-compliant two-factor authentication system (like Vasco Digipass) with Password Manager Pro as the second authentication factor. The following sequence of events is involved in using a RADIUS-based authentication system as the second factor:
- Provide basic details about RADIUS server.
- Enable the RADIUS-based authentication system as the second factor.
Summary of steps:
- Configuring two factor authentication in Password Manager Pro.
- Enforcing two factor authentication for required users.
Step 1: Setting up Two Factor Authentication in Password Manager Pro
- Navigate to "Admin" > "Authentication" > "Two-factor Authentication".
- Choose the option "RADIUS Authenticator".
- In the new dropdown form that opens, provide the following details:
- Server Name/IP Address - Enter the host name or IP address of the host where RADIUS server is running.
- Server Authentication Port - Enter the port used for RADIUS server authentication. By default, RADIUS authentication is assigned UDP port 1812.
- Server Protocol - Select the protocol that is used to authenticate users. Choose from four protocols - Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), Microsoft Challenge-Handshake Authentication Protocol (MSCHAP), Version 2 of Microsoft Challenge-Handshake Authentication Protocol (MSCHAP2).
- Server Secret - Either enter the RADIUS server secret manually in the text box, or direct Password Manager Pro to use a secret already stored in the product. In the latter case, select the resource name and account name from the drop-down. The second option, storing the RADIUS password in PMP and selecting it from the drop-down, is the recommended approach.
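What the "Server Secret" does when the "PAP" protocol is selected, shown as an added example based on RFC 2865 (it is not Password Manager Pro's code): the secret hides the second-factor code inside the Access-Request and lets the client verify that the reply came from a server holding the same secret. The user name, code, secret and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2      # RADIUS packet codes
USER_NAME, USER_PASSWORD = 1, 2           # RADIUS attribute types

def _keystream_xor(data: bytes, secret: bytes, prev: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, hashlib.md5(secret + prev).digest()))

def hide_password(code: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """PAP User-Password hiding: XOR each 16-byte block with MD5(secret + previous block)."""
    if len(code) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = code.ljust(max(16, len(code) + (-len(code) % 16)), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _keystream_xor(padded[i:i + 16], secret, prev)
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side: reverse the hiding with the same shared secret."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _keystream_xor(hidden[i:i + 16], secret, prev)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident: int, user: bytes, code: bytes, secret: bytes, req_auth: bytes = b"") -> bytes:
    req_auth = req_auth or os.urandom(16)  # must be unpredictable per request
    hidden = hide_password(code, secret, req_auth)
    attrs = bytes([USER_NAME, 2 + len(user)]) + user
    attrs += bytes([USER_PASSWORD, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def sign_response(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def response_is_authentic(response: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Client side: accept a reply only if its authenticator matches our secret and request."""
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

Everything that protects the code on the wire here derives from MD5 and the shared secret, which is why a long, random secret kept in the vault rather than typed by hand matters.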
Step 2: Enforcing two factor authentication for required users
In Step 1 above, you have chosen 'RADIUS Authenticator' for two factor authentication. Now, you need to apply two factor authentication for the required users.
To enforce two factor authentication for a user,
- Navigate to the "Users" tab. Select the users for whom two-factor authentication is to be activated.
- Next, click the "More Actions" button at the top of the users list and select "Set Two-factor Authentication" from the dropdown.
- In the UI that opens, confirm the list of your selected users one more time.
- Once you're done, click "Enable" to activate TFA for the desired users. Now,
How to connect to PMP Web-Interface when TFA through RADIUS Authenticator is Enabled?
Users for whom two factor authentication is enabled will have to authenticate twice in succession. As explained above, the first level of authentication is the usual authentication. That is, the users have to authenticate through Password Manager Pro's local authentication or AD/LDAP authentication. If the administrator has chosen the TFA option "RADIUS Authenticator", the two factor authentication will happen as detailed below:
- Upon launching the Password Manager Pro web-interface, the user has to enter the username and the local authentication or AD/LDAP password to log in to Password Manager Pro, and click "Login".
- Once the first level of authentication succeeds, you will be prompted to enter the RADIUS code.
If you have configured High Availability
Whenever you enable TFA or change the TFA type (PhoneFactor, RSA SecurID, One-time password, RADIUS or Duo) AND you have configured high availability, you need to restart the Password Manager Pro secondary server once.