This article describes how to integrate BeyondTrust Password Safe with RSA Authentication Manager (AM) using RADIUS.
Configure AM
Perform these steps to configure AM using RADIUS.
Procedure
- Sign in to Security Console.
- Go to RADIUS > RADIUS Servers and make a note of the IP address of the selected RADIUS server.
- Click RADIUS > RADIUS Clients > Add New.
- On the Add RADIUS Client page, provide the following details:
- Client Name: Enter a descriptive name for the RADIUS client.
- IPv4 Address: Enter the IP address of the RADIUS client (Resource Broker server IP address).
- Make / Model: Standard Radius.
- Shared Secret: Create and enter a secure shared secret. This secret will be used for secure communication between the RADIUS client and the RADIUS server.
- Click Save & Create Associated RSA Agent.
- On the Add New Authentication Agent page, click Save, then confirm by clicking Yes, Save Agent.
Notes
- The AM RADIUS server listens on UDP ports 1645 and 1812.
- The relationship of the agent host record to the RADIUS client in Authentication Manager can be 1-to-1, 1-to-many, or 1-to-all (global).
- The shared secret must be an alphanumeric string between 1 and 31 characters in length, and it is case-sensitive.
Configure BeyondTrust Password Safe
Perform these steps to configure BeyondTrust Password Safe.
Procedure
- Log in to the BeyondInsight management portal using an admin account.
- Perform steps 3 to 9 to use a Resource Broker and Resource Zones for the Password Safe configuration.
The BeyondTrust Resource Broker is a lightweight connector that is deployed inside the customer’s network to securely bridge communication between BeyondTrust Cloud services and internal on-premises resources, such as RADIUS servers.
A Resource Broker is not required when BeyondTrust is deployed on-premises and already has direct network access to those internal systems.
In a single-broker environment, a Resource Zone acts as a logical grouping for on-premises resources (such as RADIUS servers) that should be accessed through a specific Resource Broker.
- Navigate to Configure Zones.
- On the Resource Zones > Zones tab, click Create New Resource Zone.
- Choose a name for the RADIUS Resource Zone and click Create Resource Zone. This will act as a logical group for the RADIUS traffic and will later be associated with a Resource Broker.
- After creating the Resource Zone, click Download installer to download the Resource Broker software (.exe file).
- Click Show Install Key and take note of the install key shown, as this will be needed during the installation wizard of the Resource Broker.
- Follow the steps in the Resource Broker installation wizard on a separate server. This server should be in the RSA RADIUS server's network. Enter the Install Key copied earlier when prompted during the installation, and choose the Resource Zone created earlier.
- After completing the setup, navigate to the Brokers tab, and the newly created Resource Broker should appear in the list with a Healthy status.
- In the left pane, click the Configuration gear icon.
- Under Authentication Management, choose RADIUS Two-Factor Authentication.
- Click Create New RADIUS Alias.
- Fill in the required details for the RADIUS server:
- Alias: Choose an alias for the RSA RADIUS server.
- Host: Enter the IP address for the Identity router management IP.
- Resource Zone: Choose the resource zone created earlier, which is associated with the created Resource Broker. If the RADIUS server is in the same network as BeyondTrust, the Resource Zone can be left blank.
- Authentication mechanism: PAP.
- Authentication port: Leave as 1812, the default RADIUS port.
- Shared secret: Enter the same secret entered earlier in the RADIUS client configuration.
- Initial request: Choose Forward username and password from the drop-down list.
- To confirm the details, click Create New RADIUS Alias.
The configuration is complete.
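The shared secret and PAP settings above, as an added example (not RSA or BeyondTrust code): this Python code generates a secret that fits AM's 1 to 31 alphanumeric character rule and shows how RADIUS PAP hides the password with that secret, following RFC 2865 section 5.2. The function names and the sample passcode are constructed for illustration.

```python
import hashlib
import secrets
import string

ALNUM = string.ascii_letters + string.digits
MAX_LEN = 31  # upper limit from the AM note on shared secrets

def generate_shared_secret(length: int = MAX_LEN) -> str:
    """Random alphanumeric secret from the OS CSPRNG, within AM's limit."""
    if not 1 <= length <= MAX_LEN:
        raise ValueError("AM accepts 1 to 31 characters")
    return "".join(secrets.choice(ALNUM) for _ in range(length))

def is_valid_shared_secret(secret: str) -> bool:
    """Check the AM rule: 1-31 characters, ASCII letters and digits only."""
    return 1 <= len(secret) <= MAX_LEN and all(c in ALNUM for c in secret)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: build the User-Password value (RFC 2865, section 5.2)."""
    if len(authenticator) != 16 or not 1 <= len(password) <= 128:
        raise ValueError("need a 16-byte authenticator and a 1-128 byte password")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        # Each block's keystream depends only on the secret and public packet data.
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += prev
    return hidden

def reveal_pap_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: recover the password with the same shared secret."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")

if __name__ == "__main__":
    secret = generate_shared_secret()          # paste into AM and the RADIUS alias
    ra = secrets.token_bytes(16)               # Request Authenticator, sent in clear
    passcode = b"1234" + b"56789012"           # constructed PIN + tokencode sample
    wire = hide_pap_password(passcode, secret.encode(), ra)
    print(is_valid_shared_secret(secret), len(wire))
    print(reveal_pap_password(wire, secret.encode(), ra) == passcode)
```

With PAP, the shared secret is the only thing protecting the passcode between the Resource Broker and AM, so use the full 31 random characters and enter it identically (including case) on both sides.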