This article describes how to integrate BeyondTrust Password Safe with RSA Cloud Access Service (CAS) using RADIUS.
Configure CAS
Perform these steps to configure RSA Cloud Access Service using RADIUS.
Procedure
- Sign in to RSA Cloud Administration Console.
- Click Authentication Clients > RADIUS.
- Click Add RADIUS Client and Profiles.
- On the RADIUS Client page, provide the following details:
  - Name: Enter a descriptive name for the RADIUS client.
  - IP Address: Enter the IP address of the RADIUS client (Resource Broker server IP address).
  - Shared Secret: Create and enter a secure shared secret. This secret will be used for secure communication between the RADIUS client and the RADIUS server.
- After entering the RADIUS client details, click Save and Next Step, and then click Finish to complete the configuration.
- Click Publish Changes to apply your changes to the RADIUS server and wait for the process to be completed.
Notes
- The RSA Cloud Access RADIUS server is configured to listen on UDP port 1812.
- Shared Secret must be an alphanumeric string between 1 and 31 characters in length and is case-sensitive.
Configure BeyondTrust Password Safe
Perform these steps to configure BeyondTrust Password Safe.
Procedure
- Log in to the BeyondInsight management portal using an admin account.
- To use a Resource Broker and Resource Zones for the Password Safe configuration, perform steps 3 to 9 below.
The BeyondTrust Resource Broker is a lightweight connector that is deployed inside the customer’s network to securely bridge communication between BeyondTrust Cloud services and internal on-premises resources, such as RADIUS servers.
A Resource Broker is not required when BeyondTrust is deployed on-premises and already has direct network access to those internal systems.
In a single-broker environment, a Resource Zone acts as a logical grouping for on-premises resources (such as RADIUS servers) that should be accessed through a specific Resource Broker.
- Navigate to Configure Zones.
- On the Resource Zones > Zones tab, click Create New Resource Zone.
- Choose a name for the RADIUS Resource Zone and click Create Resource Zone. This will act as a logical group for the RADIUS traffic and will later be associated with a Resource Broker.
- After creating the Resource Zone, click Download installer to download the Resource Broker Software exe file.
- Click Show Install Key and take note of the install key shown, as this will be needed during the installation wizard of the Resource Broker.
- Follow the steps in the Resource Broker installation wizard on a separate server. This server should be in the RSA RADIUS server's network. When prompted during the installation, enter the install key copied earlier and choose the Resource Zone created earlier.
- After completing the setup, navigate to the Brokers tab, and the newly created Resource Broker should appear in the list with a Healthy status.
- In the left pane, click the Configuration gear icon.
- Under Authentication Management, choose RADIUS Two-Factor Authentication.
- Click Create New RADIUS Alias.
- Fill in the required details for the RADIUS server:
  - Alias: Choose an alias for the RSA RADIUS server.
  - Host: Enter the management IP address of the Identity Router.
  - Resource Zone: Choose the resource zone created earlier, which is associated with the created Resource Broker. If the RADIUS server is in the same network as BeyondTrust, the Resource Zone can be left blank.
  - Authentication mechanism: PAP.
  - Authentication port: Leave as 1812, the default RADIUS port.
  - Shared secret: Enter the same secret entered earlier in the RADIUS client configuration.
  - Initial request: Choose Forward username and password from the drop-down list.
- To confirm the details, click Create New RADIUS Alias.
The configuration is complete.
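What the PAP and Shared secret settings above mean on the wire, as an added example (not RSA or BeyondTrust code): under RFC 2865 the forwarded password is hidden only by an MD5 chain keyed with the shared secret, so the secret should be random and use the full 31 alphanumeric characters the Notes allow. All function names, the user name and the passcode are constructed for illustration.

```python
import hashlib
import secrets
import string
import struct

def generate_shared_secret(length: int = 31) -> str:
    """Random alphanumeric secret within the 1-31 character limit in the Notes."""
    if not 1 <= length <= 31:
        raise ValueError("length must be between 1 and 31")
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def _xor_chain(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous hidden block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, pad))
        prev = result if hiding else block  # the chain always uses the hidden block
        out += result
    return out

def hide_password(password: str, secret: str, authenticator: bytes) -> bytes:
    raw = password.encode()
    raw = raw.ljust(max(16, (len(raw) + 15) // 16 * 16), b"\x00")  # NUL-pad to 16n bytes
    return _xor_chain(raw, secret.encode(), authenticator, hiding=True)

def unhide_password(hidden: bytes, secret: str, authenticator: bytes) -> str:
    plain = _xor_chain(hidden, secret.encode(), authenticator, hiding=False)
    return plain.rstrip(b"\x00").decode()

def build_access_request(user: str, password: str, secret: str,
                         identifier: int, authenticator: bytes) -> bytes:
    """Minimal PAP Access-Request (code 1); NAS attributes omitted for brevity."""
    attrs = b""
    for attr_type, value in ((1, user.encode()),  # 1 = User-Name, 2 = User-Password
                             (2, hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs

if __name__ == "__main__":
    secret = generate_shared_secret()
    authenticator = secrets.token_bytes(16)  # Request Authenticator: fresh random per request
    packet = build_access_request("alice", "constructed-passcode", secret, 1, authenticator)
    print(len(packet), packet.hex())
    print(unhide_password(packet[-32:], secret, authenticator))  # server-side recovery
```

Anyone who captures the UDP 1812 traffic and knows or guesses the shared secret can run the same recovery step, which is why the Resource Broker is placed in the RSA RADIUS server's network and the secret is kept long and random.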