CyberArk Password Vault Web Access - RADIUS Configuration with Authentication Manager - RSA Ready Implementation Guide
Originally Published: 2021-10-07

This article describes how to integrate CyberArk PVWA with Authentication Manager (AM) using RADIUS.

   

Configure AM

Perform these steps to configure AM using RADIUS.

Procedure

  1. Sign in to Security Console.
  2. Go to RADIUS > RADIUS Servers and make a note of the IP address of the selected RADIUS server.
  3. Navigate to RADIUS > RADIUS Clients and click Add New.
  4. On the Add RADIUS Client page, enter the following:
    1. Client Name: Enter a descriptive name for the RADIUS client.
    2. IPv4 Address: Enter the IP address of the RADIUS client (CyberArk Vault IP address).
    3. Make/Model: Standard Radius.
    4. Shared Secret: Create and enter a secure shared secret. This secret will be used for secure communication between the RADIUS client and the RADIUS server.
  5. Click Save & Create Associated RSA Agent.
  6. On the Add New Authentication Agent page, click Save, then confirm by clicking Yes, Save Agent.

Notes:

  • AM RADIUS server listens on ports UDP 1645 and UDP 1812.
  • The relationship of agent host record to RADIUS client in the AM can be 1 to 1, 1 to many, or 1 to all (global).
  • Shared Secret must be an alphanumeric string between 1 and 31 characters in length and is case-sensitive.

   

Configure CyberArk PVWA

Perform these steps to configure the CyberArk PVWA.
Procedure

  1. Log in to the CyberArk Vault Windows server.
  2. Stop the Vault server.
  3. In the Vault installation folder, run CAVaultManager as administrator with the SecureSecretFiles command to create a file containing an encrypted copy of the RADIUS shared secret. You can specify the full path of the file that will hold the encrypted secret and the secret itself; the file may have a DAT, INI, or TXT extension. The following example encrypts the shared secret VaultSecret (the same value entered in the AM RADIUS client record) and stores it in a file called radiusauth.dat in the current folder:
    CAVaultManager SecureSecretFiles /SecretType Radius /Secret VaultSecret /SecuredFileName radiusauth.dat
  4. Open DBParm.ini in the Server\Conf folder under the Vault installation folder.
  5. Set the RadiusServersInfo parameter. All the details are specified in the same parameter, separated by semicolons.
    RadiusServersInfo=1.1.1.250;1812;vaulthostname;radiusauth.dat
    In the preceding example, the IP address of the RADIUS server is 1.1.1.250, and its port is 1812. The name of the RADIUS client (Vault machine as entered in the RADIUS server) is vaulthostname, and the name of the file that contains the secret password is radiusauth.dat. The file is stored in the current folder, and therefore, the full path is not specified.
  6. (Optional) Extend the DefaultTimeout value to 60 seconds. This allows users more time to complete out-of-band authentication challenges before the RADIUS request times out.
  7. Start the Vault server.
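What the Vault and AM exchange once the steps above are in place is a plain RFC 2865 RADIUS PAP round trip: the Vault (the RADIUS client) sends an Access-Request whose User-Password is hidden with MD5 keyed by the shared secret, AM unhides the passcode, checks it, and signs its Access-Accept or Access-Reject with a Response Authenticator that the client verifies with the same secret. The following is an added example (not CyberArk or RSA code) that reconstructs both sides of that exchange offline, so the effect of a mismatched shared secret can be seen before the Vault is restarted. The server address 1.1.1.250:1812 and client name vaulthostname come from the configuration above; the user rsauser and passcode 1234567890 are constructed, hypothetical values, and the secret is supplied in plaintext because the contents of radiusauth.dat are not readable by this script.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE, NAS_IDENTIFIER = 1, 2, 18, 24, 32

def encode_attrs(attrs):
    """(type, value) pairs -> TLVs; the length octet covers type+length+value."""
    out = b""
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out

def decode_attrs(data):
    attrs = []
    while data:
        atype, alen = struct.unpack("!BB", data[:2])
        if alen < 2 or alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[2:alen]))
        data = data[alen:]
    return attrs

def hide_password(secret, request_auth, password):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(secret, request_auth, hidden):
    """Server side of hide_password; the chain is keyed by the hidden blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\x00")

def build_access_request(secret, identifier, username, password, nas_id):
    """Client side. Returns (request_authenticator, packet)."""
    request_auth = os.urandom(16)
    body = encode_attrs([(USER_NAME, username),
                         (USER_PASSWORD, hide_password(secret, request_auth, password)),
                         (NAS_IDENTIFIER, nas_id)])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return request_auth, header + request_auth + body

def build_response(secret, code, identifier, request_auth, attrs):
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def verify_response(secret, request_auth, expected_id, packet):
    """Client side. (code, attrs) if the reply matches our request and was authenticated
    with our secret; None for a wrong secret, a forged reply or a truncated packet."""
    if len(packet) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if identifier != expected_id or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return (code, decode_attrs(packet[20:])) if expected == packet[4:20] else None

def simulate_exchange(client_secret, server_secret, username, passcode, am_users):
    """Offline round trip. am_users is a constructed {user: passcode} table standing in
    for AM. Returns the reply code the client accepted, or None if verification failed."""
    req_auth, request = build_access_request(client_secret, 7, username, passcode, b"vaulthostname")
    # AM side: unhide the passcode with its own copy of the secret and decide
    attrs = dict(decode_attrs(request[20:]))
    ok = am_users.get(attrs[USER_NAME]) == reveal_password(server_secret, request[4:20], attrs[USER_PASSWORD])
    reply = build_response(server_secret, ACCESS_ACCEPT if ok else ACCESS_REJECT, request[1],
                           request[4:20], [(REPLY_MESSAGE, b"OK" if ok else b"Access denied")])
    # Vault side: trust the reply only if it was authenticated with our secret
    verified = verify_response(client_secret, req_auth, 7, reply)
    return verified[0] if verified else None

def radius_auth(server_ip, port, secret, username, passcode, nas_id, timeout=60):
    """Live probe from the Vault host (needs network); timeout mirrors DefaultTimeout=60."""
    req_auth, request = build_access_request(secret, 1, username, passcode, nas_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server_ip, port))
        reply, _ = sock.recvfrom(4096)
    return verify_response(secret, req_auth, 1, reply)

if __name__ == "__main__":
    users = {b"rsauser": b"1234567890"}  # constructed, hypothetical AM user and passcode
    print(simulate_exchange(b"VaultSecret", b"VaultSecret", b"rsauser", b"1234567890", users))  # 2 = Access-Accept
    print(simulate_exchange(b"VaultSecret", b"OtherSecret", b"rsauser", b"1234567890", users))  # None: reply fails check
```

Two points worth taking from the simulation. First, a secret mismatch does not produce a clean "wrong secret" error on the wire: AM unhides a garbage passcode and answers Access-Reject, and the client then discards that reply because its Response Authenticator was computed with a different secret, so the user sees a timeout rather than a rejection. Second, an out-of-band approval shows up as code 11 (Access-Challenge) carrying State and Reply-Message, and the client has to keep the request open while the user responds, which is why the guide suggests raising DefaultTimeout. Because the only protection on this UDP exchange is the MD5 construction keyed by the shared secret, the secret should use the full 31 characters AM allows, and the AM client record should be limited to the Vault server's address, since RADIUS servers match clients by source IP. radius_auth sends the same packet to a real server (for example 1.1.1.250, port 1812) from the Vault host.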

  

Configure a RADIUS User on Password Vault Server

  1. Log in to the PrivateArk Client as an Administrator user.
  2. Browse to Tools > Administrative Tools > Users and Groups and Add or Update an account to use with RADIUS authentication.
  3. Choose a username for the user.
  4. Navigate to the Authentication tab of the user profile, select RADIUS Authentication in the Authentication method drop-down list, and click OK.

  

Configure Access Through PVWA

  1. Log in to the PVWA as an Administrator.
  2. Click Administration > Configuration Options to display the System Configuration page.
  3. Click Options.
  4. Open the Authentication Methods menu and click radius.
  5. Configure the RADIUS properties and click OK.

    1. DisplayName: Enter the display name for this authentication method.
    2. Enabled: Set to Yes.
    3. UseVaultAuthentication: Set to Yes.
    4. UseRadius: Set to Yes.

The configuration is complete.