CyberArk Password Vault Web Access - RADIUS Configuration with Cloud Access Service - RSA Ready Implementation Guide
Originally Published: 2021-10-07

This article describes how to integrate Cloud Access Service (CAS) with CyberArk Password Vault Web Access (PVWA) using RADIUS.


Configure CAS

Perform these steps to configure CAS using RADIUS.
Procedure

  1. Sign in to RSA Cloud Administration Console. 
  2. Navigate to Authentication Clients > RADIUS.
  3. Click Add Radius Client and Profiles.
  4. On the RADIUS Client page, enter the following:
    1. Name: Enter a descriptive name for the RADIUS client.
    2. IP Address: Enter the IP address of the RADIUS client. This is the CyberArk Vault server (the Vault, not the PVWA web server, sends the RADIUS requests), so enter the source address the RADIUS server will actually see from the Vault.
    3. Shared Secret: Create and enter a secure shared secret. The RADIUS client and server use it to hide passwords and to authenticate each other's packets; the same value is encrypted into the Vault's secured secret file in a later step.
  5. Click Save and Next Step, and then click Finish to complete the configuration.
  6. Click Publish Changes to apply your changes to the RADIUS server and wait for the process to be completed.

Notes:

  • The Cloud Access RADIUS server is configured to listen on UDP port 1812. Open this port from the Vault server to the RADIUS server before testing.
  • Shared Secret must be an alphanumeric string between 1 and 31 characters in length and is case-sensitive. RADIUS password hiding and packet authentication rest entirely on this value, so use a randomly generated secret of the full 31 characters rather than the minimum the rule permits.
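Before touching the Vault it is worth confirming, from the Vault host itself, that the CAS RADIUS endpoint answers on UDP 1812 and that the secret you just published matches. The probe below is an added example written for this guide, not RSA or CyberArk code. It builds a RADIUS Access-Request (RFC 2865) with the User-Password hidden under the shared secret and a Message-Authenticator (RFC 2869), then checks the server's Response Authenticator. The useful property for troubleshooting: an Access-Reject whose Response Authenticator verifies proves that the port and the shared secret are right and only the credentials were refused, while a reply that fails the check means the two sides hold different secrets, and no reply at all points at the firewall or at a client IP that does not match the CAS entry. The server address, user, password and the NAS-Identifier value (assumed here to be the client name entered in CAS) are placeholders supplied on the command line; both sides of the exchange are implemented so the packet logic can be exercised offline.

```python
"""RADIUS probe (RFC 2865/2869) for the CAS shared secret and UDP port 1812.
Added example for this guide, not RSA or CyberArk code. Server, user, password and
NAS-Identifier (assumed to be the client name entered in CAS) are supplied by the caller."""
import hashlib, hmac, os, re, secrets, socket, struct, sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 2, 32, 80
ALNUM = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

def valid_cas_secret(secret: str) -> bool:
    """CAS rule quoted in the guide: 1-31 alphanumeric characters, case-sensitive."""
    return re.fullmatch(r"[A-Za-z0-9]{1,31}", secret) is not None

def generate_cas_secret(length: int = 31) -> str:
    """Strongest secret the rule allows: all 31 characters, drawn from a CSPRNG."""
    if not 1 <= length <= 31:
        raise ValueError("CAS accepts 1 to 31 characters")
    return "".join(secrets.choice(ALNUM) for _ in range(length))

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block), starting from the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side of 5.2: a wrong secret yields garbage, so a mismatch shows up as a reject."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(t: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; the length counts the 2-byte header."""
    return struct.pack("!BB", t, len(value) + 2) + value

def build_access_request(ident: int, req_auth: bytes, user: str, password: str, secret: str, nas_id: str) -> bytes:
    """Client message: hidden User-Password plus an RFC 2869 Message-Authenticator (HMAC-MD5 over the packet with the attribute zeroed)."""
    s = secret.encode()
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), s, req_auth))
             + attr(NAS_IDENTIFIER, nas_id.encode())
             + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))  # placed last, so its value is the final 16 bytes
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    return pkt[:-16] + hmac.new(s, pkt, hashlib.md5).digest()

def message_authenticator_ok(pkt: bytes, secret: str) -> bool:
    """What the server checks on receipt: find attribute 80, zero it, recompute the HMAC."""
    i = 20
    while i + 2 <= len(pkt):
        t, l = pkt[i], pkt[i + 1]
        if l < 2:
            return False
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            zeroed = pkt[:i + 2] + b"\x00" * 16 + pkt[i + 18:]
            return hmac.compare_digest(hmac.new(secret.encode(), zeroed, hashlib.md5).digest(), pkt[i + 2:i + 18])
        i += l
    return False

def build_response(code: int, ident: int, req_auth: bytes, secret: str, attrs: bytes = b"") -> bytes:
    """Server message: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret.encode()).digest() + attrs

def response_authenticator_ok(resp: bytes, req_auth: bytes, secret: str) -> bool:
    """Client-side proof that the reply came from a server holding the same secret."""
    if len(resp) < 20:
        return False
    length = struct.unpack("!H", resp[2:4])[0]
    if length < 20 or length > len(resp):
        return False
    resp = resp[:length]
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret.encode()).digest()
    return hmac.compare_digest(expected, resp[4:20])

def classify(resp: bytes, ident: int, req_auth: bytes, secret: str) -> str:
    """Troubleshooting verdict: a verifiable reject still proves the port and secret are right."""
    if len(resp) < 20:
        return "malformed reply"
    if resp[1] != ident:
        return "reply for a different request id"
    if not response_authenticator_ok(resp, req_auth, secret):
        return "shared secret mismatch: reply failed the Response Authenticator check"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject (secret OK, credentials refused)",
            ACCESS_CHALLENGE: "challenge (secret OK, out-of-band step pending)"}.get(resp[0], f"code {resp[0]}")

def probe(server: str, secret: str, user: str, password: str, nas_id: str, port: int = 1812, timeout: float = 5.0) -> str:
    """Send one Access-Request from this host (run it on the Vault, whose IP is the CAS client entry)."""
    ident, req_auth = secrets.randbelow(256), os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_access_request(ident, req_auth, user, password, secret, nas_id), (server, port))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply: check UDP 1812, firewalls, and that this host's IP is the CAS client entry"
    return classify(resp, ident, req_auth, secret)

if __name__ == "__main__":  # usage: python radius_probe.py <server> <secret> <user> <password> <nas_id>
    print(probe(*sys.argv[1:6]))
```

Run it on the Vault server with the CAS RADIUS address and the secret you published; a verdict beginning with "reject" or "challenge" is the good outcome at this stage, since no Vault user exists yet and the point is only to validate the port and the secret. The secret appears on the command line here just as it does with CAVaultManager later, so clear the shell history afterwards.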


Configure CyberArk PVWA

Perform these steps to configure the CyberArk PVWA.
Procedure

  1. Log in to the CyberArk Vault Windows server.
  2. Stop the Vault server.
  3. In the Vault installation folder, run CAVaultManager as an administrator with the SecureSecretFiles command to create a file that contains an encrypted version of the RADIUS shared secret. Specify the secret itself and, optionally, the full path of the file that will hold the encrypted secret; the file may have a DAT, INI, or TXT extension. The following example encrypts the shared secret VaultSecret (the same value entered in CAS) and stores it in a file called radiusauth.dat in the current folder:
    CAVaultManager SecureSecretFiles /SecretType Radius /Secret VaultSecret /SecuredFileName radiusauth.dat
    The plaintext secret is passed on the command line, so clear the shell history afterwards and restrict access to the resulting file to the Vault service account.
  4. Navigate to /Server/Conf under the Vault installation folder and open DBParm.ini.
  5. Set the RadiusServersInfo parameter. All the details go in the same parameter, separated by semicolons, in this order: RADIUS server address, port, RADIUS client name, secured secret file.
    RadiusServersInfo=1.1.1.250;1812;vaulthostname;radiusauth.dat
    In the preceding example, 1.1.1.250 is the IP address of the RADIUS server and 1812 is its port (the port CAS listens on). vaulthostname is the name of the RADIUS client (the Vault machine) as entered in the RADIUS server, and radiusauth.dat is the file that contains the encrypted secret. The file is stored in the current folder, so the full path is not specified.
  6. (Optional) Extend the DefaultTimeout value to 60 seconds. This allows more time for users to complete out-of-band authentication challenges before the Vault gives up on the RADIUS request.
  7. Start the Vault server.


Configure a RADIUS User on Password Vault Server

  1. Log in to the PrivateArk Client as an Administrator user.
  2. Browse to Tools > Administrative Tools > Users and Groups and add a new user, or update an existing one, to use RADIUS authentication.
  3. Choose a username for the user. The Vault sends this username in the RADIUS request, so it must be a user that CAS can authenticate.
  4. Navigate to the Authentication tab of the user profile, select RADIUS Authentication in the Authentication method drop-down list, and click OK.


Configure Access Through PVWA

  1. Log in to the PVWA as an Administrator.
  2. Click Administration > Configuration Options to display the System Configuration page.
  3. Click Options.
  4. Open the Authentication Methods menu and click radius.
  5. Configure the RADIUS properties and click OK.
    1. DisplayName: Enter the value for the display name for this authentication method.
    2. Enabled: Set to Yes.
    3. UseVaultAuthentication: Set to Yes.
    4. UseRadius: Set to Yes.

The configuration is complete. Verify it by signing in to the PVWA with the RADIUS user configured above.