RADIUS | PRA

• Name: Create a unique name to help identify this provider.

• Enabled: If checked, your appliance can search this security provider when a user attempts to log in to the access console or /login. If unchecked, this provider will not be searched.

• Keep display name synchronized with remote system: These values determine which fields should be used as the user's private and public display names.

• Authorization settings

  • Only allow the following users: You can choose to allow access only to specified users on your RADIUS server. Enter each username separated by a line break. Once entered, these users will be available from the Add Policy Member dialog when editing group policies on the /login > Users & Security > Group Policies page.

    If you leave this field blank, all users who authenticate against your RADIUS server will be allowed; if you allow all, you must also specify a default group policy.

  • Default group policy: Each user who authenticates against an external server must be a member of at least one group policy in order to authenticate to your appliance, logging into either the /login interface or the access console. You can select a default group policy to apply to all users allowed to authenticate against the configured server.

  • LDAP group lookup If you want users on this security provider to be associated with their groups on a separate LDAP server, choose one or more LDAP group servers to use for group lookup.

• Connection settings

  • Hostname: Enter the hostname of the server that houses your external directory store.

  • Port: Specify the authentication port for your RADIUS server. This is typically port 1812.

  • Timeout (seconds): Set the length of time to wait for a response from the server. Note that if the response is Response-Accept or Response-Challenge, then RADIUS will wait the entire time specified here before authenticating the account. Therefore, it is encouraged to keep this value as low as reasonably possible given your network settings. An ideal value is 3-5 seconds, with the maximum value at three minutes.

  • Connection method

    • Proxy from appliance through the Connection Agent: If you are using an external directory store in the same LAN as your appliance, the two systems may be able to communicate directly, so leave this option unchecked.

      If the two systems are unable to communicate directly, such as if your external directory server is behind a firewall, you must use a connection agent. Downloading the Win32 connection agent enables your directory server and your appliance to communicate via an SSL-encrypted, outbound connection, with no firewall configuration. The connection agent can be downloaded to either the directory server or a separate server on the same network as your directory server (recommended).

      Check this option, create a Connection Agent Password for use in the connection agent installation process. Then click Download Connection Agent, run the installer, and follow the installation wizard. During installation, you will be prompted to enter the security provider name and the connection agent password you created above.

    ℹ️

    The Proxy from appliance through the Connection Agent option is not available to Privileged Remote Access Cloud customers, as Cloud instances must run the connection agent in order to use an external directory store.

  • Shared secret: Provide a new shared secret so your appliance and your RADIUS server can communicate.

• Cluster settings (Visible only for clusters)

  • Member selection algorithm: Select the method to search the nodes in this cluster.

    • Top-to-bottom first attempts the server with the highest priority in the cluster. If that server is unavailable or the account is not found, the next highest priority server is attempted. The search moves down through the list of clustered servers until either the account is found or it is determined that the account does not exist on any of the specified and available servers.

    • Round-robin is designed to balance the load between multiple servers. The algorithm chooses at random which server to attempt first. If that server is unavailable or the account is not found, another random server is attempted. The search continues at random through the remaining servers in the cluster until either the account is found or it is determined that the account does not exist on any of the specified and available servers.

  • Retry delay: Set how long to wait after a cluster member becomes unavailable before trying that cluster member again.

• Test settings

  • Username and password: Enter a username and password for an account that exists on the server you are testing. This account must match the criteria for login specified in the configuration above.
  • Try to obtain user attributes and group memberships if the credentials are accepted If this option is checked, your successful credential test will also attempt to check user attributes and group lookup.
  • Test If your server is properly configured and you have entered a valid test username and password, you will receive a success message. Otherwise, you will see an error message and a log that will help in debugging the problem.

  ℹ️

  For these features to be successfully tested, they must be supported and configured in your security provider.

✅

See Additional setup and tips to:

• Authenticate using on-time passwords (OTP)
• Configure for Windows 2000/2003 IAS
• Troubleshoot the integration

• Cluster settings (Visible only for clusters)

  • Member selection algorithm: Select the method to search the nodes in this cluster.

    • Top-to-bottom first attempts the server with the highest priority in the cluster. If that server is unavailable or the account is not found, the next highest priority server is attempted. The search moves down through the list of clustered servers until either the account is found or it is determined that the account does not exist on any of the specified and available servers.

    • Round-robin is designed to balance the load between multiple servers. The algorithm chooses at random which server to attempt first. If that server is unavailable or the account is not found, another random server is attempted. The search continues at random through the remaining servers in the cluster until either the account is found or it is determined that the account does not exist on any of the specified and available servers.

  • Retry delay: Set how long to wait after a cluster member becomes unavailable before trying that cluster member again.

• Test settings

  • Username and password: Enter a username and password for an account that exists on the server you are testing. This account must match the criteria for login specified in the configuration above.
  • Try to obtain user attributes and group memberships if the credentials are accepted If this option is checked, your successful credential test will also attempt to check user attributes and group lookup.
  • Test If your server is properly configured and you have entered a valid test username and password, you will receive a success message. Otherwise, you will see an error message and a log that will help in debugging the problem.

  ℹ️

  For these features to be successfully tested, they must be supported and configured in your security provider.

✅

See Additional setup and tips to:

• Authenticate using on-time passwords (OTP)
• Configure for Windows 2000/2003 IAS
• Troubleshoot the integration

When using the RADIUS security provider, you can choose to use a one-time password (OTP) service provider, such as RSA SecurID. An OTP is a randomized password that is generated by a third-party service provider through a token or some other means and changes within a certain time frame to provide an extra layer of security upon login.

Within your OTP provider's interface, you can configure a prompt to appear asking for credentials on the login screens for the BeyondTrust access console or /login administrative interface. Once configured, users must enter their BeyondTrust username and password and then the OTP into the prompt.

If the OTP is entered correctly, access to the BeyondTrust access console or /login administrative interface will be granted.

However, if the OTP is entered incorrectly, a new prompt will appear asking for the password to be re-entered.

Each user who will be authenticating with your IAS server must have remote access permission. The remote access permission can be defined via the Active Directory Users and Computer snap-in. View the properties for the appropriate user. On the tab Dial-in, grant the Allow Access to Remote Access permission.

You can also configure this permission through the remote access policy. Please consult your Windows documentation for the proper steps.

🚧

Important information

The policy must allow for authentication via PAP, as this is the only RADIUS method currently supported by BeyondTrust. Review your IAS policy and ensure this method is supported as a means of authenticating via your appliance.