CYBERARK MULTI-FACTOR AUTHENTICATION USING UPSSO

This document provides instructions to implement multi-factor authentication to Cyberark with UPSSO RADIUS service.

PRE-REQUISITES

To integrate UPSSO with the Cyberark, below are the pre-requisites we need.

  • Administrator access to UPSSO Portal.
  • CyberArk Vault 10.X and higher

CYBERARK MULTI-FACTOR AUTHENTICATION NETWORK DIAGRAM

  1. User authenticated to the firewall using PVWA, PSM, or PSMP components.
  2. CyberArk Components sends an authentication request to the CyberArk Vault.
  3. CyberArk Vault sends an authentication request to the UPSSO Radius Server.
  4. UPSSO Radius server forwards the authentication request to the IDP server.
  5. IDP server checks the authentication request with enterprise LDAP or UPSSO directory.
  6. IDP sends the multi-factor token to be configured methods, like Google authenticator, SMS, or Email.
  7. Radius receives authorization accept or reject method from the IDP server.
  8. UPSSO Radius server confirms the Authentication request to the target device.

ADD RADIUS CLIENT IN UPSSO PORTAL

  1. Login to the UPSSO portal.
  2. Once login, go to Radius client’s section.

3. Click on the + button to add a new client.

4. Enter the device friendly name and IP address and secret for the device to authenticate with the RADIUS server—this secret used during the device radius configuration.

INTEGRATING VAULT WITH UPSSO

  1. Connect to the CyberArk vault server and open the dbparm.ini in the installed location. By default, it installed in the following location “C:\Program Files (x86)\PrivateArk\Server\Conf”.
  2. Open the “DBparm.ini” and add the following entry in the end without quotes. Enter the UPSSO Radius server IP address and port number instead of 192.168.0.121 and 1812. Replace DCVAULT with your vault hostname.

3. Open the command prompt and navigate to the folder “C:\Program Files (x86)\PrivateArk\Server”.

4. Execute the following command to generate the encrypted secret file. This secret used to authenticate UPSSO RADIUS Server.

CAVaultManager SecureSecretFiles /SecretType Radius /Secret <<replace with UPSSO secret>> /SecuredFileName radiusauth.dat

5. Please make sure the radiusauth.dat file is present in the folder “C:\Program Files (x86)\PrivateArk\Server”.

6. Restart the vault using the PrivateArk server UI for the changes to take effect.

7. Login to the PVWA portal as an Administrator user.

8. Navigate to Configuration Options > Options

9. In the left side, menu Navigate to Authentication methods > Radius

10. Change the value enabled = Yes. Click OK to save the changes.

CYBERARK RADIUS USER PROVISIONING

There are following two ways we can provision the RADIUS users in the vault.

  1. Provisioning via LDAP
  2. Individual User Provisioning.

LDAP DIRECTORY INTEGRATION

In this method, we integrate with the LDAP directory for user provisioning. When new user login via RADIUS authentication, CyberArk looks for the user in LDAP and processes the request to RADIUS. This method widely used because, in the LDAP groups, we can easily manage users who go through RADIUS authentication as well as automate safe permissions in AD.

  1. Open PrivateArk client and login with users having access to Directory Mappings.
  2. From the menu, go to Tools > Administrative Tools > Directory Mappings.
  3. Click add to add a directory mapping or choose an existing mapping to update. Consult CyberArk for more information on Directory mapping.
  4. Click on the user template button once you open the desired directory mapping.

5. Click on Authentication TAB and select RADIUS authentication in the drop-down.

6. Click OK to save and close all the windows.

7. Now according to the LDAP group, mapping users be logged in through RADIUS authentication.

INDIVIDUAL USER PROVISIONING.

  1. Login through PrivateArk client with a user having “add user” permission.
  2. Go to Tools > Administrative Tools > Users & Groups.

3. In the users and group dialog, click New > User.

4. In the new user dialog box, enter the username.

5. In the Authentication, TAB selects “Radius authentication.”

6. Leave the rest defaults and click OK to close all the dialog boxes.

7. The user configured to connect to CyberArk using Radius Authentication.

CYBERARK PVWA LOGIN USING RADIUS MULTI-FACTOR AUTHENTICATION

  1. Go to PVWA URL. Https://<<PVWA server IP/FQDN>>/PasswordVault/V10
  2. Select Radius Authentication.

3. Enter the username of LDAP or the user-created individually.

4. Enter the OTP received by SMS, Email, or Google Authenticator.

5. You are now logged into the portal.

RADIUS AUTHENTICATION USING PSM PROXY

  1. Install Remote desktop manager from Microsoft website.
  2. Open the remote desktop manager and create a server.
  3. Right-click the server and go to properties.

4. In the server settings, enter server name = PSMServer hostname or IP address, Display Name = Hostname or IP address of the target server.

5. Click on the connection settings and configure them as per the below screenshot. The syntax example is given below. Refer to this link for more details https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/PSSO-ConfigureRDPStart.htm

PSM /U VaultUsername@DomainName.com /a IPAddressOfTarget /c Connection-Component

6. Click OK to save the configuration and double-click on the server created.

7. In the login Prompt, enter UPSSO username and Password and click OK.

8. In the MFA prompt, enter the code received by SMS, Email, or Google Authenticator.

9. After entering the OTP, you logged into to target system.

RADIUS AUTHENTICATION USING PSMP

  1. Open putty client.
  2. Populate the address as below format.
VaultUser@TargetUser@TargetServer@PSMPServerIP

Example:

ad.rajesh@u.karthik@192.168.3.150@192.168.0.103

3. Click open to open the connection and enter the UPSSO user password.

4. Enter the OTP received in SMS, Email, or Google Authenticator.

5. Once Authentication successful, you logged into the target device.