CA Strong Authentication Administration Guide › How to Configure CA AuthMinder for RADIUS › Add RADIUS Clients

Add RADIUS Clients

A single RADIUS client can be configured in AuthMnder. If you want to configure multiple organizations in AuthMinder to use the same RADIUS client, then add the RADIUS client at the global level. Otherwise, for a single organization, add the RADIUS client for that organization.

Follow these steps:

1. Log in to the Administration Console.
2. Perform the following steps if you want to add RADIUS clients at the global level:
   1. Click the Services and Server Configurations tab on the main menu.
   2. Ensure that the WebFort tab is selected.
3. Perform the following steps if you want to add RADIUS clients at the organization level:
   1. Click the Organizations tab.
   2. Search for the organization.
   3. Select the organization from the search results.
   4. Click the Webfort Configuration tab.
4. Click RADIUS Client in the left pane.
5. Click Add.
6. Enter the following information:

   RADIUS Client IP Address

   Specifies the IP Address of the RADIUS client through which users authenticate to AuthMinder Server.

   Shared Secret Key

   Specifies the secret key shared between the RADIUS client and the AuthMinder Server.

   Note: The minimum length of the key is 1 character, and the maximum length is 512 characters.

   Description

   Specifies a short description of the RADIUS client. If you configure multiple clients, the description of each client helps distinguish between clients.

   Authentication Type

   Indicates the authentication mechanism that will be used for RADIUS-based access. Select one of the following authentication mechanisms:

   • RADIUS OTP

     Specifies the default authentication mechanism that is used to authenticate RADIUS requests. A One-Time Token (OTT) is used as the password for authentication.

   • In-Band Password

     Specifies that any password or OTP can be used for authentication. Typically, the In-Band Password option is used in the following scenarios:

     To resolve the credential type

     Use the In-Band Password option if you want to authenticate users with credentials that are set using credential type resolution.

     Note: You configure credential type resolution to map an input request that has an unknown credential type with a particular password-based authentication mechanism or to support any password-based authentication mechanism for RADIUS.

     (Optional, applicable for global configurations only) To specify the organization name

     In a RADIUS request, organization information can be sent with a password in the <orgname>\n<password> format. AuthMinder can extract the organization name from a password specified in this format. To enable the use of this feature, associate organizations with the RADIUS client as follows:

     a. Use the > button to move the required organizations from the Available Organizations list to the Supported Organizations list.

     b. Specify the default organization for the RADIUS client. If organization information is not sent with the password, then this default organization is considered in the authentication to resolve user details.

   • EAP: This option is not currently supported. Do not select it.

7. In the RADIUS Retry Handling section, specify the following:
   • Select the Enable Retry option if you want the RADIUS client to retry sending the request to AuthMinder Server if it does not receive a response.
   • In the Retry Window field, enter the duration in seconds within which the client can retry connecting to the AuthMinder Server if it does not receive a response. After this period, the retry is considered invalid. Ensure that the retry window period is greater than the client timeout period.
8. In the Additional RADIUS Response Attributes section, specify the attributes that you want the AuthMinder Server to include in the response sent to the RADIUS client after successful authentication:

   Attribute ID

   Specifies a unique attribute identifier.

   Example: 26

   Attribute Value

   Specifies the value corresponding to the attribute ID. You can pass static values, variables such as user attributes or custom attributes, or a combination of static values and variables. For example, for the user JSmith, if the custom user attribute key-value pair is Employee ID=150, then you can include the employee ID in the RADIUS response as follows:

   JSmith = $$Employee ID$$
   

   This setting returns JSmith = 150.

9. In the RADIUS Packet Drop Options section, select the events for which the AuthMinder Server must drop RADIUS packets. You can select any combination of the following events:
   • User not Found
   • Credential not Found
   • Invalid Request
   • Internal Error
10. Click Add.

    The RADIUS client is added. This configuration will take effect after you refresh the cache.