Disable the Advanced Authentication Manager Role

The Advanced Authentication Manager role is one of the roles that control Advanced Authentication. To disable Advanced Authentication, disable all authentication methods that are based on Advanced Authentication, disable all advanced authentication flows, and then disable the Advanced Authentication Manager role. The outcome is that Advanced Authentication is not available to any application. No further configuration changes can be made to Advanced Authentication until you re-enable the role.

Follow these steps:

  1. Log in to the User Console.
  2. Select Admin Roles, Enable/Disable Admin Role.

    The Enable/Disable Admin Role screen opens.

  3. Clear the Advanced Authentication Manager check box, and click Select.
  4. Click Yes on the next screen that opens.

    The Advanced Authentication service is disabled.

How to Configure CA CloudMinder for RADIUS

CloudMinder 1.5 supports RADIUS. RADIUS offers two-factor authentication for VPN systems protected by CloudMinder. RADIUS is enabled by default, and you configure RADIUS clients as outlined in the following diagram:

Configure a CloudMinder RADIUS Client

As a prerequisite, configure the ArcotID OTP application to use the ArcotID OTP authentication type. To configure a CA CloudMinder RADIUS Client, complete the following tasks:

  1. Review Network Configuration
  2. Add a RADIUS Client
  3. Assign a Default RADIUS Credential Type Resolution Configuration
  4. Update or Delete a RADIUS Client

Review Network Configuration

Review this section before adding RADIUS clients and configuring a firewall and load balancer.

Network

Authentication Manager is not exposed outside the network. A proxy server runs on the web server, which forwards authentication requests. All requests must go through the proxy.

Ports

AuthMinder runs on the app tier and listens on UDP port 1812. The web-tier proxy server listens for client requests on port 1812 and for AuthMinder responses on port 1814. Use this information when configuring your firewall and load balancer.

Source NAT

If SNAT is enabled on the web-tier load balancer, map the external IP address of each VPN server that sends requests to CA CloudMinder to a unique, static internal IP address. Use that same internal IP address when you add the RADIUS client.

Add RADIUS Clients

You can add a RADIUS client for an organization from the Arcot Administration Console.

Follow these steps:

  1. Log in to the Arcot Administration Console http://<server name>:9090/arcotadmin/adminlogin.htm as a global admin.
  2. Click the Organizations tab, and search for the organization.
  3. Select the organization, and click the Webfort Configuration tab.
  4. From the left pane, click RADIUS Client.
  5. From the main window, click Add.
  6. Complete the following:
    RADIUS Client IP Address

    Specifies the IP address of the RADIUS client through which users authenticate to the AuthMinder Server.

    Shared Secret Key

    Specifies the secret key shared between the RADIUS client and the AuthMinder Server.

    Note: Keys must be between 1 and 512 characters.

    Description

    Specifies a short description of the RADIUS client. If you configure multiple clients, the description of each client helps distinguish between clients.

    Authentication Type

    Select In-Band Password.

  7. In the RADIUS Retry Handling section, specify the following:
  8. In the Additional RADIUS Response Attributes section, specify the attributes that you want the AuthMinder Server to include in the response sent to the RADIUS client after successful authentication:
    Attribute ID

    Specify 224.

    Attribute Value

    Specifies the value corresponding to the attribute ID. You can pass static values, user attributes (variables), or a combination of static values and variables. For example, for the user JSmith, you can include the full name in the RADIUS response as:

    Name=$$LNAME$$,$$FNAME$$

    to return:

    224= [Name=Smith, John]

    Note: The mapped attributes FNAME, LNAME, TELEPHONENUMBER, and EMAILADDR can be returned.

  9. In the RADIUS Packet Drop Options section, select the event or events when AuthMinder Server must drop RADIUS packets.
  10. Click Add.

    The RADIUS client is added.
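The following added example (not part of the CA CloudMinder product or its documentation) checks a RADIUS client entry against the constraints stated above (a valid client IP address, a shared secret of 1 to 512 characters) and expands a $$VAR$$ template into the attribute 224 value the way the Additional RADIUS Response Attributes step describes. Only the four mapped attributes named in the note are accepted; the function names, the sample user and the rejection of unknown variables are assumptions of this example.

```python
import ipaddress
import re

# Mapped user attributes the page says can be returned in the RADIUS response.
MAPPED_ATTRIBUTES = {"FNAME", "LNAME", "TELEPHONENUMBER", "EMAILADDR"}
# Attribute ID the page tells you to use for the additional response attribute.
RESPONSE_ATTRIBUTE_ID = 224

# Matches one $$NAME$$ variable inside an attribute value template.
_VAR = re.compile(r"\$\$([A-Z]+)\$\$")


def validate_client(ip, shared_secret):
    """Check a RADIUS client entry against the constraints stated on the page:
    a well-formed client IP address and a shared secret of 1 to 512 characters.
    Raises ValueError on a bad entry, returns True otherwise."""
    ipaddress.ip_address(ip)  # raises ValueError for a malformed address
    if not 1 <= len(shared_secret) <= 512:
        raise ValueError("shared secret must be between 1 and 512 characters")
    return True


def expand_attribute_value(template, user):
    """Replace each $$NAME$$ variable with the user's mapped attribute value.
    Variables outside the four mapped attributes are rejected (assumption of
    this example) rather than silently passed into the RADIUS response."""
    def substitute(match):
        name = match.group(1)
        if name not in MAPPED_ATTRIBUTES:
            raise ValueError(f"unsupported attribute variable: {name}")
        return user[name]
    return _VAR.sub(substitute, template)


def build_response_attribute(template, user):
    """Return the (attribute ID, value) pair AuthMinder would include in the
    response after successful authentication, e.g. (224, 'Name=Smith,John')."""
    return RESPONSE_ATTRIBUTE_ID, expand_attribute_value(template, user)


if __name__ == "__main__":
    # Constructed sample user matching the page's JSmith example.
    jsmith = {"FNAME": "John", "LNAME": "Smith"}
    validate_client("10.0.0.5", "constructed-shared-secret")
    print(build_response_attribute("Name=$$LNAME$$,$$FNAME$$", jsmith))
```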

Assign a Default RADIUS Credential Configuration

This section shows you how to assign a default RADIUS credential type resolution configuration.

Follow these steps:

  1. Log in to the Arcot Administration Console as global admin.
  2. Complete the following steps:
    1. Click the Organizations tab.
    2. Search for the organization.
    3. Select the organization from the search results.
    4. Click the Webfort Configuration tab.
  3. From the left pane, click Assign Default Configuration.
  4. For the field ArcotOTP-OATH Profile, select MobileArcotOTPProfile_<TENANT GUID>.
  5. From the ArcotOTP-OATH Policy drop-down list, select MobileArcotOTPPolicy_<TENANT GUID>.
  6. For the field RADIUS Credential Type Resolution Configuration, select VerifyArcotOTP-OATH.
  7. Click Save.

    The default RADIUS credential type resolution configuration is assigned.

Update or Delete a RADIUS Client

If a RADIUS client is configured, the RADIUS Configuration page displays the configured clients in the Configured RADIUS Clients table. You can use this table to update or delete the RADIUS client IP addresses.

Follow these steps:

  1. From the Arcot Administration Console, click the Organizations tab, and search for the organization.
  2. Select the organization, and click the Webfort Configuration tab.
  3. From the left pane, click RADIUS Client.
  4. Log in to the Administration Console.
  5. From the Configured RADIUS Clients section, select the IP address of the machine that requires updates.
  6. Edit the fields as needed, and click the Update or Delete button.