

Configure AuthMinder as the Proxy Server

Configure AuthMinder as the proxy server for a RADIUS server.

Note: Perform the procedure described in this section only if you want to configure AuthMinder as a RADIUS proxy. Do not perform this procedure if you want to configure AuthMinder as a RADIUS server.

Follow these steps:

  1. Log in to the Administration Console.
  2. Perform the following steps if you want to add RADIUS clients at the global level:
    1. Click the Services and Server Configurations tab on the main menu.
    2. Ensure that the WebFort tab is selected.
  3. Perform the following steps if you want to add RADIUS clients at the organization level:
    1. Click the Organizations tab.
    2. Search for the organization.
    3. Select the organization from the search results.
    4. Click the Webfort Configuration tab.
  4. Click RADIUS Proxy in the left pane.
  5. Select Enable Proxy.
  6. If you want multiple organizations to use AuthMinder as the proxy server for RADIUS, then select the Use Global Configuration check box.
  7. Enter the following details of the RADIUS server in the Primary Proxy Server Details section:
    IP Address

    Specifies the IP address of the RADIUS server.

    RADIUS Port

    Specifies the port number on which the RADIUS server is listening.

    Shared Secret Key

    Specifies the secret key shared between the AuthMinder Server and the RADIUS server.

    Note: The minimum length of the key is 1, and the maximum is 512 characters.

    Description

    Specifies a string to describe the RADIUS server. The description helps to identify the RADIUS server if multiple servers are configured.

    Read Timeout

    Specifies the maximum time, in milliseconds, for which the AuthMinder Server must wait for a response from the RADIUS server.

    Retry Count

    Specifies the number of times the AuthMinder Server must attempt to send the request to the RADIUS server if it does not receive a response.

  8. In the Additional RADIUS Response Attributes section, specify the attributes that you want the AuthMinder Server to include in the request that it sends to the RADIUS server after successful authentication.
    Attribute ID

    Specifies a unique attribute identifier in this column. For example, 26.

    Attribute Value

    Specifies the value corresponding to the attribute ID. For example, a value corresponding to attribute identifier 26.

  9. (Optional) Click Add More if you want to add more attributes.
  10. (Optional) If you have configured an additional RADIUS server, then provide the details of that RADIUS server in the Backup Proxy Server Details section.

    AuthMinder forwards RADIUS authentication requests to this backup RADIUS server after the retry count (configured earlier) is exhausted.

  11. Click Update to save the configuration.

    AuthMinder is configured as a proxy server for a RADIUS server.

Create or Update a Credential Type Resolution Configuration

Note: Perform the procedure described in this section only if you set the In-Band Password option as the authentication type while adding a RADIUS client.

You can configure credential type resolution for mapping an in-band password to any one of the following authentication types:

The following predefined credential type resolutions are available in AuthMinder:

If any of these predefined credential type resolution configurations meet your requirements for processing in-band passwords, then you need not perform the procedure described in this section. Perform the procedure only if none of these predefined configurations meet your requirements.

You assign credential type resolution as the default for the organization. You can also configure credential type resolution per user by configuring a custom user attribute that specifies the mechanism to be used for each user. This custom user attribute is part of the credential type resolution configuration.

Follow these steps:

  1. Log in to the Administration Console.
  2. Perform the following steps if you want to add RADIUS clients at the global level:
    1. Click the Services and Server Configurations tab on the main menu.
    2. Ensure that the WebFort tab is selected.
  3. Perform the following steps if you want to add RADIUS clients at the organization level:
    1. Click the Organizations tab.
    2. Search for the organization.
    3. Select the organization from the search results.
    4. Click the Webfort Configuration tab.
  4. Click Credential Type Resolution in the left pane.

    The Credential Type Resolution Configuration screen opens.

  5. Click Create.
  6. Enter a name for the configuration.
  7. If you want to copy an existing configuration, then:
    1. Select the Copy Configuration check box.
    2. From the Available Configurations drop-down list, select the configuration that you want to copy.
  8. From the Resolve plain to drop-down list, select the credential type to which you want to map the incoming password type credential.
  9. (Optional) If you have created a custom user attribute for specifying the credential type, then specify the name of that custom attribute in the User Custom Attribute For Credential Type field.

    When a RADIUS authentication request is received, the credential type specified in this custom user attribute overrides the credential type that you configure in the preceding step. If the credential type is not specified in the custom user attribute, then the credential type that you configure in the preceding step is used as the default credential type.

    While a user is being created, ensure that the value for the custom user attribute is set to one of the following integer values:

    For example, if you want the custom user attribute to specify OATH OTP as the credential type, then ensure that 7 is set as the value of the custom user attribute.

  10. Click Save.

    The credential type resolution configuration is saved.

Assign a Default RADIUS Credential Type Resolution Configuration

Note: Perform the procedure described in this section only if you set the In-Band Password option as the authentication type while adding a RADIUS client.

Set the credential type resolution configuration as the default configuration for authentication requests sent by RADIUS clients.

Follow these steps:

  1. Log in to the Administration Console.
  2. Perform the following steps if you want to add RADIUS clients at the global level:
    1. Click the Services and Server Configurations tab on the main menu.
    2. Ensure that the WebFort tab is selected.
  3. Perform the following steps if you want to add RADIUS clients at the organization level:
    1. Click the Organizations tab.
    2. Search for the organization.
    3. Select the organization from the search results.
    4. Click the Webfort Configuration tab.
  4. Click Assign Default Configurations in the left pane.
  5. From the RADIUS Credential Type Resolution Configuration drop-down list, select the credential type resolution configuration that you want to use for processing in-band passwords.
  6. Click Save.

    The default RADIUS credential type resolution configuration is assigned.

Configure an Authentication Policy

If you are configuring AuthMinder as a RADIUS proxy, then create or update an authentication policy for the credential type for which you are configuring AuthMinder as a RADIUS proxy. Set this policy as the default authentication policy for that credential type. In the authentication policy, specify the conditions under which authentication requests must be forwarded by AuthMinder to the RADIUS server.

Note: Perform the procedure described in this section only if you want to configure AuthMinder as a RADIUS proxy. Do not perform this procedure if you want to configure AuthMinder as a RADIUS server.

Follow these steps:

  1. Log in to the Administration Console.
  2. Perform the following steps if you want to add RADIUS clients at the global level:
    1. Click the Services and Server Configurations tab on the main menu.
    2. Ensure that the WebFort tab is selected.
  3. Perform the following steps if you want to add RADIUS clients at the organization level:
    1. Click the Organizations tab.
    2. Search for the organization.
    3. Select the organization from the search results.
    4. Click the Webfort Configuration tab.
  4. In the left pane, click the Authentication link for the credential type for which you are configuring AuthMinder as a RADIUS proxy server.

    The Password Authentication Policy screen opens.

  5. Click Create if you want to create a policy configuration. Alternatively, click Update if you want to update an existing policy configuration.
  6. Enter the required data in the remaining fields of the Policy Configuration section.

    Note: For detailed information about the fields of the Policy Configuration section, see the CA AuthMinder Administration Guide.

  7. Expand Advanced Configurations.
  8. Select one or both of the following options:
    User not Found

    Specifies that the authentication request must be forwarded to the RADIUS server if the user does not exist in the AuthMinder database.

    Credential not Found

    Specifies that the authentication request must be forwarded to the RADIUS server if the credential with which the user is trying to authenticate does not exist in the AuthMinder database.

  9. Enter the required data in the remaining fields of the Advanced Configurations section.

    Note: For detailed information about the fields of the Advanced Configurations section, see the CA AuthMinder Administration Guide.

  10. Click Save.

    The authentication policy is configured.

Refresh Cache

Refresh the cache so that all the configuration changes take effect.

Follow these steps:

  1. Log in to the Administration Console.
  2. Select Services and Server Configurations, Administration Console, Refresh Cache in the System Configuration section.

    The Refresh Cache screen opens.

  3. Select one or both of the following options, depending on whether you have configured AuthMinder as a RADIUS server for a single organization or multiple organizations:
  4. Click OK.

    A message stating that the request was submitted successfully appears.

  5. Select Services and Server Configurations, Administration Console, Check Cache Refresh Status.

    The Search Cache Refresh Request screen opens.

  6. Select the request ID of the refresh request, and then click Search.

    The status of the refresh request is displayed. The SUCCESS message in the Status column indicates that the configuration has taken effect.