PingAM 7.5.1

RADIUS server service

The RADIUS server service provides a RADIUS server within AM. The server authenticates RADIUS clients that are external to AM. Because the server is backed by AM’s authentication chains and modules, it can offer multi-factor authentication in addition to simple username and password authentication.

The following example shows the flow of a successful username and password authentication attempt from a RADIUS client:

Figure 1. RADIUS server service: simple authentication flow

The following example shows the flow of a successful multi-factor authentication scenario in which the RADIUS server service is backed by an authentication chain that includes the LDAP and the ForgeRock Authenticator (OATH) authentication modules. First, the LDAP authentication module requires the user to provide a username and password. Then, the ForgeRock Authenticator (OATH) module requires the user to enter a one-time password obtained from the authenticator app on a mobile phone:

Figure 2. RADIUS server service: multi-factor authentication flow
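
The following added example (not taken from the PingAM documentation or from AM's code) models the multi-factor exchange in RFC 2865 terms, assuming the second factor is requested with an Access-Challenge that carries a State attribute. `toy_server`, the shared secret, username, password, one-time password and State value are constructed stand-ins for the AM side.

```python
import hashlib, hmac, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # RFC 2865 codes
USER_NAME, USER_PASSWORD, STATE = 1, 2, 24  # RFC 2865 attribute types

def hide_password(password, secret, request_auth):  # RFC 2865 section 5.2
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\0")
    blocks = [request_auth]  # each keystream block is MD5(secret + previous block)
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + blocks[-1]).digest()
        blocks.append(bytes(p ^ k for p, k in zip(padded[i:i + 16], key)))
    return b"".join(blocks[1:])

def encode(code, ident, authenticator, attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode(packet):
    attrs, pos = {}, 20
    while pos < int.from_bytes(packet[2:4], "big"):  # honour the Length field
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return packet[0], packet[1], packet[4:20], attrs

def reply(code, ident, request_auth, attrs, secret):  # adds the Response Authenticator
    digest = hashlib.md5(encode(code, ident, request_auth, attrs) + secret).digest()
    return encode(code, ident, digest, attrs)

def toy_server(packet, secret):  # hypothetical stand-in; credentials are constructed
    _, ident, auth, a = decode(packet)
    sent = lambda v: hmac.compare_digest(a[USER_PASSWORD], hide_password(v, secret, auth))
    if STATE not in a and sent(b"pa55word"):  # first factor: password
        return reply(ACCESS_CHALLENGE, ident, auth, [(STATE, b"session-1")], secret)
    ok = a.get(STATE) == b"session-1" and sent(b"123456")  # second factor: OTP
    return reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, auth, [], secret)

def client_login(user, password, otp, secret):  # returns the reply codes received
    codes, state = [], []
    for ident, answer in enumerate((password, otp)):
        auth = os.urandom(16)  # fresh Request Authenticator for every request
        attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(answer, secret, auth))]
        packet = toy_server(encode(ACCESS_REQUEST, ident, auth, attrs + state), secret)
        mac = hashlib.md5(packet[:4] + auth + packet[20:] + secret).digest()
        if not hmac.compare_digest(mac, packet[4:20]):
            raise ValueError("reply was not signed with the shared secret")
        code, _, _, reply_attrs = decode(packet)
        codes.append(code)
        if code != ACCESS_CHALLENGE:
            break
        state = [(STATE, reply_attrs[STATE])]  # echo State back unchanged
    return codes
```

Calling `client_login(b"demo", b"pa55word", b"123456", b"constructed-shared-secret")` returns the codes for Access-Challenge followed by Access-Accept; a wrong password yields a single Access-Reject.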

The AM RADIUS server is disabled by default. To enable it, perform the following steps:

Enable and configure the RADIUS server

  1. In the AM admin UI, go to Configure > Global Services, and click RADIUS Server.

  2. Under Secondary Configuration Instance, click New.

    AM uses secondary configuration instances in the RADIUS Server service to encapsulate RADIUS clients. You must configure one secondary configuration instance, also known as a subconfiguration, for each client that will connect to the RADIUS Server.

  3. Configure attributes for the subconfiguration.

    Refer to RADIUS server for information about configuring the subconfiguration attributes.

  4. Click Add to add the configuration for the RADIUS client to the overall RADIUS server service configuration.

  5. If you have multiple RADIUS clients that will connect to the AM RADIUS server, add a subconfiguration for each client.

    You don’t need to configure all your RADIUS clients when you configure the RADIUS server service initially—you can add and remove clients over time as you need them.

  6. Configure global attributes of the RADIUS server service.

    At a minimum, set the Enabled field to YES to start the RADIUS server immediately after you save the RADIUS server service configuration.

    Refer to RADIUS server for information about configuring the RADIUS server service’s global attributes.

  7. On the main configuration page for the RADIUS server service, click Save.

The RADIUS server starts immediately after you save the configuration if the Enabled field has the value YES. If you make changes to the RADIUS server service configuration, the changes take effect as soon as you save them.