
ForgeRock Access Management RADIUS integration

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.

RADIUS is a protocol commonly used to authenticate, authorize, and account for user access and actions. Acceptto offers a simple method for adding MFA to ForgeRock Access Management via its RADIUS solution. This guide shows how to configure ForgeRock OpenAM with the Acceptto RADIUS MFA authentication solution.

Prerequisites

  • Acceptto RADIUS Agent that is configured and connected to your user directory. For example, Microsoft Active Directory (AD).

    For more information, see the Acceptto RADIUS deployment guide.

  • A user with administrative privileges for the ForgeRock Access Management admin panel.

Configure the Acceptto RADIUS Agent

To integrate Acceptto with your ForgeRock AM, you will need to install an Acceptto RADIUS Agent on a machine within your network. This server will receive RADIUS requests from your ForgeRock AM, check with the LDAP server to perform primary authentication, and then contact the Acceptto cloud service for secondary authentication.

  1. Log in to the Acceptto RADIUS Agent with an administrative user and open the radius-agent-config.env file with an editor. It is located in the installation directory of the RADIUS Agent. RADIUS clients are configured in this file.

  2. Go to the bottom of the radius-agent-config.env file and change the ARA_CLIENTS attribute as follows. The values should be separated by semicolons (;).

    ARA_CLIENTS = An optional name for your AM; IP address of your AM; a shared secret

    An example configuration might look like this:

    ARA_CLIENTS = AM;192.168.1.50/32;testing12345

  3. Save the file and run the following command to apply the changes:

    docker-compose down && docker-compose up -d
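
The client entry from step 2 can be checked before the agent is restarted. The following is an added example, not part of the Acceptto documentation or product: it assumes a single ARA_CLIENTS entry in the name;address;secret form shown above, and the function names and the 16-byte minimum (the length RFC 2865 prefers for shared secrets) are choices made for this example.

```python
import ipaddress
import secrets

MIN_SECRET_LEN = 16  # RFC 2865 prefers shared secrets of at least 16 octets
DOC_EXAMPLE_SECRETS = {"testing12345"}  # sample value from the guide; never deploy it


def parse_ara_clients(env_text):
    """Return (name, network, secret) from the ARA_CLIENTS line of the env text."""
    for line in env_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ARA_CLIENTS":
            fields = [f.strip() for f in value.split(";")]
            if len(fields) != 3:
                raise ValueError("expected name;address;secret, got %d fields" % len(fields))
            name, addr, secret = fields
            return name, ipaddress.ip_network(addr, strict=True), secret
    raise ValueError("ARA_CLIENTS not set")


def audit_ara_clients(env_text):
    """Return a list of findings; an empty list means no issue was detected."""
    name, network, secret = parse_ara_clients(env_text)
    findings = []
    if network.num_addresses != 1:
        findings.append("client range %s admits %d addresses; pin to the AM host"
                        % (network, network.num_addresses))
    if secret in DOC_EXAMPLE_SECRETS:
        findings.append("shared secret is the documentation example value")
    if len(secret.encode()) < MIN_SECRET_LEN:
        findings.append("shared secret shorter than %d bytes" % MIN_SECRET_LEN)
    return findings


def new_client_line(name, host_ip):
    """Build an ARA_CLIENTS line with a random secret free of the ';' delimiter."""
    host = ipaddress.ip_address(host_ip)
    secret = secrets.token_urlsafe(24)  # 32 chars drawn from A-Z a-z 0-9 - _
    return "ARA_CLIENTS = %s;%s/%d;%s" % (name, host, host.max_prefixlen, secret)


# Constructed sample inputs: the guide's example line and a broad-range variant.
GUIDE_EXAMPLE = "ARA_CLIENTS = AM;192.168.1.50/32;testing12345\n"
BROAD_RANGE = "ARA_CLIENTS = AM;192.168.1.0/24;testing12345\n"

if __name__ == "__main__":
    for sample in (GUIDE_EXAMPLE, BROAD_RANGE, new_client_line("AM", "192.168.1.50")):
        # Print only the name and address fields so the secret stays out of logs.
        print(sample.strip().split(";")[:2], audit_ara_clients(sample))
```

The same secret generated by new_client_line must be entered as the Shared Secret in the ForgeRock AM RADIUS module configured below.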
    

Configure your ForgeRock Access Management

  1. Log in to the ForgeRock AM admin portal with an administrative user.

  2. Select the Realm to set MFA up for.

  3. Navigate to the Authentication section and select Modules.

  4. Click on Add Module to create a new authentication module.

  5. Enter a name of your choice and, in the Type field, select RADIUS from the dropdown. Then click on the Create button.

  6. On the Servers tab, click ADD.

  7. Enter your Acceptto RADIUS Agent information and click on Save.

    Setting                   Value
    Primary Radius Servers    IP Address of your Acceptto RADIUS Agent
    Shared Secret             Shared Secret Set in the Acceptto RADIUS Agent
    Time                      90 Seconds (recommended)
    Port Number               1812
    TimeOut                   60
    Health check interval     5
    Authentication Level      0

  8. In the Authentication section, select Settings.

  9. Go to the User Profile tab and select Ignored from User Profile’s drop down menu.

  10. Click Save Changes.

  11. Now you can change the authentication module on the default chain of your Realm. Navigate to the Authentication section and select Chains. Click on ldapService.

  12. Click on the edit icon.

  13. In the Select Module field, select the authentication module that you created earlier from the dropdown and click on the Ok button. Click Save Changes.


    Note: You can check your authentication module with a URL that refers to it, like the following example:

    http://Openad.example.com:8080/AM-7.1.0/XUI/#login/&authIndexType=module&authIndexValue=”enter-authentication-module-name”

Test your application integration

  1. Go to the ForgeRock Access Management Realm you created and enter your credentials.

  2. You’ll receive a push notification on your It’sMe mobile application. After approving the authentication request through the app, you will be logged in.


Support

If you have questions or need assistance, contact SecureAuth Support.

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands does not constitute an endorsement by the SecureAuth Corporation.