Skip to main content

ForgeRock Access Management RADIUS integration

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.

Remote Authentication Dial-In User Service (RADIUS) is a protocol commonly used to authenticate, authorize, and account for user access and actions.

Arculix by SecureAuth offers a simple method for adding MFA to ForgeRock Access Management via its Radius solution. This instruction illustrates how to configure ForgeRock OpenAM and Acceptto RADIUS MFA authentication solution.

Prerequisites

  • Arculix RADIUS Agent that is configured and connected to your user directory. For example, Microsoft Active Directory (AD).

    For more information, see the Arculix RADIUS Agent deployment guide.

  • User account with administrative privileges for the ForgeRock Access Management admin panel.

Arculix RADIUS Agent configuration

To integrate Arculix with your ForgeRock AM, you will need to install an Arculix RADIUS Agent on a machine within your network. This server will receive RADIUS requests from your ForgeRock AM, check with LDAP server to perform primary authentication, and then contact Arculix cloud service for secondary authentication.

Follow these steps to configure the Arculix RADIUS Agent.

  1. Log in to the Arculix RADIUS Agent as an administrator.

  2. Open the radius-agent-config.env file with an editor.

    The file is located in the installed directory of RADIUS Agent. RADIUS clients are configured in this setting.

    Acceptto RADIUS agent
  3. At the end of the radius-agent-config.env file, set the following configuration for the ARA_CLIENTS attribute:

    Note

    The values should be separated by semicolons (;).

    ARA_CLIENTS = <An optional name for your AM>; <Internal IP address of your AM>; <a shared secret>

    For example, set:

    ARA_CLIENTS = AM;192.168.1.50/32;testing12345
    ARA_CLIENTS configuration
  4. Save the file.

  5. Run the following command to apply the changes:

    docker-compose down && docker-compose up -d

ForgeRock Access Management configuration

  1. Log in to the ForgeRock AM admin portal with an administrative user account.

  2. Select the Realm to set MFA up for.

  3. Go to the Authentication section and select Modules.

  4. Click Add Module to create a new authentication module.

    forgerock_modules.png
  5. In the New Module section, set the following:

    Name

    Enter a unique name.

    For example, RADIUS.

    Type

    Select RADIUS.

    forgerock_add_new_module.png
  6. Click Create.

  7. Select the Servers tab and click ADD.

  8. In the RADIUS section, set the following:

    Primary Radius Servers

    Enter the IP Address of your Arculix RADIUS Agent.

    Shared Secret

    Enter the Shared Secret set in the Arculix RADIUS Agent.

    Time

    Set to 90 Seconds (recommended).

    Port Number

    Set to 1812.

    TimeOut

    Set to 60.

    Health check interval

    Set to 5.

    Authentication Level

    Set to 0.

    forgerock_radius_config.png
  9. Click Save.

  10. In the Authentication section select Settings.

  11. Select the User Profile tab and in the User Profile section, select Ignored.

    forgerock_user_profile.png
  12. Click Save Changes.

  13. Now you can change the authentication module on the default chain of your Realm. Go to the Authentication section and select Chains. Click on ldapService.

    forgerock_chains.png
  14. Click the pencil icon to make edits.

    forgerock_edit_ldapservice.png
  15. In the Select Module field, select the authentication module that was previously created and click OK. Click Save Changes.

    Note

    You can check your authentication module with a URL that refers to it, like the following example:

    http://Openad.example.com:8080/AM-7.1.0/XUI/#login/&authIndexType=module&authIndexValue=”enter-authentication-module-name”

    forgerock_edit_module.png

Test your application integration

  1. Go to the ForgeRock Access Management Realm you created and enter your credentials.

    forgerock_login.png
  2. The Arculix Mobile app receives a push notification for your approval to log in.

    After approving the authentication request through the app, you will be logged in.

    arculix_mobile_app_010.png

Support

If you have questions or need assistance, contact SecureAuth Support.

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.