Skip to main content

ForgeRock Access Management RADIUS integration

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.

Remote Authentication Dial-In User Service (RADIUS) is a protocol commonly used to authenticate, authorize, and account for user access and actions.

Arculix by SecureAuth offers a simple method for adding MFA to ForgeRock Access Management via its Radius solution. This instruction illustrates how to configure ForgeRock OpenAM and Acceptto RADIUS MFA authentication solution.


  • Arculix RADIUS Agent that is configured and connected to your user directory. For example, Microsoft Active Directory (AD).

    For more information, see the Arculix RADIUS Agent deployment guide.

  • User account with administrative privileges for the ForgeRock Access Management admin panel.

Arculix RADIUS Agent configuration

To integrate Arculix with your ForgeRock AM, you will need to install an Arculix RADIUS Agent on a machine within your network. This server will receive RADIUS requests from your ForgeRock AM, check with LDAP server to perform primary authentication, and then contact Arculix cloud service for secondary authentication.

Follow these steps to configure the Arculix RADIUS Agent.

  1. Log in to the Arculix RADIUS Agent as an administrator.

  2. Open the radius-agent-config.env file with an editor.

    The file is located in the installed directory of RADIUS Agent. RADIUS clients are configured in this setting.

    Acceptto RADIUS agent
  3. At the end of the radius-agent-config.env file, set the following configuration for the ARA_CLIENTS attribute:


    The values should be separated by semicolons (;).

    ARA_CLIENTS = <An optional name for your AM>; <Internal IP address of your AM>; <a shared secret>

    For example, set:

    ARA_CLIENTS = AM;;testing12345
    ARA_CLIENTS configuration
  4. Save the file.

  5. Run the following command to apply the changes:

    docker-compose down && docker-compose up -d

ForgeRock Access Management configuration

  1. Log in to the ForgeRock AM admin portal with an administrative user account.

  2. Select the Realm to set MFA up for.

  3. Go to the Authentication section and select Modules.

  4. Click Add Module to create a new authentication module.

  5. In the New Module section, set the following:


    Enter a unique name.

    For example, RADIUS.


    Select RADIUS.

  6. Click Create.

  7. Select the Servers tab and click ADD.

  8. In the RADIUS section, set the following:

    Primary Radius Servers

    Enter the IP Address of your Arculix RADIUS Agent.

    Shared Secret

    Enter the Shared Secret set in the Arculix RADIUS Agent.


    Set to 90 Seconds (recommended).

    Port Number

    Set to 1812.


    Set to 60.

    Health check interval

    Set to 5.

    Authentication Level

    Set to 0.

  9. Click Save.

  10. In the Authentication section select Settings.

  11. Select the User Profile tab and in the User Profile section, select Ignored.

  12. Click Save Changes.

  13. Now you can change the authentication module on the default chain of your Realm. Go to the Authentication section and select Chains. Click on ldapService.

  14. Click the pencil icon to make edits.

  15. In the Select Module field, select the authentication module that was previously created and click OK. Click Save Changes.


    You can check your authentication module with a URL that refers to it, like the following example:”enter-authentication-module-name”


Test your application integration

  1. Go to the ForgeRock Access Management Realm you created and enter your credentials.

  2. The Arculix Mobile app receives a push notification for your approval to log in.

    After approving the authentication request through the app, you will be logged in.



If you have questions or need assistance, contact SecureAuth Support.


Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.


All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.