RADIUS with CAS Configuration - Thycotic Secret Server 10.6 - RSA Ready SecurID Access Implementation Guide

Document created by RSA Information Design and Development Employee on May 22, 2019
Version 1

This section contains instructions on how to integrate Thycotic Secret Server with RSA Cloud Authentication Service using RADIUS.

Architecture Diagram

RSA Cloud Authentication Service Configuration

To configure RADIUS for Cloud Authentication Service for use with a RADIUS client, you must first configure a RADIUS client in the Cloud Administration Console.

Log on to the RSA Cloud Administration Console, browse to Authentication Clients > RADIUS > Add RADIUS Client, and enter the Name, IP Address and Shared Secret.

Click Publish.

Note:  For RADIUS two-factor integration with Secret Server, it is required by design that the primary authentication be performed by Secret Server. When integrated with CAS, this leads to a scenario in which the user may be required to enter the LDAP password twice before being prompted for step-up authentication by CAS. This behavior can be changed by performing the following configuration when creating the RADIUS client in CAS: Under Authentication Details, select the option Cloud Authentication Service only applies access policy for additional authentication. This setting prevents CAS from asking for the LDAP password again and hence mitigates the scenario where the password is requested first by Secret Server (mandatory) and again by CAS.


Configure Thycotic Secret Server

Follow the steps in this section to configure Thycotic Secret Server as a RADIUS client for the Cloud Authentication Service.


1. Login to Secret Server as an admin, and click Admin > Configuration.

2. On the Configuration page, click the Login tab.

3. At the bottom of the page, click Edit.

4. Click the Enable RADIUS Integration checkbox. The page shows other configuration parameters for RADIUS. Enter the details:

  • RADIUS Server Port must be 1812.
  • RADIUS Server IP is the management IP address of the identity router.
  • RADIUS Shared Secret is the Shared Secret configured while creating the RADIUS client in the Cloud Authentication Service.

Note:  The Time Out (seconds) value is set to 60 by default. This should be sufficient for most integrations, but it can be increased if required, especially in cases where there are frequent authentication failures due to timeout. Increasing the timeout value means that the failover RADIUS server is not used as quickly if the primary RADIUS server is not available.

5. To configure a RADIUS failover server, click the Enable Failover RADIUS Server checkbox. The page shows other configurable parameters for the failover RADIUS server. Enter the details:

  • Failover RADIUS Server Port must be 1812.
  • Failover RADIUS Server IP is the management IP address of the replica identity router instance.
  • Failover RADIUS Shared Secret is the Shared Secret configured while creating the RADIUS client in the Cloud Authentication Service.

6. Click Save.

7. Click Admin > Users.

8. On the Users page, click the user who has to be enabled for RADIUS two-factor authentication. On the View User page, click Edit.

Note:  For successful authentication, the user record needs to be present in Secret Server. This can be achieved by adding the user record in Secret Server locally or by adding and synchronizing an LDAP Identity Source to the Secret Server instance. Detailed steps for adding a user and/or synchronizing an Identity Source are available in Thycotic Secret Server's documentation.

9. On the Edit User page, do the following:

  1. From the Two Factor drop-down list, select RADIUS.
  2. In the RADIUS User Name field, enter the email ID of the user, which must match the email ID in the Cloud Authentication Service.
  3. Click Save.


Configuration is complete.

For additional integrations, see "Configuration Summary" on page 5.