Configure the EmpowerID RADIUS Server

EmpowerID provides RADIUS Server support for managing authentication and authorization of RADIUS devices. Setting this up involves configuring the RADIUS device to remotely access EmpowerID, configuring EmpowerID for the remote RADIUS device, and configuring the EmpowerID Password Manager Policy for RADIUS.

The EmpowerID RADIUS Server is now available in a new version that runs as a Docker container and integrates with flexible ABAC authorization policies that can be managed and assigned in the web interface.

This article demonstrates configuring EmpowerID for RADIUS by configuring EmpowerID for the Cisco ASA 5505 RADIUS device and covers how to:

  • Configure Cisco server settings

  • Configure EmpowerID RADIUS Settings

  • Configure the EmpowerID Password Manager Policy for RADIUS

Configure the Cisco Server Settings

  1. On the Cisco server, open the Cisco ASDM.

  2. Click Configuration on the toolbar.

  3. Click the Device Management panel at the bottom of the screen.

  4. Expand Users/AAA and select AAA Server Groups.

  5. Add the following settings to set up the server group and then click OK when completed.

    1. Name

    2. Protocol — Select RADIUS from the drop-down.

       

  6. In the Servers in the Selected Group section, click Add to the right and then enter the following settings:

    1. Server Name or IP Address — This should be the IP address or server name of the EmpowerID server.

    2. Interface Name — This should be the same interface as the EmpowerID server.

    3. Server Authentication Port — Set this to 1812.

    4. Server Secret Key

    5. Common Password — This should be the same password as the Server Secret Key.

    6. Microsoft CHAPv2 Capable — Make sure this is selected.

  7. Click OK to save the RADIUS Server Group settings.

  8. Click Apply to apply the settings.

  9. Make sure the Server Group method on the connection profile is set to RADIUS.

  10. Apply and save the configuration.

 

Configure EmpowerID RADIUS Settings

  1. On the navbar, expand Single Sign-On > SSO Connections and click RADIUS Connections.

  2. On the RADIUS Connections page, click the Add Connection button above the grid.

  3. In the Connection Details form that appears, enter the following:

    • Name — Name of the RADIUS connection

    • Shared Secret — Secret key set for the RADIUS server group on the CISCO device

    • Start Allowed IP — IP address for the CISCO device

    • End Allowed IP — IP address for the CISCO device

    • Click Save.
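The Shared Secret entered here has to match the Server Secret Key set on the Cisco device because a RADIUS client checks every reply against it. The following is an added example, not EmpowerID or Cisco code: it implements the Response Authenticator check defined in RFC 2865, and the secrets, packet contents and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2  # RADIUS code for Access-Accept (RFC 2865)

def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, attrs, request_auth, secret):
    """Server side: sign a reply with the secret stored for this connection."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_reply(reply, ident, request_auth, secret):
    """Client side: accept the reply only if it was signed with the same secret."""
    if len(reply) < 20:
        return False
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        return False  # wrong request or malformed length field
    expected = response_authenticator(code, rid, reply[20:], request_auth, secret)
    return hmac.compare_digest(expected, reply[4:20])

def demo():
    # Constructed values: no secret or packet here comes from a real deployment.
    server_secret = b"constructed-shared-secret"
    request_auth = os.urandom(16)  # Request Authenticator the client sent
    text = b"ok"
    attrs = bytes([18, 2 + len(text)]) + text  # Reply-Message attribute (type 18)
    reply = build_reply(ACCESS_ACCEPT, 7, attrs, request_auth, server_secret)
    return {
        "same_secret": verify_reply(reply, 7, request_auth, server_secret),
        "typo_in_secret": verify_reply(reply, 7, request_auth,
                                       b"constructed-shared-secrte"),
        "truncated": verify_reply(reply[:-1], 7, request_auth, server_secret),
    }

if __name__ == "__main__":
    print(demo())
```

A single mistyped character in either secret makes the client discard every reply, which shows up on the device as an authentication timeout rather than a reject. RFC 2865 states a preference for a secret of at least 16 octets.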

       

Configure the Password Manager Policy

  1. On the navbar, expand Admin > Password Management and click Password & Login Policies.

  2. Search for the policy for which you want to enable RADIUS authentication and then click the Display Name link for that policy.

  3. On the Policy Details page that appears, click the Edit link to put the policy in edit mode.

  4. On the Edit page for the policy, select the Authentication Settings tab and in the RADIUS Policy section do the following:

    1. Select Enable Authentication to allow RADIUS authentication.

    2. Select Require Second Factor Authentication if two-factor auth for RADIUS is required in your environment.

    3. Select Enable RADIUS Login if No Token Assigned according to your requirements.

  5. Click Save to save your changes to the policy.
