
Configuring Centrify Platform for Radius MFA Using Symantec Validation and Identity Protection

11 April,19 at 11:51 AM

Configuring Centrify Platform for Radius MFA support for Symantec Validation and Identity Protection (VIP).


Several prerequisites are required to set this up in your environment.


  1. Access to a working instance of the Symantec VIP service (VIP Authentication Service).
  2. Access to a Centrify environment. This technical tutorial primarily uses Centrify Application Services.
  3. Centrify Connector installed.
  4. A Symantec VIP Enterprise Gateway set up to communicate from your network to the Symantec VIP service. In this guide, I set this up on a Windows 2012 server using Symantec VIP Enterprise Gateway 9.8.
  5. Ensure the appropriate ports/firewalls are configured so that network communication can occur between the different components of this integration.




Part 1 – Install the Centrify Connector.


If you haven’t already set up the Centrify Connector, please see my colleague’s article, which describes this process:







Part 2:

Configure Symantec VIP service.

You may already have access to a working instance of the Symantec VIP service. If that is the case, you may want to review the steps here to ensure you have a test user to work with. If you do not have access to a working instance of Symantec VIP, you can register for a trial license of the service online at Symantec’s website.


Once you register for the trial, you will receive an email containing the steps below. Follow those instructions.


  • Access VIP Manager (
  • On the Sign in page, enter the email address and temporary password you were provided in your email.
  • Change your password upon initial logon.
  • Register your credential. In order to do this step, you need to download the “VIP Access” mobile application to your smartphone and register it with the user that you use to initially access the service.
  • Once you have your username/password and VIP access credential, you will access the VIP Manager by logging in:
  • Optional: Create an additional user with administrative rights to the VIP Manager portal.
  • From the Accounts Tab, Select “Create VIP Administrators”



  • This ensures a second account is available for accessing the VIP Manager.





Part 3:

  1. Install VIP Enterprise Gateway:


Log into the VIP Manager to download the required files.




From the Accounts tab, select “Download Files”.




Select Enterprise Gateway, then the latest version (for example, 9.8).




Download the Enterprise Gateway install files. Note that the documentation is also available in this location.




Extract the zip file and run the setup program. Accept the defaults, entering a user to administer the gateway.




You will now be able to log in to the Enterprise Gateway.







Part 4:

Install a VIP Certificate.


The first task required is to add a VIP Certificate.





From VIP Manager, go to the Account tab and select Manage VIP Certificates.



Request a VIP Certificate:


Follow the steps and enter a certificate name, e.g. Centrify.




Select PKCS#12 and set a password.




Download the certificate.


Go back to the VIP Enterprise Gateway. Click on “Add VIP Certificate”.




Browse to the previously downloaded certificate, enter the password and set an alias.




The certificate will now be imported.





Part 5:

Add a Trusted CA Certificate. (Configuration steps for an enterprise CA are excluded from this tutorial.) For this lab guide, the trusted root CA has been exported from the local CA and imported into the EGW. The steps below are provided as background.





Certificate Export Wizard:





On the Enterprise Gateway server, import the trusted root certificate as per the Symantec documentation.








With the Trusted CA Certificate imported, add the Trusted CA Certificate in the Enterprise Gateway Console.





Select the certificate previously exported.





Save the changes.



Restart the Symantec VIP Enterprise Gateway for the changes to take effect.




Part 6:


Configure the User Store:


From the VIP Enterprise Gateway, select User Store, then Add User Store.



The information below is self-explanatory. Consult the Symantec documentation for further information. A user “vipuser” was created in CN=Users for the bind.




Part 7. Add an SSL Certificate.

(As previously mentioned, certificate advice and discussion are excluded from this tutorial. For this lab guide, we have created a self-signed SSL certificate from IIS Manager and are importing this certificate into the VIP Enterprise Gateway.)






From within the VIP Enterprise Gateway, select SSL Certificate, then Add SSL Certificate:





Part 8. Configure the Self Service Portal





Select to configure the Self Service Portal.




Select to use SSL and select the CentrifySelfSigned certificate.




Start the service.




Note the URL for the Self Service Portal.


Log in to the Self Service Portal. The expected behaviour is that a user within your Active Directory will be redirected to the Symantec Self Service Portal to register a token.







User Kev.smith logs into the local Self Service Portal.



Kev.Smith is then asked to select and register the Symantec Credential.





Part 9:


Configure the Symantec Enterprise Gateway as a RADIUS validation server.


In the Symantec Enterprise Gateway, go to Validation, RADIUS Validation Server, and click “Add Server”.





Select Custom Configuration.


Add a Server Name, e.g. “Centrify”.

Add a RADIUS Shared Secret, e.g. “Centrify”.

Enter a Remote Access Service Name, e.g. “Centrify VIP”.

Click Submit.






Under Status, turn on the RADIUS Validation Server.




The Status should now show on:












Part 10:


Configure Centrify for Radius Support.


In the Centrify Portal, go to Settings, Authentication, Radius Connections.


Provide a name, e.g. “Radius VIP”.

Set the server hostname or IP address to the address of the Symantec Enterprise Gateway server.

Enter the shared secret, e.g. “Centrify”.

For User Identifier Attribute, change to “custom” and enter “sAMAccountName”. (This is to match the attributes set on the Symantec Enterprise Gateway.)
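
The shared secret entered in Part 9 and Part 10 is what lets each side trust the other's packets. The following added Python example (not Centrify or Symantec code) builds an RFC 2865 Access-Request carrying the sAMAccountName and an OTP, signs a reply as the validation server would, and shows the client-side Response Authenticator check failing when the two secrets differ. The OTP value, packet identifier and function names are constructed for illustration, and carrying the OTP in User-Password is an assumption about this integration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2      # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2           # RFC 2865 attribute types

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    blocks = max(1, -(-len(password) // 16))          # pad even an empty value
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(kind: int, value: bytes) -> bytes:
    return bytes([kind, len(value) + 2]) + value      # type, length, value

def build_access_request(ident, user, otp, secret, req_auth=None):
    """Client side (the Centrify Radius connection from Part 10)."""
    req_auth = req_auth or os.urandom(16)
    attrs = attr(USER_NAME, user.encode())
    attrs += attr(USER_PASSWORD, hide_password(otp.encode(), secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_reply(code, request, secret, attrs=b""):
    """Server side (the validation server from Part 9): sign the reply."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + auth + attrs

def reply_is_authentic(reply, request, secret) -> bool:
    """Client check: identifier, length and Response Authenticator must match."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    if struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

# Constructed sample: user and secret are the page's lab values, the OTP is made up.
request = build_access_request(7, "kev.smith", "123456", b"Centrify")
reply = build_reply(ACCESS_ACCEPT, request, b"Centrify")
print(reply_is_authentic(reply, request, b"Centrify"))   # secrets match
print(reply_is_authentic(reply, request, b"centrify"))   # secrets differ
```

The secret is compared byte for byte, so a difference in case or trailing whitespace between the two consoles is enough for every reply to be rejected.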





Part 11. Enable Connections to external RADIUS servers




Part 11. Create an Authentication Profile


In the Centrify Portal, go to Settings, Authentication, Authentication Profiles, and click “Add Profile”.




Profile Name “MFA with Radius”

For initial testing, select “Password” and “3rd Party Radius Authentication”.



Create a Role.

Core Services, Roles “Add Role”

Name = “Radius Test Users”

Member = Select a group from AD or individual users for testing purposes. In this lab I am adding my test user Kev.Smith.





Create a New Policy:

Core Services, Policies, “Add Policy Set” Name = “Radius Test Policy”

Policy Assignment, Specified roles = “Radius Test Users”



Under User Security Policies, Radius, set “Allow 3rd Party RADIUS Authentication” to “Yes”.




Under Login Policies, Centrify Portal, select “Enable Authentication Policy Controls”.

Set the Default profile to “MFA with Radius”.




Part 12: Test the Radius Authentication.


From the Centrify Portal.

Enter your user details, e.g. “kev.smith”.




From the drop-down authentication options, select “MFA with Radius”.

Open the Symantec VIP Access client.

Enter the OTP code.




You will now be authenticated via Radius.

Optionally, check the dashboard for review of user logins.



End of Main Labs:


Notes: In this lab example, the authentication policy was enabled to allow users to log into the portal using Radius. This authentication policy, or new authentication policies, can be created across your Centrify estate. Authentication policies using Radius can be enacted across your Centrify environment as a supplement where required.


A few further examples:


Windows Desktop Authentication with Radius



User Chris.Morgan enters his password.





The user's credentials are checked and the policy requires this user to use a second factor for authentication.



MFA with Radius is selected and allows Chris to log into his workstation.



Example 2:

Protecting Server Authentication with Radius:




User Chris's policy requires MFA with Radius to authenticate to the Windows 2016 server.



Example 3:

Privilege Elevation requiring MFA with Radius


Chris is a standard user with no rights. In order to create users, privilege elevation is required. Chris selects to run this application with privilege.




The options available to Chris are then presented. For example purposes, in addition to MFA with Radius, the options also include:

Security Questions

OATH OTP Client, e.g. Google Authenticator




(Other options are also available, e.g. Yubikey)





End Of examples.