Centrify includes its own Multi-Factor Authentication (link to https://www.centrify.com/solutions/why-multi-factor-authentication/), but many customers who have already deployed a third-party MFA product, such as Duo, RSA SecurID or SecureAuth, want to use it with Centrify.
Integrating that product over RADIUS lets your users keep using the existing MFA service for any Centrify-enabled application or server.
The steps in this document are designed to enable RADIUS MFA without affecting any existing users or applications. We will be creating separate policies, profiles and roles to keep everything apart during testing. After everything is working properly you can introduce MFA into your existing system.
1) Configure a RADIUS server connection to the 3rd party product.
Go to Settings -> Authentication -> RADIUS Connections -> Servers (tab)
Add the information for your 3rd party RADIUS server.
Enter the name of the service in a form that will be familiar to your end users (Duo, SecurID, SecureAuth, etc.).
OPTIONAL: Configure the user identity mapping attribute from Centrify to the RADIUS Server.
Background: Your existing RADIUS server might expect a different username format than the one the Centrify Identity Service sends.
By default, the Canonical Name attribute is sent to the RADIUS Server. The Canonical Name is constructed as follows:
For AD users it is set to one of the following (in this order):
- userPrincipalName, if that field's format is usable (not empty and doesn't start with "@"), otherwise
- the concatenation of sAMAccountName, a "@", and the AD domain.
For Centrify cloud users it is the contents of the "Name" field.
You can configure the service to send any directory attribute instead. For many MFA services you will want to send the AD sAMAccountName attribute, because that is how their users are enrolled. (See below.)
To send any other Active Directory attribute, enter the AD attribute name in the Custom field.
2) Enable the RADIUS Settings in your Cloud Connector.
The cloud connectors must be configured to allow RADIUS connections. By default it is turned off.
Go to Settings -> Network -> Select a cloud connector.
Select RADIUS and “Enable connections to external RADIUS server”. Do NOT override the server secret; leave the override unset so the connector uses the shared secret entered on the server definition in step 1.
Ignore the top setting, "Enable Incoming RADIUS connections". That setting makes the connector act as a RADIUS server for other clients and is not used for this setup.
Repeat this on every cloud connector that will be used for RADIUS authentication; a connector with the setting off cannot forward the challenge.
3) Create a new authentication profile that includes the RADIUS authentication.
The authentication profile defines which MFA options are available during an authentication request. In this example, we will create a separate profile for DUO testing. You could use any name instead of "DUO" in the label names.
Settings -> Authentication -> Authentication Profiles -> Add Profile (button)
I named my profile "Duo Authentication Test"
Select Text Message, Email confirmation code and 3rd Party RADIUS Authentication. Text message and email are included as fallbacks: if the RADIUS server isn't working during the test you can still complete MFA and get back in. Keep in mind that the user chooses which of the listed challenges to answer, so while those fallbacks are present RADIUS is not enforced; drop them from the production profile once RADIUS is proven if the third-party MFA is meant to be mandatory.
4) Create a new role for testing the DUO authentication.
The role will be used to assign DUO testing to a select group of users.
Roles -> Add Role button
I called my role "DUO Testers".
Assign a small number of members to this role. Add your test account or your real account if you feel brave. Make sure you have an additional administrator account that is not involved with Duo testing as a backup.
5) Create a new policy to test with DUO RADIUS
We will create a new policy that brings everything together for testing: the role, the authentication profile and the 3rd party RADIUS authentication switch.
Policies -> Add Policy Set (button)
Restrict the scope of the policy to ONLY apply to the DUO Testers role
Set the User Security Policies -> Login Authentication policy. Set to "Yes".
Do not add any Login Authentication Rules. With no rules, the default profile applies to every login, so the users in the DUO Testers role will be challenged for MFA each time they log in, which is what you want while testing.
Set the Default Profile to the one you created above, my example is "DUO Authentication Test".
6) Configure the RADIUS authentication settings :
Select the RADIUS item in the left frame of User Security Policies.
Set "Yes" for “Allow 3rd Party RADIUS Authentication” (Second item)
Do not configure “Allow RADIUS client connections”. (First item)
7) Test the login.
Log out of the Centrify Identity Service, open an incognito browser window and log in again with one of the DUO Testers accounts.
Under the multi-factor authentication popup, you should see the RADIUS Server listed by IP address.
If it doesn’t work, collect the logs from the RADIUS server and look for any errors related to your user authentication.
The most common error is a username mismatch: the attribute Centrify sends (by default the Canonical Name, e.g. user@domain) is not in the format the RADIUS server expects for its user IDs.
If this happens, go back to the optional user attribute mapping step above and pick the attribute (often sAMAccountName) that matches how users are enrolled on the RADIUS server.
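The Canonical Name rules from the optional mapping step and the username-mismatch symptom from the troubleshooting notes, as an added Python example (not code from the Centrify article or product): it computes the username Centrify would send under the default mapping and under a custom sAMAccountName mapping, then flags every user whose sent username is not one the RADIUS server has enrolled. The user records, the domain corp.example.com and the enrolled-username list are constructed test data; the assumption that a cloud user has no AD attributes (so a custom AD attribute resolves to an empty string) is this example's, not the article's.

```python
"""Added example (not part of the Centrify article): works out which
username Centrify sends to the RADIUS server under the default Canonical
Name mapping and under a custom attribute mapping, then flags the
"username mismatch" failure mode from the troubleshooting section.
All user records and enrolled usernames below are constructed test data."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class DirectoryUser:
    """A user as the Centrify Identity Service sees it (constructed)."""
    display: str                      # label used only for reporting
    source: str                       # "ad" or "cloud"
    name: str = ""                    # "Name" field of a Centrify cloud user
    user_principal_name: str = ""     # AD userPrincipalName
    sam_account_name: str = ""        # AD sAMAccountName
    ad_domain: str = ""               # AD domain of the account


def canonical_name(user: DirectoryUser) -> str:
    """Default identity sent to RADIUS, following the rules in the article.

    AD users: userPrincipalName if it is non-empty and does not start with
    "@", otherwise sAMAccountName + "@" + AD domain.
    Cloud users: the contents of the "Name" field.
    """
    if user.source == "cloud":
        return user.name
    upn = user.user_principal_name
    if upn and not upn.startswith("@"):
        return upn
    return f"{user.sam_account_name}@{user.ad_domain}"


def radius_username(user: DirectoryUser, attribute: Optional[str] = None) -> str:
    """Identity sent to RADIUS for a given mapping.

    attribute=None reproduces the default (Canonical Name). Otherwise the
    value names a directory attribute entered in the Custom field, such as
    "sAMAccountName". Assumption made by this example: a cloud user has no
    AD attributes, so a custom AD attribute resolves to an empty string.
    """
    if attribute is None:
        return canonical_name(user)
    attrs = {
        "userprincipalname": user.user_principal_name,
        "samaccountname": user.sam_account_name,
        "name": user.name,
    }
    try:
        return attrs[attribute.lower()]
    except KeyError:
        raise KeyError(f"attribute {attribute!r} is not modelled here") from None


def find_mismatches(users: Iterable[DirectoryUser], enrolled: Iterable[str],
                    attribute: Optional[str] = None) -> List[Tuple[str, str]]:
    """Return (display, username_sent) for every user whose RADIUS username
    is not one the RADIUS server knows. A non-empty result is the
    "username mismatch" symptom described in the troubleshooting section."""
    known = set(enrolled)
    mismatches = []
    for user in users:
        sent = radius_username(user, attribute)
        if sent not in known:
            mismatches.append((user.display, sent))
    return mismatches


# Constructed directory records (not real accounts).
USERS = [
    DirectoryUser("alice", "ad", user_principal_name="alice@corp.example.com",
                  sam_account_name="alice", ad_domain="corp.example.com"),
    DirectoryUser("bob", "ad", user_principal_name="",            # no UPN set
                  sam_account_name="bsmith", ad_domain="corp.example.com"),
    DirectoryUser("carol", "ad", user_principal_name="@corp.example.com",  # unusable UPN
                  sam_account_name="carol", ad_domain="corp.example.com"),
    DirectoryUser("dave", "cloud", name="dave@acme.example"),
]

# Constructed: usernames the third-party RADIUS server has enrolled. Many MFA
# products enrol AD users by sAMAccountName, which produces the mismatch the
# article warns about when the default Canonical Name is sent.
ENROLLED = {"alice", "bsmith", "carol", "dave@acme.example"}


if __name__ == "__main__":
    print("default (Canonical Name):", find_mismatches(USERS, ENROLLED))
    print("custom sAMAccountName:   ", find_mismatches(USERS, ENROLLED, "sAMAccountName"))
```

With the default mapping all three AD users are reported because Centrify sends user@domain while the server only knows the bare account names; switching the mapping to sAMAccountName clears them but then the cloud user is reported with an empty username, which is why a custom AD attribute only helps if every user who will be challenged over RADIUS actually has that attribute.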
Integrating in to your production services
To enable this for all users:
Locate the Authentication Profile that everyone uses for authentication.
Enable the 3rd Party RADIUS Authentication challenge in it, as in step #3.
Locate the Policy that applies to those users.
Set "Allow 3rd Party RADIUS Authentication" to "Yes" under User Security Policies -> RADIUS, as in the "Configure the RADIUS authentication settings" step above (again, leave "Allow RADIUS client connections" alone).
After this, the RADIUS option (Duo in this example) will appear among the multi-factor authentication choices for those users.