Kelly Wong

Tech Tip - CA Privileged Access Manager: Use CA Single Sign-On as Radius Server to CA PAM

Blog post created by Kelly Wong on Apr 13, 2017

CA Privileged Access Manager Tech Tip by Kelly Wong, Principal Support Engineer for 13th April 2017


The scope of this document is to provide the steps needed to configure CA Single Sign-On R12.52 SP1 as a Radius server for CA PAM, with Active Directory as the user store.


  1. CA Single Sign-On: Policy Server Management Console >> Settings
    Enable the Policy Server to act as a Radius authentication server
  2. CA Single Sign-On: Policy Server Management Console >> Logs
    Enable the Radius log
  3. Restart the CA Single Sign-On Policy Server and confirm that Radius logging is running and that the Radius UDP ports are listening (1645 for authentication and 1646 for accounting by default); any firewall between CA PAM and the Policy Server must allow the authentication port

  4. CA Single Sign-On: SiteMinder Administrative UI >> Infrastructure >> Directory >> User Directories
    Create User Directory object referencing the Active Directory
  5. CA Single Sign-On: SiteMinder Administrative UI >> Infrastructure >> Agent >> Agents
    Create a Radius agent for the CA PAM server, using the CA PAM IP address as the agent address, and set the Shared Secret; the same value is entered in CA PAM in Step 10, and the Policy Server rejects requests from any other address or secret
  6. CA Single Sign-On: SiteMinder Administrative UI >> Infrastructure >> Authentication >> Authentication Schemes
    Create Radius CHAP/PAP authentication scheme
  7. CA Single Sign-On: SiteMinder Administrative UI >> Policies >> Domain >> Domains
    Create a Domain and associate the User Directory created in Step 4 with it
    Create a Realm and associate the Agent created in Step 5 and the Authentication Scheme created in Step 6 with it
    Create a Rule with the Authenticate action
    Create a Response with the RADIUS Agent Type
    Create a Response Attribute for the Framed-IP-Address Radius attribute, sourced from the user attribute 'msRADIUSFramedIPAddress' (the static IP assigned to the AD user in Step 8)
    Create a Policy that links the Users, the Rule and the Response together
  8. Active Directory: Active Directory Users and Computers
    Create the user, enable 'Store password using reversible encryption' on the account (required for CHAP, since the Policy Server must compute the CHAP response from the stored password), and assign a static IP address on the Dial-in tab, which populates the 'msRADIUSFramedIPAddress' attribute used in Step 7
  9. Reset the user's password: reversible encryption only applies to passwords set after the option is enabled, so a password set before Step 8 cannot be used for CHAP
  10. CA PAM: Config >> 3rd Party >> RADIUS and TACACS+ Configuration
    Add a new Radius server with the Policy Server address and authentication port, using the Shared Secret defined in Step 5
  11. CA PAM: Users >> Manage Users
    Create Radius user or import Radius users via 'Import LDAP Group' (with 'Radius' Authentication Type)
  12. Log off and log in with the Radius user, supplying the user's Active Directory password (set in Step 9); the Shared Secret from Step 5 protects the Radius exchange between CA PAM and the Policy Server and is not the login password
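Before involving the CA PAM login screen, it helps to check Steps 3 and 12 directly against the Policy Server's Radius port. The script below is an added example written for this edit, not CA code and not part of the original post. It sends one RFC 2865 PAP Access-Request (the PAP half of the CHAP/PAP scheme from Step 6) with the Python standard library, verifies the Response Authenticator with the shared secret before trusting the reply, and reports whether the Framed-IP-Address from the Step 7 Response came back. The Policy Server address 192.0.2.10, port 1645, NAS address 192.0.2.20, secret 'pamsecret' and user 'radtest' are hypothetical placeholders.

```python
"""Minimal RADIUS PAP client for checking the Policy Server's RADIUS listener.

Added example for this Tech Tip; not CA code and not part of the original post.
Hypothetical values: Policy Server 192.0.2.10, UDP port 1645, shared secret
'pamsecret', NAS (CA PAM) address 192.0.2.20, user 'radtest'.
Standard library only: RFC 2865 framing, PAP hiding of User-Password,
Response Authenticator verification and Framed-IP-Address parsing.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_FRAMED_IP = 1, 2, 4, 8


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first block is keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) if password else b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the 2-byte header."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(ident, username, password, secret, nas_ip, authenticator):
    """Access-Request carrying User-Name, the hidden User-Password and NAS-IP-Address."""
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code, ident, attrs, request_authenticator, secret):
    """What the server sends back: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret). Used here to fabricate
    a reply for an offline self-check."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attributes(data: bytes) -> dict:
    """Walk the TLV list; a bad length raises so a truncated packet fails loudly."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def check_response(packet, request_authenticator, secret) -> dict:
    """Verify the Response Authenticator before trusting the result, then report the
    code and the Framed-IP-Address (present only if the Step 7 Response delivered one)."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs_bytes = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs_bytes + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or spoofed reply")
    attrs = parse_attributes(attrs_bytes)
    result = {"code": code, "id": ident, "accepted": code == ACCESS_ACCEPT}
    if len(attrs.get(ATTR_FRAMED_IP, b"")) == 4:
        result["framed_ip"] = socket.inet_ntoa(attrs[ATTR_FRAMED_IP])
    return result


def radius_pap_login(server, port, secret, username, password, nas_ip, timeout=5.0) -> dict:
    """Send one Access-Request over UDP and return the verified result."""
    ident, authenticator = os.urandom(1)[0], os.urandom(16)
    req = build_access_request(ident, username, password, secret, nas_ip, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (server, port))
        data, _ = s.recvfrom(4096)
    result = check_response(data, authenticator, secret)
    if result["id"] != ident:
        raise ValueError("response Identifier does not match the request")
    return result


if __name__ == "__main__":
    # Replace the hypothetical values with the Policy Server address, the Shared Secret
    # from the Radius agent (Step 5) and the AD user's password (Step 9).
    print(radius_pap_login("192.0.2.10", 1645, b"pamsecret", "radtest", "Passw0rd!", "192.0.2.20"))
```

Run it from the CA PAM host (or another address registered as a Radius agent in Step 5), since the Policy Server only answers registered agent addresses. A timeout points at Step 3 or the firewall; a Response Authenticator mismatch means the secret given in Step 10 does not match Step 5; an Access-Reject with a good secret means the user, password or directory lookup failed, and the Radius log enabled in Step 2 shows which. Note that PAP hides the password with MD5 and the shared secret only, so treat the secret as a credential and keep the Radius path on a trusted network segment.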