Symantec Access Management

  • 1.  NPS and Azure Cloud MFA flow details for implementation

    Posted Nov 19, 2018 08:58 AM

    Hi,


    We have CyberArk integrated with CA SSO 12.7 (using SAML); now we have a requirement to implement Azure cloud MFA.
    Earlier, CA suggested the flow given below:


    1. CA SSO will challenge the user for Credentials. CA SSO Web Agent will collect the user name / password / token.
    2. CA SSO Policy Server will validate the username / password with on-premise AD.
    3. CA SSO Policy Server will make a call to NPS using the Radius Protocol to validate the Token.
    4. NPS will speak with Azure MFA on Cloud to validate the Token and pass a response back to CA SSO Policy Server.
    5. CA SSO Policy Server, based on the response back from NPS / Azure MFA, will take a final call whether the user is authenticated or not.
    6. If all is successful, then CA SSO Policy Server would send IsAuthenticated() success to CA SSO Web Agent.

    So we need help in understanding points 3, 4 & 5.



  • 2.  Re: NPS and Azure Cloud MFA flow details for implementation

    Posted Nov 19, 2018 09:41 AM

    ArunGoswami007

     

    I'm going to reword this slightly... the reason being I'd like "Microsoft to fill in the blanks".

    I'm going to suggest 100% what would work from the CA SSO perspective.

    CA SSO side of the flow:

     

    1. CA SSO will challenge the user for Credentials. CA SSO Web Agent will collect the user name / password / token.
    2. CA SSO Policy Server will validate the username / password with on-premise AD.
    3. CA SSO Policy Server will make a call to <Radius Server / EndPoint> using the Radius Protocol to validate the Token.
    4. <Radius Server / EndPoint> validates the Token and passes a response back to CA SSO Policy Server.
    5. CA SSO Policy Server, based on the response back from <Radius Server / EndPoint>, will take a final call whether the user is authenticated or not.
    6. If all is successful, then CA SSO Policy Server would send IsAuthenticated() success to CA SSO Web Agent.

     

    Where <Radius Server / EndPoint> can be any Security Vendor Solution that takes in a Radius Client Request for Token Validation.

    e.g. for <Radius Server / EndPoint>:

    • MobilePass.
    • ActivIdentity.
    • OpenRadius.
    • MFA with Radius Support enabled.

    So my question is: did we ask Microsoft what kind of Radius support they would have for MFA?


    Regards

    Hubert
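    The RADIUS exchange behind steps 3 to 5 above (Policy Server acting as RADIUS client, the <Radius Server / EndPoint> such as NPS acting as RADIUS server), as an added example that is not code from this thread, from CA or from Microsoft; the shared secret, user name and token are constructed values, and the packet layout follows RFC 2865.

```python
# Added example: RFC 2865 Access-Request / Access-Accept at the packet level.
# The "policy server" is the RADIUS client, the endpoint (NPS) is the server.
# Shared secret, identifier, user name and token are constructed values.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLV attributes."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def hide_password(secret, req_auth, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block          # CBC-style chaining over ciphertext blocks
    return out


def build_access_request(secret, ident, username, token, req_auth=None):
    """Client side (step 3): Access-Request carrying the OTP in User-Password."""
    req_auth = req_auth or os.urandom(16)   # fresh, unpredictable Request Authenticator
    body = _attrs([(ATTR_USER_NAME, username),
                   (ATTR_USER_PASSWORD, hide_password(secret, req_auth, token))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def build_response(code, ident, req_auth, secret, attrs=b""):
    """Server side (step 4): Response Authenticator = MD5(Code+ID+Len+ReqAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + req_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(response, req_auth, secret):
    """Client side (step 5): accept only a reply bound to our request and our secret."""
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        return "unverified"   # forged, tampered, or replayed against another request
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(head[0], "other")
```

    The check in verify_response is what lets the Policy Server in step 5 trust that the Accept or Reject really came from the RADIUS endpoint that holds the shared secret, and for this very request.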



  • 3.  Re: NPS and Azure Cloud MFA flow details for implementation

    Posted Nov 20, 2018 04:03 AM

    Hi Hubert,

     

    Thanks for replying. Yes, we confirmed with Microsoft and they are supporting the NPS flow, and they told us: the Radius server would be the CA SSO policy server, and then it will make a radius call to the NPS server, and then the NPS server will make a call to Azure cloud for MFA (NPS makes a call to Azure cloud to obtain an Auth token (REST)).

    So we are looking for help to set up the Radius and NPS server on premise where CA SSO is present.

     

    Best Regards,

    Arun



  • 4.  Re: NPS and Azure Cloud MFA flow details for implementation

    Posted Nov 27, 2018 03:35 AM

    Hi Hubert,

     

    Please suggest the next step.

     

    Thanks

    Arun



  • 5.  Re: NPS and Azure Cloud MFA flow details for implementation

    Posted Nov 28, 2018 09:12 AM

    ArunGoswami007

     

    Just making sure about this statement "Radius server would be CA SSO policy server". This is incorrect. In the below diagram the Server that is listed as "<Radius Server>" is the Server that handles Radius Requests.

     

    Thus "<Radius Server>" is the NPS on Premise component for Microsoft Azure MFA (cloud).

     

    CA SSO Policy Server ships with OOB Radius Authentication Templates. However, those are not quite flexible in terms of the requirements that Customers often request. Hence we deploy an add-on component from CA Global Delivery PWP called 'XAuthRadius', which does far more than the OOB Authentication Template. The add-on needs an additional license and is not part of the Core CA SSO Product License. But this can be worked out with the Sales and Account Team. Reach out to your Account Manager for the licensing part.

     

    XAuthRadius version matrix, documentation and binaries can be found within the below links.




  • 6.  Re: NPS and Azure Cloud MFA flow details for implementation

    Posted Dec 21, 2018 03:15 AM

    Hi Hubert,

     

    The XAuthRadius links are not accessible for me (not authorized); could you share the support matrix and admin guide with me?

     

    Thanks in advance.



  • 7.  Re: NPS and Azure Cloud MFA flow details for implementation

    Posted May 14, 2019 03:19 PM

    Thanks a lot Hubert