PingAM 8.0.0

RADIUS server service

The RADIUS server service relies on authentication modules and chains. Authentication modules and chains have been removed in AM 8.0. To continue using the RADIUS server service in this release, you must re-enable modules and chains.

Re-enable modules and chains
  1. Go to Configure > Server Defaults > Advanced in the AM admin UI.

  2. Add the org.forgerock.am.authentication.chains.enabled property and set it to true.

  3. Save your changes.

  4. Restart AM or the container where it runs.

You can now access modules and chains through the REST endpoints. Modules and chains aren’t accessible through the AM admin UI.

The RADIUS server service provides a RADIUS server within AM. The server authenticates RADIUS clients that are external to AM. It is backed by AM’s authentication chains and modules, so it can perform multi-factor authentication as well as simple username and password authentication.

The following example shows the flow of a successful username and password authentication attempt from a RADIUS client:

Figure 1. RADIUS server service: simple authentication flow

The following example shows the flow of a successful multi-factor authentication scenario in which the RADIUS server service is backed by an authentication chain that includes the LDAP and the ForgeRock Authenticator (OATH) authentication modules. First, the LDAP authentication module requires the user to provide a username and password. Then, the ForgeRock Authenticator (OATH) module requires the user to enter a one-time password obtained from the authenticator app on a mobile phone:

Figure 2. RADIUS server service: multi-factor authentication flow
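The two-step exchange behind Figure 2, modelled as an added Python example that is not PingAM code or part of this documentation: the RADIUS client sends an Access-Request with the hidden User-Password, the server answers Access-Challenge carrying a State attribute, the client sends the one-time password with that State echoed back, and the server answers Access-Accept. The user store, OTP value and shared secret are constructed, and the `server` function stands in for AM's RADIUS server; the client also verifies each Response Authenticator, which is how a mismatched per-client shared secret shows up.

```python
import hashlib, os, struct

# Constructed demo data; the secret stands for the one set in the client's subconfiguration.
SECRET = b"demo-shared-secret"
USERS = {b"alice": (b"correct horse", b"492039")}     # name -> (LDAP password, current OTP)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
def attrs(pairs):                      # encode Type/Length/Value attributes
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in pairs)
def parse_attrs(data):
    out, i = {}, 0
    while i < len(data):
        out[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return out
def xor_password(data, req_auth, hiding, secret=SECRET):
    # RFC 2865 5.2: pad to 16-byte chunks, XOR each with MD5(secret + previous ciphertext
    # chunk); the first chunk is keyed with the Request Authenticator instead.
    data = data.ljust(-(-len(data) // 16) * 16, b"\0") if hiding else data
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        chunk = bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + chunk, (chunk if hiding else data[i:i + 16])
    return out
def reply(code, ident, req_auth, body):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + req_auth + body + SECRET).digest() + body
def server(pkt, sessions):             # stand-in for AM's RADIUS server with an LDAP -> OATH chain
    ident, req_auth, a = pkt[1], pkt[4:20], parse_attrs(pkt[20:])
    pw = xor_password(a[USER_PASSWORD], req_auth, False).rstrip(b"\0")
    if STATE not in a:                                    # factor 1: LDAP module (password)
        if a[USER_NAME] not in USERS or USERS[a[USER_NAME]][0] != pw:
            return reply(ACCESS_REJECT, ident, req_auth, b"")
        token = os.urandom(8)                             # State binds the OTP step to this user
        sessions[token] = a[USER_NAME]
        return reply(ACCESS_CHALLENGE, ident, req_auth, attrs([(STATE, token), (REPLY_MESSAGE, b"Enter OTP")]))
    name = sessions.pop(a[STATE], None)                   # factor 2: OATH module (one-time password)
    return reply(ACCESS_ACCEPT if name and USERS[name][1] == pw else ACCESS_REJECT, ident, req_auth, b"")
def authenticate(username, password, otp, client_secret=SECRET):
    sessions, state = {}, []               # client side of the exchange; returns the final RADIUS code
    for ident, value in ((1, password), (2, otp)):
        req_auth = os.urandom(16)
        body = attrs([(USER_NAME, username), (USER_PASSWORD, xor_password(value, req_auth, True, client_secret))] + state)
        rsp = server(struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body, sessions)
        if hashlib.md5(rsp[:4] + req_auth + rsp[20:] + client_secret).digest() != rsp[4:20]:
            raise ValueError("Response Authenticator mismatch: shared secret differs or reply was forged")
        if rsp[0] != ACCESS_CHALLENGE or ident == 2:      # Access-Accept / Access-Reject ends the exchange
            return rsp[0]
        state = [(STATE, parse_attrs(rsp[20:])[STATE])]   # echo State in the OTP request
```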

The AM RADIUS server is disabled by default. To enable it, perform the following steps:

Enable and configure the RADIUS server

  1. In the AM admin UI, go to Configure > Global Services, and click RADIUS Server.

  2. Under Secondary Configuration Instance, click New.

    AM uses secondary configuration instances in the RADIUS Server service to encapsulate RADIUS clients. You must configure one secondary configuration instance, also known as a subconfiguration, for each client that will connect to the RADIUS Server.

  3. Configure attributes for the subconfiguration.

    Refer to RADIUS server for information about configuring the subconfiguration attributes.

  4. Click Add to add the configuration for the RADIUS client to the overall RADIUS server service configuration.

  5. If you have multiple RADIUS clients that will connect to the AM RADIUS server, add a subconfiguration for each client.

    You don’t need to configure all your RADIUS clients when you configure the RADIUS server service initially—you can add and remove clients over time as you need them.

  6. Configure global attributes of the RADIUS server service.

    At a minimum, set the Enabled field to YES to start the RADIUS server immediately after you save the RADIUS server service configuration.

    Find more information on configuring the RADIUS Server service in RADIUS server.

  7. On the main configuration page for the RADIUS server service, click Save.

The RADIUS server starts immediately after you save the configuration if the Enabled field has the value YES. If you make changes to the RADIUS server service configuration, the changes take effect as soon as you save them.