You enable RADIUS software on an authentication manager server. For RADIUS authentication, follow the vendor's configuration documentation.

Prerequisites

Install and configure the RADIUS software on an authentication manager server. For RADIUS authentication, follow the vendor's configuration documentation.

You need to know the following RADIUS server information to configure RADIUS on the service.

  • IP address or DNS name of the RADIUS server.

  • Authentication port number. The authentication port is usually 1812.

  • Authentication type. The authentication types include PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol), MSCHAP1, MSCHAP2 (Microsoft Challenge Handshake Authentication Protocol, versions 1 and 2).

  • RADIUS shared secret that is used for encryption and decryption in RADIUS protocol messages.

  • Specific timeout and retry values needed for RADIUS authentication.

  • Log in to the vRealize Automation console as a tenant administrator.

Procedure

  1. Select Administration > Directories Management > Connectors.
  2. On the Connectors page, select the Worker link for the connector that is being configured for RADIUS authentication.
  3. Click Auth Adapters and then click RadiusAuthAdapter.

    You are redirected to the identity manager sign-in page.

  4. Click Edit to configure these fields on the Authentication Adapter page.

    | Option | Action |
    | --- | --- |
    | Name | A name is required. The default name is RadiusAuthAdapter. You can change this. |
    | Enable Radius Adapter | Select this box to enable RADIUS authentication. |
    | Number of authentication attempts allowed | Enter the maximum number of failed login attempts when using RADIUS to log in. The default is five attempts. |
    | Number of attempts to Radius server | Specify the total number of retry attempts. If the primary server does not respond, the service waits for the configured time before retrying. |
    | Radius server hostname/address | Enter the host name or the IP address of the RADIUS server. |
    | Authentication port | Enter the RADIUS authentication port number. This is usually 1812. |
    | Accounting port | Enter 0 for the port number. The accounting port is not used at this time. |
    | Authentication type | Enter the authentication protocol that is supported by the RADIUS server: PAP, CHAP, MSCHAP1, or MSCHAP2. |
    | Shared secret | Enter the shared secret that is used between the RADIUS server and the VMware Identity Manager service. |
    | Server timeout in seconds | Enter the RADIUS server timeout in seconds, after which a retry is sent if the RADIUS server does not respond. |
    | Realm Prefix | (Optional) The user account location is called the realm. If you specify a realm prefix string, the string is placed at the beginning of the user name when the name is sent to the RADIUS server. For example, if the user name is entered as jdoe and the realm prefix DOMAIN-A\ is specified, the user name DOMAIN-A\jdoe is sent to the RADIUS server. If you do not configure these fields, only the user name that is entered is sent. |
    | Realm Suffix | (Optional) If you specify a realm suffix, the string is placed at the end of the user name. For example, if the suffix is @myco.com, the user name jdoe@myco.com is sent to the RADIUS server. |
    | Login page passphrase hint | Enter the text string to display in the message on the user login page to direct users to enter the correct RADIUS passcode. For example, if this field is configured with AD password first and then SMS passcode, the login page message would read Enter your AD password first and then SMS passcode. The default text string is RADIUS Passcode. |

  5. You can enable a secondary RADIUS server for high availability.

    Configure the secondary server as described in step 4.

  6. Click Save.

What to do next

Add the RADIUS authentication method to the default access policy. Select Administration > Directories Management > Policies, click Edit Default Policy, and add the RADIUS authentication method to the rule in the correct authentication order.
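
How the Shared secret, Authentication type and Realm Prefix fields from step 4 appear on the wire when the type is PAP. This is an added example, not VMware code: it follows the User-Password hiding defined in RFC 2865 section 5.2. The function names, sample secret and passcode are constructed for illustration.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2  # RFC 2865 code / attribute types

def _xor_chain(data, secret, authenticator, hiding):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous ciphertext)."""
    out, prev = b"", authenticator  # Request Authenticator seeds the first block
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, pad))
        prev = result if hiding else block  # always chain on the ciphertext block
        out += result
    return out

def hide_password(password, secret, authenticator):
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    size = max(16, -(-len(password) // 16) * 16)  # NUL-pad to a multiple of 16
    return _xor_chain(password.ljust(size, b"\x00"), secret, authenticator, True)

def recover_password(hidden, secret, authenticator):
    """What the RADIUS server does with its own copy of the shared secret."""
    return _xor_chain(hidden, secret, authenticator, False).rstrip(b"\x00")

def build_access_request(user, password, secret, prefix="", suffix="",
                         ident=1, authenticator=None):
    authenticator = authenticator or os.urandom(16)
    name = (prefix + user + suffix).encode()  # realm prefix/suffix applied here
    hidden = hide_password(password.encode(), secret, authenticator)
    attrs = bytes([USER_NAME, len(name) + 2]) + name
    attrs += bytes([USER_PASSWORD, len(hidden) + 2]) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet):
    attrs, pos = {}, 20  # attributes follow the 20-byte header
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs

def demo():
    secret = b"constructed-shared-secret"  # constructed sample value
    pkt = build_access_request("jdoe", "example-passcode", secret, prefix="DOMAIN-A\\")
    attrs = parse_attributes(pkt)
    return attrs[USER_NAME], recover_password(attrs[USER_PASSWORD], secret, pkt[4:20])
```

With PAP the passcode is protected only by this MD5-based hiding keyed with the shared secret, so the secret should be long and random.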