
Tech Tip - CA Privileged Access Manager: Use CA Single Sign-On as Radius Server to CA PAM

By wonsa03 posted 04-13-2017 12:14 AM

  

CA Privileged Access Manager Tech Tip by Kelly Wong, Principal Support Engineer for 13th April 2017

 

This document provides the steps needed to configure CA Single Sign-On R12.52 SP1 as a Radius server with Active Directory as the user store.

 

  1. CA Single Sign-On: Policy Server Management Console >> Settings
    Enable Policy Server to act as Radius authentication server
  2. CA Single Sign-On: Policy Server Management Console >> Logs
    Enable Radius log
  3. Restart CA Single Sign-On Policy Server and ensure Radius logging is running and Radius ports are up

  4. CA Single Sign-On: SiteMinder Administrative UI >> Infrastructure >> Directory >> User Directories
    Create User Directory object referencing the Active Directory
  5. CA Single Sign-On: SiteMinder Administrative UI >> Infrastructure >> Agent >> Agents
    Create Radius agent for the CA PAM server (using CA PAM IP Address)
  6. CA Single Sign-On: SiteMinder Administrative UI >> Infrastructure >> Authentication >> Authentication Schemes
    Create Radius CHAP/PAP authentication scheme
  7. CA Single Sign-On: SiteMinder Administrative UI >> Policies >> Domain >> Domains
    Create Domain and associate the user directory created in Step 4 to the Domain
    Create Realm, associate the Agent created in Step 5 and Authentication Scheme created in Step 6 to the Realm
    Create Rule with Authenticate action
    Create Response with RADIUS Agent Type
    Create Response Attribute with Framed-IP-Address attribute, and User attribute 'msRADIUSFramedIPAddress'
    Create Policies to link the Users, Rules and Responses together
  8. Active Directory: Active Directory Users and Computers
    Create user with reversible encryption and assign a static IP Address to the user
  9. Reset user password
  10. CA PAM: Config >> 3rd Party >> RADIUS and TACACS+ Configuration
    Add new Radius server with the Shared Secret defined in Step 5
  11. CA PAM: Users >> Manage Users
    Create Radius user or import Radius users via 'Import LDAP Group' (with 'Radius' Authentication Type)
  12. Log off and log in with the Radius user (password is the Shared Secret defined in Step 5)
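
To check the finished configuration from the CA PAM side, the following added example (not part of the original tech tip and not CA code) builds a Radius PAP Access-Request per RFC 2865, verifies the reply's Response Authenticator against the shared secret from Step 5, and extracts the Framed-IP-Address response attribute from Step 7. The server address, port, user name, password and secret are caller-supplied assumptions; the page does not state them.

```python
import hashlib, hmac, os, socket, struct
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS = 1, 2, 8  # RFC 2865 attribute types

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """PAP hiding: XOR each 16-byte block with MD5(secret + previous hidden block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(user: str, password: str, secret: bytes, ident: int = 1):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    request_auth = os.urandom(16)
    attrs = b""
    for atype, value in ((USER_NAME, user.encode()),
                         (USER_PASSWORD, hide_password(password.encode(), secret, request_auth))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth

def parse_reply(reply: bytes, request_auth: bytes, secret: bytes, ident: int = 1):
    """Return (code, framed_ip or None); raise ValueError if the reply fails verification."""
    length = int.from_bytes(reply[2:4], "big")
    if len(reply) < 20 or reply[1] != ident or not 20 <= length <= len(reply):
        raise ValueError("truncated reply or identifier/length mismatch")
    attrs = reply[20:length]
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(reply[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    framed_ip = None
    while attrs:
        if len(attrs) < 2 or not 2 <= attrs[1] <= len(attrs):
            raise ValueError("malformed attribute")
        if attrs[0] == FRAMED_IP_ADDRESS and attrs[1] == 6:
            framed_ip = socket.inet_ntoa(attrs[2:6])
        attrs = attrs[attrs[1]:]
    return reply[0], framed_ip

def authenticate(server: str, port: int, user: str, password: str, secret: bytes):
    # One UDP round trip; server, port and credentials are supplied by the caller.
    packet, request_auth = build_access_request(user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(3.0)
        sock.sendto(packet, (server, port))
        return parse_reply(sock.recvfrom(4096)[0], request_auth, secret)
```

A return code of 2 (Access-Accept) with a Framed-IP-Address confirms the policy, response and user attribute are wired together; a Response Authenticator error usually means the shared secret on the Radius agent and the one entered in CA PAM differ.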

Comments

04-20-2017 08:24 AM

Hi Kelly,

thank you for your feedback :-)

04-19-2017 06:22 PM

Hi Filippo,

 

The Radius settings on CA SSO should be the same between the releases.

 

Good luck.

04-19-2017 11:27 AM

04-19-2017 05:40 AM

Thank you very much Kelly, not tested yet but really interesting and useful.

 

Is there some difference, or is it the same with CA SSO 12.6?

 

Thanks and best regards