Configuring IBM Verify Gateway for RADIUS for IBM Verify

With the password-and-device authentication method, the user provides their IBM® Security Verify password, and the authentication is then verified through the IBM Verify application on their mobile device. The user must configure their device in IBM Security Verify.

Before you begin

The auth-method you set must match the authentication method you set for users in IBM Security Verify.

The user's device must have connectivity to the IBM Security Verify Access system.

Procedure

  1. Instruct the user to install the IBM Verify application on their mobile device.
  2. Instruct the user to open https://hostname.ice.ibmcloud.com/ui and log in to their IBM Security Verify account.
  3. Instruct the user to perform the following steps:
    1. Click the person icon and click Security settings.
    2. Click Add new.
    3. Click Next: Connect your account.
    4. Launch the IBM Verify application on their mobile device.
    5. Choose Use Touch ID.
    6. Tap to connect a new account.
    7. Scan the QR Code on the IBM Security Verify web page using the device’s camera.
    8. Allow IBM Verify to send you notifications.
    9. On the IBM Security Verify web page, click Verify.
    10. On the device, click the check mark and enter your fingerprint to verify the device.
    11. On the IBM Security Verify web page, click Done.
    The device is listed on the user's web page under IBM Verify.
  4. In the installation directory on your Windows system where you installed IBM Verify Gateway for RADIUS, edit the IbmRadiusConfig.json configuration file to set the auth-method to password-and-device:
    {
        "address":"::",
        "port":1812,
        "trace-file":"c:/directory-name/ibm-auth-api.log",
        "ibm-auth-api":{
            "client-id":"client-id",
            "client-secret":"client-secret",
            "protocol":"https",
            "host":"hostname.ice.ibmcloud.com",
            "port":443,
            "max-handles":16
        },
        "clients":[
            {
                "name":"hostname.company.com",
                "address": "ip-address",
                "secret":"your-secret",
                "auth-method":"password-and-device"
            }
        ]
    }
  5. Save the changes.
  6. In password-and-device authentication, the login flow is as follows:
    1. The user must provide their IBM Security Verify password.
    2. The authentication is then verified through the IBM Verify application on the user's mobile device. The user is prompted as follows:
      A push notification has been sent to your device :device-name. 
           Please refresh your IBM Verify application if you did not receive it.
           ENTER MFA INFORMATION:
    3. The user must follow the prompts to verify the push notification on their mobile device.
    4. The user must enter any single character as the response to the ENTER MFA INFORMATION prompt and press Enter to continue.
      Note: In IBM MFA Out-of-Band authentication, the user must enter any single character in response to the Response prompt and press Submit.
Tip: When the user attempts to log in, the following error in the IBM Verify Gateway for RADIUS trace log indicates that the IBM Security Verify authentication factor settings are incorrect. {"messageId":"CSIAK4300E","messageDescription":"You are not authorized to access this resource."}. See Configuring IBM Security Verify authentication factors for the correct settings.
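A pre-deployment check for step 4 and the tip above, as an added example (not IBM's code or part of the product): it parses an IbmRadiusConfig.json document, reports clients whose auth-method is not password-and-device or whose secrets are still the documentation placeholders, and counts CSIAK4300E entries in trace-log lines. The function names and the sample host name, address and credentials are constructed for illustration.

```python
import json

# Placeholder values from the documentation sample; a deployed file must not keep them.
PLACEHOLDERS = {"client-id", "client-secret", "your-secret"}
AUTH_ERROR_ID = "CSIAK4300E"  # message ID quoted in the trace-log tip


def check_config(text, expected_method="password-and-device"):
    """Return a list of findings for the text of an IbmRadiusConfig.json file."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:  # e.g. a trailing comma or missing bracket
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    findings = []
    api = cfg.get("ibm-auth-api", {})
    if api.get("protocol") != "https":
        findings.append("ibm-auth-api.protocol is not https")
    for key in ("client-id", "client-secret"):
        if not api.get(key) or api.get(key) in PLACEHOLDERS:
            findings.append(f"ibm-auth-api.{key} is missing or still a placeholder")
    clients = cfg.get("clients", [])
    if not clients:
        findings.append("no RADIUS clients defined")
    for i, client in enumerate(clients):
        label = client.get("name", f"clients[{i}]")
        method = client.get("auth-method")
        if method != expected_method:
            findings.append(f"{label}: auth-method is {method!r}, expected {expected_method!r}")
        if not client.get("secret") or client.get("secret") in PLACEHOLDERS:
            findings.append(f"{label}: secret is missing or still a placeholder")
    return findings


def count_auth_errors(trace_lines):
    """Count trace-log lines that carry the CSIAK4300E authorization error."""
    return sum(1 for line in trace_lines if AUTH_ERROR_ID in line)


# Constructed sample input (not from a real deployment).
SAMPLE = """{"address":"::","port":1812,
 "ibm-auth-api":{"client-id":"abc123","client-secret":"client-secret",
                 "protocol":"https","host":"hostname.ice.ibmcloud.com","port":443},
 "clients":[{"name":"vpn01.example.com","address":"192.0.2.10",
             "secret":"your-secret","auth-method":"password-and-device"}]}"""
SAMPLE_TRACE = ['{"messageId":"CSIAK4300E","messageDescription":"You are not authorized to access this resource."}']

if __name__ == "__main__":
    for finding in check_config(SAMPLE):
        print("FINDING:", finding)
    print("CSIAK4300E occurrences:", count_auth_errors(SAMPLE_TRACE))
```

Run it against the file's contents before restarting the gateway; an empty findings list means the checks above passed, not that the IBM Security Verify side is configured correctly.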