Configuring IBM Verify Gateway for RADIUS

You install and configure IBM® Verify Gateway for RADIUS on a Windows server or desktop system as the gateway that connects IBM MFA for generic RADIUS to IBM Security Verify.

Before you begin

Important: For the best outcome, you should install IBM Verify Gateway for RADIUS on a Windows system with a static IP address.

The Windows server or desktop system requires network connectivity to the IBM Security Verify hostname, by default on port 443. Ensure that your network firewall allows access to this port. If you are unsure, ask your network administrator.

Configuring the IBM Verify Gateway for RADIUS server is described in https://www.ibm.com/support/knowledgecenter/en/SSCT62/com.ibm.iamservice.doc/tasks/t_gateway_config.html. This section summarizes the steps for your convenience; see that page for complete details.

Procedure

  1. From a Windows server or desktop system, navigate to https://exchange.xforce.ibmcloud.com/hub/extension/cb468c6c4539fad9c64eff7a1b107e86 in a browser and download IBM Verify Gateway for RADIUS.
  2. Extract the files from the downloaded .zip file and run setup.exe to install IBM Verify Gateway for RADIUS on the Windows server or desktop system.
  3. Open the https://hostname.ice.ibmcloud.com/ui/admin page. If the page does not open directly to the Admin page, click the person icon in the top right portion of the page and select Switch to admin.
  4. Click the menu icon in the top left corner of the page.
  5. Click Settings.
  6. Click API Access.
  7. Locate your API client in the list and hover over the end of the row to display the edit icon.
  8. Click the edit icon. The API client information is displayed.
  9. Copy the Client ID and Secret to the clipboard (one at a time) and save the information, or click the eye icon to view the Client ID and secret and save the information. You will need this information when you edit the IbmRadiusConfig.json configuration file in Step 11.
  10. Click Cancel. No changes are necessary.
  11. Edit the IbmRadiusConfig.json configuration file in the installation directory on your Windows system where you installed IBM Verify Gateway for RADIUS.
  12. Substitute the question marks (?) as shown in the following example:
    {
        "address":"::",
        "port":1812,                                       (1)
        /* "trace-file":"c:/tmp/ibm-auth-api.log", */      (2)
        "ibm-auth-api":{
            "client-id":"??????",                          (3)
            "client-secret":"??????",                      (4)
            "protocol":"https",
            "host":"??????.ice.ibmcloud.com",              (5)
            "port":443,                                    (6)
            "max-handles":16
        },
        "clients":[
            {
                "name":"??????",                           (7)
                "address": "??????",                       (8)
                "secret":"??????",                         (9)
                "auth-method":"password"                   (10)
            }
        ]
    }
    Callout Notes:
    1. Remember this port (1812); you will need it when you configure the IBM MFA generic RADIUS panel. If generic RADIUS and SafeNet RADIUS are both using the same IP address, you can specify a different port number.
    2. Uncomment this entry and specify a location to create a log file for debugging purposes.
    3. Specify the client ID you copied in Step 9.
    4. Specify the client secret you copied in Step 9.
    5. Specify the IBM Security Verify hostname you created.
    6. This is the port that your Windows system uses to connect to the IBM Security Verify host. Your Windows system must be able to establish connections from this port.
    7. Specify the LPAR or system name where IBM MFA generic RADIUS is configured.
    8. Specify the LPAR or system IP address where IBM MFA generic RADIUS is configured.
    9. Specify the shared secret you want IBM Verify Gateway for RADIUS and IBM MFA generic RADIUS to use. Remember this secret; you will need it when you configure the IBM MFA generic RADIUS panel.
    10. See the sections that follow for information on the specific authentication methods.
  13. Save the changes.
Tip: If the shared secret is not the same in IBM Verify Gateway for RADIUS and the generic RADIUS panel, a message similar to the following is logged in the IBM Verify Gateway for RADIUS log file:
["urn:ietf:params:scim:api:messages:2.0:Error"],"status":"400","detail":
"CSIAI0160E Authentication failed.","scimType":"INVALID_CREDS"}
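
A check to run on the edited IbmRadiusConfig.json before starting the gateway, as an added example that is not part of the IBM documentation or product. It drops the /* */ entries, parses the JSON, and reports values that still hold the ?????? placeholders from Step 12, a protocol other than https, a client address that is not an IP address, and a shared secret shorter than the 16 octets RFC 2865 prefers. The sample configuration, its hostname, and all of its values are constructed, and the function names are this example's own.

```python
import ipaddress
import json
import re

PLACEHOLDER = re.compile(r"\?{2,}")             # the page's "??????" markers
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)  # entries like the trace-file line

# Constructed sample: one placeholder left in place and a short shared secret.
SAMPLE = """{
  "address":"::", "port":1812,
  /* "trace-file":"c:/tmp/ibm-auth-api.log", */
  "ibm-auth-api":{"client-id":"example-id", "client-secret":"??????",
    "protocol":"https", "host":"tenant.ice.ibmcloud.com", "port":443,
    "max-handles":16},
  "clients":[{"name":"LPAR1", "address":"192.0.2.10", "secret":"short",
    "auth-method":"password"}]
}"""

def load_config(text):
    """Parse the file text after dropping /* */ comments (naive: assumes no
    string value contains a comment delimiter)."""
    return json.loads(BLOCK_COMMENT.sub("", text))

def placeholders(node, path=""):
    """Yield the dotted path of every string that still contains '??'."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from placeholders(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from placeholders(value, f"{path}[{i}]")
    elif isinstance(node, str) and PLACEHOLDER.search(node):
        yield path

def lint(cfg):
    """Return findings as strings; an empty list means nothing was flagged."""
    findings = [f"{p}: placeholder not replaced" for p in placeholders(cfg)]
    if cfg.get("ibm-auth-api", {}).get("protocol") != "https":
        findings.append("ibm-auth-api.protocol: not https")
    for i, client in enumerate(cfg.get("clients", [])):
        secret, addr = client.get("secret", ""), client.get("address", "")
        if not PLACEHOLDER.search(secret) and len(secret.encode()) < 16:
            findings.append(f"clients[{i}].secret: under 16 octets (RFC 2865)")
        if not PLACEHOLDER.search(addr):
            try:
                ipaddress.ip_address(addr)
            except ValueError:
                findings.append(f"clients[{i}].address: not an IP address")
    return findings

if __name__ == "__main__":
    for finding in lint(load_config(SAMPLE)):
        print(finding)
```

The file holds the API client secret and the RADIUS shared secret in clear text, so run the check locally and keep its output out of shared logs if you extend it to print values.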