Configuring the IBM Security Verify Gateway for RADIUS server

Procedure

  1. Create API client credentials.
    1. Log in to the IBM® Security Verify administration console as an Administrator.
    2. Click Configuration > API access > Add API client.
    3. Provide a name for the client.
      For example, IBM Security Verify Gateway.
    4. Select the check boxes to grant the following access rights.
      • Authenticate any user
      • Read second-factor authentication enrollment for all users
      • Read users and groups
    5. Click Save.
    6. Locate your API client in the list and hover at the end of the row to display the edit icon.
    7. Click the edit icon.
      The API client information is displayed.
    8. Copy the Client ID and Secret to the clipboard, or click the eye icon to view the secret, and store the information somewhere safe. The secret carries the access rights you just granted, so treat it like a password.
      You need this information when you edit the IbmRadius configuration file.
    9. Click Cancel.
      No changes are necessary.
    For more information, see Managing API clients.
  2. Create users.
    1. Use the IBM Security Verify administration console to create the users that will authenticate through the Verify Gateway for RADIUS server.
      See Managing users.
      For each user that requires second-factor authentication, enroll the user for an OTP method such as TOTP, EmailOTP, or SMSOTP through the relevant enrollment APIs in Verify.
      Note: The IBM RADIUS server product does not provide a function for enrolling users for OTP. A user who is not enrolled cannot complete a second-factor method that the client entry requires.
  3. Edit the IbmRadius configuration file.
    The IbmRadiusConfig.json file is standard JSON with one non-standard extension: you can comment out parts of the file by wrapping them between /* and */. A generic JSON parser rejects such comments, so strip them before validating the file with other tools.

    See https://www.json.org/ for the JSON syntax.

    1. Edit the JSON file with your favorite text file editor.
      For Windows systems C:\Program Files\ibm\IbmRadius\IbmRadiusConfig.json

      For Linux® systems /etc/IbmRadiusConfig.json

      In this quick example, replace the placeholder values (xxxxxxxx) with the Client ID and Client Secret that you copied in step 1.h, the hostname of the IBM Security Verify tenant that you are using, and the address of the Verify Gateway for RADIUS client that you want to allow.

      Update the client "address" and "mask" to match your Verify Gateway for RADIUS client (NAS), such as a VPN server or PAM RADIUS module; every host that the address and mask cover can send requests under that entry, so keep the mask as narrow as possible. The RADIUS client must be configured with the same shared secret as the "secret" value of its entry in the "clients" array. This is the RADIUS shared secret between the NAS and the gateway, not the API client secret from step 1. Replace the sample value passw0rd with a long random secret before you deploy; the RADIUS protocol relies on that secret to hide the user's password and to authenticate the gateway's replies.

      {
         "address": "::",
         "port": 1812,
         "ibm-auth-api": {
            "host": "xxxxxxxx.verify.ibm.com",
            "max-handles": 16,
            "protocol": "https",
            "port": 443,
            "client-id": "xxxxxxxx",
            "client-secret": "xxxxxxxx"
         },
         "policy" : [
            {
               "name": "policy1",
               "return-attrs": [
                  {
                     "value": "Login",
                     "name": "Service-Type"
                  }
               ]
            }
         ],
         "clients": [
            {
               "address": "192.168.1.144",
               "mask": "255.255.255.255",
               "choice-prompt": "Please select an authentication method from the list: \r\n",
               "identity-source": "869e5652-bbb1-4f9b-8e55-0ae53d3bc30b",
               "auth-method": "password-then-totp",
               "name": "client1",
               "transients-in-choice": false,
               "transient-choices": ["emails", "phoneNumbers"],
               "use-external-ldap": true,
               "choice-line-prompt": "Enter %I for %D \r\n",
               "secret": "passw0rd",
               "no-devices-in-choice": false,
               "reject-on-missing-auth-method": false,
               "no-enrollments-in-choice": false,
               "device-prompt": "A push notification has been sent to your device: [%D].",
               "poll-device": true,
               "poll-timeout": 60
            }
         ]
      }
    2. Edit the top level {} section.
      It contains the Verify Gateway for RADIUS global settings, such as the address and port on which the gateway listens. See Top level {}.
    3. Edit the "ibm-auth-api": {} section.
      It contains the connection details and API client credentials for the IBM Security Verify server. See "ibm-auth-api":{}.
    4. Edit the "clients": [] section.
      It contains one entry for each RADIUS client (NAS) that is allowed to send requests to the gateway: its address and mask, its shared secret, and the authentication method and prompts that apply to it. See "clients":[].
    5. Edit the "policy":[] section.
      It is an array of policies that can conditionally add attributes to a response, or accept or reject authentication requests. See "policy":[].