The RADIUS Server Service
The RADIUS Server service provides a RADIUS server within AM. The server authenticates users on behalf of RADIUS clients (such as VPN concentrators or other network access devices) that are external to AM; each client is identified by its IP address and a shared secret. The server is backed by AM's authentication chains and modules, so it can enforce multi-factor authentication in addition to simple user name and password authentication.
The following example shows the flow of a successful simple user name and password authentication attempt from a RADIUS client. The client sends an Access-Request carrying the user name and password, and the RADIUS server, backed by an authentication chain, returns an Access-Accept.
[Figure: successful user name and password authentication flow from a RADIUS client]
The following example shows the flow of a successful multi-factor authentication scenario in which the RADIUS Server service is backed by an authentication chain that includes the LDAP and the ForgeRock Authenticator (OATH) authentication modules. First, the LDAP authentication module requires the user to provide a user name and password. Then, the ForgeRock Authenticator (OATH) module requires the user to enter a one-time password obtained from the authenticator app on a mobile phone.
[Figure: successful multi-factor authentication flow with the LDAP and ForgeRock Authenticator (OATH) modules]
The AM RADIUS server is disabled by default. To enable it, perform the following steps:
In the AM console, go to Configure > Global Services, and then click RADIUS Server.
Under Secondary Configuration Instance, click New.
AM uses secondary configuration instances in the RADIUS Server service to encapsulate RADIUS clients. You must configure one secondary configuration instance, also known as a subconfiguration, for each client that will connect to the RADIUS Server.
Configure attributes for the subconfiguration. See "RADIUS Server" for information about configuring the subconfiguration attributes.
Click Add to add the configuration for the RADIUS client to the overall RADIUS Server service's configuration.
If you have multiple RADIUS clients that will connect to the AM RADIUS server, add a subconfiguration for each client. It is not necessary to configure all your RADIUS clients when you configure the RADIUS Server service initially—you can add and remove clients over time as you need them.
Configure global attributes of the RADIUS Server service. At a minimum, set the Enabled field to YES so that the RADIUS server starts as soon as you save the RADIUS Server service configuration.
See "RADIUS Server" for information about configuring the RADIUS Server service's global attributes.
On the main configuration page for the RADIUS Server service, click Save.
The RADIUS server starts immediately after you save the configuration if the Enabled field is set to YES. Any changes you make to the RADIUS Server service configuration take effect as soon as you save them.
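Once a client subconfiguration is saved and the service is enabled, the quickest way to confirm that AM is actually answering is to drive the two flows described above from a scripted RADIUS client. The following Python script is an added example, not ForgeRock code: it implements the RFC 2865 PAP exchange (User-Password hiding with the shared secret, Response Authenticator verification) and answers Access-Challenge rounds by echoing the State attribute, which is how the second factor (the OATH one-time password) is collected in the multi-factor flow. The host name, port 1812, shared secret, user name, and password in the stand-alone `main` block are assumptions; use the client IP address and shared secret you configured in that client's subconfiguration, and note that AM must see the request coming from the configured client address.

```python
"""Minimal RADIUS PAP client (RFC 2865) for exercising the AM RADIUS Server service.
Added example; host, port, secret and credentials below are assumed values."""
import hashlib
import hmac
import os
import socket
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with MD5(secret + previous
    block), seeded with the Request Authenticator. Weak by modern standards, which is
    why the shared secret and the network path between client and AM both matter."""
    padded = password + b"\x00" * ((-len(password) % 16) if password else 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: what the server does with the shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def build_access_request(ident, secret, username, password, state=None):
    """Returns (packet, request_authenticator). State is echoed when answering a challenge."""
    auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, auth))]
    if state is not None:
        attrs.append((STATE, state))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body, auth


def build_response(code, ident, request_auth, secret, attrs):
    """Server-side Response Authenticator: MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def parse_response(pkt, secret, request_auth, expected_id):
    """Verifies the Response Authenticator before trusting the code or attributes."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad length")
    pkt = pkt[:length]
    if ident != expected_id:
        raise ValueError("identifier mismatch")
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or spoofed reply")
    return code, decode_attrs(pkt[20:])


def authenticate(host, port, secret, username, password, prompt=input, timeout=5.0):
    """Runs the PAP exchange, answering Access-Challenge rounds (for example the OATH
    one-time password step of an AM chain) until the server returns Accept or Reject."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    ident, state, answer = 1, None, password
    while True:
        pkt, auth = build_access_request(ident, secret, username, answer, state)
        sock.sendto(pkt, (host, port))
        code, attrs = parse_response(sock.recv(4096), secret, auth, ident)
        msgs = b" ".join(v for t, v in attrs if t == REPLY_MESSAGE).decode(errors="replace")
        if code != ACCESS_CHALLENGE:
            return code == ACCESS_ACCEPT, msgs
        state = next((v for t, v in attrs if t == STATE), None)
        answer = prompt(msgs or "Challenge: ")  # the OTP from the authenticator app
        ident = (ident + 1) % 256


if __name__ == "__main__":
    # Assumed values: AM on the standard RADIUS port, secret from this client's subconfiguration.
    ok, msg = authenticate("am.example.com", 1812, b"changeit", "demo", "Ch4ngeit!")
    print("Access-Accept" if ok else "Access-Reject", msg)
```

Run it from a host whose address matches the client subconfiguration; a reply that fails `parse_response` usually means the shared secret does not match what you entered in the console, while no reply at all usually means AM rejected the source address or the service is not enabled. Keep `parse_response` strict: a client that accepts an Access-Accept without checking the Response Authenticator can be fooled by anyone who can inject a UDP packet.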