If your users are authenticating using one of the Directory Authenticators (Active Directory or one of the LDAP type authenticators), you can configure Cloud Access Manager to use a second factor of authentication in addition to a password. The secondary authentication methods available are:
The configuration options for these methods are described in the following sections.
Complete the RADIUS Connection Settings to allow Cloud Access Manager to connect to an authentication service using the Remote Authentication Dial-In User Service (RADIUS) protocol. Please refer to the table below for a detailed explanation of each feature.
| Field | Functionality |
|---|---|
|
Hostname/IP Address (including port) |
Enter the fully-qualified domain name or the IP address of your authentication service host and the UDP port number on which the authentication service is listening. The IANA-registered port number for RADIUS is 1812. For example radius.example.com:1812 |
|
Shared Secret |
Enter the password or passphrase used to encrypt sensitive information in the RADIUS traffic sent to the authentication service. The authentication service must be configured with the same shared secret. |
|
Challenge/Response Server |
Many RADIUS authentication services are capable of maintaining an authentication session with multiple requests and responses. This allows challenge-response authentication tokens to be used, as well as other features like password expiry and token time window resynchronization. If your authentication service supports challenge/response mode, then select the Challenge/Response Server box. |
|
Attribute to use for RADIUS username |
Enter the name of the Active Directory attribute whose value is to be relayed to the RADIUS authentication service to identify the user. The default, sAMAccountName, contains the login username. |
|
Test Connection |
To determine whether Cloud Access Manager has connectivity to the RADIUS authentication service. |
The configuration procedure is similar whether you are using smart card as a primary or secondary factor authentication method. The following steps describe how to configure Cloud Access Manager for smart card authentication:
For detailed instructions on smart card configuration, please refer to Configuring smart card authentication.
Starling 2FA is a cloud based authentication service that allows users to self-register and then access their one time passwords on both mobile and desktop devices. For further information on accessing Starling 2FA and using Cloud Access Manager to authenticate Starling 2FA users, please refer to Configuring each application.
To use Starling 2FA in Cloud Access Manager, you first need to join Cloud Access Manager to Starling. See Joining Cloud Access Manager to One Identity Starling for more information.
| Field | Functionality |
|---|---|
| Attribute to use for mobile phone number |
Enter the name of the attribute from the primary directory (Active Directory / LDAP) whose value is to be relayed to the Starling 2FA authentication service to identify the user. The default attribute is mobile, this usually contains the user's mobile telephone number. If you are using Azure Active Directory then you will need to select telephoneNumber as the attribute. |
| Default country code for phone numbers |
Select the country for which mobile telephone numbers can be specified without the country code prefix. If you have telephone numbers in your directory that are not in the default region they must begin with a plus sign followed by the numeric region code. |
|
Enable push notifications |
Select whether to use push notifications. If this is selected then users will be sent a notification message that they will need to approve to authenticate rather than having to enter a one-time password. All users will be required to install the Starling 2FA application on either a mobile device or as a Windows desktop application to be able to receive and acknowledge notifications. |
|
Message to display as part of push notification |
A message that will be displayed to the user as part of the notification message. |
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback Nutzungsbedingungen Datenschutz Cookie Preference Center
