CyberArk Integration

General Overview

This guide explains the configuration of multi-factor authentication (MFA) for CyberArk with Mirket. It also includes instructions to configure your CyberArk for integration with Mirket RADIUS.

Prior configuration and deployment of CyberArk are required before setting up MFA with Mirket. CyberArk offers various MFA configuration modes. In this integration, we've configured RADIUS authentication for CyberArk.

This integration was tested with version 10.2.0(10.2.0.55) of CyberArk.

Preparation Steps

Before proceeding with these procedures, ensure the following:

• You've completed the installation and configuration of the Mirket (go to Mirket Installation Steps).

• End-users can access the CyberArk.

Configuring RADIUS in CyberArk

Configuring Shared Secret Key

To enable RADIUS authentication with CyberArk, create a shared secret key. This key should be stored in an encrypted file. Run CAVaultManager on the Vault server to generate an encrypted RADIUS shared secret key and save it as a file.

• Execute CMD as an administrator on the Vault server.

• Enter "CAVaultManager SecureSecretFiles /SecretType Radius /Secret / \RadiusSecret.dat". Then press Enter. An example command to create a shared secret file, using abc123 as the shared secret, would be: "C:\Program Files (x86)\PrivateArk\Server>CAVaultManager.exe SecureSecretFiles /SecretType Radius /Secret abc123 /SecuredFileName C:\test.dat."

Configuring RADIUS Server on the Vault

• Initiate Server Central Administration on the Vault server. Then shut down the PrivateVault server.

• Find the dbparm.ini file locate at C:\Program Files (x86)\PrivateArk\Server.

• Modify the dbparm.ini file and enter "RadiusServerInfo=<RADIUS Server IP/Host name>;<RADIUS Port>;<Vault IP/Hostname>;<RADIUS shared secret file>" in the Main section. For instance: RadiusServersInfo=10.0.1.1; 1812; Client; RadiusSecret.dat

  • RADIUS Server IP/Host name: Refers to the Mirket(Radius Server) IP address or hostname.

  • RADIUS Port: Determines the port number used by the RADIUS client for communication with the RADIUS server. The default port is 1812.

  • Vault Hostname: Represents the name or IP address of the RADIUS client (Vault server).

  • RADIUS shared secret file: Indicates the location and filename of the previously created shared secret key file.

  Note: In our example, we don't include the file path for the RadiusSecret.dat file because it's located at C:\Program Files (x86)\PrivateArk\Server. Therefore, you won't need to specify the complete file path for RadiusServerInfo to reference RadiusSecret.dat.

• Initiate the PrivateVault server.

Configuring RADIUS Authentication within the CyberArk Privileged Account Security Portal

• Access the Privileged Account Security portal by logging in as an administrator. Then, select Options.

• 
• Go to Authentication Methods > radius.

• Enter a policy name in the DisplayName field under the Properties section. This name will be visible on the Privileged Account Security portal login page.

• Choose the "Yes" option from both the Enable dropdown list and the UseRadius dropdown list.

• Log out from the Privileged Account Security portal. Check the sign-out screen to verify the successful addition of the newly added authentication method.

Configure User Authentication as RADIUS

• Initiate the PrivateArk console and sign in to the Vault.

• Go to Tools > Administrative Tools > Users and Groups.

• Then choose the user and click on Update.

• Select the Authentication tab. Then choose the RADIUS Authentication option from the Authentication method dropdown list.

Configure Mirket

To enable Mirket to receive authentication requests from CyberArk, follow these steps:

• Define CyberArk as a RADIUS client resource within Mirket.

• Create an authentication policy for the CyberArk RADIUS client resource or include it in an existing authentication policy.

• Attach the CyberArk resource to the Mirket Radius.

Add a CyberArk as Resource in Mirket with Mirket Radius Gateway

Before starting, ensure that you have installed Mirket Radius Gateway. To add a Radius Client to the Mirket Radius Gateway, follow these steps:

• First, navigate to the directory C:\MirketRadius and open the config.json file.

• Fill in the gateway and radiusClientList fields according to the provided specifications to ensure accurate and secure network configuration.

  • samName: Enter the SAM name of the gateway. In Mirket, user identification is done using the SAM (Security Account Manager) name. This is preferred over the standard username. This username is used for authentication and access controls. Please provide your domain name, such as 'mirket'.

  • authenticationPort: Enter the authentication port value you set for the gateway. The default value is 1812.

  • accountingPort: Enter the accounting port value you specified for the gateway. The default value is 1813.

  • gatewayIp: Enter the IP address of the server where the Mirket is installed.

  • ipAddress: Enter the IP address of your firewall.

  • secretKey: Enter your secret key. This secret key is used to link your radius client and radius server, so ensure they are identical.

• Once you've made the necessary changes to the config.json file, save and close it. Note: You can add multiple RADIUS clients.

• After completing the configuration, restart the 'Mirket Radius Gateway Service'.

User and Group configuration on Mirket

To set up multifactor authentication, make sure you have at least one user group in Mirket.

If it is preferred to use a local user, first create a local group and then create a local user and make the user a member of the group.

• Create a Local Group to add users manually.

• Add local Mirket users manually.

If it is preferred to use LDAP users, the priority LDAP group is created by pulling users from Active Directory or OpenLDAP in Mirket.

• Create a LDAP group to include LDAP users.

• Sync users from an external user database.

Add a Radius Rules to Mirket

Radius Rules define user access to resources and the authentication methods available (such as SMS, Approve / Deny, OTP etc.).

First, you should follow these steps:

• Select Rules > Radius Rules.

• Click on Add New.

• Enter a rule name in the Name field.

• Enter the rule description in the Description field.

• Select the group to which the rule applies from the Group dropdown list.

• Select the provider to which the rule applies from the Provider dropdown list.

• Select the authorization profile to which the rule applies from the Authorization dropdown list.

• Click on Save to confirm settings.

Test the Integration

To validate the integration between Mirket MFA and your CyberArk, perform authentication using a mobile token on your mobile device. For RADIUS resources, available authentication methods include Approve/Deny authentication.

In this example, we illustrate the use of the Approve/Deny authentication method.

• Connect to "http://<host_name or IP address>/passwordvault" on the server where Password Vault Web Access is installed. Then, choose the RADIUS option.

• Enter your Mirket username in the Username field.

• Input your password in the Password field.

• Click on Sign in. Then, select the 'Approve' option(found in the Mirket mobile app) immediately and make sure it doesn't time out.

Related Topics

Radius Clients

Radius Rules

Local Group Configuration

Local Users Configuration

LDAP Group Configuration

LDAP Users