Legacy Remote Access Experience

Imprivata Confirm ID integrates with any VPN gateway that supports RADIUS to streamline authentication management and simplify two-factor authentication for remote access for employees. In addition to logging in remotely, Imprivata Confirm ID users can also enroll authentication methods from outside your network.

This topic includes an overview for configuring Imprivata Confirm ID remote access. Detailed instructions for specific VPN gateways can be found here:

Before You Begin

Your VPN gateway may be supported, or supported and tested by Imprivata: review Imprivata Confirm ID Supported Components for details. Fully configure your environment for remote access with single-factor username and password authentication before configuring its connection to Imprivata.

BEST PRACTICE: To plan your rollout and learn how Remote Access works, start here.

Configure The VPN Gateway (RADIUS client)

  • Configure a VPN server (RADIUS client) or server group to point to the IP address(es) or hostname(s) of your Imprivata appliance(s) or RADIUS load balancer virtual IP (VIP) address.
  • Configure RADIUS timeout, retry interval, and maximum attempts settings to allow time for Imprivata Confirm ID Push Authentication to be completed.
  • Set the Authentication Port field to 1812.
  • Create a secret key (or encryption key, shared secret). You will also enter this key as the "encryption key" in the Imprivata Admin Console (see Imprivata Remote Access).

NOTE: The Imprivata Confirm ID RADIUS server supports only the PAP protocol; CHAP protocols are not supported. Configure your RADIUS clients for PAP to work with Imprivata Confirm ID.

BEST PRACTICE: In large deployments, a load balancing solution should be used to distribute RADIUS traffic from your RADIUS client to all your Imprivata appliances in production. In a large deployment, you should not configure your RADIUS client to send all RADIUS requests to one Imprivata appliance.
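The PAP-only note and the shared-secret requirement above both follow from how RFC 2865 protects the password on the wire. The following Python is an added illustration, not Imprivata code and not a description of the appliance's internals: a toy RADIUS client and PAP-only server written from the RFC, with constructed secrets, user names and addresses. Running it shows why a RADIUS client whose shared secret differs from the "encryption key" on the appliance does not get a key error: the server decodes the User-Password to garbage and rejects it as bad credentials, and the client cannot validate the reply's authenticator either.

```python
"""RFC 2865 PAP password handling and Response Authenticator check.

Added illustration, not Imprivata code: a toy RADIUS client and PAP-only
server built from the RFC. Secrets, user names and IPs are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

def pap_encode(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block); the Request Authenticator seeds
    the first block. Only a holder of the same secret can reverse this."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_decode(encoded: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Reverse pap_encode. A different secret yields garbage, not an error."""
    out, prev = b"", request_authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")  # strip the RFC padding

def attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type (1 byte), Length incl. header (1 byte), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attributes(raw: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(raw):
        attr_type, length = raw[i], raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed attribute")
        attrs[attr_type] = raw[i + 2:i + length]
        i += length
    return attrs

def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, nas_ip: str) -> bytes:
    """Client side (VPN gateway / NAS): an Access-Request with a PAP password."""
    req_auth = os.urandom(16)  # fresh random Request Authenticator per request
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, pap_encode(password.encode(), secret, req_auth))
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + req_auth + attrs

def response_authenticator(code, identifier, req_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def server_handle(packet: bytes, secret: bytes, users: dict) -> bytes:
    """Server side, PAP only: decode the password with *its own* secret and check it."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], parse_attributes(packet[20:length])
    verdict = ACCESS_REJECT
    # A CHAP client sends CHAP-Password instead of User-Password; a PAP-only
    # server has nothing it can verify, so such a request is rejected outright.
    if code == ACCESS_REQUEST and ATTR_USER_PASSWORD in attrs:
        user = attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
        expected = users.get(user)
        supplied = pap_decode(attrs[ATTR_USER_PASSWORD], secret, req_auth)
        # Wrong shared secret => `supplied` is garbage => looks like a bad password.
        if expected is not None and hmac.compare_digest(supplied, expected.encode()):
            verdict = ACCESS_ACCEPT
    return struct.pack("!BBH", verdict, identifier, 20) + response_authenticator(
        verdict, identifier, req_auth, b"", secret)

def verify_response(response: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Client side: trust the reply only if its authenticator proves the same secret."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, identifier, req_auth, response[20:length], secret)
    return hmac.compare_digest(expected, response[4:20])

if __name__ == "__main__":
    USERS = {"alice": "correct horse battery"}  # constructed sample account
    request = build_access_request(1, "alice", USERS["alice"], b"shared-secret", "10.0.0.5")
    reply = server_handle(request, b"shared-secret", USERS)
    print("matching secret: accept =", reply[0] == ACCESS_ACCEPT,
          "reply valid =", verify_response(reply, request[4:20], b"shared-secret"))
    reply = server_handle(request, b"typo-secret", USERS)  # appliance holds a different key
    print("mismatched secret: reject =", reply[0] == ACCESS_REJECT,
          "reply valid =", verify_response(reply, request[4:20], b"shared-secret"))
```

Run the file directly to see both cases. Note that the Access-Request itself carries nothing the server can use to detect a wrong secret (that needs the Message-Authenticator attribute from RFC 2869, which this toy omits), so a key mismatch is indistinguishable from a wrong password on the server side; the mismatch only becomes visible when the client checks the reply's authenticator.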

Configure Imprivata Remote Access

Add a New RADIUS Client

To enable Imprivata to serve your RADIUS client, name your RADIUS client and configure the NAS address / SNIP address on the Imprivata Admin Console:

  1. In the Imprivata Admin Console, go to Applications > Remote access integrations.
  2. Click Add new RADIUS client.
  3. On the Add new RADIUS client screen:
    • Select a Client type
    • Enter a descriptive Client name
    • Enter the Hostname or IP address of the RADIUS client (the RADIUS client may also be referred to as the Network Access Server (NAS) or VPN server).
    • Enter the Encryption key (shared secret).
    • BEST PRACTICE: This encryption key will be used as a shared secret between your server and RADIUS client. Use a computer-generated string of 22 to 64 characters in length.

      You do not need to repeat this process for each Imprivata appliance. This client configuration is distributed to all Imprivata appliances in your enterprise.

  4. Click Save.

Optional — Non-licensed User Access

When you integrate Imprivata Confirm ID Remote Access with your gateway, the following users will be blocked from logging in:

  • Imprivata Confirm ID users who are not licensed for Remote Access, and
  • All non-Imprivata users: users not synced with the Imprivata users list.

However, you can override this default behavior and allow remote access for these users:

  1. In the Imprivata Admin Console, go to Applications > Remote access integrations.
  2. Select the RADIUS client.
  3. In the section Non-licensed user access, select Allow remote access for users without a Confirm ID for Remote Access license.
  4. Click Save.

This option uses Active Directory authentication for these users only, bypassing Imprivata Confirm ID authentication.

Active Directory Groups Queried

Users synced with the Imprivata appliance — The Imprivata appliance will query direct group and nested group memberships.

Users not synced with the Imprivata appliance — The Imprivata appliance will only query direct group memberships.

Troubleshooting — Nested Groups Not Queried

If you allow non-licensed user access and a non-Imprivata user is still blocked from Remote Access, their Active Directory group may be nested, and nested groups are not queried in this Remote Access login workflow.

Example — A user who is a member of Group1, where Group1 is in turn a member of Group2, is not considered a member of Group2 for non-Imprivata users attempting Remote Access, because only direct memberships are queried for them.

If you need to provide remote access to non-Imprivata users in nested groups, sync them with the Imprivata appliance. You do not need to license them for any Imprivata features. The sync alone will cause them to be queried by Imprivata Confirm ID for Remote Access.

CAUTION: All users synced with the Imprivata appliance must be added to a user policy. If you do not want these users consuming any licenses, verify that the user policy they're added to consumes no licenses (the Imprivata Admin Console may present a Caution on this user policy stating these users will not be able to log in; this message can be ignored in this specific case). See Creating and Managing User Policies and Synchronizing the Users List.

Optional - Configure RADIUS Group Attributes

Some RADIUS clients require information about the authenticating user to be returned in the form of RADIUS attributes. See Managing RADIUS Connections.

Troubleshooting The RADIUS Connection

You can troubleshoot the connection between your RADIUS client and the Imprivata appliance by viewing serverProxy.log:

  1. On the Imprivata appliance, go to System > Logs.
  2. In the section Log data export, export the log data for the period you wish to troubleshoot.
  3. Click View files.
  4. In the index of logs, open RadiusENA/serverProxy.log.gz.
  5. The communication between the RADIUS client and the Imprivata appliance is logged here.

Examples

  • If you see the message Source IP address [ip address] does not have a NAS entry, the IP address for the RADIUS client may have been entered incorrectly or not configured at all.
  • If you see no entries in the log, and the Imprivata appliance does not respond to the request from the RADIUS client, this may mean:
    • The IP address for the Imprivata appliance was not entered properly on the RADIUS client.
    • The authentication port for the Imprivata appliance was not set to 1812 on the RADIUS client.
  • If you see the message The Remote Authentication failed, either because the assigned user policy has no permission configured in the Authentication subtab OR the user's credentials failed, this may mean:
    • The encryption key (shared secret) does not match on the RADIUS client and the Imprivata appliance; or
    • The RADIUS client is configured to use an unsupported protocol.
  • Push Notifications — If the Imprivata Admin Console reports an authentication via push notification succeeded, but the RADIUS client reports the authentication timed out, the timeout value on the RADIUS client may need to be increased.
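As an added example (not Imprivata code), the following Python turns the Examples list above into a small triage script you can run over an exported serverProxy.log. The log line layout is not shown on this page, so the timestamp and level prefix in the constructed sample are assumptions; only the message texts quoted above are matched, and the "no entries" case is reported when the export is empty. The push-timeout helper at the end assumes the RADIUS client waits the configured timeout once per attempt, which differs between vendors.

```python
"""Triage of serverProxy.log messages against the causes listed on this page.

Added illustration, not Imprivata code. The real log line layout is not shown
on the page, so the date/level prefix in SAMPLE_LOG is constructed; only the
quoted message texts are matched.
"""
import re

# Constructed sample: what an export might contain for one misconfigured client.
SAMPLE_LOG = """\
2024-05-01 08:00:01 INFO  Source IP address 10.1.2.3 does not have a NAS entry
2024-05-01 08:00:05 WARN  The Remote Authentication failed, either because the assigned user policy has no permission configured in the Authentication subtab OR the user's credentials failed
2024-05-01 08:00:09 INFO  push authentication accepted for user alice
"""

# (pattern, cause key, what to check), taken from the Examples list on this page.
RULES = [
    (re.compile(r"Source IP address (\S+) does not have a NAS entry"),
     "no_nas_entry",
     "RADIUS client {0} is missing or mistyped under Applications > Remote access integrations"),
    (re.compile(r"The Remote Authentication failed, either because the assigned user policy"),
     "auth_failed",
     "shared secret mismatch, client not using PAP, user policy without Authentication "
     "permission, or bad credentials"),
]

def triage(log_text: str) -> list:
    """Map each known message to its likely cause; an empty export is itself a finding."""
    findings = []
    lines = [line for line in log_text.splitlines() if line.strip()]
    for line in lines:
        for pattern, cause, advice in RULES:
            match = pattern.search(line)
            if match:
                findings.append({"cause": cause,
                                 "advice": advice.format(*match.groups()),
                                 "line": line})
                break  # first matching rule wins
    if not lines:
        findings.append({"cause": "no_entries",
                         "advice": "no RADIUS traffic reached the appliance: check the "
                                   "appliance IP/hostname and auth port 1812 on the RADIUS client",
                         "line": ""})
    return findings

def push_wait_budget_ok(client_timeout_s: float, max_attempts: int, push_seconds: float) -> bool:
    """Check for the push-notification case: can the user finish the push before the
    RADIUS client gives up? Assumption (vendor semantics differ): the client waits
    client_timeout_s for each of max_attempts sends, and retries do not restart the push."""
    return client_timeout_s * max_attempts >= push_seconds

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding['cause']}] {finding['advice']}")
    print("push window ok (10 s x 3 attempts, 25 s push):", push_wait_budget_ok(10, 3, 25))
```

Point the script at the decompressed serverProxy.log instead of SAMPLE_LOG to triage a real export; lines that match no rule are ignored, so add rules for other messages you meet rather than treating silence as a clean bill.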

To create and run a RADIUS Activity report, in the Imprivata Admin Console, go to Reports > Add new report.

CAUTION: Do not select the option Use graphical user interface for this RADIUS client. This option is only supported for Citrix Netscaler gateways at this time.