Log In

Sign Up Contact Sales
Ukraine flag

We stand with our friends and colleagues in Ukraine. To support Ukraine in their time of need visit this page

> Configuring Two-Factor Authentication for Wallix PAM

Configuring Two-Factor Authentication for Wallix PAM

Easily enable two-factor authentication (2FA) in Wallix PAM with Protectimus using the RADIUS protocol.


To make this work, you’ll need to configure authentication policies in Wallix to send authentication requests through RADIUS to the Protectimus RADIUS Server. After receiving the request, the Protectimus RADIUS Server forwards it to the Protectimus authentication platform to verify the user’s one-time password (OTP), then returns the result to Wallix over the same RADIUS connection.


Take a look at the Wallix PAM 2FA setup scheme to see exactly how this RADIUS-based two-factor authentication process works in action.


Wallix PAM 2FA (two-factor authentication) setup scheme

To enable Wallix PAM two-factor authentication (2FA):
  1. Install and configure Protectimus RADIUS Server.
  2. Get registered with Protectimus SAAS 2FA Service or On-Premise 2FA Platform and configure basic settings.
  3. Configure Wallix authentication policies.

1. Install and configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server are available in the Protectimus RADIUS Server Installation Guide for Wallix PAM MFA..

2. Register and Configure Basic Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the Radius box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

3. Add Protectimus as a RADIUS Server in Wallix Bastion

  1. Log in to the Wallix Bastion web interface, then navigate to Configuration –> External Authentications.
  2. Select + Add an Authentication to create a new authentication entry.

Add Protectimus as a RADIUS server in Wallix Bastion - step 1

  1. Select RADIUS from the Authentication Type dropdown menu.

Add Protectimus as a RADIUS server in Wallix Bastion - step 2

  1. Fill in the required fields for your RADIUS authentication
Authentication type RADIUS
Authentication name Come up with a name for your RADIUS server, e.g. Protectimus RADIUS Server.
Server Enter the hostname or IP of server where the Protectimus RADIUS Server component is installed.
Port Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
Timeout (s) Set to 5 seconds.
Secret Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
Description Enter a description of your choice (optional).

Add Protectimus as a RADIUS server in Wallix Bastion - step 3

  1. If you’re using a Protectimus platform cluster setup, it’s recommended to configure a second RADIUS server by completing the form again to ensure high availability.
  2. Go to Configuration –> LDAP/AD Domains, and add RADIUS Authentication as the Secondary authentication method.

Add Protectimus as a RADIUS server in Wallix Bastion - step 5

You’ve successfully integrated two-factor authentication (2FA/MFA) with Wallix PAM.


For assistance, please contact Protectimus Customer Support.

Last updated on 2025-05-28
Ubuntu 2FAWinlogon & RDP 2FA
OATH certified
ALL RIGHTS RESERVED. PROTECTIMUS LTD. 2025