> Configuring Two-Factor Authentication for Wallix PAM
Configuring Two-Factor Authentication for Wallix PAM
Easily enable two-factor authentication (2FA) in Wallix PAM with Protectimus using the RADIUS protocol.
To make this work, you’ll need to configure authentication policies in Wallix to send authentication requests through RADIUS to the Protectimus RADIUS Server. After receiving the request, the Protectimus RADIUS Server forwards it to the Protectimus authentication platform to verify the user’s one-time password (OTP), then returns the result to Wallix over the same RADIUS connection.
Take a look at the Wallix PAM 2FA setup scheme to see exactly how this RADIUS-based two-factor authentication process works in action.

To enable Wallix PAM two-factor authentication (2FA):
- Install and configure Protectimus RADIUS Server.
- Get registered with Protectimus SAAS 2FA Service or On-Premise 2FA Platform and configure basic settings.
- Configure Wallix authentication policies.
1. Install and configure Protectimus RADIUS Server
Detailed instructions for installing and configuring the Protectimus RADIUS Server are available in the Protectimus RADIUS Server Installation Guide for Wallix PAM MFA..
2. Register and Configure Basic Settings
- Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the Radius box during the installation).
- Add Resource.
- Add Users.
- Add Tokens or activate Users’ Self Service Portal.
- Assign Tokens to Users.
- Assign Tokens with Users to the Resource.
3. Add Protectimus as a RADIUS Server in Wallix Bastion
- Log in to the Wallix Bastion web interface, then navigate to Configuration –> External Authentications.
- Select + Add an Authentication to create a new authentication entry.

- Select RADIUS from the Authentication Type dropdown menu.

- Fill in the required fields for your RADIUS authentication
Authentication type | RADIUS |
Authentication name | Come up with a name for your RADIUS server, e.g. Protectimus RADIUS Server. |
Server | Enter the hostname or IP of server where the Protectimus RADIUS Server component is installed. |
Port | Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server). |
Timeout (s) | Set to 5 seconds. |
Secret | Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server. |
Description | Enter a description of your choice (optional). |

- If you’re using a Protectimus platform cluster setup, it’s recommended to configure a second RADIUS server by completing the form again to ensure high availability.
- Go to Configuration –> LDAP/AD Domains, and add RADIUS Authentication as the Secondary authentication method.

You’ve successfully integrated two-factor authentication (2FA/MFA) with Wallix PAM.
For assistance, please contact Protectimus Customer Support.