How to Setup Radius authentication for ZPA App connectors

This article describes how to set up RADIUS authentication for ZPA Connectors.

Before starting with the configuration please review the article below which basically talks about shared responsibility of Zscaler App connectors wherein Zscaler takes care of the package update and the customer is responsible for updates and O.S management.

Below configuration is based on LAB devices. Please ensure to run the configuration in beta environment before implementing it on production app connector.

Lab details

1.) ZPA Connector - CentOS Linux release 7.5.1804

Note :- I am using CentOS flavour of Linux other distributions might have slightly different configurations. Please be cautios

2.) Active Directory - Acting as RADIUS server

Note :- All the devices have been configured in LAB environment please be cautious before configuring in production environment

Configuration on ZPA Connector

Packages to install

sudo yum install epel-release.noarch

sudo yum install pam_script

yum install pam_radius

yum install freeradius-util


1.) Create a folder pam_script_auth under etc/pam-script.d

vi /etc/pam-script.d/pam_script_auth

#add userlogger
Logger Adding New User $PAM_USER
/usr/sbin/adduser $PAM_USER
echo $PAM_USER:U6aMy0wojraho | sudo chpasswd -e

This is done, such that the RADIUS user gets to LINUX list of username ( getent passwd)

2.) Add RADIUS server IP/FQDN and enter RADIUS Key

vi /etc/pam_radius.conf
#server[:port] shared_secret timeout (s) Zscaler 3

3.) Point SSH authentication to PAM module

vi /etc/pam.d/sshd


auth optional /usr/lib64/security/**

auth sufficient /usr/lib64/security/ #added to include radius**

auth required
auth substack password-auth
auth include postlogin

4.) cp /etc/pam-script.d/pam_script_auth /etc/raddb/server

5.) Change SSH configuration

vi /etc/sshd/sshd_config

Change to no to disable s/key passwords

ChallengeResponseAuthentication yes

5.) Restart SSH service

service restart sshd

Configuration on Active Directory

1.) Open Network Policy Server add connector IP as client - If not already installed please Add network policy server as a role in AD

2.) Under Policies >> Connection Request Policies >> Add conditions

3.) Under Network Policy server >> Network Policies >> Define a policy

This effectively completes the configuration. The RADIUS authentication should work fine