The RADIUS adapter allows interaction with the RADIUS server for authentication.
Basic Prerequisites for the RADIUS Server
When using this adapter, it requires that the RADIUS server include a vendor specific attribute (VSA) that is typically placed within the dictionary file.
A suggested dictionary entry is found in the section on configuring FreeRADIUS files below and will correspond with this guide. The syntax provided is for FreeRADIUS. The syntax with other RADIUS servers and dictionary files may be different, so please refer to the individual RADIUS server documentation to determine the exact syntax needed. Moreover, you will need to ensure you have the users and group (VSA attribute – Itential-Group) correctly configured.
Local_Radius Parameters
Default parameters are shown in the sample below. It is important to include the correct groups that will be allowed to access IAP. At a minimum, the group that will have administrative rights should be included. If the login user and their associated group are not listed, they will not have access to any adapters or apps within IAP.
Note: If you choose to use a name different than Local_Radius, you will also need to update the "id" property along with the "name": "admin" and "group": "admin" properties under "radius_groups".
Example: Default Parameters
{
  "name": "Local_Radius",
  "model": "@itential/adapter-radius",
  "type": "Adapter",
  "properties": {
    "id": "Local_Radius",
    "type": "RADIUS",
    "properties": {
      "host": "11.11.1.11",
      "port": 1812,
      "secret": "password",
      "radius_groups": [
        {
          "name": "admin",
          "group": "admin"
        },
        {
          "name": "pronghorn_admin_radius",
          "group": "pronghorn_admin_radius"
        }
      ],
      "healthcheck": {
        "type": "startup",
        "frequency": 6000
      }
    },
    "brokers": [
      "aaa"
    ],
    "groups": []
  },
  "isEncrypted": true,
  "redisProps": {
    "host": "127.0.0.1",
    "port": 6379
  },
  "loggerProps": {
    "description": "Logging",
    "log_max_files": 100,
    "log_max_file_size": 1048576,
    "log_level": "spam",
    "log_directory": "/var/log/pronghorn",
    "log_filename": "RADIUS.log",
    "console_level": "warn"
  },
  "rabbitmq": {
    "protocol": "amqp",
    "port": 5672,
    "username": "guest",
    "password": "guest",
    "locale": "en_US",
    "frameMax": 0,
    "heartbeat": 0,
    "vhost": "/",
    "certPath": "",
    "keyPath": "",
    "passphrase": "guest",
    "caPath": "",
    "hosts": [
      "localhost"
    ]
  }
}
Add RADIUS Adapter
The steps for adding a RADIUS adapter are outlined below.
After logging into IAP, click the Gear icon and select Services from the dropdown menu.
Figure 1: Services
Click the plus sign next to Adapters in the left menu panel. A dialog opens.
Figure 2: Add Adapter
Enter a name for the adapter and select RADIUS from the adapter type list.
Note: Try to avoid special characters when naming the adapter.
Figure 3: Create Adapter
Click the Save button (top-right) to finish adding the new adapter. The adapter will appear in the Adapters menu on the left and the configuration editor for Local_Radius will automatically display.
Figure 4: Save Adapter Information
Next, verify the brokers property is populated. If the brokers field is empty, click the Brokers & Groups tab to add the broker.
Figure 5: Brokers Property
Select the checkbox next to aaa (authentication, authorization, and accounting) in the Available Brokers box and click the right-arrow button. The aaa broker will move to the Selected Brokers box.
Figure 6: Add aaa Broker
Click the Save button and then click the Service Configuration tab to verify the aaa broker has been added to the adapter.
Figure 7: Verify Broker
Create Profile for RADIUS Adapter
The steps for creating a profile for the RADIUS adapter are outlined below.
Click the Gear icon and select Profiles from the dropdown menu.
Figure 8: Select Profile
Click the Clone profile button.
Figure 9: Clone Profile
Name the cloned profile (e.g., RADIUS_Profile) and click the Save button. The profile will appear in the Profiles menu on the left.
Figure 10: Name New Profile
Edit the RADIUS_Profile by clicking the pencil icon. The aaa checkbox should be checked.
Figure 11: Verify Broker
Next, scroll through the Services list to determine if the Local AAA checkbox is selected, and if so, uncheck it and then click the Save button.
Figure 12: Uncheck Local AAA
Click the right-arrow for RADIUS_Profile from the menu on the left, and then select authenticationProps. Verify the correct group property is populated, as this is what provides admin rights to IAP.
Figure 13: Authentication Properties
Now you can set the RADIUS_Profile to active by clicking the Active Profile box.
Figure 14: Set Active Profile
Note: To encrypt the secret under the adapter properties refer to the Encryption section of the IAP Installation Guide.
Installing FreeRADIUS
The following steps provide a basic installation process for FreeRADIUS. All information is provided as an example scenario. IPs, usernames, groups, and passwords will vary with the environment. Be sure to use your specific environment information in order to install and configure FreeRADIUS.
Note: This sample installation was performed on a CentOS 7 virtual machine in a test environment.
Install FreeRADIUS with this command.
sudo yum -y install freeradius freeradius-utils freeradius-mysql freeradius-perl
The commands for start, enable, and status are as follows.
systemctl start radiusd.service
systemctl enable radiusd.service
systemctl status radiusd.service
The status command should show as active (running).
Figure 15: FreeRADIUS Server Status
The recommended ports to be opened for UDP and TCP are 1812 and 1813. An example using the firewall command is below.
Figure 16: FreeRADIUS Open Ports
Configure Files for FreeRADIUS
FreeRADIUS will require some file configuration before it can be used. This section will show what and how to edit the files.
Note: These instructions are provided as an example, and your environment will differ.
The firewalld RADIUS service file will most likely not require changes. This file is located at /usr/lib/firewalld/services/radius.xml.
A Vendor Specific Attribute (VSA) is required when using FreeRADIUS. The VSA information needs to be added to the dictionary and user files.
Navigate to /etc/raddb/dictionary using your preferred editor and open the dictionary file to add the VSA information below. The lines may be added to the end of the dictionary file.
# itential
VENDOR Itential 47688
BEGIN-VENDOR Itential
ATTRIBUTE Itential-Group 26 string
END-VENDOR Itential
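As an added example (not part of this guide or of the Itential adapter code), the Python below shows what that dictionary entry means on the wire: Itential-Group travels inside an RFC 2865 Vendor-Specific attribute (type 26) whose vendor id is 47688 and whose vendor-type is 26, and the decoder walks an attribute list the way a client reading the group from a server reply would. The attribute bytes used to exercise it are constructed; that the adapter reads the group from this attribute in the reply is assumed from the VSA requirement stated above.

```python
import struct
from typing import List

# Values from the FreeRADIUS dictionary entry above:
#   VENDOR Itential 47688 / ATTRIBUTE Itential-Group 26 string
VENDOR_SPECIFIC = 26        # RFC 2865 attribute type "Vendor-Specific"
ITENTIAL_VENDOR_ID = 47688  # VENDOR Itential 47688
ITENTIAL_GROUP_TYPE = 26    # vendor-type of Itential-Group inside the VSA


def encode_itential_group(group: str) -> bytes:
    """Build the Vendor-Specific attribute carrying Itential-Group = <group>."""
    value = group.encode()
    # vendor-type(1) + vendor-length(1) + value
    sub = struct.pack("!BB", ITENTIAL_GROUP_TYPE, 2 + len(value)) + value
    # type(1) + length(1) + vendor-id(4) + vendor sub-attribute
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), ITENTIAL_VENDOR_ID) + sub


def decode_itential_groups(attrs: bytes) -> List[str]:
    """Walk a RADIUS attribute list and return every Itential-Group value.
    Other attribute types and other vendors are skipped; a length that runs
    past the buffer raises ValueError rather than being silently truncated."""
    groups, pos = [], 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        body = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC:
            continue
        if len(body) < 6:
            raise ValueError("Vendor-Specific attribute too short")
        if struct.unpack("!I", body[:4])[0] != ITENTIAL_VENDOR_ID:
            continue
        vpos = 4
        while vpos < len(body):
            if len(body) - vpos < 2:
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = body[vpos], body[vpos + 1]
            if vlen < 2 or vpos + vlen > len(body):
                raise ValueError(f"bad vendor sub-attribute length {vlen}")
            if vtype == ITENTIAL_GROUP_TYPE:
                groups.append(body[vpos + 2:vpos + vlen].decode())
            vpos += vlen
    return groups
```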
Navigate to /etc/raddb/users and open the users file to add the following information.
testing Cleartext-Password := "password"
    Itential-Group = "admin"
admin Cleartext-Password := "admin"
    Itential-Group = "pronghorn_admin"
Navigate to /etc/raddb/clients.conf and open the client file. The client localhost information should be adjusted to reflect the actual IP address for the production environment. The example provided does not need to be changed for a test environment.
Figure 17: FreeRADIUS clients.conf File
Testing FreeRADIUS
To test FreeRADIUS, stop the service and restart it in debug mode.
Stop the radiusd service, then start FreeRADIUS in the foreground in debug mode with the command radiusd -X.
Open a second terminal window and use the following command for testing.
radtest admin admin 127.0.0.1 0 testing123
Once there is activity in the second terminal window, log in to IAP using the previously created RADIUS credentials. The login user should be part of the admin group or of the group identified as the administrator group under IAP PROFILES → authenticationProps.
Troubleshooting
The following steps provide basic troubleshooting if you encounter any issues.
If there are issues with accessing IAP using the RADIUS profile, use the original IAP Profile instead. To revert to the original profile, from a terminal prompt, use root login to edit the /opt/pronghorn/current/properties.json file and set the active profile to profile1.
{
  "pathProps": {
    "description": "File Path Variables",
    "sdk_dir": "/opt/pronghorn-applications",
    "encrypted": true
  },
  "id": "profile1",
  "mongoProps": {
    "credentials": {
      "passwd": "itentialPassword",
      "user": "itentialUser"
    },
    "db": "pronghorn",
    "url": "mongodb://127.0.0.1:27017"
  }
}
Restart the IAP service using the service pronghorn restart command and then attempt to log in again.
If there are problems using the RADIUS adapter or profile, it is usually related to the configuration. Check the following:
RADIUS Adapter
- Check the RADIUS hostname and port.
- Check how the groups are configured.
- From a server prompt, stop and restart the associated process for the adapter using the kill command and the PID of the RADIUS adapter.
RADIUS Server
- Check the whitelist file to ensure the IAP server address is listed. With FreeRADIUS, check in the /etc/raddb/clients.conf file.
- Check the users file to see if the IAP user is correctly defined and active with the correct username, password, etc. in the /etc/raddb/users file.
- Check to make sure that the VSA is defined correctly in the /etc/raddb/dictionary file.
- Check the firewall and ACL rules.
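The following Python, an added example that is not part of this guide or of the adapter, automates the group and users-file checks above: it maps each entry in a FreeRADIUS users file to its Itential-Group and reports users whose group is not one of the adapter's radius_groups (the situation in which a user authenticates but gets no IAP access, as noted under Local_Radius Parameters). The embedded adapter properties and users entries are copies of this page's samples; with those values as given, the admin user is reported because its group pronghorn_admin is not among the configured radius_groups.

```python
import json
import re
from typing import Dict, Optional

# Constructed sample input: the "properties" object of the Local_Radius
# adapter and the users file entries, both copied from this page's examples.
ADAPTER_PROPERTIES = json.loads("""
{
  "host": "11.11.1.11",
  "port": 1812,
  "secret": "password",
  "radius_groups": [
    {"name": "admin", "group": "admin"},
    {"name": "pronghorn_admin_radius", "group": "pronghorn_admin_radius"}
  ]
}
""")

USERS_FILE = '''\
testing Cleartext-Password := "password"
    Itential-Group = "admin"
admin Cleartext-Password := "admin"
    Itential-Group = "pronghorn_admin"
'''


def parse_users(text: str) -> Dict[str, Optional[str]]:
    """Map each username in a FreeRADIUS users file to its Itential-Group.
    An entry starts at column 0 with the username and its check items; the
    indented lines that follow are its reply items. A user with no
    Itential-Group reply item maps to None."""
    users: Dict[str, Optional[str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            current = line.split()[0]
            users[current] = None
        elif current is not None:
            m = re.match(r'\s*Itential-Group\s*=\s*"([^"]*)"', line)
            if m:
                users[current] = m.group(1)
    return users


def unmapped_users(users: Dict[str, Optional[str]], adapter_props: dict) -> dict:
    """Return users whose Itential-Group is missing or not listed in the
    adapter's radius_groups; such users have no access to IAP adapters or apps."""
    known = {g["group"] for g in adapter_props.get("radius_groups", [])}
    return {user: group for user, group in users.items() if group not in known}
```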
Note: Consult the documentation on the FreeRADIUS website for further instructions on installation, configuration, and troubleshooting.