Integrations

RADIUS Adapter

The RADIUS adapter allows interaction with the RADIUS server for authentication.

Basic Prerequisites for the RADIUS Server

When using this adapter, the RADIUS server must include a vendor-specific attribute (VSA), which is typically defined in its dictionary file.

A suggested dictionary entry is given in the Configure Files for FreeRADIUS section below and corresponds to the examples in this guide. The syntax shown is for FreeRADIUS; other RADIUS servers and dictionary file formats may differ, so refer to the documentation for your RADIUS server to determine the exact syntax needed. You will also need to ensure that the users and their group (the Itential-Group VSA) are correctly configured.

Local_Radius Parameters

Default parameters are shown in the sample below. It is important to include the correct groups that will be allowed to access IAP. At a minimum, the group that will have administrative rights should be included. If the login user and their associated group are not listed, they will not have access to any adapters or apps within IAP.

Note: If you choose to use a name different than Local_Radius, you will also need to update the "id" property along with the "name": "admin" and "group": "admin" properties under "radius_groups".

Example: Default Parameters

{
    "name": "Local_Radius",
    "model": "@itential/adapter-radius",
    "type": "Adapter",
    "properties": {
        "id": "Local_Radius",
        "type": "RADIUS",
        "properties": {
            "host": "11.11.1.11",
            "port": 1812,
            "secret": "password",
            "radius_groups": [
                {
                    "name": "admin",
                    "group": "admin"
                },
                {
                    "name": "pronghorn_admin_radius",
                    "group": "pronghorn_admin_radius"
                }
            ],
            "healthcheck": {
                "type": "startup",
                "frequency": 6000
            }
        },
        "brokers": [
            "aaa"
        ],
        "groups": []
    },
    "isEncrypted": true,
    "redisProps": {
        "host": "127.0.0.1",
        "port": 6379
    },
    "loggerProps": {
        "description": "Logging",
        "log_max_files": 100,
        "log_max_file_size": 1048576,
        "log_level": "spam",
        "log_directory": "/var/log/pronghorn",
        "log_filename": "RADIUS.log",
        "console_level": "warn"
    },
    "rabbitmq": {
        "protocol": "amqp",
        "port": 5672,
        "username": "guest",
        "password": "guest",
        "locale": "en_US",
        "frameMax": 0,
        "heartbeat": 0,
        "vhost": "/",
        "certPath": "",
        "keyPath": "",
        "passphrase": "guest",
        "caPath": "",
        "hosts": [
            "localhost"
        ]
    }
}
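As an added example (not Itential's code), the following Python function checks an adapter definition like the sample above for the points this guide calls out: that "id" still matches "name" after the adapter is renamed, that the aaa broker is listed, that host, port and secret are present, and that radius_groups contains an entry for the administrative group. The dictionaries inside it are constructed from the sample above; the function names check_radius_adapter and renamed_without_id_update are assumptions.

```python
# Added example: consistency checks for a RADIUS adapter definition.
# Not Itential code; the rules are the ones stated in this guide.
import copy

# Constructed from the default-parameters sample above (only the relevant keys).
SAMPLE_ADAPTER = {
    "name": "Local_Radius",
    "model": "@itential/adapter-radius",
    "type": "Adapter",
    "properties": {
        "id": "Local_Radius",
        "type": "RADIUS",
        "properties": {
            "host": "11.11.1.11",
            "port": 1812,
            "secret": "password",
            "radius_groups": [
                {"name": "admin", "group": "admin"},
                {"name": "pronghorn_admin_radius", "group": "pronghorn_admin_radius"},
            ],
        },
        "brokers": ["aaa"],
        "groups": [],
    },
}


def check_radius_adapter(adapter, admin_group="admin"):
    """Return a list of problems (empty when the definition is consistent)."""
    problems = []
    outer = adapter.get("properties", {})
    inner = outer.get("properties", {})

    # Renaming the adapter means "id" must be updated too (see the note above).
    if outer.get("id") != adapter.get("name"):
        problems.append(
            f"properties.id {outer.get('id')!r} does not match name {adapter.get('name')!r}"
        )

    # The guide requires the aaa broker to be present on the adapter.
    if "aaa" not in outer.get("brokers", []):
        problems.append("brokers does not include 'aaa'")

    # Host, port and shared secret must all be set for the adapter to reach RADIUS.
    for key in ("host", "port", "secret"):
        if not inner.get(key):
            problems.append(f"{key} is missing or empty")

    # Every group that may log in must be listed; the admin group at minimum.
    groups = inner.get("radius_groups", [])
    if not groups:
        problems.append("radius_groups is empty; no login user will have access")
    elif not any(g.get("group") == admin_group for g in groups):
        problems.append(f"no radius_groups entry maps to the administrative group {admin_group!r}")
    for g in groups:
        if not g.get("name") or not g.get("group"):
            problems.append(f"radius_groups entry {g!r} needs both 'name' and 'group'")
    return problems


def renamed_without_id_update(name="Corp_Radius"):
    """Constructed failure case: name changed but properties.id left as Local_Radius."""
    broken = copy.deepcopy(SAMPLE_ADAPTER)
    broken["name"] = name
    return broken
```

Running check_radius_adapter against the unmodified sample returns an empty list; against renamed_without_id_update() it returns the single id/name mismatch that the note above warns about.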

Add RADIUS Adapter

The steps for adding a RADIUS adapter are outlined below.

  1. After logging into IAP, select Admin Essentials in the left navigation menu.

    Figure 1: Admin Essentials

  2. Click the plus sign in the top toolbar to create a new adapter. The Create dialog opens.

    Figure 2: Add Adapter

  3. Click the dropdown arrow and select Adapter from the menu list.

    Figure 3: Create Adapter

  4. Enter a name for the adapter (e.g., Local_Radius) and select the RADIUS adapter type from the dropdown menu.

    Figure 4: Enter Adapter Information

  5. Click the Create button to finish adding the adapter. The adapter will appear in the Adapters collection in the left navbar and its Configuration tab will automatically display.

  6. Click the Advanced View toggle (upper-right) to display the Service Config editor to check the adapter's configuration.

    Figure 5: Advanced View

  7. Check for aaa (authentication, authorization, and accounting) in the brokers property field. If the field is empty, add the broker.

    Figure 6: Verify Brokers

Create Profile for RADIUS Adapter

The steps for creating a profile for the RADIUS adapter are outlined below.

  1. Select an existing profile (usually profile1) from the Profiles collection in the left navbar.

  2. Click the stacked dots icon (upper-right) and select Clone from the menu options.

    Figure 7: Clone Profile

  3. Enter a name for the new profile (e.g., RADIUS) and click the Clone button. The profile will appear in the Profiles collection on the left and the editor to configure the profile will display.

    Figure 8: Name New Profile

  4. Edit the Profile Services and Profile Properties as needed. Remember to click the Save button to keep your changes.

    Figure 9: Edit Profile

  5. To use the RADIUS profile you will need to restart the IAP service with the service pronghorn restart command. Authorization levels will also need to be set to provide admin group access.

Note: To encrypt the secret under the adapter properties refer to the Encryption section of the IAP Installation Guide.

Installing FreeRADIUS

The following steps provide a basic installation process for FreeRADIUS. All information is provided as an example scenario. IPs, usernames, groups, and passwords will vary with the environment. Be sure to use your specific environment information in order to install and configure FreeRADIUS.

This sample installation was performed on a CentOS 7 virtual machine in a test environment.

  1. Install FreeRADIUS with this command.

    sudo yum -y install freeradius freeradius-utils freeradius-mysql freeradius-perl
  2. The commands for start, enable, and status are as follows.

    systemctl start radiusd.service
    systemctl enable radiusd.service
    systemctl status radiusd.service
  3. The status command should show as active (running).

    Figure 10: FreeRADIUS Server Status

  4. The recommended ports to be opened for UDP and TCP are 1812 and 1813. An example using the firewall command is below.

    Figure 11: FreeRADIUS Open Ports

Configure Files for FreeRADIUS

FreeRADIUS will require some file configuration before it can be used. This section will show what and how to edit the files.

Note: These instructions are provided as an example, and your environment will differ.

The RADIUS service definition used by firewalld, located at /usr/lib/firewalld/services/radius.xml, will most likely not require changes.

A Vendor Specific Attribute (VSA) is required when using FreeRADIUS. The VSA information needs to be added to the dictionary and user files.

  1. Open /etc/raddb/dictionary in your preferred editor and add the entry below. The lines may be added to the end of the dictionary file.

    # itential
    VENDOR Itential 47688
    BEGIN-VENDOR Itential
    ATTRIBUTE Itential-Group 26 string
    END-VENDOR Itential
  2. Open /etc/raddb/users and add the following entries.

    testing Cleartext-Password := "password"
        Itential-Group = "admin"
    
    admin Cleartext-Password := "admin"
        Itential-Group = "pronghorn_admin"
  3. Open /etc/raddb/clients.conf. The client localhost entry should be adjusted to reflect the IAP server's actual IP address in a production environment. The example provided does not need to be changed for a test environment.

    Figure 12: FreeRADIUS clients.conf File

Testing FreeRADIUS

To test FreeRADIUS, stop the service and restart it in debug mode.

  1. Stop the FreeRADIUS service and start it in the foreground in debug mode with the command radiusd -X.

  2. Open a second terminal window and use the following command for testing.

    radtest admin admin 127.0.0.1 0 testing123
  3. Once there is activity in the second terminal window, log in to IAP using the previously created RADIUS credentials. The login user should be part of the admin group or a group identified as the administrator group under authenticationProps in the IAP profile.
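To show what radtest and the adapter actually exchange with the server, here is an added Python example (not FreeRADIUS, radtest or Itential code) that builds an Access-Request with the RFC 2865 User-Password hiding, answers it from a constructed stand-in for the users file above, verifies the Response Authenticator on the client side, decodes the Itential-Group VSA (vendor 47688, attribute 26, from the dictionary entry above) and maps it through the radius_groups list of the Local_Radius sample. The shared secret testing123, the two users and the group lists are taken from this page; the function names are assumptions. One thing the page's own sample values show when run through it: the admin user's group pronghorn_admin has no radius_groups entry, so it maps to no IAP group, which is exactly the no-access case the Local_Radius Parameters section warns about.

```python
# Added example: one RADIUS Access-Request / Access-Accept exchange in pure Python,
# carrying the Itential-Group VSA from the dictionary entry on this page. Not
# FreeRADIUS, radtest or Itential code; users, secret and group lists come from
# the samples in this guide, everything else is constructed.
import hashlib
import hmac
import os
import struct

ITENTIAL_VENDOR_ID = 47688        # VENDOR Itential 47688
ITENTIAL_GROUP_ATTR = 26          # ATTRIBUTE Itential-Group 26 string
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC = 1, 2, 26
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

# Stand-in for /etc/raddb/users (the two entries shown above): name -> (password, group).
USERS = {"testing": ("password", "admin"), "admin": ("admin", "pronghorn_admin")}
# radius_groups from the Local_Radius sample: VSA value ("name") -> IAP group ("group").
RADIUS_GROUPS = [{"name": "admin", "group": "admin"},
                 {"name": "pronghorn_admin_radius", "group": "pronghorn_admin_radius"}]

def tlv(t, value):
    """RADIUS attribute: Type, Length (including the 2 header bytes), Value."""
    return struct.pack("!BB", t, len(value) + 2) + value

def parse_tlvs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26): 4-byte Vendor-Id followed by a vendor TLV."""
    return tlv(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + tlv(vendor_type, value))

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    raw = password.encode()
    pw = raw + b"\x00" * (-len(raw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()

def build_access_request(username, password, secret, ident=1):
    request_auth = os.urandom(16)                          # fresh Request Authenticator
    body = tlv(ATTR_USER_NAME, username.encode()) + \
        tlv(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + request_auth + body, request_auth

def server_respond(request, secret):
    """Server side: check the password, answer with the user's Itential-Group VSA."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], dict(parse_tlvs(request[20:length]))
    name = attrs[ATTR_USER_NAME].decode()
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    if name in USERS and hmac.compare_digest(USERS[name][0].encode(), password.encode()):
        code, body = ACCESS_ACCEPT, vsa(ITENTIAL_VENDOR_ID, ITENTIAL_GROUP_ATTR, USERS[name][1].encode())
    else:
        code, body = ACCESS_REJECT, b""
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body

def response_is_authentic(response, request_auth, secret):
    head, resp_auth, body = response[:4], response[4:20], response[20:]
    return hmac.compare_digest(hashlib.md5(head + request_auth + body + secret).digest(), resp_auth)

def itential_group(response):
    """Pull Itential-Group out of the Vendor-Specific attributes of an Access-Accept."""
    for t, value in parse_tlvs(response[20:]):
        if t == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == ITENTIAL_VENDOR_ID:
            for vendor_type, vendor_value in parse_tlvs(value[4:]):
                if vendor_type == ITENTIAL_GROUP_ATTR:
                    return vendor_value.decode()
    return None

def authenticate(username, password, secret=b"testing123", radius_groups=RADIUS_GROUPS):
    """Client side, as the adapter (or radtest) sees it: (VSA value, IAP group) or None."""
    request, request_auth = build_access_request(username, password, secret)
    response = server_respond(request, secret)
    if not response_is_authentic(response, request_auth, secret) or response[0] != ACCESS_ACCEPT:
        return None
    group = itential_group(response)
    return group, next((g["group"] for g in radius_groups if g["name"] == group), None)
```

authenticate("testing", "password") returns ('admin', 'admin'); authenticate("admin", "admin") returns ('pronghorn_admin', None) because that VSA value is not listed in radius_groups; a wrong password yields an Access-Reject and None. The response check is what protects the adapter from a forged Access-Accept that does not know the shared secret, which is why the secret must match on both sides.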

Troubleshooting

The following steps provide basic troubleshooting if you encounter any issues.

  1. If there are issues with accessing IAP using the RADIUS profile, use the original IAP profile instead. To revert to the original profile, log in as root from a terminal prompt, edit the /opt/pronghorn/current/properties.json file and set the active profile to profile1.

    {
        "pathProps": {
            "description": "File Path Variables",
            "sdk_dir": "/opt/pronghorn-applications",
            "encrypted": true
        },
        "id": "profile1",
        "mongoProps": {
            "credentials": {
                "passwd": "itentialPassword",
                "user": "itentialUser"
            },
            "db": "pronghorn",
            "url": "mongodb://127.0.0.1:27017"
        }
    }
  2. Restart the IAP service using the service pronghorn restart command and then attempt to log in again.

  3. If there are problems using the RADIUS adapter or profile, the cause is usually the configuration. Check the following:

    RADIUS Adapter

    • Check RADIUS hostname and port.
    • Check how the groups are configured.
    • From a server prompt, stop and restart the associated process for the adapter using the kill command and associated PID for the RADIUS adapter.


    RADIUS Server

    • Check the whitelist file to ensure the IAP server address is listed. With FreeRADIUS, check in the /etc/raddb/clients.conf file.
    • Check the user file to see if the IAP user is correctly defined and active with the correct username, password, etc. in the /etc/raddb/users file.
    • Check to make sure that the VSA is defined correctly in the /etc/raddb/dictionary file.
    • Check the firewall and ACL rules.

Note: Consult the documentation on the FreeRADIUS website for further instructions on installation, configuration, and troubleshooting.