RADIUS How To Guide
From Swivel Knowledgebase Wiki
Overview
PINsafe is a RADIUS server and can accept requests from Network Access Servers (NAS, i.e. RADIUS clients) that ask the PINsafe server to authenticate a user. For non-RADIUS devices, PINsafe supports XML authentication.
Configuring the PINsafe server
From the PINsafe Administration Console select RADIUS\Server
Options are:
PINsafe 3.7 RADIUS server options
Server enabled: Yes/No, default No. Select Yes to start the PINsafe RADIUS server.
IP address: The IP address of the PINsafe server interface which will accept authentication requests. To accept requests on multiple interfaces, leave the entry blank
Authentication port: default 1812; 1645 is also commonly used. This is a UDP port.
Accounting port: default 1813; 1646 is also commonly used. This is a UDP port.
Maximum no. sessions: default 50, Maximum number of concurrent requests
Permit empty attributes: Yes/No, Enable/disable the servicing of RADIUS requests containing empty attributes. The RADIUS standard states that empty attributes should not be used, and by default these non-conforming requests will be dropped. Enabling this option will allow the RADIUS server to operate with clients who do not adhere to the standard and send empty attributes.
Additional RADIUS logging: None/Failure/Success/Both. Enables additional logging, adding log entries for successful and/or failed RADIUS authentication attempts.
Enable debug: Yes/No, enables or disables debugging of RADIUS authentication.
RADIUS Groups: Yes/No, allows group membership information to be passed back in the RADIUS response, using the parameters defined in the Vendor (Groups) setting on the NAS. Enabling this option returns the PINsafe group as a RADIUS group.
Radius Group Keyword: default POLICY, This restricts the group membership information to only pass back the group names that include this keyword
Session TTL: 1-600 seconds
PINsafe 3.6 RADIUS server options
Filter ID: Yes/No, Enable/disable the return of the Filter ID attribute back to the NAS. This is required by the Watchguard VPN.
Configuring the NAS Client Information
From the PINsafe Administration Console select RADIUS\NAS
Options are:
NAS: Identifier: Descriptive name of the access device; this is reported in the logs
Hostname/IP: IP address of the access device
Secret: a shared secret, an alphanumeric string that must also be entered on the access device
EAP protocol: None/EAP-MD5/LEAP, Allows RADIUS EAP protocol to be specified, choices being EAP-MD5 and LEAP. If this is left as None, RADIUS will support PAP, CHAP and MS-CHAP
Group: ---ANY---/PINsafe groups, allows only specific groups to authenticate to access device
Check Password with repository: Yes/No, allows PINsafe to check the user's repository password against the repository for the specified NAS. Note that this option is restricted to PAP authentication. This feature is generally used where the access device can only authenticate against one authentication device. This option was moved from a global setting to a per-NAS and per-Agent setting in PINsafe 3.8.
Authentication Mode: All/Dual Channel/Single Channel, allows only specific authentication method to authenticate to access device
Change PIN warning: Yes/No, If this option is set when a user authenticates via RADIUS and their PIN is due to expire, rather than send a RADIUS-Accept packet PINsafe will send a RADIUS-Challenge packet. If supported by the access device it can be used to redirect the user to a change-PIN page.
Vendor (Groups): default: None, Vendor Specific parameters, possible options are:
- None
- Cisco
- Fortinet
- Watchguard
Change PIN warning: Yes/No, default: No. When a user authenticates, PINsafe can return a change-PIN response if the user is required to change their PIN, allowing access devices that support this function to redirect to a Change PIN page.
Two Stage Auth: Yes/No, default: No, Two Stage Authentication, see Two Stage Authentication How to Guide
PINsafe RADIUS Proxy
See Also RADIUS Proxy How to guide
PINsafe 3.7 onwards can proxy RADIUS requests to other RADIUS servers. This allows PINsafe to be inserted into an existing RADIUS infrastructure, such as one where tokens are being used, so that both solutions can be used in parallel.
The RADIUS proxy is set on the PINsafe Administration Console under Server/Peers
The RADIUS proxy functions in the following manner.
Peers: Name: Descriptive Name used for logging information
Hostname/IP: Hostname/IP address of RADIUS server to be proxied against
HTTP port: Default: 8080. Not used in RADIUS Proxy
SSL: Options: Yes/No, Default: No. Not used in RADIUS Proxy
Context: Default: pinsafe. Not used in RADIUS Proxy
RADIUS authentication port: Authentication port to be used for RADIUS server to be proxied against. Usually 1812 or 1645
RADIUS accounting port: Accounting port to be used for RADIUS server to be proxied against. Usually 1813 or 1646
Shared secret: A shared secret which must be the same as that entered on the RADIUS server to be proxied against.
RADIUS Proxy: Options Never/On Passcode/Unknown User, default: Never. Determines how the RADIUS password received by the PINsafe server is handled and whether the request is proxied. The options are:
- Never: No Proxy request is made.
- Unknown User: If the user is not in the PINsafe Database then a proxy request is made.
- On Passcode: If the user has submitted a one-time code that is at least 6 characters long, and the user either (a) does not have a PINsafe account, or (b) has an account but has not started a session (e.g. has not requested a TURing image or an on-demand SMS), then the code is treated as a third-party code and the request is passed to the other RADIUS server.
- No User Session: Available in PINsafe 3.8 onwards. PINsafe can proxy RADIUS requests purely in the absence of a local session for the user making the RADIUS request.
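The four proxy modes above, as an added worked example that is not part of this page or of Swivel's own code: a decision function in Python that models a local PINsafe user store and returns whether a given request should be forwarded to the peer RADIUS server. The LocalUser class, the sample accounts and the 6-character threshold constant are constructed for the example; treating an unknown user as also having "no local session" in the No User Session mode is an assumption, since the page only states that the mode proxies when the requesting user has no local session.

```python
from dataclasses import dataclass


@dataclass
class LocalUser:
    """A PINsafe account as far as the proxy decision is concerned (hypothetical model)."""
    name: str
    session_started: bool = False  # True once a TURing image or on-demand SMS was requested


# Constructed sample local database; not real accounts.
LOCAL_USERS = {
    "alice": LocalUser("alice", session_started=True),
    "bob": LocalUser("bob", session_started=False),
}

PROXY_MODES = ("Never", "Unknown User", "On Passcode", "No User Session")
MIN_THIRD_PARTY_CODE_LEN = 6  # the "at least 6 characters" rule of the On Passcode mode


def should_proxy(mode, username, password, users=LOCAL_USERS):
    """Return True when the request should be forwarded to the peer RADIUS server
    instead of being authenticated locally, following the four modes on this page."""
    if mode not in PROXY_MODES:
        raise ValueError(f"unknown RADIUS Proxy mode: {mode!r}")
    user = users.get(username)
    # Assumption: an account that does not exist has no local session either.
    no_local_session = user is None or not user.session_started
    if mode == "Never":
        return False
    if mode == "Unknown User":
        return user is None
    if mode == "No User Session":
        return no_local_session
    # On Passcode: only a code long enough to be a third-party token code, and only
    # when PINsafe has no session of its own to check it against.
    return len(password) >= MIN_THIRD_PARTY_CODE_LEN and no_local_session
```

Note that a locally known user who has already requested a TURing image or SMS is never proxied in On Passcode mode, even with a long code, and that a 4-digit PIN-only submission is never proxied in that mode. When a request is forwarded, it is re-sent under the shared secret configured for the peer, which is why the peer's secret must match the entry on the proxied RADIUS server.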
Configuring the Access Device
Exact options will vary according to access device, but they are typically:
Primary RADIUS Server/Secondary RADIUS Server: allows more than one RADIUS server to be configured for redundancy; the primary RADIUS server is tried first and, if no reply is received, the secondary server is tried.
RADIUS server Name or Identifier: Name of PINsafe server
Hostname/IP: IP address of the PINsafe server
Secret: a shared secret, an alphanumeric string that must also be entered in the PINsafe server's NAS entry
One Time Code or token: this will prevent the access device reusing an authentication code
PAP
With the RADIUS PAP protocol, the NAS sends the username and password and the RADIUS server authenticates the user. With all other RADIUS protocols, the NAS requests the password for the user and authenticates the user itself. Also see Mobile Phone Client RADIUS Authentication
Check Password With Repository
This requires the use of PAP, see Passwords with PINsafe How to Guide
RADIUS Groups
By default, the RADIUS group is set to None and no RADIUS group is sent back. On the PINsafe Administration Console, the Enable Groups setting under RADIUS\Server, when enabled, returns the user's PINsafe group membership as a RADIUS group. If your vendor is not listed, test with the other vendor groups.
The Watchguard vendor setting uses Filter-Id (RADIUS attribute 11) for the group and can also be used for Juniper.
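The PAP exchange, shared secret, Permit empty attributes option and Filter-Id group return described above, as one added worked example that is not part of this page or of Swivel's product: a minimal RFC 2865 Access-Request/Access-Accept round trip in Python. It shows the User-Password hiding keyed by the shared secret, the Response Authenticator check a NAS should perform before trusting an Accept, attribute parsing that rejects empty attributes unless permitted, and one Filter-Id (attribute 11) per group whose name contains a keyword (the role of the Radius Group Keyword). The user store, group names, secret and the keyword value are constructed sample data, and the in-process radius_server call stands in for the UDP exchange on port 1812.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11
GROUP_KEYWORD = "POLICY"  # plays the role of the Radius Group Keyword option

# Constructed sample user store for the demo; not Swivel data.
USERS = {"alice": {"password": b"s3cret!", "groups": ["POLICY-VPN", "Staff", "POLICY-Admin"]}}

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encode_user_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a multiple of 16 octets (minimum 16), then XOR each
    block with MD5(secret + previous block), seeded with the Request Authenticator.
    This hides the password only from parties that do not hold the shared secret."""
    n = max(16, -(-len(password) // 16) * 16)
    padded, out, prev = password.ljust(n, b"\x00"), b"", request_auth
    for i in range(0, n, 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out

def decode_user_password(encoded, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        out += _xor(encoded[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")  # strip the NUL padding

def build_packet(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(data, permit_empty=False):
    """Returns (code, ident, authenticator, [(type, value), ...]). RFC 2865 requires
    attribute Length >= 3; an empty attribute (Length 2) is rejected unless
    permit_empty is set, mirroring the Permit empty attributes option."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        if l == 2 and not permit_empty:
            raise ValueError("empty attribute not permitted")
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return code, ident, data[4:20], attrs

def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    pkt = build_packet(code, ident, request_auth, attrs)
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]

def verify_response(resp, request_auth, secret):
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

def radius_server(request, secret, permit_empty=False):
    """Server side of one PAP Access-Request: check the password and answer with an
    Access-Accept carrying one Filter-Id per group whose name contains the keyword."""
    code, ident, req_auth, attrs = parse_packet(request, permit_empty)
    a = dict(attrs)
    user = USERS.get(a.get(USER_NAME, b"").decode(errors="replace"))
    if code != ACCESS_REQUEST or user is None or USER_PASSWORD not in a:
        return build_response(ACCESS_REJECT, ident, req_auth, [], secret)
    supplied = decode_user_password(a[USER_PASSWORD], secret, req_auth)
    if not hmac.compare_digest(supplied, user["password"]):
        return build_response(ACCESS_REJECT, ident, req_auth, [], secret)
    reply = [(FILTER_ID, g.encode()) for g in user["groups"] if GROUP_KEYWORD in g]
    return build_response(ACCESS_ACCEPT, ident, req_auth, reply, secret)

def nas_authenticate(username, password, secret, ident=1):
    """NAS side: send a PAP request and trust the reply only if its Response
    Authenticator verifies under the shared secret. Returns (accepted, groups)."""
    req_auth = os.urandom(16)
    req = build_packet(ACCESS_REQUEST, ident, req_auth, [
        (USER_NAME, username.encode()),
        (USER_PASSWORD, encode_user_password(password.encode(), secret, req_auth)),
    ])
    resp = radius_server(req, secret)  # stands in for the UDP round trip to port 1812
    if not verify_response(resp, req_auth, secret):
        return False, []  # forged or tampered reply: never treat it as an Accept
    code, rid, _, attrs = parse_packet(resp)
    if rid != ident:
        return False, []
    return code == ACCESS_ACCEPT, [v.decode() for t, v in attrs if t == FILTER_ID]
```

Because User-Password is only XORed with MD5 of the shared secret and the authenticator, anyone holding the secret can recover PAP passwords from captured RADIUS traffic; this is why the secret should be long, random and unique per NAS, and why PAP RADIUS between the access device and PINsafe is normally confined to a trusted network segment. The NAS-side check of the Response Authenticator is what stops a reply that was not produced with the shared secret from being accepted as a successful authentication.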
Mobile Client (Java Midlet or Swivlet)
One thing to be aware of is that when using RADIUS authentication with the Swivlet, except for the PAP protocol, you must use every string from the phone for authentication. If you generate a string and don't use it, authentication will fail until you Top Up again. This is an unavoidable consequence of the way most RADIUS protocols work. Also see Mobile Phone Client RADIUS Authentication
RADIUS Troubleshooting
Mobile Phone Client RADIUS Authentication
RADIUS: <72> Access-Request(1) LEN=130 192.168.1.1:9328 Access-Request by domain\user Failed: AccessRejectException: AGENT_ERROR_NO_USER_DATA
Where the domain name is required to differentiate users of the same name, set the PINsafe repository username attribute to be userPrincipalName, and instead login with username@domain. You are unable to pass DOMAIN\username in a RADIUS request.