000034772 - How to configure FreeRADIUS to proxy RADIUS authentications to RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Feb 23, 2017

Article Number: 000034772
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Manager
RSA Version/Condition: 8.1 Service Pack 1
Issue: This solution is for customers using FreeRADIUS who need to proxy RADIUS authentications to an RSA Authentication Manager 8.x deployment.
Resolution: After installing FreeRADIUS with its default configuration, an administrator should review the FreeRADIUS configuration files page. The following three files, clients.conf, hints and proxy.conf, are updated as shown below. See the FreeRADIUS documentation for each file for more information.

clients.conf


#
client localhost {
        ipaddr = 127.0.0.1
#       ipv6addr = ::   # any.  ::1 == localhost
        proto = *
        secret = testing123
        require_message_authenticator = no
#       shortname = localhost
        nas_type = other        # localhost isn't usually a NAS...
#       login = !root
#       password = someadminpas
#       virtual_server = home1
#       coa_server = coa
#       response_window = 10.0
        limit {
                max_connections = 16
                lifetime = 0
                idle_timeout = 30
        }
}
# IPv6 Client
client localhost_ipv6 {
        ipv6addr = ::1
        secret = testing123
}

NOTE: Only the comments have been removed from this file to make it easier to read.


hints


#
DEFAULT Suffix == ".ppp", Strip-User-Name = Yes
        Hint = "PPP",
        Service-Type = Framed-User,
        Framed-Protocol = PPP
DEFAULT Suffix == ".slip", Strip-User-Name = Yes
        Hint = "SLIP",
        Service-Type = Framed-User,
        Framed-Protocol = SLIP
DEFAULT Suffix == ".cslip", Strip-User-Name = Yes
        Hint = "CSLIP",
        Service-Type = Framed-User,
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP
#
# RSA RADIUS on AM 8.x
#
# ^([a-z]{1,25}) - matches user names that start with lower case letters; the leading run of up to 25 lower case characters is captured and passed on to RSA RADIUS
#
# %{1}@RSARADIUS - replaces User-Name with the captured group plus the RSARADIUS realm suffix, which links the request to the RSARADIUS realm configuration in proxy.conf so the authentication can be passed to AM
#
DEFAULT User-Name =~ "^([a-z]{1,25})"
        User-Name := "%{1}@RSARADIUS"


proxy.conf


proxy server {
        default_fallback = no
}
home_server localhost {
        type = auth
        ipaddr = 127.0.0.1
        port = 1812
        secret = testing123
        require_message_authenticator = yes
        response_window = 20
        zombie_period = 40
        revive_interval = 120
        status_check = status-server
        check_interval = 30
        num_answers_to_alive = 3
        coa {
                irt = 2
                mrt = 16
                mrc = 5
                mrd = 30
        }
}
home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
}
realm example.com {
        auth_pool = my_auth_failover
}
realm LOCAL {
}
# realm configuration for the RSA RADIUS server(s) in an authentication manager deployment
realm RSARADIUS {
        auth_pool = rsa_radius_servers
        acct_pool = rsa_radius_servers
}
# home_server_pool uses the home_server definitions in the RSARADIUS realm
home_server_pool rsa_radius_servers {
        type = fail-over
        home_server = am8p.vcloud.local
        home_server = am8r.vcloud.local
}
# home_server is the definition of each authentication manager instance running RSA RADIUS
#
# IMPORTANT - 'secret' values for all home_server definitions must match
home_server am8p.vcloud.local {
        type = auth+acct
        ipaddr = 192.168.2.50
        port = 1812
        secret = securid
        require_message_authenticator = yes
        response_window = 20
        zombie_period = 40
        revive_interval = 120
        status_check = status-server
        check_interval = 30
        num_answers_to_alive = 3
}
home_server am8r.vcloud.local {
        type = auth+acct
        ipaddr = 192.168.2.51
        port = 1812
        secret = securid
        require_message_authenticator = yes
        response_window = 20
        zombie_period = 40
        revive_interval = 120
        status_check = status-server
        check_interval = 30
        num_answers_to_alive = 3
}
# add a new home_server section for an additional replica instance(s)
# ..and then update the home_server_pool section to include the new home_server definition(s)
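The hints rule and the proxy.conf realm, pool and home_server sections above work together: the rewrite appends @RSARADIUS, the realm name selects the pool, and the fail-over pool picks the first live Authentication Manager instance. The Python below is an added example, not code from this article or from FreeRADIUS; it emulates that chain with the regex, realm names, host names, addresses and secrets shown on this page, so the effect of the rule on different user name shapes and of a dead home server can be seen without running a server. Treatment of dead servers is simplified to a set of names passed by the caller.

```python
import re

# The hints rule from this page: ^([a-z]{1,25}) rewritten to %{1}@RSARADIUS
HINT_PATTERN = re.compile(r"^([a-z]{1,25})")
RSA_REALM = "RSARADIUS"

# Model of the proxy.conf sections on this page: home servers, pools and realms
HOME_SERVERS = {
    "localhost": {"ipaddr": "127.0.0.1", "port": 1812, "secret": "testing123"},
    "am8p.vcloud.local": {"ipaddr": "192.168.2.50", "port": 1812, "secret": "securid"},
    "am8r.vcloud.local": {"ipaddr": "192.168.2.51", "port": 1812, "secret": "securid"},
}
POOLS = {
    "my_auth_failover": {"type": "fail-over", "home_server": ["localhost"]},
    "rsa_radius_servers": {"type": "fail-over",
                           "home_server": ["am8p.vcloud.local", "am8r.vcloud.local"]},
}
REALMS = {
    "example.com": {"auth_pool": "my_auth_failover"},
    "LOCAL": {},
    "RSARADIUS": {"auth_pool": "rsa_radius_servers", "acct_pool": "rsa_radius_servers"},
}


def apply_hint(user_name):
    """Emulate the DEFAULT hints entry: if the regex matches, User-Name becomes the
    captured group plus @RSARADIUS. Only the captured prefix survives, because
    %{1} expands to the first capture group, not to the whole original name."""
    match = HINT_PATTERN.match(user_name)
    if match is None:
        return user_name
    return f"{match.group(1)}@{RSA_REALM}"


def split_realm(user_name):
    """Split user@realm on the last '@'; names without '@' have no realm."""
    if "@" not in user_name:
        return user_name, None
    user, realm = user_name.rsplit("@", 1)
    return user, realm


def select_home_server(user_name, dead=frozenset()):
    """Pick the home server a fail-over pool would use for this realm.
    Returns None when the request is not proxied (no or unknown realm, realm LOCAL)
    or when every server in the pool is in the constructed 'dead' set."""
    _, realm = split_realm(user_name)
    if realm is None or realm not in REALMS:
        return None
    pool_name = REALMS[realm].get("auth_pool")
    if pool_name is None:
        return None  # realm LOCAL: handled by this server, no pool
    for name in POOLS[pool_name]["home_server"]:
        if name not in dead:
            return name  # fail-over: first listed server that is alive
    return None


def pool_secrets_match(pool_name):
    """The IMPORTANT note in proxy.conf: every home_server in a pool must use the same secret."""
    secrets = {HOME_SERVERS[name]["secret"] for name in POOLS[pool_name]["home_server"]}
    return len(secrets) == 1


if __name__ == "__main__":
    # Constructed sample user names covering the shapes the regex does and does not match
    for name in ("rsatest", "john.doe", "bob@example.com", "Admin1"):
        rewritten = apply_hint(name)
        print(f"{name!r} -> {rewritten!r} -> {select_home_server(rewritten)}")
```

Two consequences of the rule as written show up in the sample run: a name such as john.doe is truncated to john@RSARADIUS, because only the lower case prefix is captured, and a name that already carries another realm, such as bob@example.com, is also rewritten to bob@RSARADIUS, so the example.com realm is never reached for it. A name starting with a capital letter or a digit does not match and is left for local handling. Tighten the regex if either outcome is not wanted in your deployment.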


Troubleshooting FreeRADIUS


Start FreeRADIUS in debug mode with the command:
radiusd -X

With debugging enabled, an administrator can troubleshoot FreeRADIUS.
The FreeRADIUS server must have a RADIUS Client and an associated RSA Agent defined in the Security Console.  To do this,
  1. Log in to the Security Console.
  2. Select RADIUS > RADIUS Clients > Add New.
  3. Enter the appropriate RADIUS Client settings for the new client.  These are:
  • Client name, which must be a resolvable host name on the network,
  • IPv4 address, and
  • A RADIUS shared secret.  This must match the secret value in the home_server sections for the Authentication Manager instances in the proxy.conf file.
  4. Click Save & Create Associated RSA Agent.
  5. In the Add New Authentication Agent window, click Save.


Testing FreeRADIUS


FreeRADIUS comes with a test RADIUS client called radtest.
Usage:

radtest <username> <password | passcode> <hostname | ip address> <NAS port> <RADIUS secret>


An example of radtest usage on Red Hat 7 where the RADIUS authentication is passed to FreeRADIUS and uses the FreeRADIUS secret:
[root@redhat7 raddb]# /usr/local/bin/radtest rsatest 12345678 127.0.0.1 18120 testing123
Sent Access-Request Id 187 from 0.0.0.0:44634 to 127.0.0.1:1812 length 77
        User-Name = "rsatest"
        User-Password = "12345678"
        NAS-IP-Address = 192.168.2.111
        NAS-Port = 18120
        Message-Authenticator = 0x00
        Cleartext-Password = "12345678"
Received Access-Accept Id 187 from 127.0.0.1:1812 to 0.0.0.0:0 length 78
        Class = 0x53425232434ca29ff4fcfda1b9f495c01180250180038198ce8002800881b99cec97a395e6f412800e81a29ff4fcfda1b9f495c080808090
[root@redhat7 raddb]#
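The radtest output above lists the request attributes, including the Message-Authenticator placeholder of 0x00 that the client fills in before sending. As an added example, not code from this article or from FreeRADIUS, the Python below builds the same Access-Request on the wire following RFC 2865 and RFC 2869: it hides the PAP password with the shared secret and the Request Authenticator, computes the HMAC-MD5 Message-Authenticator that a home_server with require_message_authenticator = yes verifies, and shows that a receiver holding a different shared secret fails that check and recovers a garbled password. That is the reason the secret in the home_server sections and in the Security Console RADIUS Client must match. The user name, password, NAS address, NAS port and secret are the values from the radtest run; the fixed Request Authenticator used in the sample run is constructed so results are repeatable.

```python
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute types (RFC 2865 and RFC 2869)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5
ATTR_MESSAGE_AUTHENTICATOR = 80


def encode_attr(attr_type, value):
    """Type-Length-Value encoding; Length counts the two header bytes as well."""
    return struct.pack("BB", attr_type, len(value) + 2) + value


def hide_user_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block
    return hidden


def reveal_user_password(hidden, secret, authenticator):
    """Inverse of hide_user_password; with the wrong secret the result is garbage."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return clear.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_ip, nas_port, authenticator=None):
    """Assemble an Access-Request with the attributes radtest sends, then fill in the
    Message-Authenticator: HMAC-MD5 over the whole packet with that attribute zeroed (RFC 2869 5.14)."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator: 16 random bytes
    attrs = (
        encode_attr(ATTR_USER_NAME, username.encode())
        + encode_attr(ATTR_USER_PASSWORD, hide_user_password(password.encode(), secret, authenticator))
        + encode_attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
        + encode_attr(ATTR_NAS_PORT, struct.pack(">I", nas_port))
        + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # placeholder, as in the radtest output
    )
    header = struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    packet = header + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator is the last attribute, so its value is the final 16 bytes


def iter_attrs(packet):
    """Yield (type, value, offset_of_value) for each attribute after the 20-byte header."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            break  # malformed attribute; stop rather than loop forever
        yield attr_type, packet[pos + 2:pos + length], pos + 2
        pos += length


def verify_message_authenticator(packet, secret):
    """The check a home_server with require_message_authenticator = yes performs.
    Returns False when the attribute is missing or the HMAC does not match."""
    for attr_type, value, offset in iter_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:offset] + b"\x00" * 16 + packet[offset + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(value, expected)
    return False


def parse_access_request(packet, secret):
    """Decode the fields a server reads; the password is correct only with the right secret."""
    code, ident, length = struct.unpack(">BBH", packet[:4])
    authenticator = packet[4:20]
    fields = {"Code": code, "Id": ident, "Length": length}
    for attr_type, value, _ in iter_attrs(packet):
        if attr_type == ATTR_USER_NAME:
            fields["User-Name"] = value.decode()
        elif attr_type == ATTR_USER_PASSWORD:
            fields["User-Password"] = reveal_user_password(value, secret, authenticator)
    return fields


if __name__ == "__main__":
    # Values from the radtest run; the Request Authenticator is a constructed fixed value
    pkt = build_access_request(187, b"testing123", "rsatest", "12345678", "192.168.2.111", 18120,
                               authenticator=bytes(range(16)))
    print(len(pkt), parse_access_request(pkt, b"testing123"))
    print(verify_message_authenticator(pkt, b"testing123"), verify_message_authenticator(pkt, b"securid"))
```

With these five attributes the packet is 77 bytes long, the same length radtest reports above. Verifying with the FreeRADIUS secret succeeds; verifying with the Authentication Manager secret from proxy.conf fails, which is what a secret mismatch between a client entry and its home_server looks like on the server side, and the decoded password is wrong in the same case.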
Notes: FreeRADIUS is available for download here.  Version 3.0.12 is the current stable version.
