Your own ID-Server
On premise installations of SecSign ID offer the flexibility to connect with your preferred servers, services, and devices. And you can customize the SecSign ID with your own organization’s branding.
Learn MoreThe following tutorial describes the configuration to use the SecSign ID Two-Factor Authentication with RADIUS.
The SecSignID 2FA authentication overview for RADIUS:
When your users login, they usually authenticate with user name and password first. After that, the second factor will be requested. So how does the mapping of user name and SecSignID work?
You have several options to assign a SecSign ID to a user:
Please contact us, if you do not want to modify Active Directory user profiles. We offer ID – Username mapping with our on-premise SecSignID server. Mapping via text file is not recommended but possible.
1. Java VM
As the SecSign ID RADIUS proxy is written in Java it can be run on any operating system with Java support like for example Windows or Linux. So the first step of the installation is to install a recent Java virtual machine preferable with 64 bit available at Oracle’s web site.
2. SecSign ID RADIUS proxy files
The directory SecSignIDRadiusProxy contains the application code in a JAR file and its configuration file. This directory has to be copied to the system that shall run the SecSign ID RADIUS proxy.
3. Setup Environment
We assume, that you already have a working setup, where a VPN (or other service) utilizes RADIUS to validate user credentials against Active Directory.
To integrate the SecSignID RADIUS Proxy, we have to change the endpoints. The VPN server already got the RADIUS server address, which needs to be changed to the RADUS Proxy address.
The Radius server already got the client configuration of the VPN server. The only client the RADIUS server needs to know is the RADUS Proxy.
The VPN and RADIUS server do not need to know each other, they just need to know the Radius Proxy, which sits in between the two
The configuration file secradiusproxy.properties needs to be edited:
The default port number of RADIUS is 1812. If necessary, if different value may be set here:
1 |
secradiusproxy.radius.port=1812 |
If the SecSign ID RADIUS proxy shall only bind to a specific IP address it may be specified here. The default is to bind to all IP addresses the machine has.
1 |
secradiusproxy.radius.bind.address=10.4.0.1 |
For each RADIUS client (for example a Microsoft Windows Server) the proxy needs to know the IP address and the shared secret. The list of RADIUS clients starts with the index ‘0’ and may have any number of entries which are consecutitvely numbered.
1 2 |
secradiusproxy.radiusclient.0.host=10.3.0.1 secradiusproxy.radiusclient.0.sharedsecret=theSecretClientValue |
The proxy also needs to know where to forward the RADIUS access requests for validation of the primary authentication credentials (user name and password). This forward RADIUS server may be for example another Microsoft Windows Server or even the same as the RADIUS client.
1 2 3 |
secradiusproxy.forwardradiusserver.host=10.5.0.1 secradiusproxy.forwardradiusserver.port=1812 secradiusproxy.forwardradiusserver.sharedsecret=theSecretServerValue |
For each Windows user whose log-in shall be secured in the SecSign ID the Active Directory must contain an attribute containing the SecSign ID user name of this user. The proxy uses an LDAP connection to query the SecSign ID user name in the Active Directory. For this LDAP connection it needs the name and password of a technical user with read access to the users branch of the Active Directory. Furthermore, the base DN will tell the proxy where to find the users branch in the LDAP tree. The recommended full name of this technical user is SecSign ID Radius Proxy and its descrption: Technical user to allow AD LDAP queries for the SecSign ID RADIUS proxy.
1 2 3 4 5 |
secradiusproxy.activedirectoryldapserver.host=10.6.0.1 secradiusproxy.activedirectoryldapserver.port=389 secradiusproxy.activedirectoryldapserver.username=DOMAIN\\radiusproxyuser secradiusproxy.activedirectoryldapserver.password=123456 secradiusproxy.activedirectoryldapserver.usersbasedn=CN=Users,DC=domain,DC=com |
The proxy will keep a copy of each received RADIUS packet for a certain time in order to recognize duplicate packets. The proxy will also remember the Windows user names for whom it is waiting for the completion of the SecSign ID log-in. The proxy will not start a new log-in session for such users if requested by the RADIUS client. The time out for both list entries can be specified here.
1 2 |
secradiusproxy.receivedpackets.cleanup.seconds=60 secradiusproxy.currentwindowsusers.cleanup.seconds=60 |
In order to initiate a SecSign ID log-in the SecSign ID RADIUS proxy needs the host name of the SecSign ID server and optionally of fallback SecSign ID servers:
1 2 3 4 |
seccommerce.secappserver.0=id1.secsign.com seccommerce.secappserverport.0=443 #seccommerce.secappserver.1=localhost #seccommerce.secappserverport.1=25200 |
The connection to the SecSign ID server is TLS encrypted. Therefore, a DER encoded trusted certificate of the SecSign ID server may be configured. If the server uses a certificate issued on its official DNS name by a regular trustcenter this configuration entry is not necessary.
1 |
seccommerce.secappservertlscert.0=trustedServerCert.der |
A timeout value be set after which the proxy tries to send its request to the next fallback SecSign ID server:
1 |
seccommerce.secappserver.connecttimeout=5000 |
The SecSign ID RADIUS proxy may use a HTTP proxy to send requests to the SecSign ID server. The HTTP proxy has the following settings:
1 2 3 4 |
seccommerce.secappserver.proxy.server=proxy.sec.intern seccommerce.secappserver.proxy.port=3128 seccommerce.secappserver.proxy.username= seccommerce.secappserver.proxy.password= |
If certain hosts can be reached without the general HTTP proxy they can be named here:
1 2 |
seccommerce.secappserver.proxy.bypass.0=www.available.direct seccommerce.secappserver.proxy.bypass.1=need.no.proxy |
The SecSign ID RADIUS proxy may write a log file. It contains all messages whose severity is equal to or above a specified level.
1 2 3 4 |
log.fileactive=on log.filename=secradiusproxy.log log.dir=. log.maxlogtype=50 |
The levels are:
The proxy may begin a new log file each day:
1 |
log.filenamealter=on |
The proxy can be started with:
1 |
java -classpath SecSignIDRadiusProxy.jar seccommerce.radius.RadiusProxy secradiusproxy.properties |
The proxy will output messages like:
1 2 3 4 5 6 7 8 9 10 11 12 13 |
30.07.2015 15:21:34:696 main: Log messages to '.' with level 50 according to radproxy.fz open logfile /SecSignIDRadiusProxy/./secradiusproxy30.log 30.07.2015 15:21:34:774 main: SecPKI host 0 = id1.secsign.com:443 30.07.2015 15:21:34:774 main: seccommerce.secappserver.1 not set in properties file. Failover configuration finished with 1 SecPKI hosts. 30.07.2015 15:21:34:785 main: Data format to SecPKI = serialized Java objects 30.07.2015 15:21:34:786 main: TLS to SecPKI = true 30.07.2015 15:21:34:786 main: WARNING: No SecPKI server trusted TLS certificate configured. 30.07.2015 15:21:34:788 main: Init SecPKI API: First server id1.secsign.com:443, First trusted TLS certificate: null 30.07.2015 15:21:34:788 main: Set SecPKI connect timeout 5000 ms 30.07.2015 15:21:34:790 main: SecPKIApi version 6 Build 1 30.07.2015 15:21:34:790 main: java.version=1.6.0_65 30.07.2015 15:21:34:790 main: Number of servers configured = 1 30.07.2015 15:21:34:794 main: RADIUS proxy server listening at 0.0.0.0:1812 |
Pressing ^C in the terminal window will end the proxy.
On premise installations of SecSign ID offer the flexibility to connect with your preferred servers, services, and devices. And you can customize the SecSign ID with your own organization’s branding.
Learn MoreOptions for securing Atlassian SSO Your users and passwords and services are all over the place? You want to simplify your security and authentication setup but you don’t know where to start? Move beyond your authentication ...
Mehr LesenMulti-Factor Authentication powered IdM/IAM with SecSign ID Your users and passwords and services are all over the place? You want to simplify your security and authentication setup but you don’t know where to start? Move bey ...
Mehr LesenWith SecSign ID you can protect all your logins with a secure Two-Factor Authentication based on a challenge response. The authentication offers the highest protection for the company data while being incredibly simple to us ...
Mehr LesenWant to learn more about SecSign’s innovative and highly secure
solutions for protecting your user accounts and sensitive data?
Use our contact form to submit your information, and a SecSign sales representative will contact you within one business day.
If you need assistance with an existing SecSign account or product
installation, please see the FAQs for more information on the most common questions. You don’t find the solution to your problem? Don’t hesitate to contact the
Product Support
I am Interested in