SecSign Portal Test for Free
Tutorial Overview
Allgemein
For Business
Integrate
Try Now
About Us
Portal
Contact
Technical Details
On-Premise
Tutorials
SecSign ID Overview
On-Premise
Technical Details
FAQs
Server API
Single-Sign On (SSO)
2FA Server Installation
Manage Identities
ID Management
Microsoft AD
Identity Federation
SAML
SAML Overview
JIRA On-Premise SAML
Bamboo On-Premise SAML
Bitbucket On-Premise SAML
Confluence On-Premise SAML
JIRA Cloud SAML
Bitbucket SAML Cloud
Confluence SAML Cloud
GitHub with SAML
NextCloud with SAML
Amazon Web Services (AWS) with SAML
Office 365 ADFS
OAuth
Jira FS
Confluence FS
Web Plugins
Nextcloud
WordPress
Joomla
Drupal
Typo3
Shibboleth IDP
Atlassian
Overview
Crowd Overview
Crowd 2FA Tutorial
Jira
Confluence
Bitbucket
Bamboo
Atlassian 2FA Plugin Changelog
Jira Rest API OAuth
Confluence Rest API OAuth
AD Federation
Atlassian JIRA and Confluence IPSafeZone
Atlassian JIRA and Confluence Two-Step Authentication
JIRA On-premise SAML
Confluence On-Premise SAML
Bitbucket On-premise SAML
Bamboo On-premise SAML
JIRA Cloud SAML
Bitbucket Cloud SAML
Confluence Cloud SAML
APIs
Php
Php Api
2FA Composer Bundle
Java
Node.js
ASP.NET with C#
C-API
OAuth 2 Integration
OS Integration
2FA SDK
Apple Apps
Windows
Overview
Outlook on the Web (OWA)
LDAP and Active Directory
Credential Provider
Remote Desktop
ADFS for Office 365
Windows Server Tutorial
Unix
Overview
PAM Installation
SSH PAM
FTP PAM
Linux Login
Cisco VPN
SecSignID Radius Proxy
Information
SecSign Advantages
2-Factor Authentication
On-Premise Solutions
SecSign / Developers / SecSignID Radius Proxy

SecSignID 2FA: Radius Proxy

2018-10-01 11 minutes to read
Deutsche Sprache Deutsche Version
Tutorial Index

SecSignID 2-Factor-Authentication for Radius

The following tutorial describes the configuration to use the SecSign ID Two-Factor Authentication with RADIUS.

2FA Radius Proxy
Easy Touch 2FA
 2FA Radius Proxy
No Password Chaos Anymore
 2FA Radius Proxy
On-premise or Cloud Solutions
Login Procedure

System Overview and Login Procedure

The SecSignID 2FA authentication overview for RADIUS:

SecSign ID Integration

Please configure your desired integration of the SecSign ID Two Factor Authentication

Choose a system, where you want to add the secure login

How many users will utilize the two factor authentication combined in all integrations. This is important for

Do you need your own ID Server inside your protected network or prefer if we manage and maintain it for you

The location to save the assigned SecSign IDs to a user account or the IDM alltogether

System to protect
?
The System you want to protect - Choose a system, where you want to add the secure login
Amount of users
?
The users you plan to protect - How many users will utilize the two factor authentication combined in all integrations
SecSign ID Server location
?
Do you need your own ID Server inside your protected network or prefer if we manage and maintain it for you
User account location
?
The system to save the assigned SecSign IDs to a user account or the IDM alltogether
edit the settings to change the integration
2FA
2FA no AP
2SA
2SA no AP
2SA blind
OTP
Enrollment Custom
Enrollment Pattern
Show NW boundaries
Hide NW boundaries

previousnext

Step #:
ID Mapping

SecSignID Mapping

When your users login, they usually authenticate with user name and password first. After that, the second factor will be requested. So how does the mapping of user name and SecSignID work?

You have several options to assign a SecSign ID to a user:

  • The most comfortable solution is an on-premise ID Server that will handle the mapping. It saves the user names in an internal database and performs the two-factor authentication. You have full control of user data, enrollment policies and naming patterns.
  • If you don’t need the advanced functions of an on-premise ID server, you can add an attribute to the user profiles in your Active Directory quite easily. See here how it works. Adding the SecSignID mapping into Active Directory makes it easy to manage and administer user accounts
  • A simple text file can also handle the mapping. It’s recommended for testing purposes only, since this method is error prone and does not support advanced enrollment features

Please contact us, if you do not want to modify Active Directory user profiles. We offer ID – Username mapping with our on-premise SecSignID server. Mapping via text file is not recommended but possible.

Installation

Installation

1. Java VM

As the SecSign ID RADIUS proxy is written in Java it can be run on any operating system with Java support like for example Windows or Linux. So the first step of the installation is to install a recent Java virtual machine preferable with 64 bit available at Oracle’s web site.

2. SecSign ID RADIUS proxy files

The directory SecSignIDRadiusProxy contains the application code in a JAR file and its configuration file. This directory has to be copied to the system that shall run the SecSign ID RADIUS proxy.

3. Setup Environment

We assume, that you already have a working setup, where a VPN (or other service) utilizes RADIUS to validate user credentials against Active Directory.

To integrate the SecSignID RADIUS Proxy, we have to change the endpoints. The VPN server already got the RADIUS server address, which needs to be changed to the RADUS Proxy address.

The Radius server already got the client configuration of the VPN server. The only client the RADIUS server needs to know is the RADUS Proxy.

The VPN and RADIUS server do not need to know each other, they just need to know the Radius Proxy, which sits in between the two

Configuration of the SecSign ID RADIUS proxy

The configuration file secradiusproxy.properties needs to be edited:

The default port number of RADIUS is 1812. If necessary, if different value may be set here:

If the SecSign ID RADIUS proxy shall only bind to a specific IP address it may be specified here. The default is to bind to all IP addresses the machine has.

For each RADIUS client (for example a Microsoft Windows Server) the proxy needs to know the IP address and the shared secret. The list of RADIUS clients starts with the index ‘0’ and may have any number of entries which are consecutitvely numbered.

The proxy also needs to know where to forward the RADIUS access requests for validation of the primary authentication credentials (user name and password). This forward RADIUS server may be for example another Microsoft Windows Server or even the same as the RADIUS client.

For each Windows user whose log-in shall be secured in the SecSign ID the Active Directory must contain an attribute containing the SecSign ID user name of this user. The proxy uses an LDAP connection to query the SecSign ID user name in the Active Directory. For this LDAP connection it needs the name and password of a technical user with read access to the users branch of the Active Directory. Furthermore, the base DN will tell the proxy where to find the users branch in the LDAP tree. The recommended full name of this technical user is SecSign ID Radius Proxy and its descrption: Technical user to allow AD LDAP queries for the SecSign ID RADIUS proxy.

The proxy will keep a copy of each received RADIUS packet for a certain time in order to recognize duplicate packets. The proxy will also remember the Windows user names for whom it is waiting for the completion of the SecSign ID log-in. The proxy will not start a new log-in session for such users if requested by the RADIUS client. The time out for both list entries can be specified here.

In order to initiate a SecSign ID log-in the SecSign ID RADIUS proxy needs the host name of the SecSign ID server and optionally of fallback SecSign ID servers:

The connection to the SecSign ID server is TLS encrypted. Therefore, a DER encoded trusted certificate of the SecSign ID server may be configured. If the server uses a certificate issued on its official DNS name by a regular trustcenter this configuration entry is not necessary.

A timeout value be set after which the proxy tries to send its request to the next fallback SecSign ID server:

The SecSign ID RADIUS proxy may use a HTTP proxy to send requests to the SecSign ID server. The HTTP proxy has the following settings:

If certain hosts can be reached without the general HTTP proxy they can be named here:

The SecSign ID RADIUS proxy may write a log file. It contains all messages whose severity is equal to or above a specified level.

The levels are:

  • 0: Error
  • 10: Warning
  • 20: Standard
  • 30: Usage
  • 40: Event
  • 50: Debug
  • 60: Verbose

The proxy may begin a new log file each day:

Proxy start

SecSign ID RADIUS Proxy Start

The proxy can be started with:

The proxy will output messages like:

Pressing ^C in the terminal window will end the proxy.

Your own ID-Server

On premise installations of SecSign ID offer the flexibility to connect with your preferred servers, services, and devices. And you can customize the SecSign ID with your own organization’s branding.

Learn More
On Premise 2FA ID

Latest Blog Posts, Updates & Features

Atlassian JIRA and Confluence Two-Step Authentication and IP-SafeZone

With SecSign ID you can protect all your logins with a secure Two-Factor Authentication based on a challenge response. The authentication offers the highest protection for the company data while being incredibly simple to us ...

Mehr Lesen

SSO Setup with Crowd

Content Pre-requirements Setup and configuration of the components as a server application Configuration of Crowd for the centrally organized user management Configure application (for example JIRA) to be used wit ...

Mehr Lesen

What is possible with Crowd?

The SecSign ID Crowd Plugin can be integrated in just a few steps. For more information about the plugin and the integration please refer to the following pages. Do you have any questions? Don't hesitate to contact us. ...

Mehr Lesen