SecSign ID 2FA: Radius Proxy

2018-10-01 11 minutes to read

Two-Factor-Authentication for Radius

The following tutorial describes the configuration to use the SecSign ID Two-Factor Authentication with RADIUS.


System Overview and Login Procedure

The SecSignID 2FA authentication overview for RADIUS:


SecSignID Mapping

When your users login, they usually authenticate with user name and password first. After that, the second factor will be requested. So how does the mapping of user name and SecSignID work?

You have several options to assign a SecSign ID to a user:

  • The most comfortable solution is an on-premise ID Server that handles the mapping. It saves the user names in an internal database and performs the two-factor authentication. You have full control of user data, enrollment policies and naming patterns.
  • If you don’t need the advanced functions of an on-premise ID server, you can quite easily add an attribute to the user profiles in your Active Directory. Adding the SecSignID mapping to Active Directory makes it easy to manage and administer user accounts.
  • A simple text file can also handle the mapping. It is recommended for testing purposes only, since this method is error prone and does not support advanced enrollment features.

Please contact us, if you do not want to modify Active Directory user profiles. We offer ID – Username mapping with our on-premise SecSignID server. Mapping via text file is not recommended but possible.


Installation

1. Java VM

As the SecSign ID RADIUS proxy is written in Java, it can be run on any operating system with Java support, for example Windows or Linux. So the first step of the installation is to install a recent Java virtual machine, preferably a 64-bit one, available from Oracle’s web site.

2. SecSign ID RADIUS proxy files

The directory SecSignIDRadiusProxy contains the application code in a JAR file and its configuration file. This directory has to be copied to the system that shall run the SecSign ID RADIUS proxy.

3. Setup Environment

We assume that you already have a working setup in which a VPN (or another service) uses RADIUS to validate user credentials against Active Directory.

To integrate the SecSignID RADIUS Proxy, the endpoints have to be changed. The VPN server is already configured with the address of the RADIUS server; this address has to be changed to the address of the RADIUS Proxy.

The RADIUS server already has the VPN server configured as its client. From now on, the only client the RADIUS server needs to know is the RADIUS Proxy.

The VPN server and the RADIUS server do not need to know each other; they only need to know the RADIUS Proxy, which sits between the two.

Configuration of the SecSign ID RADIUS proxy

The configuration file secradiusproxy.properties needs to be edited:

The default port number of RADIUS is 1812. If necessary, a different value may be set here:

secradiusproxy.radius.port=1812

If the SecSign ID RADIUS proxy shall only bind to a specific IP address it may be specified here. The default is to bind to all IP addresses the machine has.

secradiusproxy.radius.bind.address=10.4.0.1

For each RADIUS client (for example a Microsoft Windows Server) the proxy needs to know the IP address and the shared secret. The list of RADIUS clients starts with the index ‘0’ and may have any number of entries, which are consecutively numbered.

secradiusproxy.radiusclient.0.host=10.3.0.1
secradiusproxy.radiusclient.0.sharedsecret=theSecretClientValue

The proxy also needs to know where to forward the RADIUS access requests for validation of the primary authentication credentials (user name and password). This forward RADIUS server may be for example another Microsoft Windows Server or even the same as the RADIUS client.

secradiusproxy.forwardradiusserver.host=10.5.0.1
secradiusproxy.forwardradiusserver.port=1812
secradiusproxy.forwardradiusserver.sharedsecret=theSecretServerValue
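The two shared secrets above belong to two different RADIUS conversations: the VPN server talks to the proxy under the client secret, and the proxy talks to the forward server under the server secret. The following added example (not SecSign's code, written for this page) shows what a proxy in that position has to do per RFC 2865 when it relays a PAP request: reveal the User-Password under the client secret, re-hide it under the forward server's secret with a fresh Request Authenticator, and verify the forward server's reply before answering the VPN server. Secret values are the placeholders from the configuration above.

```python
"""Added example (not SecSign's code): the RADIUS packet handling a proxy in
this position has to do per RFC 2865. The VPN server's request is protected
with the client shared secret (secradiusproxy.radiusclient.N.sharedsecret);
the proxy re-hides the PAP User-Password under the forward server's secret
and checks the forward server's reply before answering the VPN server."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_reveal(hidden, secret, authenticator):
    """Inverse of pap_hide; the chained block is the *hidden* one."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def rekey_request(hidden_pw, client_secret, client_auth, server_secret):
    """Proxy step: reveal under the client secret, re-hide under the forward
    server's secret with a fresh Request Authenticator for the new packet."""
    server_auth = os.urandom(16)
    password = pap_reveal(hidden_pw, client_secret, client_auth)
    return server_auth, pap_hide(password, server_secret, server_auth)

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def reply_is_authentic(code, ident, attrs, request_auth, secret, received):
    """Verify a reply before trusting an Access-Accept/Reject; the constant
    time compare avoids leaking how many bytes of a forged value matched."""
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(expected, received)
```

The same `response_authenticator` call with the client secret and the original Request Authenticator produces the authenticator the proxy must put on its own reply to the VPN server.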

For each Windows user whose log-in shall be secured with SecSign ID, the Active Directory must contain an attribute holding that user’s SecSign ID user name. The proxy uses an LDAP connection to query this SecSign ID user name from the Active Directory. For this LDAP connection it needs the name and password of a technical user with read access to the users branch of the Active Directory. Furthermore, the base DN tells the proxy where to find the users branch in the LDAP tree. The recommended full name of this technical user is SecSign ID Radius Proxy and its description: Technical user to allow AD LDAP queries for the SecSign ID RADIUS proxy.

secradiusproxy.activedirectoryldapserver.host=10.6.0.1
secradiusproxy.activedirectoryldapserver.port=389
secradiusproxy.activedirectoryldapserver.username=DOMAIN\\radiusproxyuser
secradiusproxy.activedirectoryldapserver.password=123456
secradiusproxy.activedirectoryldapserver.usersbasedn=CN=Users,DC=domain,DC=com

The proxy keeps a copy of each received RADIUS packet for a certain time in order to recognize duplicate packets. The proxy also remembers the Windows user names for which it is waiting for the completion of the SecSign ID log-in, and will not start a new log-in session for such a user if the RADIUS client requests one. The timeout for both lists can be specified here:

secradiusproxy.receivedpackets.cleanup.seconds=60
secradiusproxy.currentwindowsusers.cleanup.seconds=60

In order to initiate a SecSign ID log-in the SecSign ID RADIUS proxy needs the host name of the SecSign ID server and optionally of fallback SecSign ID servers:

seccommerce.secappserver.0=id1.secsign.com
seccommerce.secappserverport.0=443
#seccommerce.secappserver.1=localhost
#seccommerce.secappserverport.1=25200

The connection to the SecSign ID server is TLS encrypted. Therefore, a DER encoded trusted certificate of the SecSign ID server may be configured. If the server uses a certificate issued on its official DNS name by a regular trustcenter this configuration entry is not necessary.

seccommerce.secappservertlscert.0=trustedServerCert.der

A timeout value can be set after which the proxy tries to send its request to the next fallback SecSign ID server:

seccommerce.secappserver.connecttimeout=5000

The SecSign ID RADIUS proxy may use an HTTP proxy to send requests to the SecSign ID server. The HTTP proxy has the following settings:

seccommerce.secappserver.proxy.server=proxy.sec.intern
seccommerce.secappserver.proxy.port=3128
seccommerce.secappserver.proxy.username=
seccommerce.secappserver.proxy.password=

If certain hosts can be reached without the general HTTP proxy they can be named here:

seccommerce.secappserver.proxy.bypass.0=www.available.direct
seccommerce.secappserver.proxy.bypass.1=need.no.proxy

The SecSign ID RADIUS proxy may write a log file. It contains all messages whose severity is equal to or above a specified level.

log.fileactive=on
log.filename=secradiusproxy.log
log.dir=.
log.maxlogtype=50

The levels are:

  • 0: Error
  • 10: Warning
  • 20: Standard
  • 30: Usage
  • 40: Event
  • 50: Debug
  • 60: Verbose

The proxy may begin a new log file each day:

log.filenamealter=on
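Because the numbered entries above must be consecutive and a missing shared secret or port only shows up at run time, it is worth checking the file before starting the proxy. The following added example (not part of SecSign's software) reads a secradiusproxy.properties file with the key names listed in this section and reports the layout problems described above; the checks themselves are this example's own.

```python
"""Added example (not SecSign's code): sanity-check the secradiusproxy.properties
layout described above. Key names are the tutorial's; the checks are this example's own."""
import re

LOG_LEVELS = {0, 10, 20, 30, 40, 50, 60}  # Error .. Verbose, as listed above

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)  # value may itself contain '=' (base DN)
            props[key.strip()] = value.strip()
    return props

def indexed(props, prefix, suffix=""):
    """Sorted indices N for which '<prefix>.N<suffix>' is present."""
    pat = re.compile(re.escape(prefix) + r"\.(\d+)" + re.escape(suffix) + "$")
    return sorted(int(m.group(1)) for k in props if (m := pat.match(k)))

def check_properties(text):
    props, findings = parse_properties(text), []
    # RADIUS clients are numbered 0,1,2,... and each needs its shared secret
    clients = indexed(props, "secradiusproxy.radiusclient", ".host")
    if clients != list(range(len(clients))):
        findings.append(f"radiusclient indices not consecutive from 0: {clients}")
    for n in clients:
        if not props.get(f"secradiusproxy.radiusclient.{n}.sharedsecret"):
            findings.append(f"radiusclient.{n} has no sharedsecret")
    # the forward RADIUS server and the AD LDAP lookup are always required
    for key in ("secradiusproxy.forwardradiusserver.host",
                "secradiusproxy.forwardradiusserver.sharedsecret",
                "secradiusproxy.activedirectoryldapserver.host",
                "secradiusproxy.activedirectoryldapserver.usersbasedn"):
        if not props.get(key):
            findings.append(f"missing {key}")
    # SecSign ID servers: numbered from 0, each with a port; no pinned cert only warns
    servers = indexed(props, "seccommerce.secappserver")
    if not servers or servers != list(range(len(servers))):
        findings.append(f"secappserver indices not consecutive from 0: {servers}")
    for n in servers:
        if f"seccommerce.secappserverport.{n}" not in props:
            findings.append(f"secappserver.{n} has no port")
        if f"seccommerce.secappservertlscert.{n}" not in props:
            findings.append(f"secappserver.{n}: no trusted TLS certificate pinned")
    level = props.get("log.maxlogtype", "50")
    if not level.isdigit() or int(level) not in LOG_LEVELS:
        findings.append(f"log.maxlogtype={level} is not a listed level")
    return findings
```

Commented-out fallback servers (the `#seccommerce.secappserver.1` lines above) are skipped like any other comment, so they neither count as configured nor break the numbering check.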

SecSign ID RADIUS Proxy Start

The proxy can be started with:

java -classpath SecSignIDRadiusProxy.jar seccommerce.radius.RadiusProxy secradiusproxy.properties

The proxy will output messages like:

30.07.2015 15:21:34:696 main: Log messages to '.' with level 50 according to radproxy.fz
open logfile /SecSignIDRadiusProxy/./secradiusproxy30.log
30.07.2015 15:21:34:774 main: SecPKI host 0 = id1.secsign.com:443
30.07.2015 15:21:34:774 main: seccommerce.secappserver.1 not set in properties file. Failover configuration finished with 1 SecPKI hosts.
30.07.2015 15:21:34:785 main: Data format to SecPKI = serialized Java objects
30.07.2015 15:21:34:786 main: TLS to SecPKI = true
30.07.2015 15:21:34:786 main: WARNING: No SecPKI server trusted TLS certificate configured.
30.07.2015 15:21:34:788 main: Init SecPKI API: First server id1.secsign.com:443, First trusted TLS certificate: null
30.07.2015 15:21:34:788 main: Set SecPKI connect timeout 5000 ms
30.07.2015 15:21:34:790 main: SecPKIApi version 6 Build 1
30.07.2015 15:21:34:790 main: java.version=1.6.0_65
30.07.2015 15:21:34:790 main: Number of servers configured = 1
30.07.2015 15:21:34:794 main: RADIUS proxy server listening at 0.0.0.0:1812

Pressing ^C in the terminal window will end the proxy.

Radius Proxy: Windows Server 2012 R2 as Radius Client

The SecSign ID RADIUS proxy can be used with different systems that support RADIUS. As an example the following section shows how to configure the SecSign ID RADIUS proxy in a Microsoft Windows Server 2012.

In the Server Manager the option Network Policy Server in the Tools menu will open the configuration of the Network Policy Server. A new RADIUS server can be added at the node NPS (Local) – RADIUS Clients and Servers – Remote RADIUS Server Groups. There, in the context menu the option New opens the following dialog in which a RADIUS server group with a name like SecSign ID RADIUS proxy group may be created:

The button Add shows a dialog in which the IP address or host name of the SecSign ID RADIUS proxy can be added:

The shared secret has to be entered in the Authentication/Accounting tab. It must be identical to the value of the secradiusproxy.radiusclient.<n>.sharedsecret entry for this client (with the client’s index in place of <n>) in the configuration file of the proxy.

In the Load Balancing tab it is necessary to set the Number of seconds without response before a request is considered dropped to at least 60 seconds. This time allows the user to perform the SecSign ID authentication on his smart phone. The SecSign ID RADIUS proxy cannot answer the RADIUS client before the SecSign ID log-in is completed.

Now, the Microsoft Network Policy Server will be configured to send RADIUS requests to the SecSign ID RADIUS proxy in case of for example a VPN log-in: Selecting the node NPS (Local) – Policies – Connection Request Policies shows the following dialog:

A double click on Microsoft Routing and Remote Access Service Policy displays a dialog in which the tab Settings has to be selected. The node Forwarding Connection Request – Authentication allows specifying that RADIUS requests shall be forwarded to the SecSign ID RADIUS proxy:

Radius Proxy: Windows Server 2012 R2 as Forward Radius Server

The SecSign ID RADIUS proxy can forward RADIUS requests to different systems that support RADIUS. As an example the following section shows how to allow the SecSign ID RADIUS proxy as a RADIUS client in a Microsoft Windows Server 2012.

In the Server Manager the option Network Policy Server in the Tools menu will open the configuration of the Network Policy Server. A new RADIUS client can be added at the node NPS (Local) – RADIUS Clients and Servers – RADIUS Clients. There, in the context menu the option New opens the following dialog in which a RADIUS client with a name like SecSign ID RADIUS proxy may be created.

The IP address or DNS host name is the one of the machine running the SecSign ID RADIUS proxy. The shared secret is the same which was specified as secradiusproxy.forwardradiusserver.sharedsecret in the configuration file of the proxy.

2FA for Windows VPN

If the SecSign ID RADIUS proxy is integrated into a Microsoft Windows Server infrastructure it can be used to secure for example the log-in of a Windows 8.1 VPN client with SecSign ID.

To create a VPN connection using Microsoft Windows 8.1, open the Windows Control Panel and then the Network and Sharing Center. Select:

  • Set up a new connection or network
  • Connect to a workplace and finally:
  • Use my Internet connection (VPN)

In this example, the Internet address of the VPN target is win2012r2.secsignersde.com and the destination is described by the name "VPN with SecSign ID".

Pressing Create opens the Windows side bar showing all connections. Selecting VPN with SecSign ID and clicking on Connect opens a password entry asking for the Windows user name and password having an account at the VPN target:

When Windows 8.1 says Verifying your credentials, please authenticate the log-in in the SecSignApp on your smart phone.

If desired, the authentication methods for the VPN connection can be changed in the network adapter settings in the Network and Sharing Center of the Windows Control Panel. The SecSign ID RADIUS proxy supports the authentication methods MS-CHAP v2 and PAP:
