RADIUS adapter
Overview
MultiFactor Radius Adapter is a software component developed by MultiFactor for remote access two-factor user authentication. The component is distributed free of charge.
MultiFactor.Radius.Adapter.1.0.11.zip.
Component Features
- Receiving authentication requests via the RADIUS protocol;
- Checking the first factor of authentication — user login and password;
- Verification of the second authentication factor in the Multifactor cloud: SMS or OTP token or request confirmation in the application.
Additional features:
- Verify that the user belongs to a group in Active Directory;
- Automatically create a user in the Multifactor cloud, using the phone number stored in Active Directory to deliver a one-time code via SMS.
The first factor (username and password) can be checked in one of the following ways, depending on your setting:
- In an Active Directory domain: checks that the user exists, that the password is correct, that the account is not blocked, that the user is not restricted by logon hours, and that no password change is required;
- In a RADIUS server, such as Network Policy Server (NPS): in addition to all the checks above, the connection policies configured in NPS are applied;
- No check: only the second authentication factor is requested.
Important: the component does not pass the user password to the Multifactor cloud. The password never leaves the network perimeter; only the login is transmitted, to identify the user and deliver the second factor.
Requirements for component installation
- The component is installed on any Windows server starting from version 2012 R2;
- The server with the installed component requires access to the host api.multifactor.ru on TCP port 443 (TLS).
Component parameters
The parameters of the component are stored in the file MultiFactor.Radius.Adapter.exe.config in XML format.
General parameters
<!-- The address and port (UDP) on which the adapter will accept authentication requests from clients -->
<add key="adapter-server-endpoint" value="192.168.0.1:1812"/>
<!-- Shared secret for RADIUS client authentication -->
<add key="radius-shared-secret" value=""/>
<!-- Where to check the first factor: ActiveDirectory or RADIUS or None (not check) -->
<add key="first-factor-authentication-source" value="ActiveDirectory"/>
<!-- Do not request the second factor again for the user/device during the specified period in minutes (optional) -->
<add key="bypass-second-factor-period" value="30"/>
<!--Address of Multifactor API -->
<add key="multifactor-api-url" value="https://api.multifactor.ru"/>
<!-- NAS-Identifier parameter to connect to Multifactor API - from personal cabinet -->
<add key="multifactor-nas-identifier" value=""/>
<!-- Shared Secret parameter to connect to Multifactor API - from personal cabinet -->
<add key="multifactor-shared-secret" value=""/>
<!-- Minimum log level: 'Debug', 'Info', 'Warn', 'Error' -->
<add key="logging-level" value="Info"/>
Active Directory connection settings
To check the first factor in AD, the following parameters apply:
<!--Domain-->
<add key="active-directory-domain" value="domain.local"/>
<!--Check user's group membership (not checked if you delete the setting) -->
<add key="active-directory-group" value="VPN Users"/>
<!-- Request the second factor only from users in the specified group (the second factor is required from everyone if the setting is removed) -->
<add key="active-directory-2fa-group" value="2FA Users"/>
<!-- Use the phone number from AD to send a one-time code by SMS (not used if the setting is removed) -->
<add key="use-active-directory-user-phone" value="true"/>
When use-active-directory-user-phone is enabled, the component uses the phone number recorded on the General tab of the user's Active Directory account. The phone number can be in any format.
Connection parameters to an external RADIUS server
To check the first factor in RADIUS, for example in Network Policy Server, the following parameters apply:
<!--Address and port (UDP) to be used to connect to the server -->
<add key="adapter-client-endpoint" value="192.168.0.1:56129" />
<!--Address and port (UDP) of the server -->
<add key="nps-server-endpoint" value="192.168.0.10:1812"/>
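As an added example that is not part of the component or its documentation, the following Python script reads the key/value pairs from a config file in the layout shown above and flags settings that would stop the adapter from working: empty shared secrets or identifiers, an unknown first-factor source, an AD source without a domain, a RADIUS source without the NPS endpoints, malformed host:port values, a non-HTTPS API URL. The key names and allowed values come from the sections above; the `<appSettings>` wrapper in the constructed sample is an assumption about the .NET exe.config layout, and the sample values are constructed, not from a real deployment.

```python
import xml.etree.ElementTree as ET

VALID_SOURCES = {"ActiveDirectory", "RADIUS", "None"}
VALID_LEVELS = {"Debug", "Info", "Warn", "Error"}

# Constructed sample config (not a real deployment). The <appSettings> wrapper is an
# assumption about the .NET exe.config layout; the keys are the documented ones.
# It contains two deliberate mistakes: an empty RADIUS shared secret, and a RADIUS
# first-factor source without the nps-server-endpoint that source needs.
SAMPLE_CONFIG = """<configuration>
  <appSettings>
    <add key="adapter-server-endpoint" value="192.168.0.1:1812"/>
    <add key="radius-shared-secret" value=""/>
    <add key="first-factor-authentication-source" value="RADIUS"/>
    <add key="bypass-second-factor-period" value="30"/>
    <add key="multifactor-api-url" value="https://api.multifactor.ru"/>
    <add key="multifactor-nas-identifier" value="example-nas-id"/>
    <add key="multifactor-shared-secret" value="example-api-secret"/>
    <add key="logging-level" value="Info"/>
    <add key="adapter-client-endpoint" value="192.168.0.1:56129"/>
  </appSettings>
</configuration>"""


def load_settings(xml_text: str) -> dict:
    """Collect every <add key=... value=.../> pair, wherever it sits in the document."""
    root = ET.fromstring(xml_text)
    return {e.get("key"): e.get("value", "") for e in root.iter("add") if e.get("key")}


def parse_endpoint(value: str) -> tuple:
    """Split 'host:port' and require a usable UDP port number."""
    host, sep, port = value.rpartition(":")
    if not sep or not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"malformed endpoint {value!r} (expected host:port)")
    return host, int(port)


def check_settings(settings: dict) -> list:
    """Return human-readable problems; an empty list means the config passes these checks."""
    problems = []
    # Values that must never be left blank.
    for key in ("adapter-server-endpoint", "radius-shared-secret",
                "first-factor-authentication-source",
                "multifactor-nas-identifier", "multifactor-shared-secret"):
        if not settings.get(key):
            problems.append(f"{key}: missing or empty")
    # Every endpoint that is present must be host:port.
    for key in ("adapter-server-endpoint", "adapter-client-endpoint", "nps-server-endpoint"):
        if settings.get(key):
            try:
                parse_endpoint(settings[key])
            except ValueError as exc:
                problems.append(f"{key}: {exc}")
    # Requirements that depend on where the first factor is checked.
    source = settings.get("first-factor-authentication-source")
    if source and source not in VALID_SOURCES:
        problems.append(f"first-factor-authentication-source: unknown value {source!r}")
    if source == "ActiveDirectory" and not settings.get("active-directory-domain"):
        problems.append("active-directory-domain: required when the first factor is checked in AD")
    if source == "RADIUS":
        for key in ("adapter-client-endpoint", "nps-server-endpoint"):
            if not settings.get(key):
                problems.append(f"{key}: required when the first factor is checked in RADIUS")
    # The API is reached over TLS on port 443; a plain http:// URL would expose the API secret.
    api_url = settings.get("multifactor-api-url", "")
    if api_url and not api_url.startswith("https://"):
        problems.append("multifactor-api-url: must use https://")
    level = settings.get("logging-level")
    if level and level not in VALID_LEVELS:
        problems.append(f"logging-level: unknown value {level!r}")
    period = settings.get("bypass-second-factor-period")
    if period is not None and not period.isdigit():
        problems.append("bypass-second-factor-period: must be a whole number of minutes")
    return problems


def check_config_text(xml_text: str) -> list:
    """Convenience wrapper: parse the XML text and run the checks."""
    return check_settings(load_settings(xml_text))


if __name__ == "__main__":
    for problem in check_config_text(SAMPLE_CONFIG):
        print("PROBLEM:", problem)
```

Run it against a copy of the real MultiFactor.Radius.Adapter.exe.config before starting the service; the two problems it reports for the constructed sample are exactly the ones an adapter with a blank shared secret and a missing NPS endpoint would hit at runtime.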
Additional RADIUS Attributes
You can specify what attributes the component will pass on when the authentication is successful
<RadiusReply>
<Attributes>
<add name="cisco-avpair" value="webvpn:user-vpn-group=VPNUsers"/>
<add name="cisco-avpair" value="webvpn:inacl=VPNUsers"/>
</Attributes>
</RadiusReply>
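To see what the adapter receives and what it returns on success (the RADIUS Access-Request from the "Component Features" section and the reply attributes shown above), here is an added Python example that is not part of the component: it builds an Access-Request with PAP credentials hidden as RFC 2865 requires, then verifies the Response Authenticator of an Access-Accept and decodes cisco-avpair attributes from it. Because the example must run offline, build_access_accept constructs the reply locally in the form the adapter would send it; send_and_verify is the live variant for checking a real adapter-server-endpoint. The shared secret, user name, password and NAS-Identifier attribute values are constructed, and the MD5-based password hiding is what the RADIUS standard prescribes, not anything specific to this adapter.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC, NAS_IDENTIFIER = 1, 2, 26, 32
VENDOR_CISCO, CISCO_AVPAIR = 9, 1  # IANA enterprise number 9, vendor attribute type 1


def encode_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks; block i is XORed with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], pad))
        out += prev
    return out


def decode_pap_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_pap_password: what the adapter does before checking the first factor."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(encoded[i:i + 16], pad))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute (length covers the 2-byte header)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, username, password, secret, nas_identifier):
    """Access-Request with PAP credentials; returns the packet and its Request Authenticator."""
    authenticator = os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, encode_pap_password(password.encode(), secret, authenticator))
             + attribute(NAS_IDENTIFIER, nas_identifier.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_attributes(data: bytes) -> list:
    """Decode the attribute list; Cisco cisco-avpair VSAs come back as ('cisco-avpair', text)."""
    attrs, pos = [], 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        value = data[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor_id == VENDOR_CISCO and vtype == CISCO_AVPAIR:
                attrs.append(("cisco-avpair", value[6:4 + vlen].decode()))
                pos += alen
                continue
        attrs.append((atype, value))
        pos += alen
    return attrs


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes):
    """Check the Response Authenticator, MD5(code|id|length|RequestAuth|attrs|secret), before trusting a reply."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(packet[4:20], expected), code, parse_attributes(attrs)


def build_access_accept(ident, request_authenticator, secret, avpairs):
    """Constructed Access-Accept in the form the adapter would send; lets the example run offline."""
    attrs = b""
    for text in avpairs:
        vsa = struct.pack("!IBB", VENDOR_CISCO, CISCO_AVPAIR, len(text) + 2) + text.encode()
        attrs += attribute(VENDOR_SPECIFIC, vsa)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def send_and_verify(endpoint, secret, username, password, nas_identifier, timeout=60.0):
    """Live check against the adapter's (host, port); the long timeout covers the second-factor prompt."""
    request, request_auth = build_access_request(1, username, password, secret, nas_identifier)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, endpoint)
        reply, _ = sock.recvfrom(4096)
    return verify_response(reply, request_auth, secret)


def offline_round_trip():
    """Build a request, simulate the adapter's Access-Accept, verify it; returns (ok, code, attrs)."""
    secret = b"constructed-shared-secret"  # constructed value, not a real secret
    request, request_auth = build_access_request(7, "alice", "correct horse", secret, "vpn-gw")
    req_attrs = dict(parse_attributes(request[20:]))
    if decode_pap_password(req_attrs[USER_PASSWORD], secret, request_auth) != b"correct horse":
        raise RuntimeError("password hiding did not round-trip")
    reply = build_access_accept(7, request_auth, secret, ["webvpn:user-vpn-group=VPNUsers"])
    return verify_response(reply, request_auth, secret)


if __name__ == "__main__":
    print(offline_round_trip())
```

The point worth taking from the verification step: a reply whose Response Authenticator does not match the shared secret and the original Request Authenticator is discarded, so a client that skips this check accepts any Access-Accept that reaches it, whether or not the adapter sent it.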
Run component
The component can operate in console mode or as a Windows service. To run in console mode, simply run the application.
To install as a Windows service, run it with the /i key as Administrator:
MultiFactor.Radius.Adapter.exe /i
The service is installed in automatic start mode and runs as Network Service.
To uninstall the Windows service, run it with the /u key as Administrator:
MultiFactor.Radius.Adapter.exe /u
Logs
The logs of the component are located in the Logs folder. If they are not created, make sure that the folder is writable by the Network Service user.
Usage scenarios
The following scenarios can be implemented using the component:
- Two-factor authentication for VPN devices from Cisco, FortiGate, MikroTik, Huawei, etc.
- Two-factor Windows VPN authentication with the Routing and Remote Access Service (RRAS)
- Two-factor Microsoft Remote Desktop Gateway authentication
- VMware Horizon two-factor authentication
- Two-factor Citrix VDI authentication
- Two-factor authentication of Apache Guacamole
- Two-factor authentication of Wi-Fi access points
- and many others