Skip to main content

Radius server for Linux

MULTIFACTOR Radius Adapter is a software component, RADIUS server for Linux.

The component is available along with the source code and is distributed free of charge. The current version is on GitHub: code and assembly.

License

Please note the license. It does not give you the right to make changes to the source code of the Component or create derivative works based on it. The source code is provided for informational purposes.

Requirements for installing the component

  • The component is installed on a Linux server, tested on CentOS, RHEL, Ubuntu, Debian, Astra Linux, REDOS, ALT Linux, SUSE Linux;
  • Minimum requirements for the server: 1 CPU, 2 GB RAM, 8 GB HDD (ensures the operation of the OS and adapter for 100 simultaneous connections - approximately 1500 users);
  • Port 1812 (UDP) must be open on the server to receive requests from Radius clients;
  • The server with the installed component needs access to the host api.multifactor.kz via TCP port 443 (TLS) directly or via an HTTP proxy;
  • To interact with Active Directory, the component needs access to the domain server via TCP port 389 (LDAP scheme) or 636 (LDAPS scheme);
  • To interact with Network Policy Server, the component needs access to NPS via UDP port 1812.
Important

Linux versions of components do not support & and # symbols

Installation

Installing libraries

The component uses the ASP.NET Core runtime version 6, which is free, open, developed by Microsoft and the Open-Source community. The runtime does not impose any restrictions on use.

To install, run the commands:

$ sudo rpm -Uvh https://packages.microsoft.com/config/centos/7/packages-microsoft-prod.rpm
$ sudo yum install aspnetcore-runtime-6.0
https://docs.microsoft.com/ru-ru/dotnet /core/install/linux-centos

If an error occurs: Unable to load shared library 'ldap.so.2' or one of its dependencies it is necessary to correct the chain so that the libldap.so.2 symlink ultimately links to the specific library libldap-2.X.so.2.Y.Z

Example: libldap.so.2 -> libldap-2.4.so.2 // this is a symlink libldap-2.4.so.2 -> libldap_r-2.4.so.2 // this is a symlink libldap_r-2.4.so.2 -> libldap_r-2.4.so.2.11.5 // this is a symlink libldap_r-2.4.so.2.11.5 // this is the library itself

Checking and fixing the symlink To check the symlinks, you need to find where the libldap library itself is located, as a rule, this is the /usr/lib/x86_64-linux-gnu directory.

Next, enter the command ls -la and see all the files and symlinks. We look there for who and how links to libldap, what link is missing and create it. Most often, one symlink is missing - from libldap.so.2 to the major version of the library. Let's create it:

For Debian and Ubuntu
ln -s/usr/lib/x86_64-linux-gnu/libldap-2.4.so.2 /usr/lib/x86_64-linux-gnu/libldap.so.2
For CentOS and REDOS
ln -s /usr/lib64/libldap_r-2.4.so.2.10.9 /usr/lib64/libldap.so.2
(Library versions may vary)

We carry out similar manipulations with the libber library

Component installation

Create a folder, download and unpack the current version of the component from GitHub:

$ sudo mkdir /opt/multifactor /opt/multifactor/radius /opt/multifactor/radius/logs
$ sudo wget https://github.com/MultifactorLab/multifactor-radius-adapter/releases/latest/download/release_linux_x64.zip
$ sudo unzip release_linux_x64.zip -d /opt/multifactor/radius

Create a system user mfa and give him rights to the application:

$ sudo useradd -r mfa
$ sudo chown -R mfa: /opt/multifactor/radius/
$ sudo chmod -R 700 /opt/multifactor/radius/

Create a systemd service file:

$ sudo vi /etc/systemd/system/multifactor-radius.service

Replace the contents and save the file:

[Unit]
Description=Multifactor Radius Adapter

[Service]
WorkingDirectory=/opt/multifactor/radius/
ExecStart=/usr/bin/dotnet /opt/multifactor/radius/multifactor-radius-adapter.dll
Restart=always
# Restart service after 10 seconds if the service crashes:
RestartSec=10
KillSignal=SIGINT
SyslogIdentifier=multifactor-radius
User=mfa
Environment=ASPNETCORE_ENVIRONMENT=Production
Environment=DOTNET_PRINT_TELEMETRY_MESSAGE=false
 
# How many seconds to wait for the app to shut down after it receives the initial interrupt signal. 
# If the app doesn't shut down in this period, SIGKILL is issued to terminate the app. 
# The default timeout for most distributions is 90 seconds.
TimeoutStopSec=30

[Install]
WantedBy=multi-user.target

Enable service autostart:

$ sudo systemctl enable multifactor-radius

Common parameters

General parameters for the component's operation are stored in the file /opt/multifactor/radius/multifactor-radius-adapter.dll.config in XML format.

Minimum configuration:

<!-- Address and port (UDP) at which the adapter will accept authentication requests from clients -->
<add key="adapter-server-endpoint" value="0.0.0.0:1812"/>

<!-- MULTIFACTOR API address -->
<add key="multifactor-api-url" value="https://api.multifactor.kz"/>

<!-- Access to MULTIFACTOR API via HTTP proxy (optional) -->
<!-- <add key="multifactor-api-proxy" value="http://login:password@proxy:3128"/> -->

<!-- Logging level: 'Debug', 'Info', 'Warn', 'Error' -->
<add key="logging-level" value="Debug"/>

Setting up network connections

Client identification

To configure each network connection to the adapter, a separate configuration file with the extension .config is used, which should be located in the /clients folder.

The client is identified either by IP address or by the NAS-Identifier attribute. IP is convenient for identifying the configuration of individual network devices, for example, firewalls. By NAS-Identifier - several of the same type, for example, a group of hosts with WinLogon or SSH.

<!-- IP address of the network device that will connect to the adapter -->
<add key="radius-client-ip" value="10.10.10.10"/>
<!-- Or RADIUS attribute NAS-Identifier transmitted from the network device when connecting to the adapter -->
<add key="radius-client-nas-identifier" value="windows"/>
<!-- Shared secret configured on the network device -->
<add key="radius-shared-secret" value=""/>

If client identification is not required, you can make universal settings in the multifactor-radius-adapter.dll.config file, which will be applicable for all connections.

warning

In the radius-shared-secret parameter, special characters are not supported: ('>','<','&'), since the adapter's XML parser considers this part of the markup.

Checking the first factor in Active Directory

To check the first factor in an Active Directory domain, add the following parameters to the client configuration:

<!-- Where to check the first factor: ActiveDirectory -->
<add key="first-factor-authentication-source" value="ActiveDirectory"/>

<!-- Domain: in the current example domain.local on server 10.0.0.4 -->
<add key="active-directory-domain" value="ldaps://10.0.0.4/DC=domain,DC=local"/>

<!-- Allow access only to users from the specified group (not checked if the setting is removed) -->
<add key="active-directory-group" value="VPN Users"/>
<!-- Request the second factor only from users in the specified group (the second factor is required for everyone if the setting is removed) -->
<add key="active-directory-2fa-group" value="2FA Users"/>
<!-- Do not request the second factor from users from the specified group (including if the user is also in the group specified in active-directory-2fa-group) -->
<add key="active-directory-2fa-bypass-group" value="Bypass 2FA Users"/>

<!-- Use a phone number from Active Directory to send a one-time code via SMS (not used if the setting is removed) -->
<!-- <add key="phone-attribute" value="mobile"/> -->

When the phone-attribute parameter is enabled, the component will use the phone number recorded in the specified LDAP user attribute. The phone format can be any.

Checking the first factor in an external RADIUS server

To check the first factor in RADIUS, for example, in Network Policy Server the following parameters apply:

<!-- Where to check the first factor: Radius -->
<add key="first-factor-authentication-source" value="Radius"/>
<!-- Address (UDP) from which the adapter will connect to the server -->
<add key="adapter-client-endpoint" value="0.0.0.0"/>
<!-- Address and port (UDP) of the server -->
<add key="nps-server-endpoint" value="192.168.0.10:1812"/>

Without checking the first factor

The adapter can work without checking the user password, only with the second access factor. The following client configuration is used for setup:

<!--Where to check the first factor: None -->
<add key="first-factor-authentication-source" value="None"/>

Setting up a service account

A service account is required to check user membership in Active Directory groups or to load LDAP attributes in case the first factor is checked in Radius or not checked (None).

To connect to a domain, you must specify the domain and service user credentials.

<!-- Domain: in the current example domain.local on server 10.0.0.4 -->
<add key="active-directory-domain" value="ldaps://10.0.0.4/DC=domain,DC=local"/>
<!-- Active Directory service account login to check user group membership -->
<add key="service-account-user" value="service-account@domain.local"/>
<!-- Active Directory service account password for checking user group membership -->
<add key="service-account-password" value=""/>

Connect to the authentication server

To interact with MULTIFACTOR authentication servers that send a second access factor, you need to fill out two parameters in the client configuration:

<!-- NAS-Identifier parameter for connecting to the MULTIFACTOR API - from your personal account -->
<add key="multifactor-nas-identifier" value=""/>
<!-- Shared Secret parameter for connecting to the MULTIFACTOR API - from your personal account -->
<add key="multifactor-shared-secret" value=""/>

The parameter values ​​must be taken from personal account, in the "Resources" section.

Additional RADIUS attributes

If authentication is successful, the component can send custom RADIUS attributes in the response to the client. Such attributes are usually used on network equipment to differentiate access rights.

Attributes can be of four types:

  1. Unconditional
  2. Conditional: checking whether the user is a member of a group on the LDAP server
  3. Conditional: with username verification
  4. With translation of the LDAP attribute value into RADIUS.

Example XML syntax of a configuration file for passing the Class attribute (RADIUS Attribute ID 25 ).

<configuration>
  <!-- RadiusReply section declaration -->
  <configSections>
      <section name="RadiusReply" type="MultiFactor.Radius.Adapter.RadiusReplyAttributesSection, multifactor-radius-adapter" />
  </configSections>
  
  <!-- Component operation parameters -->
  <appSettings>
    ...
  </appSettings>
  
  <!-- Configuring the transmission of additional RADIUS attributes -->
  <RadiusReply>
      <Attributes>
        <!-- Always pass the Class attribute with the value Test1 -->
        <add name="Class" value="Test1" />
        <!-- Always pass the Class attribute with the value from the Ldap attribute SampleLdapAttr -->
        <add name="Class" from="SampleLdapAttr"/>
        <!-- Pass the Class attribute with all user groups in Active Directory -->
        <add name="Class" from="memberOf"/>
        <!-- Pass the Class attribute with the value Users if the user is a member of the LDAP group VPN Users -->
        <add name="Class" value="Users" when="UserGroup=VPN Users"/>
        <!-- Pass the Class attribute with the value Admin if the user name is SamlpeAdminName -->
        <add name="Class" value="Admin" when="UserName=SamlpeAdminName"/>
      </Attributes>
  </RadiusReply>
</configuration>

The attribute names and values ​​can be anything that is supported on your network device. For example, you can use the Fortinet-Group-Name attribute to convey FortiGate groups. The dictionary with all available attributes is located in the file /opt/multifactor/radius/content/radius.dictionary.

To transfer LDAP attributes, one of the following conditions must be met:

  • The source of the first ActiveDirectory factor is specified and the domain name is specified;
  • Active Directory service account parameters are set if the source of the first factor is RADIUS, or the first factor is not checked.

Authentication caching

The adapter can be configured to cache user authentications with a second factor.

In this mode, repeated requests from previously second-factor authenticated users will be accepted without requiring a second factor. The cache is valid for a configurable time interval.

A request is repeated if the parameters of the current request match the parameters of the previous request. Options:

  1. name of the adapter client configuration;
  2. calling-station-id (IP or Remote Host of the user) - cannot be empty;
  3. user login.

The following parameter is used for setting:

<!-- Skip re-authentications without prompting for a second factor for 1 hour 20 minutes 10 seconds (caching is disabled if the setting is removed) -->
<add key="authentication-cache-lifetime" value="01:20:10" />

Failure protection

If the MULTIFACTOR API is unavailable (for any reason), the adapter can work in one of two options:

  1. Skip without second factor (default)
  2. Deny access

The following parameter is used for setting:

<!-- true: allow, false: deny -->
<add key="bypass-second-factor-when-api-unreachable" value="true"/>

Other parameters

Additional parameters for working with Active Directory:

<!-- Disable checking nested groups in Active Directory (query speedup) -->
<add key="load-active-directory-nested-groups" value="false"/>
<!-- Pass the userPrincipalName attribute from Active Directory as the user login -->
<add key="use-upn-as-identity" value="true"/>
<!-- Pass the specified attribute from Active Directory as the user login -->
<add key="use-attribute-as-identity" value="mail"/>

The use-upn-as-identity option has been deprecated and use-attribute-as-identity should be used instead.

Users logging into the system via the Radius adapter can be automatically assigned membership in MULTIFACTOR groups with the following setting:

<add key="sign-up-groups" value="group1;Group name 2"/>

Additional security and privacy settings:

<!-- Response delay in seconds when access is denied: random in the interval between 3 and 6 seconds. (including interval boundaries) -->
<add key="invalid-credential-delay" value="3-6" />
<!-- Disable the adapter from transmitting the full name, email, and IP of users to the MULTIFACTOR server -->
<add key="privacy-mode" value="Full"/>

Setting the MULTIFACTOR API response timeout (minimum timeout 65 seconds):

<add key="multifactor-api-timeout" value="00:01:05"/>

Launch

After setting up the configuration, run the component:

$ sudo systemctl start multifactor-radius

The status can be checked with the command:

$ sudo systemctl status multifactor-radius

Subsequent changes to the service configuration file will require a restart of the service subsystem and service:

$ sudo systemctl daemon-reload
$ sudo systemctl restart multifactor-radius

Magazines

Component operation logs are recorded in syslog and saved in text files in the /opt/multifactor/radius/logs directory. If the directory is empty or does not exist, you need to make sure that the user under whom the service is running has permission to write to this directory.

To view the contents of syslog you can use the command:

$ sudo less /var/log/syslog

To view the multifactor-radius service logs, use the command:

$ sudo journalctl -fu multifactor-radius

Log Templates

To configure the logging template, use the following settings in the root configuration file multifactor-radius-adapter.dll.config:

<!-- 
  Examples of templates:
  1) [{Timestamp:HH:mm:ss} {Level:u3}] ext_ip={CallingStationId} {Message:lj}{NewLine}{Exception}
  2) [{Timestamp:HH:mm:ss} {Level:u3}] {CorrelationId} {Message:lj}{NewLine}{Exception}
  3) {Timestamp:yyyy-MM-dd HH:mm:ss.fff zzz} [{Level:u3}] {CorrelationId}{Message:lj}{NewLine}{Exception}
-->

<!-- Template for writing logs to a text file -->
<!-- <add key="file-log-output-template" value=""/> -->
<!-- Console logging template -->
<!-- <add key="console-log-output-template" value=""/> -->

More about templates: https://github.com/serilog/serilog/wiki/Formatting-Output.

Correlation ID

The correlation identifier {CorrelationId} is used to track events throughout the user authentication chain.

The identifier value is transmitted in the format "ConfigName-N", where

  • "ConfigName" - configuration name of the client that connected
  • "N" is a counter that is reset every day at 00:00.

Remote client address

To record the hostname or IP of a remote user, use the {CallingStationId} template.

The parameter value is sequentially checked in the following RADIUS attributes until the first non-empty one:

  • Calling-Station-Id;
  • MS-Client-Machine-Account-Name;
  • MS-RAS-Client-Name.

Cluster configuration

When placing a component in a cluster configuration, follow the Active/Passive scheme or choose an option in which a repeated request from the client will be processed by the same server.

For the best experience with nginx or HAProxy, also specify the header proxy_protocol in the proxy server settings .

Additional information about Active Directory

  • To work with Active Directory, simple user password authentication is used. We strongly recommend using the LDAPS scheme to encrypt traffic between the adapter and the domain (a certificate, including a self-signed one, must be installed on the AD server).

Removing a component

Uninstalling .NET Core

To view a list of .NET Core SDK versions and runtimes installed on your machine, use the command:

dotnet --info

Next, run the commands:

$ sudo yum remove aspnetcore-runtime-6.0

Removing the adapter

Stop the multifactor-radius service, remove it from autostart and delete the unit configuration file:

$ sudo systemctl stop multifactor-radius
$ sudo systemctl disable multifactor-radius
$ sudo rm /etc/systemd/system/multifactor-radius.service

Reload systemd settings, scanning the system for modified units:

$ sudo systemctl daemon-reload

Remove the adapter and system user mfa files:

$ sudo rm -rf /opt/multifactor/radius/
$ sudo userdel -r mfa

Questions and answers

Q: Where is the service account registered to connect to Active Directory?

A: If the first factor check is performed in Active Directory, the service account is not used. The adapter connects to AD on behalf of the user who is requesting authentication.

In other cases, see [Setting up a service account](https://multifactor.kz/docs/radius-adapter/linux#%D0%BD%D0%B0%D1%81%D1%82%D1%80% D0%BE%D0%B9%D0%BA%D0%B0-%D1%81%D0%B5%D1%80%D0%B2%D0%B8%D1%81%D0%BD%D0%BE%D0 %B9-%D1%83%D1%87%D1%91%D1%82%D0%BD%D0%BE%D0%B9-%D0%B7%D0%B0%D0%BF%D0%B8%D1 %81%D0%B8).

Q: Can I specify multiple AD groups for access control and conditional inclusion of the second factor?

O: Yes, list them separated by semicolons.

Q: How can I speed up checking groups in Active Directory?

A: By default, the adapter also checks nested groups, that is, the user can be a member of a group or be a member of a group that is a member of the group that the adapter checks. If the request takes more than 100 milliseconds, you can disable nesting checking with the following setting:

<add key="load-active-directory-nested-groups" value="false"/>

Q: How do I specify multiple domains or DC hosts?

O: List them separated by semicolons.

Q: Can the adapter work in Radius proxy mode?

O: Yes, when connected to an external Radius server, the adapter works as a proxy: it transmits traffic between the network device and the external server without changes.

Q: How can I specify multiple IPs for client identification?

O: You can list addresses separated by semicolons, you can specify a range, you can combine them, for example:

<add key="radius-client-ip" value="192.168.0.1-192.168.0.5; 192.168.0.10"/>

or so

<add key="radius-client-ip" value="10.0.0.0/24"/>
Last updated on