Radius Server for Linux

MultiFactor Radius Adapter is a software component, RADIUS server for Linux.

The component is distributed under an open-source license and is available free of charge. The current version can be found in our GitHub repository: code and build.

Please note the licence. It does not entitle you to modify the source code of the Component or create derivative products based on it. The source code is provided for evaluation purposes.

Requirements for component installation

The component is installed on a Linux server, tested on CentOS, Ubuntu, Debian, Astra Linux;
Minimum server requirements: 1 CPU, 2 GB RAM, 8 GB HDD (to run the OS and adapter for 100 simultaneous connections — approximately 1500 users);
Port 1812 (UDP) must be open on the server to receive requests from Radius clients;
The server with the component installed needs access to api.multifactor.ru via TCP port 443 (TLS) directly or via HTTP proxy;
To communicate with Active Directory, the component needs access to the domain server via TCP port 389 (LDAP scheme) or 636 (LDAPS scheme);
To communicate with the Network Policy Server, the component needs access to NPS via UDP port 1812.

Installation

Dependencies Installation

The component uses the ASP.NET Core runtime environment version 3.1, which is free, open-source, developed by Microsoft and the open-source community. The runtime environment does not impose any restrictions on its use.

To install, run the commands:

CentOS 7

CentOS 8

Ubuntu 18.04

Debian 10

Astra Linux Orel

$ sudo rpm -Uvh https://packages.microsoft.com/config/centos/7/packages-microsoft-prod.rpm
$ sudo yum install aspnetcore-runtime-3.1

https://docs.microsoft.com/ru-ru/dotnet/core/install/linux-centos

$ sudo dnf install aspnetcore-runtime-3.1

https://docs.microsoft.com/ru-ru/dotnet/core/install/linux-centos

$ wget https://packages.microsoft.com/config/ubuntu/18.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
$ sudo dpkg -i packages-microsoft-prod.deb

$ sudo apt-get update; \
  sudo apt-get install -y apt-transport-https && \
  sudo apt-get update && \
  sudo apt-get install -y aspnetcore-runtime-3.1

https://docs.microsoft.com/ru-ru/dotnet/core/install/linux-ubuntu

$ wget https://packages.microsoft.com/config/debian/10/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
$ sudo dpkg -i packages-microsoft-prod.deb

$ sudo apt-get update; \
  sudo apt-get install -y apt-transport-https && \
  sudo apt-get update && \
  sudo apt-get install -y aspnetcore-runtime-3.1

https://docs.microsoft.com/ru-ru/dotnet/core/install/linux-debian

$ sudo apt install ca-certificates

$ wget -qO- https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.asc.gpg
$ sudo mv microsoft.asc.gpg /etc/apt/trusted.gpg.d/
$ wget -q https://packages.microsoft.com/config/debian/9/prod.list
$ sudo mv prod.list /etc/apt/sources.list.d/microsoft-prod.list
$ sudo chown root:root /etc/apt/trusted.gpg.d/microsoft.asc.gpg
$ sudo chown root:root /etc/apt/sources.list.d/microsoft-prod.list

$ echo deb https://download.astralinux.ru/astra/current/orel/repository/ orel non-free main contrib | sudo tee -a /etc/apt/sources.list

$ sudo apt update
$ sudo apt install dotnet-sdk-3.1

https://wiki.astralinux.ru/pages/viewpage.action?pageId=41192241

Install the component

Create a folder, download and unzip the current version of the component from GitHub:

$ sudo mkdir /opt/multifactor /opt/multifactor/radius /opt/multifactor/radius/logs
$ VER=1.0.16
$ sudo wget https://github.com/MultifactorLab/multifactor-radius-adapter/releases/download/${VER}/release_linux_x64.zip
$ sudo unzip release_linux_x64.zip -d /opt/multifactor/radius

Create a system user mfa and give it rights to the application:

$ sudo useradd -r mfa
$ sudo chown -R mfa: /opt/multifactor/radius/
$ sudo chmod -R 700 /opt/multifactor/radius/

Create a service

$ sudo vi /etc/systemd/system/multifactor-radius.service

[Unit]
Description=Multifactor Radius Adapter

[Service]
WorkingDirectory=/opt/multifactor/radius/
ExecStart=/usr/bin/dotnet /opt/multifactor/radius/multifactor-radius-adapter.dll
Restart=always
# Restart service after 10 seconds if the service crashes:
RestartSec=10
KillSignal=SIGINT
SyslogIdentifier=multifactor-radius
User=mfa
Environment=ASPNETCORE_ENVIRONMENT=Production
Environment=DOTNET_PRINT_TELEMETRY_MESSAGE=false
 
# How many seconds to wait for the app to shut down after it receives the initial interrupt signal. 
# If the app doesn't shut down in this period, SIGKILL is issued to terminate the app. 
# The default timeout for most distributions is 90 seconds.
TimeoutStopSec=30

[Install]
WantedBy=multi-user.target

Enable autorun:

$ sudo systemctl enable multifactor-radius

Configuration

The component's parameters are stored in /opt/multifactor/radius/multifactor-radius-adapter.dll.config in XML format.

General Parameters

<!-- The address and port (UDP) on which the adapter will receive authentication requests from clients -->
<!-- If you specify 0.0.0.0, then the adapter will listen on all network interfaces -->
<add key="adapter-server-endpoint" value="0.0.0.0:1812"/>

<!-- Shared secret to authenticate RADIUS clients -->
<add key="radius-shared-secret" value=""/>

<!-- How to check the first factor: Active Directory, RADIUS or None (do not check) -->
<add key="first-factor-authentication-source" value="ActiveDirectory"/>

<!-- Multifactor API address -->
<add key="multifactor-api-url" value="https://api.multifactor.ru"/>
<!-- NAS-Identifier parameter to connect to the Multifactor API (found in user profile) -->
<add key="multifactor-nas-identifier" value=""/>
<!-- Shared Secret parameter to connect to the Multifactor API (found in user profile) -->
<add key="multifactor-shared-secret" value=""/>

<!-- Use this option to access the Multifactor API via HTTP proxy (optional)-->
<!--add key="multifactor-api-proxy" value="http://proxy:3128"/-->

<!-- Logging level: 'Debug', 'Info', 'Warn', 'Error' -->
<add key="logging-level" value="Debug"/>

Active Directory Connection Parameters

To check the first factor in the Active Directory domain, the following parameters apply:

<!--Domain-->
<add key="active-directory-domain" value="ldaps://10.0.0.4"/>

<!--Give access to users from specified group only (not checked if setting is removed)-->
<add key="active-directory-group" value="VPN Users"/>
<!--Require the second factor for users from a specified group only (second factor is required for users if the setting is removed)-->
<add key="active-directory-2fa-group" value="2FA Users"/>
<!--Use your users' phone numbers listed in Active Directory to send one-time SMS codes (not used if settings are removed)-->
<!--add key="use-active-directory-user-phone" value="true"/-->
<!--add key="use-active-directory-mobile-user-phone" value="true"/-->

When the use-active-directory-user-phone option is enabled, the component will use the phone recorded in the General tab. The format of the phone can be anything.

When the use-active-directory-mobile-user-phone option is enabled, the component will use the phone recorded in the Telephones tab in the Mobile field. The format of the phone can also be any format.

External RADIUS Server Connection

To check the first factor in RADIUS, for example in Network Policy Server, the following parameters are applicable:

<!--Address (UDP) from which the adapter will connect to the server -->
<add key="adapter-client-endpoint" value="192.168.0.1"/>
<!--Server address and port (UDP) -->
<add key="nps-server-endpoint" value="192.168.0.10:1812"/>

Optional RADIUS attributes

You can specify attributes the component will pass further upon successful authentication, including verification that the user is a member of a security group.

<RadiusReply>
    <Attributes>
        <!--This is an example, any attributes can be used-->
        <add name="Class" value="Super" />
        <add name="Fortinet-Group-Name" value="Users" when="UserGroup=VPN Users"/>
        <add name="Fortinet-Group-Name" value="Admins" when="UserGroup=VPN Admins"/>
    </Attributes>
</RadiusReply>

Start-Up

After configuring the configuration, run the component:

$ sudo systemctl start multifactor-radius

You can check the status with the command:

$ sudo systemctl status multifactor-radius

Logs

The logs of the component are located in the /opt/multifactor/radius/logs folder as well as in the system log.

Further information about Active Directory

The Linux version of the adapter for now does not know how to handle multiple domains with trust between them.
A simple user password authentication is used to work with Active Directory. We strongly recommend using the LDAPS scheme to encrypt traffic between the adapter and

Multifactor

HTTP API

RADIUS Adapter