RADIUS Authentication

Christopher Dakin

Introduction

LogonBox supports the RADIUS authentication protocol, which can be used for Password Resets, Unlocking Accounts, or even just logging on to the user or admin portals.

This is the method to use for services which utilise either hardware or software tokens, such as RSA's SecurID.

This guide shows how to authenticate against such a third-party RADIUS server.

1. Pre-requisite

You must have your third-party RADIUS server configured and ready to accept authentication requests from your LogonBox service. A major requirement of this is to set up a RADIUS client configuration for your LogonBox IP address and set a shared secret. Refer to your RADIUS server's documentation for how to do this.

Note: LogonBox connects to a User Database and caches user objects so that users can be assigned to various resources. Because users cannot be listed and cached from a RADIUS server, your RADIUS server may itself be connected to a different User Database. LogonBox therefore requires that the usernames in your User Database match the usernames that you will be using to authenticate to RADIUS.

2. Configuring authentication

Log on to your LogonBox realm and click on Authentication in the left-hand navigation menu. Select the User Logon tab if it’s not already selected and click the delete action on the existing Username + Password scheme to remove it.

On the right-hand side, click the “+” icon next to Username + RADIUS to add this to the scheme and click Save at the bottom of the page.

Click the edit icon in the Username + RADIUS module.

Configure the RADIUS server settings:

  • Select the required Protocol (PAP is default on SecurID for example).
  • Enter the IP address or hostname of your RADIUS Server.
  • Enter the RADIUS Port. Commonly used ports are either 1812 or 1645.
  • Enter the Shared Secret to match the shared secret as configured for this client in your RADIUS server.
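Why the Shared Secret must match the client entry on the RADIUS server when PAP is selected, shown as an added example (not LogonBox code): RFC 2865 hides the password with an MD5 keystream derived from the secret, and the server's reply is authenticated with the same secret. The user name, password, secrets and authenticator below are constructed sample values.

```python
import hashlib
import hmac
import struct

def _xor_blocks(data, secret, request_auth, decrypt):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous cipher block)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += mixed
        prev = block if decrypt else mixed  # chaining always uses the hidden block
    return out

def hide_password(password, secret, request_auth):
    blocks = max(1, -(-len(password) // 16))  # pad with NULs to a multiple of 16
    return _xor_blocks(password.ljust(blocks * 16, b"\x00"), secret, request_auth, False)

def unhide_password(hidden, secret, request_auth):
    """What the RADIUS server does with its own copy of the secret."""
    return _xor_blocks(hidden, secret, request_auth, True).rstrip(b"\x00")

def _attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(ident, username, password, secret, request_auth):
    # Code 1 = Access-Request, attribute 1 = User-Name, attribute 2 = User-Password
    attrs = _attr(1, username) + _attr(2, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs

def build_reply(code, ident, attrs, secret, request_auth):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def reply_is_authentic(reply, secret, request_auth):
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

# Constructed sample values; a real client uses 16 unpredictable random bytes per request.
SECRET, WRONG_SECRET = b"example-shared-secret", b"mistyped-shared-secret"
REQ_AUTH = bytes(range(16))
PASSWORD = b"correct horse battery"

if __name__ == "__main__":
    request = build_access_request(7, b"alice", PASSWORD, SECRET, REQ_AUTH)
    hidden = request[29:]  # 20-byte header + 7-byte User-Name + 2-byte attribute header
    print("server, matching secret:", unhide_password(hidden, SECRET, REQ_AUTH))
    print("server, wrong secret:   ", unhide_password(hidden, WRONG_SECRET, REQ_AUTH))
    accept = build_reply(2, 7, b"", SECRET, REQ_AUTH)  # Code 2 = Access-Accept
    print("reply verifies:", reply_is_authentic(accept, SECRET, REQ_AUTH))
```

With a mismatched secret the server recovers a garbled password and rejects a correct credential, which is why a wrong Shared Secret looks the same to the user as a wrong password.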

 

Optionally click on the Advanced tab to configure other available options:

  • Debug (default OFF): Used to help with support issues; when enabled, the RADIUS authentication messages are written to the logs.
  • Timeout: The time in seconds to wait for the RADIUS server to reply before timing out the authentication attempt.
  • Retries: If the above timeout triggers, how many times to attempt authentication to the same server before failing.
  • Maximum Packet: The maximum size of a RADIUS packet (recommended to leave at the default 4096).
  • Failover Hosts: Add in any other RADIUS servers you have that can act as a failover. If LogonBox hits the maximum number of retries above, it will start over again using the first failover and continue through the list of servers until either all fail or there is a successful authentication.

Click Apply when you have entered all the required configuration.

Your LogonBox is now configured to authenticate to RADIUS.

3. Testing

In the example above, we have configured RADIUS for the User Logon authentication scheme, so this can be tested by clicking on My Account from the main LogonBox page.

Enter your RADIUS username and password and click Next.

LogonBox fully supports the RADIUS protocol's Access-Challenge requests, so if you have a service which prompts you for further information (such as SecurID when setting an initial PIN), you may be prompted for other details.

After all challenges have been processed, the RADIUS server should grant access and you will be logged on to LogonBox.