RADIUS can be pretty confusing. The most common RADIUS scenario that we see is an administrator setting up multi-factor authentication for VPN appliances. VPNs alone have a LOT of configuration settings. All these settings and combinations of settings can make it difficult to test just the basic functionality of RADIUS, let alone RADIUS with a multi-factor authentication session on top.
In the following tests, we can see that RADIUS really is a pretty simple integration. The steps below are a good jumping-off point for making sure RADIUS is working without getting involved with the complexity of a VPN setup (or breaking a working VPN by accident...). Let’s get started.
The basic premise of our setup is:
- Centrify Connector(s) will serve as a RADIUS server.
- A 3rd party RADIUS client will be configured to use the Centrify RADIUS server.
For this configuration, I’m using a freeware RADIUS test client:
Download and install this on a Windows machine. Make a note of the IP address for the Windows machine you installed this on.
Now sign into the Centrify Admin Portal. Navigate to Settings -> Authentication -> RADIUS Connections.
Since Centrify is going to serve as the RADIUS server, we’ll configure a client connection. In the ‘Clients’ tab, click Add.
Fill in the:
- Client Hostname or IP Address: the IP address of the Windows machine you noted earlier.
- Client Secret: this we make up. Remember what you type here, as we’ll use it later. Think of it as a password.
That’s it. Click Save.
Ok, now we need to configure the connector(s) to use with RADIUS.
Go to: Settings -> Network
Click the connector(s) you want to use, go to RADIUS, check the box for Enable incoming RADIUS connections, and Save. Also, make a note of the IP addresses for these connector(s); we’ll need them later.
Now, let’s set a SIMPLE Authentication profile to test with before we get fancy with MFA.
Click: Settings -> Authentication
Click Add Profile to make a new Authentication Profile that we’ll use for our Client.
Give your profile a name, then check Password in Challenge 1, then select No Pass-Through for Challenge Pass-Through Duration. Click OK.
Now we need to allow users to actually USE this connection and Authentication Profile. We set this in Policies. Click: Core Services -> Policies
Here, we can either create a new Policy or use an existing one (whichever is appropriate based on your needs). The main consideration here is whether you want ALL users to use this connection or just SOME. For this test, let’s just create a new policy and let anyone use it.
Click Add Policy Set
Give your Policy Set a name. (RADIUS Client X for my example)
Then, navigate to User Security Policies -> RADIUS
Select YES for Allow RADIUS client connections, check the box for Require authentication challenge, and pick the Authentication Profile that we created earlier. Click Save.
Now, we need to configure our RADIUS Client. Open RADIUS test client on your Windows machine.
Click RADIUS servers (Add)
Type in the IP address of the Centrify Connector that you enabled RADIUS on in a previous step. Also, type in the shared secret that we set earlier. Leave the rest as defaults. NOTE: We’ll need to modify the Timeout later when we introduce MFA.
Now, let’s test!
Click on the Radlogin tab.
Pick the Server IP we just configured for RADIUS Server. Then type in an AD username and password. (NOTE: this user MUST be in a Role that gets the RADIUS Policy we configured earlier in the Centrify Portal.)
Our test worked!
Now that THIS test worked, let’s add some complexity. Let’s add SMS as a required second factor.
Go back into the Centrify Portal and modify the Authentication Profile (Settings -> Authentication). Edit the Authentication Profile we made earlier and add Text Message for Challenge 2.
We’ll also need to make sure this user has a mobile number registered. Go to Core Services -> Users and search for your test user to make sure this field is populated. If not, add it to their AD profile, then click Actions -> Reload to update it. Once you see a number there, we can continue.
Back on your RADIUS client, click the Radlogin tab again. Set it up like we did earlier and then click Continue.
This time, you should get a text message on the user’s phone. Tap the link and then tap Approve.
Back on our RADIUS test client: Wait…. Uh-oh…
This time, we got a response of Timeout!?! What happened?
Well, remember earlier, we used default settings for our RADIUS client. The timeout was set to 3 seconds. Now that we’re using MFA, it’s going to be really hard to complete the extra challenge that fast.
Note that this will likely happen on your VPN appliance, too, when you enable MFA. Be sure to find out how to modify these settings on your VPN appliance before you get too far into that setup.
To resolve this in our test environment, click RADIUS servers in your RADIUS test client. Click on the IP address (Hostname). Modify the Timeout (secs) to 90 and click Continue.
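To see what the client is actually waiting on during that timeout, here is an added Python model of the two-round exchange (not code from the original post or from Centrify): the first Access-Request is answered with an Access-Challenge for the SMS step, the client echoes the server's State in a second Access-Request, and only then does the Access-Accept arrive, so the client must hold the request open for the whole MFA round. It also shows why the shared secret matters: it hides the password per RFC 2865 and lets the client verify that each reply really came from the connector (a mismatched secret fails that check). Usernames, passwords and the State value are constructed sample data.

```python
import hashlib
import os
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11
USER_NAME, USER_PASSWORD, STATE = 1, 2, 24

def attr(attr_type, value):
    # Attribute TLV: Type(1) Length(1, header included) Value.
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def hide_password(password, secret, request_auth):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block),
    # seeded by the Request Authenticator. Only the shared secret protects the password.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def access_request(ident, secret, user, password, state=None):
    request_auth = os.urandom(16)  # 16 random bytes; also seeds the password hiding
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    if state is not None:
        attrs += attr(STATE, state)  # second round echoes the server's State
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def response(code, request, secret, attrs=b""):
    # Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret).
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(resp, request, secret):
    # Recompute the authenticator; a mismatch means a wrong secret or a forged reply.
    expected = hashlib.md5(resp[:4] + request[4:20] + resp[20:] + secret).digest()
    return resp[1] == request[1] and resp[4:20] == expected

def mfa_exchange(secret, user, password, server_secret=None):
    # Password round -> Access-Challenge (SMS step) -> State echoed -> Access-Accept.
    server_secret = server_secret or secret  # a mismatched connector secret breaks verification
    req1 = access_request(7, secret, user, password)
    challenge = response(ACCESS_CHALLENGE, req1, server_secret, attr(STATE, b"sms-session-42"))
    if not verify_response(challenge, req1, secret):
        return "authenticator mismatch"
    req2 = access_request(8, secret, user, password, state=b"sms-session-42")
    accept = response(ACCESS_ACCEPT, req2, server_secret)
    return "accept" if verify_response(accept, req2, secret) else "authenticator mismatch"
```

The same two-round shape is what a VPN appliance goes through, so its RADIUS timeout has to cover the time a user needs to tap Approve, not just one network round trip.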
Click Radlogin and run the test again. After tapping Approve on the phone, go back to the RADIUS test client.
Now that we know RADIUS with MFA will work in our environment, we can test further by trying to configure our VPN appliance or whatever other RADIUS client you want to use.
Hope this helps!! Good Luck out there!!