[HOW TO] Setup a simple RADIUS test where Centrify is the RADIUS Server

By Centrify on ‎05-22-2018 11:03 AM

RADIUS can be pretty confusing. The most common RADIUS scenario that we see is an administrator setting up multi-factor authentication for VPN appliances. VPNs alone have a LOT of configuration settings. All these settings and combinations of settings can make it difficult to test just the basic functionality of RADIUS (let alone RADIUS with a multi-factor authentication session).

In the following tests, we can see that RADIUS really is a pretty simple integration. The steps below are a good jumping-off point for making sure RADIUS is working without getting involved in the complexity of a VPN setup (or breaking a working VPN by accident...). Let’s get started.

The basic premise of our setup is:

  1. Centrify Connector(s) will serve as a RADIUS server.
  2. A 3rd party RADIUS client will be configured to use the Centrify RADIUS server.

For this configuration, I’m using a freeware RADIUS test client:

https://www.iea-software.com/products/radiusnt/radlogin4.cfm

Download and install this on a Windows machine.  Make a note of the IP address for the Windows machine you installed this on.

Now sign into the Centrify Admin Portal. Navigate to Settings -> Authentication -> RADIUS Connections.

Since Centrify is going to serve as the RADIUS server, we’ll configure a client connection.  In the ‘Clients’ tab, click Add.

[Screenshot: 1.png]

Fill in the:

Name:

Client Hostname or IP Address:

Client Secret: (this we will make up. Remember what you type here, as we’ll use it later. Think of it as a password.)

[Screenshot: 3.png]

That’s it.  Click Save.

Ok, now we need to configure the connector(s) to use with RADIUS.

Go to: Settings -> Network

[Screenshot: 4.png]

Click the connector(s) you want to use, and go to RADIUS. Check the box for Enable incoming RADIUS connections, and Save. Also, make a note of the IP addresses for these connector(s); we’ll need them later.

[Screenshot: 5.png]

Now, let’s set a SIMPLE Authentication profile to test with before we get fancy with MFA.

Click: Settings -> Authentication

Click Add Profile to make a new Authentication Profile that we’ll use for our Client.

[Screenshot: 5.1.png]

Give your profile a name, then check Password in Challenge 1, then select No Pass-Through for Challenge Pass-Through Duration.  Click OK.

[Screenshot: 6.png]

Now we need to allow users to actually USE this connection and Authentication Profile. We set this in Policies. Click: Core Services -> Policies

[Screenshot: 7.png]

Here, we can either create a new Policy or use an existing one (whichever is appropriate based on your needs). The main consideration is whether you want ALL users to use this connection or just SOME. For this test, let’s just create a new policy and let anyone use it.

Click Add Policy Set.

Give your Policy Set a name.  (RADIUS Client X for my example)

Then, navigate to User Security Policies -> RADIUS

Select YES for Allow RADIUS client connections, check the box for Require authentication challenge, and pick the Authentication Profile that we created earlier.  Click Save.

[Screenshot: 8.png]

Now, we need to configure our RADIUS client. Open the RADIUS test client on your Windows machine.

[Screenshot: 9.png]

Click RADIUS servers (Add)

Type in the IP address of the Centrify Connector that you enabled RADIUS on in a previous step. Also, type the Shared secret that we set earlier. Leave the rest as defaults. NOTE: We’ll need to modify the Timeout later when we introduce MFA.

[Screenshot: 10.png]

Now, let’s test!

Click on the Radlogin tab.

Pick the Server IP we just configured for RADIUS Server. Then type in an AD username and password. (NOTE: this user MUST be in a Role that gets the RADIUS Policy we configured earlier in the Centrify Portal.)

[Screenshot: 11.png]

Click Continue.

Our test worked!

[Screenshot: 12.png]

Now that THIS test worked, let’s add some complexity.  Let’s add SMS as a required second factor.

Go back into the Centrify Portal and modify the Authentication Profile (Settings -> Authentication).  Edit the Authentication Profile we made earlier and add Text Message for Challenge 2.

We’ll also need to make sure this user has a mobile number registered. Go to Core Services -> Users and search for your test user to make sure this field is populated. If not, add it to their AD profile and click Actions -> Reload to update it. Once you see a number there, we can continue.

[Screenshot: 15.png]

Back on your RADIUS client, click the Radlogin tab again. Set it up like we did earlier and then click Continue.

This time, you should get a text message on the user’s phone.  Tap the link and then tap Approve.

Back on our RADIUS test client:  Wait….  Uh-oh…

[Screenshot: 13.png]

This time, we got a response of Timeout!?!  What happened?

Well, remember that earlier we used the default settings for our RADIUS client, which left the Timeout at 3 seconds. Now that we’re using MFA, it’s going to be really hard to complete the extra challenge that fast.

Note that this will likely happen on your VPN appliance, too, when you enable MFA. Be sure to find out how to modify this setting on your VPN appliance before you get too far into that setup.
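To make the two settings we have been juggling concrete, here is a minimal RFC 2865 RADIUS client in Python. It is an added example, not code from the original post or from the Centrify or IEA-Software tools: it shows that the Client Secret / Shared secret is what hides the password in the Access-Request and what lets the client check the server's reply, and that the socket timeout is exactly what expires while the connector waits for the user to approve the MFA challenge. The server address, user, password and secret used are constructed placeholders.

```python
import hashlib, os, socket, struct
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2   # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def pap_hide(data, secret, authenticator, unhide=False):
    """RFC 2865 s5.2 User-Password hiding: XOR each 16-byte block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    data = data if unhide else data + b"\0" * (-len(data) % 16)   # pad to 16n
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        xored = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += xored
        prev = block if unhide else xored   # the chain always runs on ciphertext
    return out.rstrip(b"\0") if unhide else out

def build_access_request(ident, secret, username, password, authenticator=None):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    auth = authenticator or os.urandom(16)
    hidden = pap_hide(password, secret, auth)
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return head + auth + attrs, auth

def make_response(code, ident, secret, req_auth, attrs=b""):
    """What a server sends back; used here only to simulate one offline.
    Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def response_is_authentic(resp, secret, req_auth):
    """A reply built with a different shared secret (or a forged one) fails here."""
    if len(resp) < 20:
        return False
    length = struct.unpack("!H", resp[2:4])[0]
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:length] + secret).digest()
    return expected == resp[4:20]

def radius_login(server, secret, username, password, timeout_secs=3.0):
    """One PAP Access-Request to UDP/1812. While the server waits for the user to
    approve an MFA challenge, a 3 s timeout (the client default) expires first."""
    pkt, req_auth = build_access_request(1, secret, username, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout_secs)            # raise to e.g. 90 for MFA tests
        s.sendto(pkt, (server, 1812))
        resp, _ = s.recvfrom(4096)            # socket.timeout lands here
    if not response_is_authentic(resp, secret, req_auth):
        raise ValueError("Response Authenticator mismatch: shared secret differs?")
    return resp[0] == ACCESS_ACCEPT
```

Because the secret feeds both the password hiding and the reply check, a long random Client Secret is worth using even in a test setup; a mismatched secret shows up as an authenticator mismatch rather than as a clean reject.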

 

To resolve this in our test environment, click RADIUS servers in your RADIUS test client. Click on the IP address (Hostname). Modify the Timeout (secs) to 90 and click Continue.

[Screenshot: ooopppsss.png]

Click Radlogin and run the test again.  After tapping Approve on the phone, go back to the RADIUS test client.

[Screenshot: 14.png]

Success!!!

Now that we know RADIUS with MFA will work in our environment, we can test further by configuring our VPN appliance or whatever other RADIUS client you want to use.

Hope this helps!!  Good Luck out there!!