GreenRADIUS Quick Start Guide

Transcription

1 GreenRADIUS Quick Start Guide Introduction GreenRADIUS is an easy to use RADIUS two factor authentication server from Green Rocket Security. GreenRADIUS is based on the popular YubiRADIUS but rebuilt from the ground up. We have added additional important features and hardened the VA to ensure that the GreenRADIUS is secure against current threats. What is New in GreenRADIUS Some of the most important updates include the following: Updated OS Ubuntu LTS Hardened at delivery Two-factor authentication for administrators In addition to naturally supporting big name Access/VPN vendors we added support for NetMotion popular Mobile VPN for mobile users that need simplicity while on the road Patched SSL for fixing the Heartbleed issue Included the latest Yubico sync protocols Simplified process for re-sync of multiple servers Table of Contents Introduction Page 1 What is new in GreenRADIUS 1 Quick Setup Guide 2 - Deployment Planning 2 - Overview of Typical Deployment 4 - Setup Step-by-Step 4 - Initial Testing 8 - Adding Users 9 - Assigning Security Tokens to Users 9 - Enable Auto-Provisioning 10 - Configuring a RADIUS Client 10 1 as of October 2014

2 Quick Setup Guide The purpose of this quick-start guide is to provide quick step-by-step instructions for administrators deploying GreenRADIUS for the first time. The document focuses on creating a working instance of GreenRADIUS that integrates with your Microsoft Active Directory instance for authentication of the first factor (password), uses YubiCloud online validation service for validation of YubiKey OTPs and integrated with your Remote Access Gateway (RAG) to serve RADIUS authentication requests for easy and quick implementation of Two- Factor-Authentication (TFA) for Remote Access Users. For using more advanced features of GreenRADIUS, please refer to the GreenRADIUS Admin Guide. Deployment Planning In this section we cover the list of items you need to have, and details to know and prepare in order to successfully implement TFA using YubiKeys and GreenRADIUS in your environment. a. Download GreenRADIUS Virtual Appliance Visit to download a fully enabled evaluation version (which you can convert at a later stage to a production version with an activation code. b. GreenRADIUS Virtual Appliance is packaged as an.ova file (Open Virtualization format). Deploy the GreenRADIUS Virtual Appliance in a VMWare or (free) Oracle VirtualBox platform c. GreenRADIUS Virtual Appliance is shipped with a default setting for acquiring an IP address using DHCP protocol. However, it is recommended to assign a static IP address to the GreenRADIUS Server instance for production use. Allocate a free static IP address in your network for assigning to your GreenRADIUS Server instance and note down the subnet mask, default gateway and DNS settings for your network where GreenRADIUS will be deployed. d. GreenRADIUS Virtual Appliance is shipped with a default hostname of greenradius. It is recommended to change it to a hostname of your choice and to configure correct DNS entry so the GreenRADIUS Server instance can be reached using its hostname. It is not an absolute requirement to change the hostname. If you are planning only for one server greenradius makes it easy to identify. e. Please have the following details about your Active Directory instance handy as they will be required during the configuration steps to follow i. Active Directory hostname (or IP address) ii. Active Directory Domain Name iii. Login name for AD administrative account (required for importing AD users into your GreenRADIUS Server instance) iv. Password for the above AD administrative account f. A set of YubiKeys (at least one for each remote access user) For quick deployment we will in this guide use YubiCloud online OTP validation service for validating YubiKey OTPs. YubiKeys are factory programmed to work out-of-the-box with YubiCloud online OTP validation service. 2 as of October 2014

3 Note: If you don t already have YubiKeys you can order them from Green Rocket Security or from Yubico. If you want the key to validate locally on the server, then order YubiKeys from Green Rocket Security which will send the keys with corresponding import file for local validation directly on the GreenRADIUS VA. g. During the setup process, you will require login credentials and access information to your Remote Access Gateway (RAGW) configuration. Please note down the IP address of the interface of the RAGW from where RADIUS requests will be sent to the GreenRADIUS Server. Also, it may be helpful to keep corresponding configuration guide handy. 3 as of October 2014

4 Overview of Typical Deployment The following diagram gives an overview of a typical VPN deployment. The Remote Access Gateway is configured to use RADIUS authentication and to use the GreenRADIUS Server instance as the RADIUS Server to authenticate remote access users. The GreenRADIUS Server is configured to interface with Active Directory or LDAP (which are most widely used User Directory in production networks) for the first factor of authentication (i.e. username and password) and interface with YubiCloud online OTP validation service to validate YubiKey OTP. Finally, GreenRADIUS itself checks the Username to YubiKey ID binding to verify the OTP has come from one of the YubiKeys assigned to the User. Setup Step-by-Step The following section takes you through the actual setup of GreenRADIUS step by step. If you need additional instructions please review the manual found on the GreenRADIUS website or contact us support@greenrocketsecurity.com Load the VA in your Virtual Environment Start the VA and login to get the process started. 4 as of October 2014

5 1. Accessing the Web Console a. The GreenRADIUS Virtual Appliance comes with default configuration to acquire an IP address using the DHCP protocol. It is highly recommended to assign a static IP address to the GreenRADIUS Virtual Appliance as part of the initial configuration. b. The Console of the Virtual Appliance displays the IP address it has acquired using DHCP and the URL to access the GreenRADIUS web-console c. Insert IP address or host name in the browser, and login to GreenRADIUS using username "root" and default password "GreenRocket!23" (without quotes). 2. Network Settings a. Open the Networking settings in webmin console as shown in the following diagram : b. Click on the link Network Configuration for configuring the Static IP settings for the VM. 5 as of October 2014

6 c. In the next window, click on the link Hostname and DNS client as show below: d. In the DNS client options, settings fill in the details for hostname and set DNS servers as required for your network. e. Click Save for saving the settings and click on the return link to come back to the previous settings page. f. Now, click on the Network Interfaces link as shown below. g. Next, in the opened window, click on the link eth0 as shown below: h. Set the static IP address and the other related fields in the network configuration page. Important: Note down the entered IP address because after saving these settings, webmin and other service will be accessible only through the new specified IP address. See the image below: 6 as of October 2014

7 i. After following the above steps, restart the virtual machine (VA) and access webmin on the new specified Static IP address (in the above steps) as hostname or IP address in the browser. 3. Insert the domain name (normally same as your AD domain name) in the test box show in front of the "Add Domain" button and click on "Add Domain" button this will generate the domain for your users. 4. To import the users click on "Domain Name" >> click on the "Users Import" tab. 5. You can importing the users from Active Directory or OpenLDAP. To import users, there are two modes you can use, "normal mode" and advanced "mode" a. For normal mode your Active Directory or OpenLDAP domain name should be same as you have created in the GreenRADIUS. i. Select the "Directory Type" whether it is active directory or Open LDAP. ii. Enter "LDAP/AD Server Address or Host Name". iii. Admin User. iv. Password. v. Click on "Save" and then "Import Users" b. For Advanced mode click on the "Advanced" button. i. Select "Yes" or "No" for "Use Secure Connection?" ii. Select "Directory Type" as "Active Directory" or "OpenLDAP". iii. Enter the "LDAP/AD Server IP Address" or "Host Name". iv. "Backup LDAP/AD Server IP Address" or "Host Name" ("optional" for user authentication only) using this option if you want you can give the backup LDAP/AD server for authentication. 7 as of October 2014

8 6. "Port (use 0 or blank to use the default port)" using this option you can provide a specific port number, if you have configured your AD/LDAP for a non-default port. If not (empty), the default port number will be used. 7. "LDAP Version" using this option you can specify the LDAP version. (normally 3 ) 8. "Base DN" Enter the LDAP/AD "base_dn" name (e.g. DC=example,DC=com). 9. "User DN" Enter the LDAP/AD admin "user_dn" (e.g. DN=importadmin). 10. "Password" Enter the LDAP/AD admin/importadmin user "password". 11. "Schedule" Select the frequency of (automatic) scheduled imports from AD "Hourly", "Daily", "Weekly" schedule to import users. 12. "Filter" for narrow down what users to import (Group/OU). If you want all users, enter filter as "(objectclass=person)" 13. "Login Name Identifier" For Active Directory this should be entered as "samaccountname" or "cn" and for "OpenLDAP" enter "uid". 14. Click on "Save" and then select "Import Users". For initial testing please follow the steps below: In the FreeRADIUS instance of GreenRADIUS, we need to configure the IP address of the OpenLDAP server to be used for user authentication. As you may know, an OpenLDAP instance is already available and is pre-configured in the GreenRADIUS VA. Please use this OpenLDAP instance for the first test and then you can carry on with your AD/LDAP configuration. 1) Create a new domain: From the GreenRADIUS left menu, go to "Domain" Tab >> enter domain name "test.com" and click on "Add Domain" button 2) Import users from OpenLDAP: Click on the "test.com" (the newly created domain) >>click on "User Import" tab >> click on "Advanced" button 3) Please put the following details for the configuration for Advanced mode please click on the "Advanced" button: Use Secure Connection? => No Directory Type => OpenLDAP LDAP/AD Server Address or Host Name => <<enter the Local VA IP address>> Backup LDAP/AD Server Address or Host Name ==> optional or same as above Port (use 0 or blank to use the default port) ==> 389 LDAP Version ==> 3 Base DN ==> dc=example,dc=com User DN ==> cn=admin,dc=example,dc=com Password ==> GreenRocket (the admin/import user s Admin password) 8 as of October 2014

9 Schedule ==> None (leave empty for manual import) Filter ==> (objectclass=person) Login Name Identifier ==> uid Importing Users Next step is to import users from AD/LDAP. Click on "Import Users". 5. After importing the system will show you some messages regarding if the import was successful or not. If import is successful click on the "Return to previous page" >> "Users/Groups". 6. This will show you all users that was imported. To assign YubiKey to users there are two ways. Determine whether your YubiKey is configured to use the online YubiKey validation server (YubiCloud) or to use the local built in validation server. a. If it is validated by YubiCloud then configure GreenRADIUS to online validation server using steps below. 1) Click on the link "GreenRADIUS Virtual Appliance" on the left hand side of the screen. 2) Go to "Global Configuration" tab >> click on "Validation Server" >> select "YubiCloud - Online Validation Service" and fill in the information as shown below 1. Client ID: "4233" (without quotation) 2. API Key: "H9xX7BeTIbhYK3xCb/PSEeRVNvY=" (without quotation marks) 3. Confirm API Key: "H9xX7BeTIbhYK3xCb/PSEeRVNvY=" (without quotation..) 4. Click on "save". b. If it is validated with local validation server then configure GreenRADIUS with local validation server using the steps below. 1) Click on the link "GreenRADIUS Virtual Appliance" on the left hand side of the screen. 2) Go to "Global Configuration" tab >> click on "Validation Server" >> select "Local validation Server on GreenRADIUS Virtual Appliance" and fill information as shown below. 3) Click on "Generate" button this will generate "API Key" 4) Click on "save". Assigning Security Tokens to Users 7. To manually assign the YubiKey to User, Click on the link "GreenRADIUS Virtual Appliance" on the left hand side of the screen. 8. Go to domain by selecting the domain. 9. Click on the link "Assign a new YubiKey". 10. Give the login name of the user and OTP from the YubiKey. 11. In case of "Local Validation Server" you have first import YubiKeys. Please refer section of "GreenRADIUS configuration guide" available at For testing whether YubiKey is assigned to the user or not we need to use Radtest. Follow the steps below. a. Click on the link "GreenRADIUS Virtual Appliance" on the left hand side of the screen. b. The Client secret is "test" by default. c. Go to "Troubleshoot" tab and enter the username. (If there is only a single domain in your GreenRADIUS instance, you can choose to enter just the username alone (e.g. 9 as of October 2014

10 user1 ) but if you have more than one domain you have to provide a username along with domain name for e.g. user1@domain_name.com.) d. Then enter the LDAP/AD password in the "Password" field. e. YubiKey OTP in the "YubiKey OTP" or "Temporary Token" in the OTP field. f. Click on the "Send Request" 13. If the authentication was successful you will get a "Successful" message on the screen but if the authentication was unsuccessful you will get a "Failure" message (with the reason for the failure) on the screen. Enable Auto-Provisioning Auto-provisioning provides automatic YubiKey assignment to the users. When Auto-provisioning is enabled, the administrator can distribute YubiKeys to end users without any additional work. With Auto Provisioning enabled the end users will be authenticated based on their username + password and a valid OTP on the first login attempt after receiving their YubiKey. After their successful authentication, the corresponding YubiKey ID will be automatically associated with the username (i.e. automatic user name to YubiKey binding). This method greatly simplifies the initial rollout process for administrators and end users. Auto-provisioning configuration is available at the Global configuration level under General Configuration tab of GreenRADIUS web-console >> General option and also under Configuration tab of your domain configuration. It is important to note that the global configuration for Auto-provisioning overrides the domain level configuration for Auto-provisioning. This means that auto-provisioning must be globally enabled in order to be able to enable it for a single domain. If global auto-provisioning is turned off then in is not possible to enable it at the domain level). Configuring a Radius Client VPN and/or access GWs normally have RADIUS support. Please correspond your device manual for setting up RADIUS. The following steps are normally the steps for setting this up. 15. Locate RADIUS setup page on your device 16. Configure the IP address of the GreenRADIUS VA in your device 17. Configure a shared secret that will protect the communication between the client and the GreenRADIUS server. 18. The RADIUS client s IP address and a shared secret must be added in the GreenRADIUS server so that the RADIUS server accepts incoming RADIUS requests coming from the RADIUS client. To add the RADIUS client, please follow the steps given below: 1) Click on the configuration tab as shown in the image below: 10 as of October 2014

11 2) Provide the IP address of the Client and Secret (encryption key) in the section highlighted in the image below and click on the Add button GreenRADIUS Virtual Appliance supports configuration for network clients on a subnet only through configuring for all clients on this subnet. For Example: You can set the Client IP address as /24 which makes the GRVA to accept the request from any of the terminal having IP address to You are now ready to test that it works. Up and running! This concludes the testing and you should now be up and running! 11 as of October 2014