[Optional] Configure for RADIUS Authentication

RADIUS (Remote Authentication Dial-In User Service) is a client/server protocol that provides authentication, authorization, and accounting (AAA) to configured clients. The client (here, the SafeNet Network HSM appliance) passes the user's credentials to one or more designated RADIUS servers and acts on the response. A RADIUS server accepts requests only from clients it has been told about, authenticates the user if that user's profile exists on the server, and returns an Access-Accept (optionally carrying configuration attributes the client uses to deliver service) or an Access-Reject.

RADIUS runs over UDP (User Datagram Protocol), normally port 1812 for authentication. The exchange is protected only by the shared secret configured on both sides: the user's password is hidden with an MD5 keystream derived from that secret, and the server's reply carries an MD5 Response Authenticator keyed with it. RADIUS over TLS (RadSec, RFC 6614) exists as an alternative transport, but the configuration described here uses plain UDP, so keep the path between the appliance and the RADIUS server on a trusted network segment or inside a VPN/IPsec tunnel, and give each client a long, random secret rather than a dictionary word.

RADIUS Configuration Summary

Configuration and identification must take place at both ends of the RADIUS transaction. These actions include:

On the RADIUS Server Side

identify the client systems (by address, each with its own shared secret) from which this server will accept requests and return service; this is recorded in the RADIUS server's client configuration file

identify the users who will be covered by the service

On the RADIUS Client Side (Your SafeNet Network HSM)

enable RADIUS

add a RADIUS server, specifying its IP address and providing the access secret for that server (the same secret that the server's client configuration holds for this appliance)

check the status of SafeNet Network HSM appliance users

add desired SafeNet Network HSM appliance users to the RADIUS list, enabling RADIUS authentication for those users

verify that RADIUS is enabled for any user on your SafeNet Network HSM that needs to use RADIUS

Configuring RADIUS with Your SafeNet Appliance

Follow these steps on the RADIUS Server:

You can use any standards-compliant RADIUS server, either a commercial server or one of the free/open-source servers such as FreeRADIUS or OpenRADIUS. The file excerpts below are in FreeRADIUS format.

1. Add the client to the RADIUS server's client configuration file, specifying:

the address of the SafeNet Network HSM appliance (the source address its requests arrive from, since the server selects the client entry, and therefore the secret, by source address),

the secret or password that the client will use when connecting, and

a short, user-friendly or business-relevant name for the client.

Depending on the implementation, you edit the file directly or use the server's management interface.


/etc/raddb/clients.conf:

# One block per RADIUS client (NAS). ipaddr must be the address the appliance
# actually sends from. Use a long, random secret unique to each client:
# "testing123" is the FreeRADIUS sample value and must not reach production.
# nastype is the FreeRADIUS directive for the NAS vendor type; "other" is generic.
client 192.20.17.174 {
        ipaddr          = 192.20.17.174
        secret          = testing123
        nastype         = other
        shortname       = sa174
}
client 192.20.22.106 {
        ipaddr          = 192.20.22.106
        secret          = testing321
        nastype         = other
        shortname       = sa22106
}

 

2. For each user who will log in through a client, add the user name and password to the "users" file of the RADIUS server. Cleartext-Password stores the password unhashed on the server, so restrict the file's permissions; for PAP authentication FreeRADIUS also accepts pre-hashed forms such as Crypt-Password or SSHA-Password.


/etc/raddb/users:

sauser162       Cleartext-Password := "userpw654"
sauser171       Cleartext-Password := "userpw987"
sauser172       Cleartext-Password := "userpw789"
sauser173       Cleartext-Password := "userpw456"
sauser174       Cleartext-Password := "userpw321"
nagios          Cleartext-Password := "nagiospw"
audit           Cleartext-Password := "userpin"
someguy         Cleartext-Password := "userpw"
sauser106       Cleartext-Password := "userpw123"

A user can authenticate to a SafeNet Network HSM through RADIUS only if that SafeNet Network HSM is registered as a client and that user is registered as a user in the appropriate files on the RADIUS server. A request from an unregistered client address is silently discarded by the server; a wrong secret also produces a rejection or an unverifiable reply rather than a clear error, so confirm the client entry, its secret and the user entry on the server before enabling RADIUS on the appliance.
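The exchange described at the top of this page, and the way the server applies the clients.conf and users entries from steps 1 and 2, as an added example that is not code from the SafeNet guide, the appliance, or FreeRADIUS: a pure-Python RFC 2865 Access-Request client and a simplified model of the server. The client address, user name and secrets are the ones in this page's sample files; radius_check is an assumed helper for probing a real server from the appliance's address and is not part of any product.

```python
"""RFC 2865 RADIUS Access-Request / Access-Accept exchange, pure Python (added example).
Not code from the SafeNet guide or FreeRADIUS; the client IP, user and secrets are the
ones in this page's sample clients.conf and users files, and the server is a model of them."""
import hashlib
import secrets
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3          # packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5  # attribute types

def _attr(atype, value):
    # Attribute TLV: type, length (counts the 2-byte header), value
    return struct.pack("!BB", atype, len(value) + 2) + value

def obfuscate_password(password, secret, authenticator):
    """User-Password hiding (RFC 2865 s5.2): pad to 16-byte blocks and XOR each block
    with MD5(secret + previous block), seeded with the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def recover_password(hidden, secret, authenticator):
    """Server-side inverse; without the right client secret the result is garbage."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return out.rstrip(b"\x00")

def parse_packet(raw):
    """Return (code, ident, authenticator, {type: [values]}); rejects bad lengths."""
    if len(raw) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(raw[pos + 2:pos + alen])
        pos += alen
    return code, ident, raw[4:20], attrs

def make_access_request(ident, secret, user, password, nas_ip="192.20.22.106"):
    """Client (appliance) side. The Request Authenticator must be fresh and random:
    it keys the password hiding and is folded into the server's reply check."""
    ra = secrets.token_bytes(16)
    attrs = (_attr(USER_NAME, user)
             + _attr(USER_PASSWORD, obfuscate_password(password, secret, ra))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(NAS_PORT, struct.pack("!I", 0)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs

def server_respond(request, clients, users, src_ip):
    """Server side, modelled on clients.conf (ip -> secret) and users (name -> password).
    Unknown clients get no answer at all (real servers silently discard them); otherwise
    reply with Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    secret = clients.get(src_ip)
    if secret is None:
        return None
    code, ident, ra, attrs = parse_packet(request)
    user = attrs.get(USER_NAME, [b""])[0]
    pw = recover_password(attrs.get(USER_PASSWORD, [b""])[0], secret, ra)
    ok = code == ACCESS_REQUEST and pw != b"" and users.get(user) == pw
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + ra + secret).digest()   # no reply attributes

def verify_response(response, request, secret):
    """Client side: accept a reply only if its Response Authenticator was computed with
    our secret over our own Request Authenticator; anything else is discarded."""
    code, ident, resp_auth, _ = parse_packet(response)
    if ident != request[1]:
        raise ValueError("response identifier does not match request")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not secrets.compare_digest(expected, resp_auth):
        raise ValueError("bad Response Authenticator: wrong secret or forged reply")
    return code

def radius_check(server, port, secret, user, password, timeout=5):
    """Assumed live probe against a real server (what FreeRADIUS's radtest does): returns
    ACCESS_ACCEPT or ACCESS_REJECT, raises on timeout or on a reply that does not verify."""
    req = make_access_request(secrets.randbelow(256), secret, user, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (server, port))
        resp, _ = sock.recvfrom(4096)
    return verify_response(resp, req, secret)

if __name__ == "__main__":
    # Offline run against the modelled server with the page's sample values
    clients, users = {"192.20.22.106": b"testing321"}, {b"sauser106": b"userpw123"}
    req = make_access_request(1, b"testing321", b"sauser106", b"userpw123")
    print(verify_response(server_respond(req, clients, users, "192.20.22.106"), req, b"testing321"))
```

Run with no arguments to see the offline exchange. To test a real server before touching the appliance, call radius_check from a host whose source address matches the client entry (the server picks the secret by source address, which is why a probe from your workstation with the appliance's secret is dropped without any reply); FreeRADIUS's own radtest does the same thing. Note what the model makes visible: a secret mismatch does not surface as an error message, it shows up either as a Reject (the server recovered a garbage password) or as a reply the client must refuse because the Response Authenticator does not verify.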

Follow these steps on the SafeNet Network HSM appliance:

Note:  Without RADIUS, use the command user add user somename to add an appliance administrative user on SafeNet Network HSM.

With RADIUS, use the command user radiusAdd -u somename instead; it both creates the user on the appliance and adds that user to the RADIUS list.

You cannot use user radiusAdd to convert an existing user from local to RADIUS authentication. If a user with the name you need already exists, delete it with user delete first, then create it again with user radiusAdd.

1. On the SafeNet Network HSM appliance, enable RADIUS.


[1722022106] lunash:>sysconf radius enable


Command Result : 0 (Success)
 

2. Add the server (by hostname or IP address), specifying the UDP port to use (1812 is the standard authentication port) and the timeout in seconds. When prompted, enter the secret that the server's client configuration holds for this appliance.


[1722022106] lunash:>sysconf radius add -s 192.20.15.182 -p 1812 -t 60

Enter the server secret:
Re-enter the server secret:
Command Result : 0 (Success)

3. Verify that the desired server has been added.

[1722022106] lunash:>sysconf radius show

RADIUS for SSH is enabled with the following deployed servers:

                                                     server:port     timeout
                                                   -------------  ----------
                                              192.20.15.182:1812          60

Command Result : 0 (Success)

4. Check the user list to see which users exist, are enabled on the SafeNet appliance, and are RADIUS enabled.

[1722022106] lunash:>user list

                   Users       Roles      Status      RADIUS
    --------------------    --------    --------    --------
                   admin       admin     enabled          no
                   audit       audit     enabled          no
                 monitor     monitor    disabled          no
                operator    operator    disabled          no

Command Result : 0 (Success)
 

5. Add a user, by name, as a RADIUS user. As the output shows, the appliance restarts sshd as part of this step.


[1722022106] lunash:>user radiusAdd -u someguy

Creating mailbox file: File exists
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]

Command Result : 0 (Success)
 

6. Assign the user's appliance role (in this example, the user is given admin-level access).


[1722022106] lunash:>user role add -u someguy -r admin


User someguy was successfully modified.


Command Result : 0 (Success)

        

7. Verify that the user exists, has the correct role on the SafeNet appliance, and is a RADIUS user for this appliance. Before relying on the new account, keep your current session open and confirm from a second SSH session that the RADIUS user can log in; if the RADIUS server is unreachable or the secrets do not match, that login fails, and the local (non-RADIUS) admin account remains your fallback.


[1722022106] lunash:>user list

                   Users       Roles      Status      RADIUS
    --------------------    --------    --------    --------
                   admin       admin     enabled          no
                   audit       audit     enabled          no
                 someguy       admin     enabled         yes
                 monitor     monitor    disabled          no
                operator    operator    disabled          no

Command Result : 0 (Success)
[1722022106] lunash:>