Configuring RADIUS Authentication
RADIUS (Remote Authentication Dial-In User Service) is a client/server protocol that provides authentication, authorization, and accounting services to configured clients. The client passes user information to its designated RADIUS servers and acts on the response it receives. A RADIUS server receives user connection requests, authenticates the user if that user's profile exists on the server, and then returns the configuration information the client needs in order to deliver service to the user.
While the custodians of the RADIUS standard are considering a proposal to switch to TLS as the transport, RADIUS interaction currently takes place over UDP (User Datagram Protocol).
RADIUS Configuration Summary
Configuration and identification must take place at both ends of the RADIUS transaction. These actions include:
On the RADIUS Server Side
>Identify the client systems from which this server will accept requests and return service (this is recorded in the RADIUS server's configuration file).
>Identify the users who will be covered by the service.
On the RADIUS Client Side (your Luna Network HSM)
>Enable RADIUS.
>Add a RADIUS server, specifying its IP address, and providing the access secret for that server.
>Check the status of Luna Network HSM appliance users.
>Add desired Luna Network HSM appliance users to the RADIUS list, enabling RADIUS authentication for those users.
>Verify that RADIUS is enabled for any user on your Luna Network HSM that needs to use RADIUS.
Configuring RADIUS with Your Luna Network HSM Appliance
Follow these steps on the RADIUS Server:
You can use any standards-compliant RADIUS server, either a commercial server or one of the free/open-source servers, like freeRADIUS or openRADIUS.
1. Add the client to the RADIUS server's configuration file, specifying:
• The address of the Luna Network HSM appliance.
• The secret or password that the client will use when connecting.
• A short, user-friendly or business-relevant name for the client.
For some RADIUS implementations you can edit the file directly; others provide a management interface for this.
/etc/raddb/clients.conf:

    client 192.20.17.174 {
        ipaddr = 192.20.17.174
        secret = testing123
        nas = other
        shortname = sa174
    }
    client 192.20.22.106 {
        ipaddr = 192.20.22.106
        secret = testing321
        nas = other
        shortname = sa22106
    }
2. For each client, add the user name and the password for that user to the "users" file of the RADIUS server.
/etc/raddb/users:

    sauser162 Cleartext-Password := "userpw654"
    sauser171 Cleartext-Password := "userpw987"
    sauser172 Cleartext-Password := "userpw789"
    sauser173 Cleartext-Password := "userpw456"
    sauser174 Cleartext-Password := "userpw321"
    nagios    Cleartext-Password := "nagiospw"
    audit     Cleartext-Password := "userpin"
    someguy   Cleartext-Password := "userpw"
    sauser106 Cleartext-Password := "userpw123"

A user can use RADIUS for a Luna Network HSM only if that appliance is registered as a client and that user is registered as a user in the appropriate files on the RADIUS server.
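To make the server-side pieces concrete, here is an added Python example that is not from the Luna documentation or from any RADIUS product. It parses clients.conf and users entries in the flat form shown above (simplified parsers written for this example, not FreeRADIUS's own), then runs one Access-Request/Access-Accept exchange in memory, hiding the User-Password and computing the Response Authenticator the way RFC 2865 specifies. The addresses, secrets and user entries are constructed sample input copied from the page's examples; the function names are this example's own.

```python
import hashlib
import hmac
import os
import re
import socket
import struct

# RFC 2865 packet codes and attribute types used below.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

# Constructed sample server files, copied (trimmed) from the clients.conf and users entries above.
CLIENTS_CONF = """
client 192.20.17.174 { ipaddr = 192.20.17.174 secret = testing123 nas = other shortname = sa174 }
client 192.20.22.106 { ipaddr = 192.20.22.106 secret = testing321 nas = other shortname = sa22106 }
"""
USERS_FILE = """
sauser106 Cleartext-Password := "userpw123"
someguy Cleartext-Password := "userpw"
"""

def parse_clients(text):
    """ipaddr -> shared secret, from a clients.conf-style file (simplified parser, not FreeRADIUS's own)."""
    clients = {}
    for body in re.findall(r"client\s+\S+\s*\{(.*?)\}", text, re.S):
        fields = dict(re.findall(r"(\w+)\s*=\s*(\S+)", body))
        clients[fields["ipaddr"]] = fields["secret"].encode()
    return clients

def parse_users(text):
    """user name -> cleartext password, from 'name Cleartext-Password := "pw"' lines."""
    pattern = r'^(\S+)\s+Cleartext-Password\s*:=\s*"([^"]*)"'
    return {m.group(1): m.group(2) for m in re.finditer(pattern, text, re.M)}

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; only a holder of the same secret recovers the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

def decode_attrs(data):
    """Type-Length-Value attributes; the length byte covers its own 2-byte header."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        attrs[t] = data[i + 2:i + length]
        i += max(length, 2)  # a malformed length below 2 would otherwise loop forever
    return attrs

def build_access_request(ident, secret, username, password, nas_ip, request_auth=None):
    """Client side: the 16-byte Request Authenticator is a fresh random nonce per request."""
    ra = request_auth or os.urandom(16)
    fields = [(USER_NAME, username.encode()),
              (USER_PASSWORD, hide_password(password.encode(), secret, ra)),
              (NAS_IP_ADDRESS, socket.inet_aton(nas_ip))]
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in fields)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs

def server_handle(request, secret, users):
    """Server side: recover the password, check the users table, sign the reply with the secret."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    ra, attrs = request[4:20], decode_attrs(request[20:length])
    username = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, ra).decode(errors="replace")
    code = ACCESS_ACCEPT if users.get(username) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)  # no reply attributes in this example
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + ra + secret).digest()

def verify_response(request, response, secret):
    """Client side: trust a reply only if its ID matches and its authenticator was made with our secret."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return request[1] == response[1] and hmac.compare_digest(expected, response[4:20])

def authenticate(nas_ip, username, password, clients, users, client_secret=None):
    """One exchange; returns (reply code, or None if the server dropped the packet, reply verified?)."""
    secret_on_client = client_secret if client_secret is not None else clients.get(nas_ip, b"")
    request = build_access_request(7, secret_on_client, username, password, nas_ip)
    server_secret = clients.get(nas_ip)
    if server_secret is None:
        return None, False  # unregistered client: a RADIUS server silently discards the request
    response = server_handle(request, server_secret, users)
    return response[0], verify_response(request, response, secret_on_client)
```

Running authenticate("192.20.22.106", "someguy", "userpw", parse_clients(CLIENTS_CONF), parse_users(USERS_FILE)) returns (ACCESS_ACCEPT, True). Two failure modes are worth noticing: an appliance whose address is missing from clients.conf gets no reply at all rather than a reject, and a secret that differs between appliance and server produces a reject that the appliance also refuses to trust, because the Response Authenticator no longer verifies. Both the password hiding and the reply check rest entirely on the shared secret and MD5 carried over UDP, which is the weakness the TLS proposal mentioned at the top is meant to address.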
Follow these steps on the Luna Network HSM appliance:
NOTE Without RADIUS, use lunash:> user add -username <name> to add an appliance administrative user on Luna Network HSM. With RADIUS, use the command lunash:> user radiusadd -username <name> to both create the user on the appliance and add that user to the RADIUS list. You cannot use lunash:> user radiusadd to convert an existing user from non-RADIUS to RADIUS.
1. On the Luna Network HSM appliance, enable RADIUS with lunash:> sysconf radius addserver.
2. Add the server (by hostname or IP address), specifying the port to use and the timeout value in seconds.

    [1722022106] lunash:>sysconf radius add -s 192.20.15.182 -p 1812 -t 60
    Enter the server secret:
    Re-enter the server secret:

    Command Result : 0 (Success)
3. Verify that the desired server has been added.

    [1722022106] lunash:>sysconf radius show

    RADIUS for SSH is enabled with the following deployed servers:

        server:port           timeout
        -------------         ----------
        192.20.15.182:1812    60

    Command Result : 0 (Success)
4. Check the user list to see which users exist, are enabled on the appliance, and are RADIUS enabled.

    [1722022106] lunash:>user list

        Users                Roles    Status   RADIUS
        -------------------- -------- -------- --------
        admin                admin    enabled  no
        audit                audit    enabled  no
        monitor              monitor  disabled no
        operator             operator disabled no

    Command Result : 0 (Success)
5. Add a user, by name, as a RADIUS user.

    [1722022106] lunash:>user radiusAdd -u someguy
    Creating mailbox file: File exists
    Stopping sshd:                                             [  OK  ]
    Starting sshd:                                             [  OK  ]

    Command Result : 0 (Success)
6. Add the user's appliance role (in this example, the user is given admin-level access).

    [1722022106] lunash:>user role add -u someguy -r admin

    User someguy was successfully modified.

    Command Result : 0 (Success)
7. Verify that the user exists, has the correct role on the appliance, and is a RADIUS user for this appliance.

    [1722022106] lunash:>user list

        Users                Roles    Status   RADIUS
        -------------------- -------- -------- --------
        admin                admin    enabled  no
        audit                audit    enabled  no
        someguy              admin    enabled  yes
        monitor              monitor  disabled no
        operator             operator disabled no

    Command Result : 0 (Success)