Configuring RADIUS Authentication

RADIUS (Remote Authentication Dial-In User Service) is a client/server protocol providing authentication, authorization, and accounting service to configured clients. The client passes user information to configured, designated RADIUS servers, and acts on the returned response. A RADIUS server receives user connection requests, authenticates the user if that user's profile exists on the server, and then returns the configuration information according to which the client can deliver service to the user.

The custodians of the RADIUS standard are considering a proposal to switch to the TLS communication protocol, but RADIUS interaction currently takes place over UDP (User Datagram Protocol).

RADIUS Configuration Summary

Configuration and identification must take place at both ends of the RADIUS transaction. These actions include:

On the RADIUS Server Side

>Identify the client systems from which this server will accept requests and return service (this is recorded in the RADIUS server's configuration file).

>Identify the users who will be covered by the service.

On the RADIUS Client Side (your Luna Network HSM)

>Enable RADIUS.

>Add a RADIUS server, specifying its IP address, and providing the access secret for that server.

>Check the status of Luna Network HSM appliance users.

>Add desired Luna Network HSM appliance users to the RADIUS list, enabling RADIUS authentication for those users.

>Verify that RADIUS is enabled for any user on your Luna Network HSM that needs to use RADIUS.

Configuring RADIUS with Your Luna Network HSM Appliance

Follow these steps on the RADIUS Server:

You can use any standards-compliant RADIUS server, either a commercial server or one of the free/open-source servers, such as FreeRADIUS or OpenRADIUS.

1. Add the client to the RADIUS server's configuration file, specifying:

The address of the Luna Network HSM appliance.

The secret or password that the client will use when connecting.

A short, user-friendly or business-relevant name for the client.

For some RADIUS implementations you can edit the file directly; alternatively, use the provided interface.

/etc/raddb/clients.conf:

client 192.20.17.174 {
        ipaddr          = 192.20.17.174
        secret          = testing123
        nas             = other
        shortname       = sa174
}
client 192.20.22.106 {
        ipaddr          = 192.20.22.106
        secret          = testing321
        nas             = other
        shortname       = sa22106
}

2. For each client, add the user name and the password for that user to the "users" file of the RADIUS server.

/etc/raddb/users:

sauser162       Cleartext-Password := "userpw654"
sauser171       Cleartext-Password := "userpw987"
sauser172       Cleartext-Password := "userpw789"
sauser173       Cleartext-Password := "userpw456"
sauser174       Cleartext-Password := "userpw321"
nagios          Cleartext-Password := "nagiospw"
audit           Cleartext-Password := "userpin"
someguy         Cleartext-Password := "userpw"
sauser106       Cleartext-Password := "userpw123"

A user can use RADIUS for a Luna Network HSM only if that appliance is registered as a client and that user is registered as a user in the appropriate files on the RADIUS server.
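As an added example (not part of the original page or of any vendor tooling), the Python below parses the two server-side files shown above and checks the rule just stated: the appliance must be a registered client and the user must appear in the users file. It also flags shared secrets shorter than the 16 octets RFC 2865 prefers, or left at the FreeRADIUS sample value; the function names and the trimmed sample input are assumptions made for illustration.

```python
import re

# Constructed sample input: trimmed from the clients.conf and users listings above.
CLIENTS_CONF = """
client 192.20.17.174 {
        ipaddr          = 192.20.17.174
        secret          = testing123
        shortname       = sa174
}
client 192.20.22.106 {
        ipaddr          = 192.20.22.106
        secret          = testing321
        shortname       = sa22106
}
"""
USERS_FILE = '''
sauser174       Cleartext-Password := "userpw321"
someguy         Cleartext-Password := "userpw"
'''
SAMPLE_SECRETS = {"testing123"}  # secret shipped in FreeRADIUS's sample clients.conf

def parse_clients(text):
    """Return {ipaddr: {key: value}} for each `client <name> { ... }` block."""
    clients = {}
    for name, body in re.findall(r"client\s+(\S+)\s*\{(.*?)\}", text, re.S):
        attrs = dict(re.findall(r"^[ \t]*(\w+)[ \t]*=[ \t]*(\S+)", body, re.M))
        clients[attrs.get("ipaddr", name)] = attrs
    return clients

def parse_users(text):
    """Return {username: password} for `name Cleartext-Password := "pw"` lines."""
    return dict(re.findall(r'^(\S+)\s+Cleartext-Password\s*:=\s*"([^"]*)"', text, re.M))

def can_use_radius(appliance_ip, username, clients, users):
    """Both conditions must hold: appliance registered as client, user listed."""
    return appliance_ip in clients and username in users

def weak_secrets(clients, min_len=16):
    """Flag secrets under min_len (RFC 2865 prefers >= 16 octets) or left at a sample value."""
    findings = []
    for ip, attrs in clients.items():
        secret = attrs.get("secret", "")
        if len(secret) < min_len:
            findings.append((ip, "short"))
        if secret in SAMPLE_SECRETS:
            findings.append((ip, "sample-default"))
    return findings

if __name__ == "__main__":
    clients, users = parse_clients(CLIENTS_CONF), parse_users(USERS_FILE)
    print(can_use_radius("192.20.22.106", "someguy", clients, users))
    print(weak_secrets(clients))
```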

Follow these steps on the Luna Network HSM appliance:

NOTE   Without RADIUS, use lunash:> user add -username <name> to add an appliance administrative user on Luna Network HSM. With RADIUS, use the command lunash:> user radiusadd -username <name> to both create the user on the appliance and add that user to the RADIUS list. You cannot use lunash:> user radiusadd to convert an existing user from non-RADIUS to RADIUS.

1. On the Luna Network HSM appliance, enable RADIUS with lunash:> sysconf radius addserver.

2. Add the server (by hostname or IP address), specifying the port to use, and the timeout value in seconds.

[1722022106] lunash:>sysconf radius add -s 192.20.15.182 -p 1812 -t 60

Enter the server secret:
Re-enter the server secret:
Command Result : 0 (Success)

3. Verify that the desired server has been added.

[1722022106] lunash:>sysconf radius show

RADIUS for SSH is enabled with the following deployed servers:

                                                     server:port     timeout
                                                   -------------  ----------
                                              192.20.15.182:1812          60

Command Result : 0 (Success)

4. Check the user list to see which users exist, are enabled on the appliance, and are RADIUS enabled.

[1722022106] lunash:>user list

                   Users       Roles      Status      RADIUS
    --------------------    --------    --------    --------
                   admin       admin     enabled          no
                   audit       audit     enabled          no
                 monitor     monitor    disabled          no
                operator    operator    disabled          no

Command Result : 0 (Success)

5. Add a user, by name, as a RADIUS user.

[1722022106] lunash:>user radiusAdd -u someguy

Creating mailbox file: File exists
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]

Command Result : 0 (Success)

6. Add the user's appliance role (in this example, we are giving the user admin-level access).

[1722022106] lunash:>user role add -u someguy -r admin

User someguy was successfully modified.

Command Result : 0 (Success)

7. Verify that the user exists, has the correct role on the appliance, and is a RADIUS user for this appliance.

[1722022106] lunash:>user list

                   Users       Roles      Status      RADIUS
    --------------------    --------    --------    --------
                   admin       admin     enabled          no
                   audit       audit     enabled          no
                 someguy       admin     enabled         yes
                 monitor     monitor    disabled          no
                operator    operator    disabled          no

Command Result : 0 (Success)