Configure RADIUS authentication

The RADIUS adapter allows Itential Platform to interact with a RADIUS server for authentication. Use this procedure to configure RADIUS-based authentication.

Before you begin

The RADIUS server must define a vendor-specific attribute (VSA), typically in its dictionary file, and return it in the Access-Accept reply. The syntax provided in Configure FreeRADIUS files corresponds with this guide and applies to FreeRADIUS. The syntax for other RADIUS servers may differ; refer to your RADIUS server's documentation for the exact syntax required. You must also ensure users and groups are correctly configured so that each user's reply carries the Itential-Group VSA.

Install FreeRADIUS

The following steps provide a basic installation process using FreeRADIUS as an example. IPs, usernames, groups, and passwords will vary with your environment. This sample installation was performed on a CentOS 7 virtual machine in a test environment.

1

Install FreeRADIUS

$sudo yum -y install freeradius freeradius-utils freeradius-mysql freeradius-perl
2

Start, enable, and check the service

$systemctl start radiusd.service
$systemctl enable radiusd.service
$systemctl status radiusd.service

The status command should show as active (running).

FreeRADIUS server status showing active
3

Open required ports

RADIUS authentication uses UDP port 1812 and accounting uses UDP port 1813 (RFC 2865 and RFC 2866). Open TCP on those ports only if you configure FreeRADIUS to listen on TCP, and restrict the rule to the Itential Platform server's address rather than opening the ports to every host. The example below uses firewall-cmd.

FreeRADIUS open ports

Configure FreeRADIUS files

These instructions are provided as an example — your environment will differ.

A vendor-specific attribute (VSA) is required when using FreeRADIUS. Add the VSA information to the dictionary and users files. The firewalld service definition for RADIUS at /usr/lib/firewalld/services/radius.xml (which lists the RADIUS ports) will most likely not require changes.

1

Add the VSA to the dictionary file

Open /etc/raddb/dictionary in your preferred editor and add the following lines. You may add them to the end of the file.

# itential
VENDOR Itential 47688
BEGIN-VENDOR Itential
ATTRIBUTE Itential-Group 26 string
END-VENDOR Itential
2

Add users to the users file

Open /etc/raddb/users and add the following. Each entry starts in column 0 with the username and its check items; the reply items (here Itential-Group) must follow on indented continuation lines. The passwords shown are test values only:

testing        Cleartext-Password := "password"
               Itential-Group = "admin"
admin          Cleartext-Password := "admin"
               Itential-Group = "pronghorn_admin"
3

Update the clients configuration

Open /etc/raddb/clients.conf. Adjust the localhost client entry to the actual IP address of the Itential Platform server for your production environment and set a strong shared secret; the same secret is entered later in the adapter's secret property. The example shown does not need to be changed for a test environment, where the default localhost secret is testing123.

FreeRADIUS clients.conf configuration

Test FreeRADIUS

1

Stop FreeRADIUS and start it in debug mode

Stop the service so that port 1812 is free, then run the server in the foreground with full debug output (as root). Leave this terminal open; every request and reply is printed here.

$systemctl stop radiusd.service
$radiusd -X
2

Run a test authentication command

Open a second terminal window and run the following command. The arguments are user, password, server, NAS port, and shared secret; testing123 is the default secret for the localhost client in clients.conf:

$radtest admin admin 127.0.0.1 0 testing123

A working setup prints Received Access-Accept followed by Itential-Group = "pronghorn_admin", and the debug terminal shows the same reply. Access-Reject means the username or password in the users file is wrong; no reply at all usually means the client address or shared secret in clients.conf does not match, because FreeRADIUS silently drops requests from unknown clients and requests with a bad Message-Authenticator.
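
To turn the manual check above into something repeatable, here is an added Python example (not part of this page, FreeRADIUS, or Itential) that parses what radtest prints, confirms an Access-Accept, and extracts the Itential-Group values from the reply. The sample outputs in the block are constructed in radtest's format, not captured from a server; login_will_work and run_radtest are names chosen for this example.

```python
"""Parse radtest output and decide whether an Itential login would work.

Added example for this page (not FreeRADIUS or Itential code).  It reads the
text radtest prints, checks for Access-Accept, and pulls the Itential-Group
reply attribute, because an Access-Accept without that VSA authenticates the
user but leaves them with no access in Itential Platform."""
import re
import subprocess
from typing import NamedTuple

# Constructed samples in the format radtest (FreeRADIUS 3.x) prints; they were
# not captured from a real server.
SAMPLE_ACCEPT = """\
Sent Access-Request Id 17 from 0.0.0.0:45210 to 127.0.0.1:1812 length 74
\tUser-Name = "admin"
\tUser-Password = "admin"
\tNAS-IP-Address = 127.0.0.1
\tNAS-Port = 0
\tMessage-Authenticator = 0x00
\tCleartext-Password = "admin"
Received Access-Accept Id 17 from 127.0.0.1:1812 to 127.0.0.1:45210 length 38
\tItential-Group = "pronghorn_admin"
"""

SAMPLE_ACCEPT_NO_VSA = """\
Sent Access-Request Id 18 from 0.0.0.0:45211 to 127.0.0.1:1812 length 74
\tUser-Name = "testing"
\tUser-Password = "password"
Received Access-Accept Id 18 from 127.0.0.1:1812 to 127.0.0.1:45211 length 20
"""

SAMPLE_REJECT = """\
Sent Access-Request Id 19 from 0.0.0.0:45212 to 127.0.0.1:1812 length 74
\tUser-Name = "admin"
\tUser-Password = "wrong"
Received Access-Reject Id 19 from 127.0.0.1:1812 to 127.0.0.1:45212 length 20
"""


class RadtestResult(NamedTuple):
    accepted: bool   # True only for Access-Accept
    groups: tuple    # Itential-Group values found in the reply


def parse_radtest(output):
    """Extract the reply code and Itential-Group values from radtest output.

    Only attributes printed after the "Received ..." line count: the request
    echo above it contains the user's own attributes, never the VSA.  A
    timeout ("No reply from server") yields accepted=False, no groups."""
    accepted, groups, in_reply = False, [], False
    for line in output.splitlines():
        m = re.match(r"Received (Access-\w+) Id \d+", line)
        if m:
            accepted, in_reply = (m.group(1) == "Access-Accept"), True
            continue
        if in_reply:
            m = re.match(r'\s*Itential-Group\s*=\s*"([^"]*)"', line)
            if m:
                groups.append(m.group(1))
    return RadtestResult(accepted, tuple(groups))


def login_will_work(output, allowed_groups):
    """True only if the server accepted AND returned a group Itential maps.

    allowed_groups is the set of names configured under radius_groups in the
    adapter; a group the server returns but the adapter does not list still
    ends in an "authenticated, but no access" login."""
    result = parse_radtest(output)
    return result.accepted and bool(set(result.groups) & set(allowed_groups))


def run_radtest(user, password, server, secret, port=1812):
    """Run the real radtest binary (freeradius-utils) and parse its output.

    Note that radtest takes the password on the command line, so it is
    visible in the process list; use throwaway test accounts only."""
    proc = subprocess.run(
        ["radtest", user, password, f"{server}:{port}", "0", secret],
        capture_output=True, text=True, check=False)
    return parse_radtest(proc.stdout)


if __name__ == "__main__":
    for name, sample in (("accept", SAMPLE_ACCEPT),
                         ("accept-no-vsa", SAMPLE_ACCEPT_NO_VSA),
                         ("reject", SAMPLE_REJECT)):
        print(name, parse_radtest(sample),
              "login ok" if login_will_work(sample, {"pronghorn_admin"}) else "NO ACCESS")
```

Run it against a live server with run_radtest("admin", "admin", "127.0.0.1", "testing123") and pass the result's groups to the adapter configuration step; if parse_radtest reports accepted=True with an empty groups tuple, the dictionary or users file is wrong, not the credentials.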

Add a RADIUS adapter

1

Open Admin Essentials

After logging in to Itential Platform, select Admin Essentials in the left navigation menu.

2

Create a new adapter

Click the plus sign in the top toolbar to create a new adapter. The Create dialog opens. Click the dropdown arrow and select Adapter from the menu list.

3

Enter adapter information

Enter a name for the adapter (for example, Local_RADIUS) and select the RADIUS adapter type from the dropdown menu.

Enter adapter name and type
4

Create the adapter

Click Create. The adapter appears in the Adapters collection menu on the left and the Configuration tab displays automatically.

5

Open the Service Config editor

Click the Advanced View toggle in the upper-right to display the Service Config editor and check the adapter’s configuration.

Advanced View toggle
6

Verify the brokers property

Check for aaa (authentication, authorization, and accounting) in the brokers property field. If the field is empty, add the broker.

Brokers property in the Service Config editor

Configure local RADIUS parameters

The configuration below shows the default parameters. Under radius_groups, list every group that will be allowed to access Itential Platform, at a minimum the group that will have administrative rights. The values must match exactly what the RADIUS server returns in the Itential-Group VSA: a user whose group is not listed authenticates successfully but has no access to any adapters or apps within Itential Platform. Note that the users file example above returns pronghorn_admin while this example lists pronghorn_admin_radius; choose one name and use it in both places.

If you use a name other than Local_Radius, update the "name" and "id" properties to match. Replace the placeholder host and secret with your RADIUS server's address and the shared secret from its clients.conf; the secret shown here is an example only and should not be used in production.

{
  "name": "Local_Radius",
  "model": "@itential/adapter-radius",
  "type": "Adapter",
  "properties": {
    "id": "Local_Radius",
    "type": "RADIUS",
    "properties": {
      "host": "11.11.1.11",
      "port": 1812,
      "secret": "password",
      "radius_groups": [
        {
          "name": "admin",
          "group": "admin"
        },
        {
          "name": "pronghorn_admin_radius",
          "group": "pronghorn_admin_radius"
        }
      ],
      "healthcheck": {
        "type": "startup",
        "frequency": 6000
      }
    },
    "brokers": [
      "aaa"
    ],
    "groups": []
  },
  "isEncrypted": true,
  "redisProps": {
    "host": "127.0.0.1",
    "port": 6379
  },
  "loggerProps": {
    "description": "Logging",
    "log_max_files": 100,
    "log_max_file_size": 1048576,
    "log_level": "spam",
    "log_directory": "/var/log/pronghorn",
    "log_filename": "RADIUS.log",
    "console_level": "warn"
  }
}
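
A group-name mismatch between the users file and radius_groups, or a shared secret left at a vendor default, is easy to miss by eye and only shows up as a login that succeeds with no access. The following Python script is an added example (not Itential's code) that cross-checks the users file entries from this page against the adapter configuration above and reports findings before you restart the platform. It assumes that a value returned in the Itential-Group VSA matches a radius_groups entry when it equals that entry's "name" or "group" (the page shows both as identical); the 16-character secret threshold, the DEFAULT_SECRETS list, and the function names are this example's own choices.

```python
"""Cross-check an Itential RADIUS adapter config against the FreeRADIUS users
file so that a group-name mismatch or a default shared secret is caught
before the platform is restarted.  Added example for this page; not Itential
or FreeRADIUS code."""
import json
import re

# Constructed copy of the /etc/raddb/users entries shown on this page.
USERS_FILE = '''\
testing\tCleartext-Password := "password"
\tItential-Group = "admin"
admin\tCleartext-Password := "admin"
\tItential-Group = "pronghorn_admin"
'''

# Constructed copy of the adapter configuration shown on this page, trimmed
# to the properties the check needs.
ADAPTER_CONFIG = json.loads('''{
  "name": "Local_Radius",
  "model": "@itential/adapter-radius",
  "type": "Adapter",
  "properties": {
    "id": "Local_Radius",
    "type": "RADIUS",
    "properties": {
      "host": "11.11.1.11",
      "port": 1812,
      "secret": "password",
      "radius_groups": [
        {"name": "admin", "group": "admin"},
        {"name": "pronghorn_admin_radius", "group": "pronghorn_admin_radius"}
      ]
    },
    "brokers": ["aaa"]
  }
}''')

# Secrets that ship in vendor examples and must never reach production
# (the example's own list).
DEFAULT_SECRETS = {"testing123", "password", "secret", "radius", "admin"}


def users_file_groups(text):
    """Map username -> list of Itential-Group reply values.

    A users-file entry starts in column 0 with the username and its check
    items; the indented lines that follow are reply items for that user."""
    groups, user = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():           # new entry: "<user> <check items>"
            user = line.split()[0]
            groups.setdefault(user, [])
            continue
        m = re.match(r'\s*Itential-Group\s*[:+]?=\s*"([^"]*)"', line)
        if m and user is not None:
            groups[user].append(m.group(1))
    return groups


def check_adapter(config, users_groups):
    """Return a list of findings; an empty list means the two sides agree.

    Assumption: a VSA value matches a radius_groups entry if it equals that
    entry's "name" or "group" (the page shows both as identical)."""
    props = config["properties"]["properties"]
    findings = []
    if config["properties"]["id"] != config["name"]:
        findings.append("adapter 'id' and 'name' differ")
    if "aaa" not in config["properties"].get("brokers", []):
        findings.append("brokers lacks 'aaa'; the adapter will not be used for login")
    secret = props.get("secret", "")
    if secret in DEFAULT_SECRETS or len(secret) < 16:
        findings.append("shared secret is a vendor default or shorter than 16 characters")
    mapped = ({g["name"] for g in props["radius_groups"]}
              | {g["group"] for g in props["radius_groups"]})
    returned = {g for gs in users_groups.values() for g in gs}
    for user, gs in users_groups.items():
        if not set(gs) & mapped:
            findings.append(f"user {user!r} gets Itential-Group {gs}, not in "
                            "radius_groups: login succeeds but grants no access")
    for g in sorted(mapped - returned):
        findings.append(f"radius_groups entry {g!r} is never returned by the users file")
    return findings


def with_secret(config, secret):
    """Return a copy of config with the shared secret replaced."""
    copy = json.loads(json.dumps(config))
    copy["properties"]["properties"]["secret"] = secret
    return copy


if __name__ == "__main__":
    for finding in check_adapter(ADAPTER_CONFIG, users_file_groups(USERS_FILE)):
        print("FINDING:", finding)
```

Run as shown, the script reports three findings for the page's own examples: the default secret, the admin user's pronghorn_admin group that no radius_groups entry matches, and the pronghorn_admin_radius entry that the users file never returns. Point it at your real /etc/raddb/users and the adapter's Service Config JSON instead of the inline copies to check a production setup.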

Create a profile for the RADIUS adapter

1

Clone an existing profile

Select an existing profile (usually profile1) from the Profiles collection in the left navbar. Click the stacked dots icon in the upper-right and select Clone from the menu options.

Clone profile option
2

Name the new profile

Enter a name for the new profile (for example, RADIUS) and click Clone. The profile appears in the Profiles collection on the left and the Configure editor displays.

Name the cloned profile
3

Edit the profile

Edit the Profile Services and Profile Properties as needed. Click Save to keep your changes.

Edit profile configuration
4

Activate the profile

Restart the Itential Platform service to activate the RADIUS profile. Authorization levels will also need to be set to provide admin group access.

$service pronghorn restart

To encrypt the secret under the adapter properties, refer to Password Encryption.

Troubleshoot the RADIUS adapter

If you encounter issues using the RADIUS adapter:

  1. If you cannot access Itential Platform using the RADIUS profile, revert to the original profile. From a terminal prompt, as root, edit /opt/pronghorn/current/properties.json and set the "id" property (the active profile) to profile1:

    {
      "pathProps": {
        "description": "File Path Variables",
        "sdk_dir": "/opt/pronghorn-applications",
        "encrypted": true
      },
      "id": "profile1",
      "mongoProps": {
        "credentials": {
          "passwd": "itentialPassword",
          "user": "itentialUser"
        },
        "db": "pronghorn",
        "url": "mongodb://127.0.0.1:27017"
      }
    }
  2. Restart the Itential Platform service and attempt to log in again:

    $service pronghorn restart
  3. If problems persist, the issue is usually related to configuration. Check the following:

    RADIUS adapter:

    • Check the RADIUS hostname and port.
    • Check how groups are configured.
    • From a server prompt, stop and restart the associated process for the adapter using the kill command and the PID for the RADIUS adapter.

    RADIUS server:

    • Check the client list to ensure the Itential Platform server address is listed and that the shared secret there matches the adapter's secret property. With FreeRADIUS, check /etc/raddb/clients.conf.
    • Check the users file to confirm the Itential Platform user is correctly defined with the correct username, password, and group in /etc/raddb/users, and that the group value matches an entry under radius_groups exactly.
    • Verify the VSA is defined correctly in /etc/raddb/dictionary.
    • Check firewall and ACL rules (UDP 1812 from the Itential Platform server to the RADIUS server).

See the FreeRADIUS documentation for further instructions on installation, configuration, and troubleshooting.