Ukraine flag

We stand with our friends and colleagues in Ukraine. To support Ukraine in their time of need visit this page

> RADIUS 2FA

RADIUS 2FA

The Protectimus RADIUS 2FA solution can be used to enable two-factor authentication for any software or equipment that supports RADIUS authentication protocol.


The Protectimus RADIUS Server connector works as a RADIUS server. It transfers authentication requests from the RADIUS device to the Protectimus multi-factor authentication (MFA) server and returns the answer permitting or denying access.


Protectimus 2FA integration via RADIUS scheme

Add two-factor authentication (2FA / MFA) to protect your VPN, Wi-Fi, and any other software or device that supports RADIUS. To do that, integrate with Protectimus Cloud MFA Service or On-Premise Platform via RADIUS authentication protocol.


The list of software and devices that can be integrated with Protectimus via RADIUS authentication protocol includes but is not limited to:



The Protectimus RADIUS 2FA software is easy to set up. But if you have any questions, our team is always ready to help you with deploying RADIUS two-factor authentication (2FA) even in the most complex infrastructure. Get in touch with our support team here.



To integrate Protectimus 2FA solution with your RADIUS supporting device or software you need to set up and configure Protectimus RADIUS Server, and then configure the authentication policies on the device or application you want to add Protectimus 2FA to:
  1. You allow the transmission of an authentication request over the RADIUS protocol to Protectimus RADIUS Server;
  2. The Protectimus RADIUS Server component receives and processes the authentication request;
  3. Then Protectimus RADIUS Server contacts the Protectimus authentication server to verify the one-time password entered by the user.

1. Install Protectimus RADIUS Server to enable RADIUS 2FA

1.1. How to Install Protectimus RADIUS Server Using a Docker Image

  1. To start installing the Protectimus RADIUS Server, first of all, download and install docker and docker-compose:
 
  1. Then clone the git repository: https://github.com/protectimus/platform-linux.git
 
  1. Go to the platform-linux/radius directory and run:
docker-compose up -d
 
  1. You can monitor the process of Protectimus RADIUS Server deployment using the command:
docker-compose logs -f
 
  1. After the deployment process is complete, the Protectimus RADIUS Server will be available at: https://localhost:8443

1.2. How to Install Protectimus RADIUS Server on Windows

  1. Download the installer at the Platform page.
  2. Run the installer as administrator.
  3. Check the Radius checkbox.

    ATTENTION!
    If you plan to use the Protectimus On-Premise Platform, keep the Platform checkbox checked.
    If you plan to use the Protectimus SAAS Service, uncheck the Platform checkbox.

If you plan to use the Protectimus On-Premise Platform

If you use plan to use the Protectimus SAAS Service

How to install Protectimus RProxy and Protectimus Platform How to install Protectimus RProxy is you will use the Protectimus Cloud Service

  1. Java (JDK 7 and above) must be installed on the machine, if not, it will be installed automatically, click Install.
How to install Protectimus RProxy - install Java

  1. When Java is installed, click Next.
How to install Protectimus RProxy - update Java and click Next

  1. Choose the folder to install the Protectimus components and click Install.
How to install Protectimus RProxy - select folder

  1. When the installation is complete, you’ll see this message.
How to install Protectimus RProxy - the installation was successful

2. Get Registered and Configure Basic Settings

  1. Register with the Protectimus Cloud Service and activate API or the Protectimus On-Premise Platform.
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

3. Configure Protectimus RADIUS Server

The Protectimus RADIUS Server settings can be configured by specifying them in the radius.yml file, which must be located in the same directory as the executable.


Available properties that you should add to the radius.yml file include:

3.1. Authentication Process Settings

auth:
    providers:
    	- LDAP
		- PROTECTIMUS_OTP
    re-enter-otp: true
    principal-normalization: true
	bypass-otp:
    	ldap-filter: (memberOf=cn=bypass-otp,ou=groups,dc=test,dc=com)
    	usernames:
      		- john
      		- luci
	inline-mode:
		enabled: false
   		separator: ''
   		attributes:
     		NAS-Identifier:
       		- home-nas
       		- work-nas

PROPERTY NAME PROTERTY STANDS FOR
providers:
Could be:
  • LDAP
  • AD
  • PROTECTIMUS_PASSWORD
  • PROTECTIMUS_OTP
  • RADIUS_PROXY
  • PROTECTIMUS_PUSH

  • LDAP: Authentication with LDAP provider performs an LDAP bind operation to validate user credentials. It searches for the user’s DN based on a specified filter and then attempts to bind using the provided password, ensuring the credentials are valid.
  • AD: Authentication with the AD provider performs an LDAP bind operation using the userPrincipalName. The full username is in email-like format (e.g., [email protected]), where the @example.com part is retrieved from a configuration file.
  • PROTECTIMUS_PASSWORD: The first factor will be verified using a password of the user created in Protectimus Service/Platform.
  • PROTECTIMUS_OTP: The second factor will be verified via Protectimus Service/Platform using OTP.
  • RADIUS_PROXY: current installation will be used as a proxy server only for the first factor, second factor requests will not be redirected (that’s why you should specify PROTECTIMUS_OTP provider in current configuration as well, if you need 2FA).
re-enter-otp:
When re-enter-otp is enabled, password is not requested after unsuccessful OTP check.
principal-normalization:
When normalization is enabled any domain information is stripped from the username, so “username”, “DOMAIN\username” and “[email protected]” would all resolve to a single “username”
bypass-otp:
When bypass-otp is enabled, OTP is not requested for specified users.
inline-mode:
Inline mode allows you to use 2FA in case when Access-Challenge is not supported.

Inline mode can be activated with ‘enabled: true’ or using request attributes that match.

In this case password must be in following format ‘password,otp’, if using separator: ‘,’.
 

3.2. RADIUS Settings

radius:
  secret: secret
  clients:
    - name: vpn-client
      secret: secret
      ips:
        - 10.0.0.0/24
  auth-port: 1812
  listen-address: 0.0.0.0
  dictionaries:
    - file:<some_path>/<some_name>.dat
  attributes:
    copy-state: true
    defaults:
      Service-Type: NAS-Prompt-User
    for-users:
      john:
        Service-Type: Login-User
    ldap:
      memberOf:
        '[cn=admins,ou=groups,dc=test,dc=com]':
          Service-Type: Administrative
      uid:
        john_wick:
          Class: Pro
    conditional:
      '[ldapUser.attributes["uid"] == "john"]':
        Service-Type:
          - Login-User
      '[request.getAttributeValue("User-Name") == "john"]':
        Class:
          - RDP_HeadOffice_GP
  ip-attributes:
    - NAS-IP-Address
    - NAS-IPv6-Address

PROPERTY NAME PROPERTY STANDS FOR
secret:
The secret to be used by your RADIUS server.
clients:
Clients with specific secrets (Clients are resolved based on IP address).
Each client MUST have a unique name.
auth-port:
The port where the RADIUS server will run.
listen-address:
The IP address the server listens on.
dictionaries:
Attribute list extension for RADIUS. Find an example of the dictionary extension here.
attributes:
Attributes that will be returned in response on successful authentication.
copy-state:
Copies each returned attribute into the response.
defaults:
Attributes for all users.
for-users:
Attributes for specific users.
ldap:
Attributes for specific user or group of users in LDAP.
conditional:
When conditional is enabled, it allows to specify a script that will check the condition under which the attribute will be returned.
ip-attributes:
Attributes that will return an IP address of the incoming request using the specified attribute.
 

3.3. PROTECTIMUS API Settings (setting up connection to the PROTECTIMUS service )

Configuration for PROTECTIMUS_PASSWORD/PROTECTIMUS_OTP auth provider.

protectimus-api:
    login: 
    api-key: 
    url: https://api.protectimus.com/
    resource-id:

PROPERTY NAME PROTERTY STANDS FOR
login:
Your login in the PROTECTIMUS system.
api-key:
Your API key in the PROTECTIMUS system.
url:
If you are using the PROTECTIMUS cloud service, specify the following API URL: https://api.protectimus.com/

If you are using the Protectimus on-premise platform, the API URL will be something like: protectimus.api.url=http://127.0.0.1:8080/
resource-id:
ID of the resource that you created in the PROTECTIMUS system.
 

3.4. LDAP Settings

Configuration for LDAP auth provider.

ldap:
  base: dc=test,dc=com
  urls:
    - ldap://127.0.0.1:389
  username: [email protected]
  password: secret
  principal-attribute: userPrincipalName
  custom-filter: (memberof=cn=managers,ou=groups,dc=test,dc=com)

PROPERTY NAME PROTERTY STANDS FOR
base:
The LDAP DN of Group or organizational unit containing all of the users you wish to permit to log in.
urls:
The hostname or IP address of your domain controller.
principal-attribute:
Is used for LDAP authentication by defined attribute.

If you want to authenticate user with “sAMAccountName” instead of “userPrincipalName”, specify the attributes “query-attribute” and “principal-attribute” accordingly
custom-filter:
Is used to restrict which users are allowed to authenticate.
 

3.5. RADIUS_PROXY Authentication Provider Configuration

Configuration for RADIUS_PROXY auth provider.

proxy:
  secret: secret
  auth-port: 1812
  remote-address: 192.168.1.1

PROPERTY NAME PROTERTY STANDS FOR
secret:
The secret to be used by your RADIUS_PROXY server.
auth-port:
The port where the RADIUS server will run.
remote-address:
IP address of the PROXY_RADIUS server.
 

3.6. AD Authentication Provider Configuration

Configuration for AD auth provider.

ad:
  urls:
    - ldap://127.0.0.1:389
  domain: test.com

3.7. An Example of radius.yml file

radius:
  secret: secret
  clients:
    - name: vpn-client
      secret: secret
      ips:
        - 10.0.0.0/24
  auth-port: 1812
  listen-address: 0.0.0.0
  dictionaries:
    - file:/.dat
  attributes:
    copy-state: true
    defaults:
      Service-Type: NAS-Prompt-User
    for-users:
      john:
        Service-Type: Login-User
    ldap:
      memberOf:
        '[cn=admins,ou=groups,dc=test,dc=com]':
          Service-Type: Administrative
      uid:
        john_wick:
          Class: Pro
    conditional:
      '[ldapUser.attributes["uid"] == "john"]':
        Service-Type:
          - Login-User
      '[request.getAttributeValue("User-Name") == "john"]':
        Class:
          - RDP_HeadOffice_GP
  ip-attributes:
    - NAS-IP-Address
    - NAS-IPv6-Address

auth:
  providers:
    - LDAP
    - AD
    - PROTECTIMUS_PASSWORD
    - PROTECTIMUS_OTP
    - RADIUS_PROXY
  bypass-otp:
    ldap-filter: (memberOf=cn=bypass-otp,ou=groups,dc=test,dc=com)
    usernames:
      - john
      - luci
    ips:
      - 10.0.0.0/24
      - 1::/64
  re-enter-otp: true
  principal-normalization: true
  inline-mode:
    enabled: false
    separator: ''

ldap:
  base: dc=test,dc=com
  urls:
    - ldap://127.0.0.1:389
  username:
  password:
  principal-attribute: userPrincipalName
  custom-filter: (memberof=cn=managers,ou=groups,dc=test,dc=com)

ad:
  urls:
    - ldap://127.0.0.1:389
  domain: test.com

protectimus-api:
  login: [email protected]
  api-key: secret
  url: https://api.protectimus.com/
  resource-id: 1

proxy:
  secret: secret
  auth-port: 1812
  remote-address: 192.168.1.1

3.6. Dictionary example

VENDOR      12356   fortinet 

VENDORATTR  12356   Fortinet-Group-Name         1   string 
VENDORATTR  12356   Fortinet-Access-Profile     6   string


Now you need to configure your device or application to communicate with Protectimus RADIUS Server service over RADIUS protocol.

Last updated on 2025-02-11