IBM Verify FreeRadius module for enhanced authentication.
To use this repository, you must have already setup SSH keys to the IBM Github. See a guide here. You must also already have either Vagrant or Docker & Docker Compose installed.
git clone --recursive git@github.com:IBM-Security/IBM-Verify-FreeRADIUS.git
cd IBM-Verify-FreeRADIUS/
For normal production usage:
docker build --no-cache . -t jared/verify-freeradius
docker-compose up -d
or if you want a development environment (See Building from Source for more info):
vagrant up
If you want to use the module for an existing installation of FreeRadius - skip to Existing installation setup.
The easiest way to test the environment is to use the provided test client script. Run through the Shell Test Client section and verify that the setup in the mode you have selected works.
The module is designed to be used in an environment similar to the following:
| Property Name | Type | Description | Default |
|---|---|---|---|
| mode | String | The mode of operation of the Verify FreeRadius module | simple |
| protocol | String | The protocol through which the module will communicate with ISAM | https |
| server | String | The hostname of the ISAM. | "" |
| port | Integer | The port that the module will used for communication. | 443 |
| junction | String | The junction through which the AAC policy is contained. This will be appended after the hostname:port |
/mga |
| resource | String | The PolicyID of the ISAM Radius Authentication Policy | "" |
| apikey | String | The API key used to authenticate the Radius Client to ISAM. | "" |
| client | IP Address | The clients IP address. | 0.0.0.0 |
| simple-format | String | For simple mode, the format of the OTP entry. | "" |
| otp-length | Integer | The length of the OTP | 6 |
| otp-retry | Integer | The number of times a OTP can be tried | 5 |
| reply-message | String | The string to return on a Access-Challenge or Access-Reject response. If on the Policy JSON response, a JSON property called reply_message is defined, then this will be used instead of this configuration parameter. |
This is an ISAM OTP challenge. Please enter your OTP. |
| user-suffix | String | The suffix that will be appeneded to the username on each usage. | "" |
| enabled | String/Boolean | If the module is enabled. | false |
| debug | String/Boolean | Enable debug trace. This will help in initial configuration. | false |
The following is an example configuration stanza with all the configuration parameters used:
verify {
mode = "multi",
junction = "/mga",
protocol = "https",
server = "verify.securitypoc.com",
port = 443,
resource = "urn:ibm:security:authentication:asf:totp_validate",
apikey = "YXBpLWNsaWVudDpwYXNzdzByZA==",
client = 192.168.1.1,
simple-format = "%PASS%:%OTP%",
otp-length = 6,
user-suffix = "@au1.ibm.com",
enabled = "yes",
debug = "yes",
reply-message = "MY CUSTOM TEST MESSAGE"
}
This module will support 3 modes (configurable via the radiusd.conf file) that will determine the functionality for an end user. The module cannot do all these 3 modes at once, however multi can be aliased to be very similar to simple. In addition, some Radius client programs do not support the ability to handle the radius 'Accept-Challenge' response and present information to the user appropriately. This is not a limitation of this module but rather the client.
A user will provide their username, password and OTP combination as a single field like:
username: testuser
password: passw0rd123456
Where the last 4-6 characters is the OTP. If the OTP is correct, then a Access-Accept packet will be issued, otherwise a Access-Reject packet will be issued.
A user will provide their username, password and OTP combination on prompt. An example of this is:
username: testuser
password: passw0rd
otp: 123456
This could change if there was no OTP required (by CBA policy for example). If the OTP is correct, then a Access-Accept packet will be issued. If the user does not provide the otp field in the initial request, or the OTP is wrong, then a Access-Challenge packet will be sent back. An Access-Reject packet will be sent if an error occurs in the response indicating the user hadn't registered for TOTP, the Radius Authentication was incorrect, the user wasn't found or some other internal platform error.
A user will provide their username, password and select from modes of authentication:
username: testuser
password: passw0rd
1. SMS
2. TOTP
3. Verify
verify
Waiting for you to approve on your linked device...
This flow allows a user to select HOW they would like to present their second factor of authentication.
The easiest way to test the Verify Radius module is to use the provided test script. This test script is a shell script that utilises radclient to make the appropriate calls for the different modes of the module. It assists in maintaining the Radius State parameter and challenging appropriately for the OTP when a Access-Challenge packet is recieved.
To use this script, the radclient command line package must be installed. This can usually be installed from popular package managers (like APT, YUM/DNF or Brew).
~/Verify-FreeRadius $ sh test_verify_radius.sh
usage: test_verify_radius.sh <mode> <host> <port> <secret> <user> <otp:OPTIONAL>
Example usage:
sh test_verify_radius.sh multi localhost 1812 example_verify_secret username@address.com
You may use Vagrant to build your development environment as the Quick Start section details, or use the following instructions to construct your own development environment.
- Download necessary compilation packages
The Vagrantfile essentially shows you exactly what you need to do to set up the development environment.
In the
Vagrantfile, if you look at the two scriptsubuntu_scriptandcentos_scriptyou will see what packages you need for development and compilation of FreeRadius and the module through the two different package managersAPTandYUM.
To install required YUM packages:
yum update -y
yum install gcc openssl-devel.x86_64 git libtalloc-devel libcurl-devel -y
To install required APT packages:
apt-get update -y
apt-get install -y git ssl-cert autotools-dev libgdbm-dev libpcap-dev libsqlite3-dev dpkg-dev debhelper quilt libcurl4-openssl-dev libiodbc2-dev libjson-c-dev libjson0-dev libkrb5-dev libldap2-dev libpam0g-dev libperl-dev libmysqlclient-dev libpq-dev
libreadline-dev libsasl2-dev libtalloc-dev libyubikey-dev python-dev
- Download FreeRadius release source code You can download the FreeRadius source page from the Official GitHub Respository. Choose your version carefully, the module supports version 3.0.4 and upward until 3.0.15 which is the current release at the time of publishing. The module also supports version 4.0 of FreeRadius - which is a significant change from version 3.X. To get this version of FreeRadius - you'll need to run:
git clone https://github.com/FreeRADIUS/freeradius-server.git
instead of downloading a package file.
- Make sure you can build the release from source Unzip the folder and run:
cd freeradius-server/
./configure
make clean
make
make install
Ensure the commands succeed.
- Compile with the Verify module included
Copy the
rlm_verifyfolder from this respository into thefreeradius-server/src/modules/folder. Run the following make commands again:
cd freeradius-server/
make clean
make
make install
Ensure the commands succeed.
Once you have a valid Vagrant environment, the following commands can be useful:
-
Copy the binary out of the vagrant box:
cp /home/vagrant/freeradius-server/build/lib/local/.libs/rlm_verify.so /vagrant/output/rlm_verify.so -
Copy the source from your local machine into the vagrant box::
cp /vagrant/src/rlm_verify/rlm_verify.c /home/vagrant/freeradius-server/src/modules/rlm_verify/rlm_verify.c -
Make FreeRadius and run it
cd freeradius-server/; sudo make clean; sudo make; sudo make install; radiusd -X
- Radius Configuration:
/usr/local/etc/raddb/radiusd.conf - Clients Configuration:
/usr/local/etc/raddb/clients.conf - Sites Available
/usr/local/etc/raddb/sites-available/default
The docker setup is very similar to the Existing installation setup section. The Dockerfile simply copies the binary file produced from the section Building from Source and the two configuration files; radiusd.conf and clients.conf. Notice the version of FreeRadius obtained from the Docker build is from the RedHat repositories - you may need to change this if you want a different version.
This section is for those who have an existing FreeRADIUS installation and want to use the Verify FreeRadius module.
- Stop your FreeRADIUS server.
- Copy the provided rlm_verify.so file into your FreeRADIUS installation module path. On CentOS this is at
/usr/lib64/freeradius/. Make sure it has the same permissions and user/group permissions as the files around it. - Add the module into the radiusd.conf /usr/local/etc/raddb/radiusd.conf
verify {
server = "verify.securitypoc.com",
protocol = "https",
resource = "urn:ibm:security:authentication:asf:totp_validate",
junction = "mga",
port = 443,
client = 192.168.1.1,
apikey = "YXBpLWNsaWVudDpwYXNzdzByZA==",
enabled = true,
mode = "multi",
user-suffix = "@au1.ibm.com",
simple-format = "%PASS%:%OTP%",
otp-length = 6,
debug = true
}
- Make sure your client and client secret is in clients.conf /usr/local/etc/raddb/clients.conf. The test scripts provided use the client secret of 'example_verify_secret'.
- In the authorize stanza of the available sites for the radius server (default..by default), add the module 'verify' /usr/local/etc/raddb/sites-available/default in the order you'd like it to be processed. Make sure to remove
any filters (Like
filter-usernamein 3.0.15 that might inhibit the usage.
authorize {
# There will be a bunch of other modules here configured by default - you may remove these.
verify
}
authenticate {
Auth-Type VERIFY {
verify
}
}
- Start your FreeRADIUS server.
Just like any other module in FreeRadius - you can configure the IBM Verify module to run in a highly available manner. Follow the FreeRadius guide on how to do this.
The standard tools for logging can be used for each module. Follow the FreeRadius guide on how to do this.
The following radius clients have been tested against. This is not a exhaustive list, as the module may work with others.
| Client Name | Status | Description |
|---|---|---|
| radclient | TESTED | This is the core utility officially provided by FreeRADIUS to test Radius UDP calls. |
| PAM Radius | TESTED | This is the FreeRadius provided PAM module to communicate with a FreeRadius server. |
| Dell - One Identity | TESTED | The configuration is verify similar to the linked article for Azure MFA. Certain versions of TPAM do not support Access-Challenge packets, so a failed OTP entry results in a failure, and the user is unable to try again. |
| VMWare Horizon | NOT TESTED | This module has not been tested. |
| Radius.NET | NOT TESTED | This module has not been tested. |
See CONTRIBUTING.
See LICENSE.