> RADIUS 2FA
RADIUS 2FA
The Protectimus RADIUS 2FA solution can be used to enable two-factor authentication for any software or equipment that supports RADIUS authentication protocol.
The Protectimus RADIUS Server connector works as a RADIUS server. It transfers authentication requests from the RADIUS device to the Protectimus multi-factor authentication (MFA) server and returns the answer permitting or denying access.
Add two-factor authentication (2FA / MFA) to protect your VPN, Wi-Fi, and any other software or device that supports RADIUS. To do that, integrate with Protectimus Cloud MFA Service or On-Premise Platform via RADIUS authentication protocol.
The list of software and devices that can be integrated with Protectimus via RADIUS authentication protocol includes but is not limited to:
- Ubuntu;
- macOS;
- Cisco ACS / ISE / ISR / Catalyst / SSH Network Device Access;
- Citrix ADC (NetScaler ADC), Citrix Gateway (NetScaler Gateway), Citrix Virtual Desktops (XenDesktop), Citrix Virtual Apps (XenApp);
- VMware Horizon View (VDI), VMware Horizon Cloud DaaS (VDI), VMware vCenter Server;
- OpenVPN;
- Juniper and Pulse Secure SSL VPN;
- F5 BIG-IP VPN;
- Palo Alto IPSEC and SSL VPN;
- FortiGate VPN;
- Check Point Remote Access VPN;
- Huawei SSL VPN;
- UserGate VPN;
- Windows VPN;
- Mikrotik;
- SonicWALL TZ, NSA, Aventail series;
- Wi-Fi hotspots, etc.
The Protectimus RADIUS 2FA software is easy to set up. But if you have any questions, our team is always ready to help you with deploying RADIUS two-factor authentication (2FA) even in the most complex infrastructure. Get in touch with our support team here.
To integrate Protectimus 2FA solution with your RADIUS supporting device or software you need to set up and configure Protectimus RADIUS Server, and then configure the authentication policies on the device or application you want to add Protectimus 2FA to:
- You allow the transmission of an authentication request over the RADIUS protocol to Protectimus RADIUS Server;
- The Protectimus RADIUS Server component receives and processes the authentication request;
- Then Protectimus RADIUS Server contacts the Protectimus authentication server to verify the one-time password entered by the user.
1. Install Protectimus RADIUS Server to enable RADIUS 2FA
1.1. Protectimus RADIUS Server Installation on any OS
To receive the latest version of Protectimus RADIUS Server, contact Protectimus customer service at [email protected].For Protectimus RADIUS Server to function, Java 8 must be installed.
Protectimus RADIUS Server can be started using the following command:
java -jar RProxy.jar1.2. Protectimus RADIUS Server Installation on Windows
- Download the installer here.
- Run the installer as administrator.
- Check the RProxy checkbox.
ATTENTION!
If you plan to use the Protectimus On-Premise Platform, keep the Platform checkbox checked.
If you plan to use the Protectimus SAAS Service, uncheck the Platform checkbox.
If you plan to use the Protectimus On-Premise Platform |
If you use plan to use the Protectimus SAAS Service |
 |
 |
- Java (JDK 7 and above) must be installed on the machine, if not, it will be installed automatically, click Install.
- When Java is installed, click Next.
- Choose the folder to install the Protectimus components and click Install.
- When the installation is complete, you’ll see this message.
2. Get Registered and Configure Basic Settings
- Register with the Protectimus Cloud Service and activate API or the Protectimus On-Premise Platform.
- Add Resource.
- Add Users.
- Add Tokens or activate Users’ Self Service Portal.
- Assign Tokens to Users.
- Assign Tokens with Users to the Resource.
3. Configure Protectimus RADIUS Server
Protectimus RADIUS Server settings can be configured by specifying them in the rproxy.properties file, which must be located in the same directory as the executable.Set the following values in the rpoxy.properties file:
3.1. RADIUS settings
|
The secret to be used by your authentication proxy server and your RADIUS server. |
|
The port where the RADIUS server will run. |
|
When this property is enabled (radius.re-enter-otp = true), password is not requested after an unsuccessful OTP check. |
3.2. Configuring the First Authentication Factor Check (Static Password)
|
This property specifies where exactly the user’s static password will be checked.
Possible options:
|
3.3. Setting up connection to the PROTECTIMUS service
|
Your login in PROTECTIMUS system. |
|
Your API key in PROTECTIMUS system. |
|
ID of the resource that you created in the PROTECTIMUS system. |
|
If you are using the PROTECTIMUS cloud service for RADIUS 2FA, specify the following API URL: https://api.protectimus.com/ If you are using the Protectimus on-premise platform for RADIUS 2FA, the API URL will be something like: protectimus.api.url=http://127.0.0.1:8080/ |
|
When normalization is enabled any domain information is stripped from the username, so “username”, “DOMAIN\username”, and “[email protected]” would all resolve to a single “username”. |
3.4. An example of Protectimus RADIUS Server configuration file
#------RADIUS Server------
radius.port = 1812
radius.secret = secret
radius.re-enter-otp = true
primary-authenticator = LDAP
#------Protectimus API------
protectimus.login = [email protected]
protectimus.api-key = apikey
protectimus.resource-id = 1
protectimus.api-url = https://api.protectimus.com/
protectimus.username.normalization = true
#------LDAP-----------------
ldap.account-name = cn=user,dc=example,dc=com
ldap.account-password = password
ldap.url = ldap://localhost:389
ldap.search-base = dc=example,dc=com
ldap.query-attribute = sAMAccountName
ldap.principal-attribute = userPrincipalNameNow you need to configure your device or application to communicate with Protectimus RADIUS Server service over RADIUS protocol.
Use radius.port and radius.secret for configuration.
Last updated on 2022-09-15