RADIUS

One of the possible ways to interact with Protectimus is using the RADIUS protocol.

You need to set up and configure Protectimus RProxy, and then configure the authentication policies on the device or application you want to add Protectimus 2FA to:
  1. You allow the transmission of an authentication request over the RADIUS protocol to Protectimus RProxy;
  2. The Protectimus RProxy component receives and processes the authentication request;
  3. Then Protectimus RProxy contacts the Protectimus authentication server to verify the one-time password entered by the user.

1. Install Protectimus RProxy

1.1. Protectimus RProxy Installation on any OS

To receive the latest version of Protectimus RProxy, contact Protectimus customer service at [email protected].

For RProxy to function, Java 8 must be installed.

RProxy can be started using the following command:
java -jar RProxy.jar

1.2. Protectimus RProxy Installation on Windows

  1. Download the installer here.
  2. Run the installer as administrator.
  3. Check the RProxy checkbox.

    ATTENTION!
    If you plan to use the Protectimus On-Premise Platform, keep the Platform checkbox checked.
    If you plan to use the Protectimus SAAS Service, uncheck the Platform checkbox.

  4. Java (JDK 7 and above) must be installed on the machine. If it is not, it will be installed automatically; click Install.
  5. When Java is installed, click Next.
  6. Choose the folder to install the Protectimus components and click Install.
  7. When the installation is complete, you’ll see a message confirming that the installation was successful.

2. Get Registered and Configure Basic Settings

  1. Register with the Protectimus Cloud Service and activate API or the Protectimus On-Premise Platform.
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

3. Configure Protectimus RProxy

RProxy settings can be configured by specifying them in the rproxy.properties file, which must be located in the same directory as the executable.

Set the following values in the rproxy.properties file:

3.1. RADIUS settings

radius.secret
The secret to be used by your authentication proxy server and your RADIUS server.
radius.port
The port where the RADIUS server will run.
radius.re-enter-otp
When this property is enabled (radius.re-enter-otp = true), the password is not requested again after an unsuccessful OTP check.

3.2. Configuring the First Authentication Factor Check (Static Password)

primary-authenticator
This property specifies where exactly the user’s static password will be checked. Possible options:
  1. PROTECTIMUS – the static password verification will be carried out by the PROTECTIMUS system.
primary-authenticator = PROTECTIMUS
  2. LDAP – the static password verification will be carried out on the LDAP (AD) side. To do this, you need to use the appropriate properties:
ldap.url
The hostname or IP address of your domain controller.
ldap.search-base
The LDAP DN of the group or organizational unit containing all of the users you wish to permit to log in.
ldap.account-name
The username of a domain account that has permission to bind to your directory and perform searches.
ldap.account-password
The password corresponding to the domain account.
ldap.query-attribute
ldap.principal-attribute
If you want to authenticate users with “sAMAccountName” instead of “userPrincipalName”, specify the “query-attribute” and “principal-attribute” attributes accordingly.
  3. If static password verification is not required (for example, the service supports the N factor), leave the property empty. In this case, only the OTP password will be checked.

3.3. Setting up connection to the PROTECTIMUS service

protectimus.login
Your login in the PROTECTIMUS system.
protectimus.api-key
Your API key in the PROTECTIMUS system.
protectimus.resource-id
ID of the resource that you created in the PROTECTIMUS system.
protectimus.api-url
If you are using the PROTECTIMUS cloud service, specify the following API URL: https://api.protectimus.com/

If you are using the Protectimus on-premise platform, the API URL will be something like: protectimus.api.url=http://127.0.0.1:8080/
protectimus.username.normalization
When normalization is enabled, any domain information is stripped from the username, so “username”, “DOMAIN\username”, and “[email protected]” would all resolve to a single “username”.

3.4. An example of Protectimus RProxy configuration file

#------RADIUS Server------
radius.port = 1812
radius.secret = secret
radius.re-enter-otp = true
primary-authenticator = LDAP

#------Protectimus API------
protectimus.login = [email protected]
protectimus.api-key = apikey
protectimus.resource-id = 1
protectimus.api-url = https://api.protectimus.com/
protectimus.username.normalization = true

#------LDAP-----------------
ldap.account-name = cn=user,dc=example,dc=com
ldap.account-password = password
ldap.url = ldap://localhost:389
ldap.search-base = dc=example,dc=com
ldap.query-attribute = sAMAccountName
ldap.principal-attribute = userPrincipalName
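
The sample file above uses placeholder values for radius.secret, protectimus.api-key and ldap.account-password, so a pre-deployment check of rproxy.properties is worth having. The following is an added example, not Protectimus code: the placeholder list, the loopback exemption and the simplified key = value parser are assumptions, and the 16-character minimum follows the RFC 2865 recommendation for RADIUS shared secrets.

```python
from urllib.parse import urlparse

# Constructed input: the sample values from section 3.4 of this page.
SAMPLE = """\
radius.port = 1812
radius.secret = secret
primary-authenticator = LDAP
protectimus.api-key = apikey
protectimus.api-url = https://api.protectimus.com/
ldap.account-password = password
ldap.url = ldap://localhost:389
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
PLACEHOLDERS = {"secret", "password", "apikey", "changeme"}  # assumed list
MIN_SECRET_LEN = 16  # RFC 2865 recommends at least 16 octets

def parse_properties(text):
    """Parse 'key = value' lines only; '#' and '!' start a comment."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def remote_without(scheme, url):
    """True when url targets a non-loopback host without the given scheme."""
    parsed = urlparse(url)
    return parsed.scheme != scheme and parsed.hostname not in LOOPBACK

def audit(props):
    """Return the keys whose values weaken the deployment, with a reason."""
    findings = {}
    secret = props.get("radius.secret", "")
    if secret.lower() in PLACEHOLDERS or len(secret) < MIN_SECRET_LEN:
        findings["radius.secret"] = "placeholder or shorter than 16 characters"
    for key in ("ldap.account-password", "protectimus.api-key"):
        if props.get(key, "").lower() in PLACEHOLDERS:
            findings[key] = "placeholder value left in place"
    authenticator = props.get("primary-authenticator", "")
    if authenticator == "LDAP" and remote_without("ldaps", props.get("ldap.url", "")):
        findings["ldap.url"] = "passwords cross the network in cleartext LDAP"
    if remote_without("https", props.get("protectimus.api-url", "")):
        findings["protectimus.api-url"] = "API traffic not protected by TLS"
    if not authenticator:
        findings["primary-authenticator"] = "empty: only the OTP is checked"
    return findings

if __name__ == "__main__":
    for key, reason in audit(parse_properties(SAMPLE)).items():
        print(f"{key}: {reason}")
```

Because the file stores the RADIUS secret, the API key and the LDAP bind password in cleartext, restrict read access to the account that runs RProxy.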

Now you need to configure your device or application to communicate with the RProxy service over the RADIUS protocol.

Use radius.port and radius.secret for configuration.
Last updated on 2022-01-28