Auth Proxy
Overview
The RADIUS Configurations tab under the Applications menu has been renamed to Auth Proxy. Community administrators use the Auth Proxy tab in the AdminX interface to configure the proxy that authenticates RADIUS clients, LDAP clients, or both against BlockID. Its features are:
- Administrators can configure the behavior of go-radius remotely.
- The listening port can be set on the command line with -P <port>.
- The -u <uuid> parameter is required; it loads the configuration identified by that UUID (the Config ID from AdminX) from the database.
Supported Authentication Methods
The Auth Proxy server supports the following authentication methods for login; community administrators configure which of them are permitted:
- Push Authentication
- Interactive Voice Response (IVR)
- Passcodes (one-time passcodes), entered as OTP only, Password and OTP, or OTP and Password
Managing Auth Proxy Server
The community administrator can use the AdminX interface to download and configure the Auth Proxy server that fronts the Radius/LDAP protocols. This section covers the following topics:
- Creating Auth Proxy Configuration
- Modifying an Existing Auth Proxy Configuration
- Deleting an Auth Proxy Configuration
Creating Auth Proxy Configuration
The community administrator uses the Auth Proxy tab under Applications to create a new Auth Proxy configuration for Radius or LDAP authentication. A configuration supports authentication with Push, Interactive Voice Response (IVR), and passcodes.
To create a new auth proxy configuration, follow these steps:
- In the AdminX interface, navigate to Applications > Auth Proxy. The 1K Auth Proxy for RADIUS / LDAP page is displayed.
- Click + Add New Configuration. The Create new Auth Proxy Configuration page is displayed.
- In the Configuration Name field, enter a name for the configuration.
Note: Record the Config ID that AdminX assigns to the configuration. It is the value passed as -u <uuid> when you start the Auth Proxy for Radius/LDAP, and the two must match.
- In the Supported Login Methods section, select the appropriate authentication methods:
- Login with Push: When enabled, users authenticate to their Radius/LDAP client by approving a push notification on their mobile device in the BlockID Mobile Application. Instead of a password, the user enters the keyword push in the password field, which triggers the push notification to their BlockID mobile; the user then approves it with their enrolled biometrics, such as a fingerprint or face scan.
- To enable, check the Login with Push box.
- To disable, uncheck the Login with Push box.
- Login with Interactive Voice Response (IVR): When enabled, users authenticate to their Radius/LDAP client through an IVR call to their mobile device. They provide their username and enter the keyword phone in the password field. This initiates a phone call to the user's registered number, where the IVR prompts them to press the indicated key to authorize the authentication.
- Login with passcodes: Administrators can enable passcode login and define which One-Time Passcode (OTP) combination is accepted. Select one of the following options:
- Not supported: Users are not allowed to log in using passcodes.
- Prompt for OTP only: When prompted for a password, the user provides only the 6-digit passcode.
- Prompt for Password and OTP: When prompted for a password, the user provides the password with the 6-digit passcode appended to the end. Example: MyP@ssw0rd873174
- Prompt for OTP and Password: When prompted for a password, the user provides the password with the 6-digit passcode prepended to the beginning. Example: 873174MyP@ssw0rd
- Download the Auth Proxy server for Radius/LDAP for the desired OS: Windows, Linux, or Mac. The download is a zip archive that comes preconfigured with your community license key, so store and transfer it as you would any other credential.
- After configuring your Auth Proxy server, click Create to save the configuration in AdminX.
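How the proxy has to interpret the password field under each of the settings above, as an added example in Python (this is not code from 1Kosmos or the go-authproxy project). The keywords push and phone and the 6-digit OTP rule come from the steps above; Config, Credential and parse_password_field are this example's own names, and the order of checks (keywords first, then the configured passcode format) is an assumption about the proxy, not documented behaviour.

```python
"""Added example: interpret the RADIUS/LDAP password field under the
Supported Login Methods settings. Names and check order are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

OTP_LEN = 6
OTP_RE = re.compile(r"^\d{6}$")


@dataclass(frozen=True)
class Config:
    """One Auth Proxy configuration as selected in AdminX (assumed shape)."""
    push: bool = True
    ivr: bool = True
    # not_supported | otp_only | password_otp | otp_password
    passcode_mode: str = "not_supported"


@dataclass(frozen=True)
class Credential:
    method: str                     # "push" | "phone" | "otp" | "password_otp"
    otp: Optional[str] = None
    password: Optional[str] = None


def parse_password_field(field: str, cfg: Config) -> Credential:
    """Return the credential the proxy would act on, or raise ValueError
    when the field matches no enabled method (the login is rejected)."""
    # Keywords take precedence over passcode parsing (assumption).
    if field == "push":
        if not cfg.push:
            raise ValueError("Login with Push is disabled")
        return Credential(method="push")
    if field == "phone":
        if not cfg.ivr:
            raise ValueError("Login with IVR is disabled")
        return Credential(method="phone")

    mode = cfg.passcode_mode
    if mode == "not_supported":
        raise ValueError("passcode login is disabled")
    if mode == "otp_only":
        if not OTP_RE.match(field):
            raise ValueError("expected exactly 6 digits")
        return Credential(method="otp", otp=field)

    # Combined modes: the OTP occupies a fixed position, so the proxy never
    # has to guess where a password full of digits ends.
    if len(field) <= OTP_LEN:
        raise ValueError("field too short to hold password and OTP")
    if mode == "password_otp":          # MyP@ssw0rd873174
        password, otp = field[:-OTP_LEN], field[-OTP_LEN:]
    elif mode == "otp_password":        # 873174MyP@ssw0rd
        otp, password = field[:OTP_LEN], field[OTP_LEN:]
    else:
        raise ValueError(f"unknown passcode mode {mode!r}")
    if not OTP_RE.match(otp):
        raise ValueError("OTP portion is not 6 digits")
    return Credential(method="password_otp", otp=otp, password=password)
```

Because the proxy only ever sees the password field, the OTP position is fixed by configuration: in Password and OTP mode the last six characters are always the OTP, so a password that itself ends in digits still works, but only one of the two concatenation formats can be active for a configuration.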
Modifying an Existing Auth Proxy Configuration
You can use the AdminX interface to modify an existing Auth Proxy configuration at any time. To modify your Auth Proxy configuration, follow these steps:
- Navigate to the Auth Proxy configuration you want to edit and click the pencil icon in the Actions column on the right.
- Make the desired changes and click Save. You can also download a fresh copy of the Auth Proxy server built with the modified configuration. Note: Allow 10 minutes for the changes to take effect.
Deleting an Existing Auth Proxy Configuration
Community administrators can use the AdminX interface to delete an existing Auth Proxy configuration.
To delete an existing Auth Proxy configuration, follow these steps:
- Navigate to the Auth Proxy configuration that you want to delete and click the trash icon, located in the Actions column on the right pane.
- In the Delete Configuration pop-up that is displayed, click Yes, delete.
Note: After the configuration is removed, users can no longer authenticate through a proxy started with the deleted Config ID.
Configuring Community for Radius/LDAP Servers
After downloading the Auth Proxy for Radius/LDAP, copy the archive to your server and extract its contents to a folder of your choosing. The folder contains the authProxy application, the license.json file, and some bash scripts.
The license.json file holds the details required to connect to 1Kosmos services. Its structure is as follows:
{
"licenseKey":"xxxxxx-997b-xxxx-81f2-46a02be18b83",
"tenantDNS":"acme.1kosmos.net",
"communityId": "5f3d8d0cd866fa61019cf969"
}
The following table describes the parameters of the config file (key names are case sensitive and must be spelled as shown):
Parameter | Description | Expected Value | Sample Value |
---|---|---|---|
licenseKey | License key required to connect to 1Kosmos services | <licence key> | Xxxxxxx-89d8-xxxx |
tenantDNS | DNS name of the tenant to connect to | <tenant DNS name> | acme.1kosmos.net |
communityId | Identifier of the community within the tenant | <community ID or name> | default |
proxyUrl (optional) | URL of the outbound HTTP proxy, if one is required | <proxy url> | http://12.12.12.12:8083/proxy.pac |
proxyUser (optional) | Username for an authenticating outbound proxy; the password is supplied on the command line with -p | <proxy user> | proxyuser |
The following examples show how to fill in license.json for the tenant details alone, with an outbound proxy URL, and with an authenticating proxy:
To configure the tenant details:
{
"licenseKey":"xxx-xxxx-xxxxx-xxxx-xxxx-xxxxxxx",
"tenantDNS":"acme.1kosmos.net",
"communityId": "5ffdsnjua61019dww986"
}
To configure the tenant details and a proxy URL:
{
"licenseKey":"xxxx-xxxxxxxx-xxxxx-xxxxxx",
"tenantDNS":"acme.1kosmos.net",
"communityId": "5sxzzzxxxx9879",
"proxyUrl": "http://proxy.example.com"
}
To configure the tenant details, a proxy URL, and a proxy user:
{
"licenseKey":"xxxxxx-xxxxx-xxxx-xxxxxx",
"tenantDNS":"acme.1kosmos.net",
"communityId": "5fewwwjjz444544444sfxxxx",
"proxyUrl": "http://proxy.example.com",
"proxyUser": "proxy"
}
Once license.json is in place, open a terminal window, change to the folder containing the bash scripts, and run the commands in the following sections to start the Radius/LDAP server.
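A pre-flight check for license.json, as an added Python example (not part of the Auth Proxy distribution). The key names come from the table above; the checks themselves, namely required keys present, tenantDNS shaped like a host name rather than an e-mail-style string, optional proxy keys spelled the way the proxy expects, proxyUser not given without proxyUrl, and the file not readable by other users because it carries the license key, are this example's own, and check_license, check_license_file and HOST_RE are hypothetical names.

```python
"""Added example: validate license.json before starting the Auth Proxy.
Key names follow the documented file; the checks are this example's own."""
import json
import os
import re
import stat
from typing import List

REQUIRED = ("licenseKey", "tenantDNS", "communityId")
OPTIONAL = ("proxyUrl", "proxyUser")
# A dotted host name: labels of letters/digits/hyphens, at least one dot.
HOST_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$")


def check_license(doc: dict) -> List[str]:
    """Return a list of problems; an empty list means the document is usable."""
    problems: List[str] = []
    for key in REQUIRED:
        if not isinstance(doc.get(key), str) or not doc[key].strip():
            problems.append(f"missing or empty required key {key!r}")

    known = set(REQUIRED) | set(OPTIONAL)
    for key in doc:
        if key not in known:
            # Catches casing slips such as proxyURL or communityID, which the
            # proxy would silently ignore.
            hint = next((k for k in known if k.lower() == key.lower()), None)
            problems.append(f"unknown key {key!r}"
                            + (f" (did you mean {hint!r}?)" if hint else ""))

    host = doc.get("tenantDNS")
    if isinstance(host, str) and host and not HOST_RE.match(host):
        problems.append(f"tenantDNS {host!r} is not a DNS name")

    if "proxyUser" in doc and "proxyUrl" not in doc:
        problems.append("proxyUser given without proxyUrl")
    url = doc.get("proxyUrl")
    if isinstance(url, str) and not re.match(r"^https?://", url):
        problems.append("proxyUrl must start with http:// or https://")
    return problems


def check_license_file(path: str) -> List[str]:
    """File-level checks, then the document checks above."""
    problems: List[str] = []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("license.json is readable by group/others; "
                        "it holds the license key, so chmod 600 it")
    with open(path, encoding="utf-8") as fh:
        try:
            doc = json.load(fh)
        except json.JSONDecodeError as exc:   # e.g. a missing comma
            return problems + [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(doc, dict):
        return problems + ["top-level JSON value must be an object"]
    return problems + check_license(doc)
```

Run check_license_file("license.json") from the extracted folder before the first start; the permission check matters because the archive ships with the community license key already embedded.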
Command Line Arguments
Enter your Config ID from AdminX as the UUID (-u). The two strings must match for the Radius/LDAP server to work. Option letters are case sensitive: uppercase -P sets the listening port, lowercase -p sets the proxy password.
Common Parameters for Both Radius and LDAP Servers
- -u <uuid> (required): Set your UUID. Use your Config ID from AdminX.
- -p <proxy password> (optional): Set the password for the authenticating outbound proxy named by proxyUser in license.json.
The following parameters apply specifically to the Radius and LDAP servers.
Radius parameters:
- -r (required to start the Radius server; takes no value). It can be combined with the LDAP -l parameter to start both the Radius and LDAP servers from one instance.
- -P <port> (optional): Port to listen on (default 1812).
- -s <secret> (optional): RADIUS shared secret. The built-in default is the literal string secret; always set your own before pointing clients at the server.
LDAP parameters:
- -l <ldap|ldaps>[:port]: Protocol to serve and, optionally, a custom port, for example -l "ldaps:1389". Starts the LDAP server.
- -b <base DN>: Base DN. Bind DNs must be subordinate to it (see the ldapsearch examples below); every LDAP example on this page passes it.
- -c <common name> (optional): Certificate common name.
Example: ./startGoAuthProxy.bsh -P 1813 -u 20783f4d-fc7a-4133-b379-1224f1e3c92e -l "ldaps:1389" -b "dc=example,dc=com" -c "test.example.com"
- -d <dns list>: Comma-separated list of DNS names the certificate should be valid for, used in client-side domain validation. Example with common name test.example.com and DNS names "*.example.net,*.example.com":
./startGoAuthProxy.bsh -P 1813 -u 20783f4d-fc7a-4133-b379-1224f1e3c92e -l "ldaps:1389" -b "dc=example,dc=com" -c "test.example.com" -d "*.example.net,*.example.com"
Starting the Radius Server Service
To start the go-radius server, run the following commands. The -u <uuid> parameter is required.
cd <INSTALL>
./startRadius.bsh -u 7e9e71aa-3ad3-11ee-be56-0242ac120002
To start the server on port 1815, use the -P <port> option (default port is 1812):
./startRadius.bsh -P 1815 -u 7e9e71aa-3ad3-11ee-be56-0242ac120002
To start the server with a proxy password, use the lowercase -p option followed by the password:
./startRadius.bsh -p `<proxy password>` -u 7e9e71aa-3ad3-11ee-be56-0242ac120002
To start the server with a new radius secret, run the following command:
./startRadius.bsh -s `<new secret>` -u 7e9e71aa-3ad3-11ee-be56-0242ac120002
Note: If the RADIUS secret contains bash special characters ($, (, ), and so on), quote or escape it so that bash does not interpret them. For example, the secret secret$pecialchar(12) must be passed as -s 'secret$pecialchar(12)' or -s secret\$pecialchar\(12\); passed unquoted, bash would expand $pecialchar and treat the parentheses as syntax, and the server would end up with a different secret than the one configured on the client.
LDAP/LDAPS Parameters
You can configure the go-authproxy authentication server with the following LDAP parameters. The default ports are 389 for LDAP and 636 for LDAPS; to use a custom port, append it to the protocol, for example ldap:1389 or ldaps:2333.
- On Linux and macOS, you need root access to run servers on ports below 1024, including LDAP on port 389 and LDAPS on port 636.
- Currently, a single GoAuthProxy instance does not support multiple LDAP/LDAPS servers simultaneously.
The following table provides details on different examples of LDAP parameters:
Action | Example |
---|---|
Start the LDAP server on the default port 389. If no port number is specified, the default port (389) is used. | ./startGoAuthProxy.bsh -u 20783f4d-fc7a-4133-b379-1224f1e3c92e -l "ldap" -b "ou=People,dc=example,dc=com" |
Start the LDAPS server on the custom port 1389 | ./startGoAuthProxy.bsh -u 20783f4d-fc7a-4133-b379-1224f1e3c92e -l "ldaps:1389" -b "ou=People,dc=example,dc=com" |
Start the LDAPS server on the custom port 1389 and the Radius server on its default port 1812 | ./startGoAuthProxy.bsh -u 20783f4d-fc7a-4133-b379-1224f1e3c92e -r -l "ldaps:1389" -b "ou=People,dc=example,dc=com" |
The following examples show a successful and an unsuccessful LDAP bind DN (-D) operation using ldapsearch against a proxy started with -b "ou=People,dc=example,dc=com":
Bind success: DN CN=testuser,ou=People,dc=example,dc=com is subordinate to ou=People,dc=example,dc=com
ldapsearch -Z -x -H ldaps://test.example.com:1389 -D "CN=testuser,ou=People,dc=example,dc=com" -w "push" ...
Bind fail: DN CN=testuser,ou=People,dc=foo,dc=com is NOT subordinate to ou=People,dc=example,dc=com
ldapsearch -Z -x -H ldaps://test.example.com:1389 -D "CN=testuser,ou=People,dc=foo,dc=com" -w "push" ...
ldapsearch example escaping the password (-w) so that the shell does not expand $:
ldapsearch -Z -x -H ldaps://test.example.com:1389 -D "CN=testuser,ou=People,dc=foo,dc=com" -w "testPassword123\$238915" ...
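The subordinate test behind the two ldapsearch results above, as an added Python example (not the go-authproxy implementation): it decides whether a bind DN lies under the -b base DN. It compares RDN by RDN after normalizing attribute types, case and whitespace, rather than checking that one string ends with the other, so a DN such as CN=x,xou=People,dc=example,dc=com is rejected even though it shares the base's trailing characters. split_dn and is_subordinate are this example's own names, and the handling of DN syntax is deliberately minimal (backslash escapes only, no multi-valued RDNs).

```python
"""Added example: is a bind DN subordinate to the configured base DN?
Not the proxy's own code; minimal RFC 4514 handling (escapes only)."""
from typing import List


def split_dn(dn: str) -> List[str]:
    """Split a DN on unescaped commas and normalize each RDN to
    'type=value' with a lowercase type and a case-folded, trimmed value."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                  # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))

    normalized = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r}")
        attr_type, value = rdn.split("=", 1)
        normalized.append(f"{attr_type.strip().lower()}={value.strip().lower()}")
    return normalized


def is_subordinate(bind_dn: str, base_dn: str) -> bool:
    """True when bind_dn sits strictly below base_dn. A bind as the base
    entry itself is not a user entry and is refused."""
    parts, base = split_dn(bind_dn), split_dn(base_dn)
    return len(parts) > len(base) and parts[-len(base):] == base
```

A plain suffix comparison (bind_dn.endswith(base_dn)) would accept the xou=People case and reject harmless spelling differences such as OU=people; comparing normalized RDN lists does neither.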
Configuring Radius Secret
Your RADIUS client and the RADIUS goauthproxy server must be configured with the same shared secret. The shared secret is case sensitive and may be at most 256 bytes long; it should be at least 16 characters, and the default value secret must not be used in production.
Examples: The following table shows sample commands for starting the RADIUS server service with a shared secret:
Start the Radius server on... | Syntax |
---|---|
Port 1813 using the default secret | ./startGoAuthProxy.bsh -P 1813 -u 20783f4d-fc7a-4133-b379-1224f1e3c92e -r |
Port 1812 using the default secret | ./startGoAuthProxy.bsh -u 20783f4d-fc7a-4133-b379-1224f1e3c92e -r |
Port 1813 using the escaped secret | ./startGoAuthProxy.bsh -P 1813 -u 7e9e71aa-3ad3-11ee-be56-0242ac120002 -s secret\$pecialchar\(12\) -r |
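Why the client and the proxy must agree on the secret, shown as an added Python example (not go-radius or any 1Kosmos code). RFC 2865 has the client hide User-Password by XORing it with MD5(secret + Request Authenticator) and has the server sign its reply with MD5(reply header + attributes + secret); with mismatched secrets the proxy decodes garbage instead of push or MyP@ssw0rd873174, and the client rejects the reply. The secret, user name and password field values are constructed for the example, and demo, hide_password, server_password_field and the other function names are this example's own.

```python
"""Added example: RFC 2865 User-Password hiding and Response Authenticator,
to show what a mismatched shared secret does. Not the proxy's own code."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret + c_{i-1}),
    with c_0 = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; NUL padding is stripped."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, user: str, pw_field: str, secret: bytes):
    """Client side. pw_field is whatever the user typed at the password
    prompt, e.g. "push" or "MyP@ssw0rd873174". Returns (packet, req_auth)."""
    req_auth = os.urandom(16)
    attrs = attr(ATTR_USER_NAME, user.encode()) + attr(
        ATTR_USER_PASSWORD, hide_password(pw_field.encode(), secret, req_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def server_password_field(packet: bytes, secret: bytes) -> bytes:
    """Server side: the password field as the proxy sees it with ITS secret."""
    req_auth = packet[4:20]
    pos = 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            raise ValueError("malformed attribute")
        if attr_type == ATTR_USER_PASSWORD:
            return reveal_password(packet[pos + 2:pos + length], secret, req_auth)
        pos += length
    raise ValueError("no User-Password attribute")


def build_access_accept(ident: int, req_auth: bytes, secret: bytes,
                        attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(header + ReqAuth + attrs + secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def client_verify_reply(reply: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Client side: a reply signed with a different secret fails this check."""
    header, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    return hashlib.md5(header + req_auth + attrs + secret).digest() == resp_auth


def demo(client_secret: bytes, server_secret: bytes,
         pw_field: str = "MyP@ssw0rd873174"):
    """One exchange: what the server decodes and whether the client trusts the reply."""
    packet, req_auth = build_access_request(7, "testuser", pw_field, client_secret)
    seen = server_password_field(packet, server_secret)
    reply = build_access_accept(7, req_auth, server_secret)
    return seen, client_verify_reply(reply, req_auth, client_secret)
```

Only User-Password is hidden, and only with an MD5 keystream derived from the secret, so a weak or default secret exposes every password field (including the OTP and password combinations) to anyone who can capture the traffic between the RADIUS client and the proxy; that is why the secret should be long, random and never left at the default.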
Stopping the Radius/LDAP Servers
To stop the Radius/LDAP servers, execute the stopGoAuthProxy.bsh command with the port of the instance to stop.
The following table outlines the commands required to stop the server:
Port | Command |
---|---|
1636 (LDAP) | ./stopGoAuthProxy.bsh -P 1636 |
1814 (Radius) | ./stopGoAuthProxy.bsh -P 1814 |
Directory Creation for Logs
The start script creates a directory for logs and PID files named after the Radius/LDAP port the instance listens on. The following table shows the port used by each example invocation.
Port | Example |
---|---|
1812 | ./startGoAuthProxy.bsh -P 1812 -u 20783f4d-fc7a-4133-b379-1224f1e3c92e -r |
1813 | ./startGoAuthProxy.bsh -P 1813 -u 20783f4d-fc7a-4133-b379-1224f1e3c92e -r |
389 | ./startGoAuthProxy.bsh -u 20783f4d-fc7a-4133-b379-1224f1e3c92e -l ldap -b "ou=People,dc=example,dc=com" |
636 | ./startGoAuthProxy.bsh -u 20783f4d-fc7a-4133-b379-1224f1e3c92e -l ldaps -b "ou=People,dc=example,dc=com" |
1389 | ./startGoAuthProxy.bsh -u 20783f4d-fc7a-4133-b379-1224f1e3c92e -l ldap:1389 -b "ou=People,dc=example,dc=com" |