
RADIUS Authentication

Connector name: agtradius

Connector type: Executable

Type (UI field value): RADIUS Authentication

Connector status / support: Bravura Security-Verified

This connector has been tested and is fully supported by Bravura Security.

The agtradius connector allows Bravura Security Fabric to prompt users for their RADIUS passcodes and interfaces with the RADIUS server to determine whether those users should be granted access to Bravura Security Fabric.

A number of systems use RADIUS as a backend to store a security token, including:

  • SafeWord

  • RSA Authentication Manager

  • DUO Security

  • Unix systems like IBM’s AIX or various Linux systems

In some cases it may be simpler to use challenge-response authentication against the RADIUS back end instead of the main tool, especially in the case of RSA or SafeWord; however, the agtradius connector does not support listing, so you must create the list file as described in Creating a list file to support challenge-response authentication.

The following Bravura Security Fabric operations are supported by this connector (depending on your product license and version):

  • challenge response authentication

For a full list and explanation of each connector operation, see connector operations.

Preparation

Before you can target RADIUS Authentication, you must:

  • Configure the RADIUS client and shared secret

  • Create a list file to support challenge-response authentication

Configuring the RADIUS client and shared secret

Bravura Security Fabric uses the RADIUS client configuration and the shared secret from the RADIUS Authentication server for its authentication connections and to perform Bravura Security Fabric operations.

Configure a RADIUS client and shared secret on the RADIUS Authentication server to allow authentication connections for the Bravura Security Fabric operations.

The shared secret is used as the password of the administrator account in the target configuration.

Creating a list file to support challenge-response authentication

If you are using RADIUS Authentication as a challenge-response back end, you must have a SQLite database list file to associate users during auto-discovery, so that users can authenticate against the target system.

You can create the file by copying it from another target such as from an Active Directory or RSA Authentication Manager target system.

Refer to Creating a list file and copying data from other targets for how to use the Copy data from these targets, separated by commas, during auto-discovery target system option to copy the listing data from one or more other targets into the list file for this target. That approach also uses the Connector execution order auto-discovery list and a post-psupdate script on the target you are copying data to.

Alternatively, you can use the List Override target address option to create the list file as noted below.

In this case the List Override target address option, together with the listoverride.py sample script, is used to automatically copy the list file from the other target into a new list file for the RADIUS target during auto-discovery.

You can configure this using the following steps:

  1. Copy the listoverride.py script from samples to the <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\script\ directory.

  2. Set the List Override target address option to one of the examples noted below.

  3. Ensure List accounts is checked in the target system settings.

  4. Set the Connector execution order for the targets.

If you are copying the list file from an RSA Authentication Manager target (where RSAAM is the target ID), or from another source whose longid is the same as the shortid and therefore does not need to be replaced, set the List Override target address option to the following:

{action=copy;srcTargetId=RSAAM;}

Normally a RADIUS server lists its users from a customer’s directory (Windows AD or some other LDAP).

If copying the list file from another source such as from Active Directory, a postHook specification must be added in order to ensure that the values from the longid fields are replaced with those from shortid. The short IDs match those of users on the RADIUS Authentication target system.

In this case and where ADDN is the target id from the target that you are copying from, set the List Override target address option to the following:

{action=copy;srcTargetId=ADDN;script=listoverride.py;postHook=replaceLongIdWithShortId;}

The source target must list first during auto-discovery. Configure this by clicking Maintenance > Auto discovery > Connector execution order and ensuring that the source target is added and has a higher priority than the target that you are copying to.

The list file must contain accounts for all users who have accounts on RADIUS, and only those users.

  • If the RADIUS list file does not contain some accounts from the RADIUS target system, or the account does not associate to the user’s profile, then the option to use the authentication chain described in Adding RADIUS authentication to Bravura Security Fabric will not be shown to that user.

  • If the RADIUS authentication method is the only one the user can choose at any step in the authentication chain, and there is no account associated, then login will fail.

  • If the RADIUS list file contains accounts which do not exist on the RADIUS target, users who do not have accounts will be presented with that option for authentication, and if they choose it, it will fail.

Targeting the RADIUS Authentication system

For each RADIUS Authentication system, add a target system in Bravura Security Fabric (Manage the System > Resources > Target systems):

  • Type is RADIUS Authentication.

  • Address uses the options described in the table below.

    The address is entered as follows:

    {[listOverride={action=copy;srcTargetId=<source target id>;script=<script name>;postHook=<hook name>;};]server=<server1[:port]>,<server2[:port]>,<server3[:port]>;[port=<port>;][realm=<security realm>;][timeout=<connection timeout>;]enabledefaultpwd=<true|false>;[defaultpwd=<password>;][attribs=<{key01=value01;key02=value02;}>;]ppphint=<true|false>;boguspkt=<true|false>;}

  • Administrator ID and Password are the credentials for the RADIUS shared secret. The administrator ID can be any value, as it is not used for authentication. The password must be the RADIUS shared secret configured on the RADIUS Authentication server.

The full list of target parameters is explained in Target system options.

Table 1. RADIUS Authentication address configuration

Options marked (required) must be set.

Server (required) (key: server)

    The IP address or domain name of one or more authentication servers. Multiple servers may be specified in a comma-separated list for failover authentication. A port number may optionally be given for each individual server in the format server:port.

Port (key: port)

    Port to connect to on the authentication server. This value is used when no port number is specified for an individual server in the Server option. Default is 1812.

Security realm (key: realm)

    RADIUS realm to use.

Timeout for connection (key: timeout)

    Total amount of time the connector will wait for a response from the authentication server. The time is divided between three tries.

Skip password authentication? (key: enabledefaultpwd)

    Select to provide a default password for this target system. When an external factor (such as pressing OK on a mobile phone) is used, this is typically combined with password authentication through another target system to complete a two-factor login.

Placeholder password to use when skipping password authentication (key: defaultpwd)

    The default password text. This is required when Skip password authentication? is checked.

Additional RADIUS attributes (key: attribs)

    This value must be in the format {key01=value01;key02=value02;} for any number of key=value pairs. The key must be from the list in radius_access (which is a subset of http://freeradius.org/rfc/attributes.html) and the values must match the specification for that key.

Send PPP Hint? (key: ppphint)

    Select if the connection uses a link framing protocol such as Point-to-Point Protocol.

Send additional bogus packet? (key: boguspkt)

    Select to send a malformed packet along with a valid one.

List Override (key: listOverride)

    Provides the ability to override the default agent's list operation functionality. Requires version 12.x or greater.
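The address string packs every option in Table 1 into one nested {key=value;...} record, which is easy to get wrong by hand. The following is an added example, not Bravura Security Fabric code: the grammar is inferred from the address syntax shown on this page, and the hostnames, realm and attribute value in SAMPLE_ADDRESS are constructed. It parses that format, applies the defaults the table states (port 1812, the timeout shared across three tries) and the one dependency it states (defaultpwd is required when enabledefaultpwd is true), and returns either a usable configuration or a specific reason the address is invalid, so an address can be checked before the target is saved.

```python
"""Parse and validate an agtradius-style target address.

Added example, not Bravura Security Fabric code. The grammar follows the
address syntax on this page: {key=value;...}, where a value may itself be a
{...} block (listOverride, attribs). Defaults and rules come from Table 1.
"""

DEFAULT_PORT = 1812  # Port option: "Default is 1812"
TRY_COUNT = 3        # Timeout option: "divided between three tries"


def _matching_brace(body: str, start: int) -> int:
    depth = 0
    for j in range(start, len(body)):
        depth += (body[j] == "{") - (body[j] == "}")
        if depth == 0:
            return j  # index of the '}' closing the '{' at body[start]
    raise ValueError("unbalanced braces in address")


def parse_block(text: str) -> dict:
    """Parse one '{k=v;k=v;}' block into a dict; nested blocks become dicts."""
    text = text.strip()
    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError("address block must be enclosed in braces")
    body, result, i = text[1:-1], {}, 0
    while i < len(body):
        if body[i] in "; \t\r\n":  # separators between pairs
            i += 1
            continue
        eq = body.find("=", i)
        if eq == -1:
            raise ValueError(f"expected key=value at {body[i:]!r}")
        key, i = body[i:eq].strip(), eq + 1
        if i < len(body) and body[i] == "{":  # nested block as value
            j = _matching_brace(body, i)
            result[key], i = parse_block(body[i:j + 1]), j + 1
        else:  # scalar value runs to the next ';'
            end = body.find(";", i)
            end = len(body) if end == -1 else end
            result[key], i = body[i:end].strip(), end
    return result


def parse_bool(key: str, value: str) -> bool:
    """The page documents these flags as <true|false>; accept nothing else."""
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ValueError(f"{key} must be true or false, got {value!r}")


def parse_radius_address(address: str) -> dict:
    """Validate the address string into a dict; ValueError carries the reason."""
    opts = parse_block(address)
    if "server" not in opts:
        raise ValueError("missing required option: server")
    default_port = int(opts.get("port", DEFAULT_PORT))
    servers = []  # (host, port) in failover order
    for entry in filter(None, (s.strip() for s in opts["server"].split(","))):
        host, sep, port = entry.rpartition(":")  # optional server:port form
        servers.append((host, int(port)) if sep and port.isdigit() else (entry, default_port))
    if not servers:
        raise ValueError("server option lists no servers")
    timeout = float(opts["timeout"]) if "timeout" in opts else None
    skip_pwd = parse_bool("enabledefaultpwd", opts.get("enabledefaultpwd", "false"))
    if skip_pwd and not opts.get("defaultpwd"):
        raise ValueError("missing defaultpwd: required when enabledefaultpwd=true")
    attribs = opts.get("attribs", {})
    if not isinstance(attribs, dict):
        raise ValueError("attribs must be a {key=value;...} block")
    return {
        "servers": servers,
        "realm": opts.get("realm"),
        "timeout": timeout,  # total wait across all tries
        "per_try_timeout": None if timeout is None else timeout / TRY_COUNT,
        "enable_default_pwd": skip_pwd,
        "default_pwd": opts.get("defaultpwd"),
        "attribs": attribs,
        "ppp_hint": parse_bool("ppphint", opts.get("ppphint", "false")),
        "bogus_pkt": parse_bool("boguspkt", opts.get("boguspkt", "false")),
        "list_override": opts.get("listOverride"),
    }


def check_address(address: str) -> str:
    """Return 'ok' or 'error: <reason>', the shape a config check would report."""
    try:
        parse_radius_address(address)
        return "ok"
    except ValueError as exc:
        return f"error: {exc}"


# Constructed sample address; hostnames, realm and attribute value are made up.
SAMPLE_ADDRESS = (
    "{listOverride={action=copy;srcTargetId=ADDN;script=listoverride.py;"
    "postHook=replaceLongIdWithShortId;};"
    "server=radius1.example.com,radius2.example.com:1645;port=1812;"
    "realm=example.com;timeout=30;enabledefaultpwd=false;"
    "attribs={NAS-Identifier=bravura;};ppphint=false;boguspkt=false;}"
)
```

Running check_address over SAMPLE_ADDRESS returns "ok"; dropping the server key or setting enabledefaultpwd=true without a defaultpwd returns an error naming the missing option, which is quicker to act on than a failed login attempt later.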



Add RADIUS authentication to Bravura Security Fabric

You can integrate RADIUS authentication in Bravura Security Fabric by configuring a custom authentication chain, using the agent.pss authentication module with the RADIUS Authentication connector agtradius, to perform a challenge-response operation.

The following steps demonstrate how to integrate RADIUS Authentication in Bravura Security Fabric:

  1. Add the RADIUS Authentication target system.

  2. Create a list file to associate users with the target system.

    The agtradius connector does not support listing operations. You must create a list file to associate users during auto-discovery, so that users can authenticate against the target system.

  3. Add a new custom authentication chain:

    1. Add the Connector package agent (agent.pss) module to the chain.

    2. In the module’s settings:

      • Set Target system to use for address and credentials to the target you created.

      • Set Password verification operation to "Challenge response authentication".

    3. Enable the custom authentication chain.

  4. Add the new custom authentication chain to the DEFAULT_LOGIN chain:

    1. Click Policies > Authentication chains > Front-end login.

    2. Disable the chain so that you can edit it.

    3. Edit the select_chain module to add the new custom authentication chain to the list of Available chains.

    4. Update and enable the DEFAULT_LOGIN chain.

  5. Test the authentication by logging in as an end user associated with the target system.

    You should be prompted to enter a valid RADIUS passcode.

Troubleshooting

The following errors may be encountered while configuring the RADIUS Authentication target. For each error message, a suggested solution is provided.

  • Unable to verify response

    or

    Received invalid reply digest from server

    Likely caused by a mismatched shared secret. Ensure that the RADIUS shared secret is set correctly as the password for the Administrator ID.

  • Unable to find IP for server <server address>

    Ensure that the value for Server is the correct IP address or domain name of the RADIUS Authentication server.

  • RADIUS server refused connection. : 10054 An existing connection was forcibly closed by the remote host

    Ensure that the value for Port matches the RADIUS authentication port configured on the RADIUS Authentication server.

  • RADIUS connection timed out waiting for response

    Ensure that the value for Timeout for connection is set high enough to allow the RADIUS operations to complete.
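The first pair of errors above follows from how RADIUS replies are authenticated. The example below is added here and is not Bravura Security code; all secrets, identifiers and packet contents in it are constructed. It implements the RFC 2865 Response Authenticator check that a RADIUS client runs on every reply: the 16-byte digest covers the reply header, the request's own authenticator, the attributes and the shared secret, so a client configured with a mistyped secret cannot reproduce it, and neither can a reply whose Code byte was altered in transit or a reply that answers a different request. Any of those conditions is what an "invalid reply digest" style error reports.

```python
"""Verify a RADIUS Response Authenticator (RFC 2865, section 3).

Added example, not Bravura Security Fabric code. It shows the check a RADIUS
client performs on each reply and why a wrong shared secret surfaces as an
"invalid reply digest" kind of error: the digest is computed over the shared
secret, so a client holding a different secret cannot reproduce it.
"""
import hashlib
import hmac
import struct

HEADER_LEN = 20       # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ACCESS_CHALLENGE = 11
REPLY_MESSAGE = 18    # attribute type carrying server text for the user


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header bytes (RFC 2865 s.5)."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code: int, identifier: int, attributes: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Server side: a reply whose Authenticator field is the digest above."""
    auth = response_authenticator(code, identifier, attributes, request_auth, secret)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return header + auth + attributes


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the digest with our secret and compare."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        return False  # truncated or inconsistent Length field
    attributes = packet[HEADER_LEN:length]  # bytes past Length are padding
    expected = response_authenticator(code, identifier, attributes, request_auth, secret)
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)


def demo() -> dict:
    """Constructed exchange: a 'server' signs with one secret, clients check with theirs."""
    server_secret = b"shared-secret-configured-on-server"   # constructed
    mistyped_secret = b"shared-secret-configured-on-servr"  # constructed typo
    request_auth = bytes(range(16))  # constructed; a real client sends 16 random bytes
    reply = build_response(ACCESS_ACCEPT, 0x2A,
                           encode_attribute(REPLY_MESSAGE, b"Access granted"),
                           request_auth, server_secret)
    # A reply whose Code byte changed in transit (Reject -> Accept) fails the same check.
    reject = build_response(ACCESS_REJECT, 0x2A, b"", request_auth, server_secret)
    tampered = bytes([ACCESS_ACCEPT]) + reject[1:]
    return {
        "matching_secret": verify_response(reply, request_auth, server_secret),
        "mismatched_secret": verify_response(reply, request_auth, mistyped_secret),
        "tampered_code": verify_response(tampered, request_auth, server_secret),
        "stale_request_auth": verify_response(reply, bytes(16), server_secret),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'digest ok' if ok else 'invalid reply digest'}")
```

Only the matching-secret case verifies. Because the same digest failure covers a typo in the secret, a tampered reply and a reply to a different request, the client's error message cannot say which one occurred, which is why the documented remedy is to re-check the shared secret first.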