Generic client setup info

When setting up MIRACL Trust RADIUS to work with RADIUS-supporting clients (SSH clients, VPN clients, etc.) there are certain generic points which apply in all cases. This information should provide all that is needed to configure MIRACL Trust RADIUS to work with any client. It may also be useful to run through our guides to testing MIRACL Trust RADIUS with a simple SSH client or OpenVPN Access Server, to ensure that you are comfortable with the basics of getting the server running and connected properly.

When changes have been made to your MIRACL Trust RADIUS config file (found at /etc/srv-radius/config.json) it is necessary to run sudo service srv-radius restart to apply the changes. Because this file holds the MIRACL Trust client secret and every RADIUS shared secret, it should be readable only by root (and the account the service runs as).

The following points will need to be addressed in all cases:

Add app client id and secret

First of all open the MIRACL Trust RADIUS config file at /etc/srv-radius/config.json

Then, to establish the connection between your server and the MIRACL Trust authentication server, add the client_id and client_secret (obtained as per the Setup and Installation section of these docs) to the zfa section of the config file. The profile is named global here; that name is what a host entry refers to with "zfa": "global" later on:

"zfa": {
  "global": {
    "client_id": "03*******s77bj",
    "client_secret": "ure********************jfwStd_wJFI",
    "otp_endpoint": "",
    "max_uses": 1,
    "max_attempts": 3
  }
}

Note that otp_endpoint should always be set as

Supported protocols

You must know which RADIUS protocols are supported by the client you are working with, and make sure they are enabled on the MIRACL Trust RADIUS server. This is controlled by the following line in the /etc/srv-radius/config.json file:

"protocols": ["pap", "chap", "mschapv1"]

By default, support for the above protocols is enabled. Enable only the protocols the client actually uses, since each one is a way of presenting the password to the server. "peap" can also be enabled by adding it to the above line. It is then also necessary to generate an X.509 private key and public certificate for your RADIUS server and add them to the "peap" config section:

"peap": {
  "private_key": "",
  "public_certificate": ""
}

To generate a key and certificate, the following terminal command can be used (with the necessary adjustments to your location and domain information; add a CN matching the hostname clients will use to verify the server). It creates the key and certificate and prints each one as a single line of base64, with the BEGIN/END lines and newlines stripped, so the output can be pasted between the quotes in the config file. -nodes leaves the private key unencrypted on disk, so run the command with a restrictive umask and remove the temporary .key file once its contents are in config.json. The certificate is self-signed, so PEAP clients must be given it to trust; do not work around validation failures by disabling certificate checking on the client, as that lets any server posing as yours collect credentials:

umask 077 \
&& openssl req -x509 -nodes -newkey rsa:2048 -keyout srv-radius.key -out srv-radius.crt -days 1000 \
     -subj "/C=UK/ST=London/L=London/O=Development/" \
&& printf '\nCONFIG PRIVATE KEY:\n\n' \
&& tr -d '\n' < srv-radius.key | sed -E 's/-----[^-]+-----//g' \
&& printf '\n\nCONFIG PUBLIC CERTIFICATE:\n\n' \
&& tr -d '\n' < srv-radius.crt | sed -E 's/-----[^-]+-----//g' \
&& echo ""
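
Pasting two long base64 strings into a JSON file by hand is error-prone: a stray line break, a swapped key and certificate, or a truncated file only shows up when PEAP clients fail to connect. The following added example, which is not part of MIRACL Trust RADIUS, performs the same transformation as the command above in Python and writes the result into config.json with a JSON library, so quoting and structure are handled for you and the material is sanity-checked first. It assumes only the layout this page shows (a top-level "protocols" list and a "peap" object with "private_key" and "public_certificate"); the function names and the temporary file name are the example's own.

```python
"""Insert a PEM key/certificate pair into the srv-radius "peap" section.

Added example, not MIRACL Trust RADIUS code. Assumes config.json has a top-level
"protocols" list and a "peap" object with "private_key" and "public_certificate"
holding single-line base64 (the same form the openssl | tr | sed pipeline prints).
"""
import base64
import binascii
import json
import re
from pathlib import Path

# One PEM block: BEGIN and END labels must match; body is base64 (possibly wrapped).
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    r"-----END (?P=label)-----",
    re.S,
)


def pem_body(pem_text: str, expected_labels: tuple) -> str:
    """Return the base64 body of the first PEM block as one line, after checking it.

    Rejects a block whose label is not one of expected_labels (catches a swapped
    key/certificate), a body that is not valid base64 (catches a paste that lost
    characters), and a body whose DER does not start with a SEQUENCE (0x30), which
    every key and certificate encoding does.
    """
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM block found")
    label = m.group("label")
    if label not in expected_labels:
        raise ValueError(f"unexpected PEM label {label!r}, wanted one of {expected_labels}")
    body = re.sub(r"\s+", "", m.group("body"))
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"PEM body is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded PEM body does not start with a DER SEQUENCE")
    return body


def configure_peap(config: dict, key_pem: str, cert_pem: str) -> dict:
    """Return a copy of config with "peap" added to protocols and the bodies filled in."""
    new = json.loads(json.dumps(config))  # deep copy; the caller's dict is left untouched
    protocols = list(new.get("protocols", []))
    if "peap" not in protocols:
        protocols.append("peap")
    new["protocols"] = protocols
    peap = dict(new.get("peap", {}))
    peap["private_key"] = pem_body(key_pem, ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"))
    peap["public_certificate"] = pem_body(cert_pem, ("CERTIFICATE",))
    new["peap"] = peap
    return new


def update_config_file(config_path: str, key_file: str, cert_file: str) -> None:
    """Hypothetical helper: merge the PEM files into config.json, writing it atomically with mode 0600."""
    path = Path(config_path)
    config = json.loads(path.read_text())
    new = configure_peap(config, Path(key_file).read_text(), Path(cert_file).read_text())
    tmp = path.parent / (path.name + ".tmp")
    tmp.write_text(json.dumps(new, indent=2) + "\n")
    tmp.chmod(0o600)
    tmp.replace(path)
```

Run it as update_config_file("/etc/srv-radius/config.json", "srv-radius.key", "srv-radius.crt") as root, then restart the service as described above. The atomic rename means a crash mid-write cannot leave a half-written config for the next restart to choke on.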

Add host details and create shared secret

In the host section of /etc/srv-radius/config.json, add an entry for each RADIUS client that will send authentication requests, keyed by that client's IP address. The entry in the example below is named openvpn; per-client entries with their own secret are the standard RADIUS model, and a request arriving from an address with no entry is discarded.

A key point here is that you must also add an arbitrary shared secret (a strong, hard-to-guess string, for example the output of openssl rand -base64 32) that is also entered on the RADIUS client application you will be connecting to. The secret is what hides the password attribute in transit and authenticates the server's replies, so use a different one for each client. Here you can also use the zfa_id parameter to allow for a non-email username (explained in more detail in both the SSH and OpenVPN demo setup pages). You can also use LDAP for more detailed user verification (explained in more detail in the LDAP Configuration page):

"host": {
  "": {
    "name": "openvpn",
    "authorize": [[{"ldap":"global"}]],
    "zfa": "global",
    "secret": "********"
  }
}

An example of this shared secret being added to a client application is found when using a PAM RADIUS client and editing the /etc/pam_radius_auth.conf file to contain the IP address of your MIRACL Trust RADIUS server, as well as the shared secret:

# server[:port]    shared_secret    timeout (s)
                   ********         5

Or in the RADIUS settings of the OpenVPN Access Server admin console (screenshot not reproduced here).

Ensure correct ports are listening

The OpenVPN Access Server settings use the standard RADIUS authentication port, 1812, which carries UDP. The MIRACL Trust RADIUS server must listen on it, the server's firewall must allow inbound UDP 1812 from each client's address, and the client must be able to receive the UDP reply. The listening address is set in /etc/srv-radius/config.json (":1812" binds every interface; prefix an address to restrict it), and ss -ulnp | grep 1812 on the server confirms the socket is open after a restart:

"ServerAuthenticationAddress": ":1812",
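
The shared secret and the port are the two things that go wrong most often, and a client that has either one wrong sees only a timeout or a rejection. The following added example, which is not MIRACL Trust RADIUS code and assumes nothing about the server beyond RFC 2865, shows the PAP exchange from both sides: how the client hides User-Password with the secret, how the server recovers it, and how the Response Authenticator lets the client detect a reply made with a different secret. radius_probe() can be pointed at a running server on UDP 1812 as a quick end-to-end check; the other functions run offline. Function names are the example's own.

```python
"""PAP Access-Request / Access-Accept exchange as defined in RFC 2865.

Added example, not MIRACL Trust RADIUS code. The RADIUS client hides User-Password
with an MD5 keystream derived from the shared secret and the Request Authenticator;
the server signs its reply with a Response Authenticator that only the holder of
the same secret can compute or check.
"""
import hashlib
import hmac
import os
import socket
import struct
from typing import Callable, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: null-pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(b ^ k for b, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of pap_hide; the keystream chains on the hidden (ciphertext) blocks."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password attribute must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(b ^ k for b, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, secret: bytes, username: str, password: str,
                         nas_ip: str = "127.0.0.1", nas_port: int = 0,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Client side: Code=1, a random 16-byte Request Authenticator, then the attributes."""
    auth = authenticator if authenticator is not None else os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, pap_hide(password.encode(), secret, auth))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def parse_packet(pkt: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    if len(pkt) < 20:
        raise ValueError("RADIUS packet shorter than its 20-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, req_auth, _ = parse_packet(request)
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: trust a reply only if its authenticator was computed with our secret."""
    _, rid, resp_auth, _ = parse_packet(response)
    _, ident, req_auth, _ = parse_packet(request)
    if rid != ident:
        return False
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def serve_once(request: bytes, secret: bytes, check: Callable[[str, bytes], bool]) -> bytes:
    """What the server does with a PAP request: recover the password, then accept or reject."""
    code, _, auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        return build_response(ACCESS_REJECT, request, secret)
    user = attrs[USER_NAME].decode("utf-8", errors="replace")
    password = pap_reveal(attrs[USER_PASSWORD], secret, auth)
    return build_response(ACCESS_ACCEPT if check(user, password) else ACCESS_REJECT, request, secret)


def radius_probe(host: str, secret: bytes, username: str, password: str,
                 port: int = 1812, timeout: float = 5.0) -> Optional[int]:
    """Send one PAP Access-Request to a live server and return the verified reply code.

    None means no trustworthy reply: closed port or firewall (timeout), an unknown client
    address (RFC 2865 says such requests are silently discarded), or a reply made with a
    different shared secret. Needs a reachable server, so not exercised offline.
    """
    request = build_access_request(os.urandom(1)[0], secret, username, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_packet(response)[0] if verify_response(response, request, secret) else None
```

A call such as radius_probe("192.0.2.10", b"the-shared-secret", "user@example.com", "123456") returning 2 confirms port, secret and host entry in one go; a timeout points at the port or firewall, and None after a prompt reply points at a secret mismatch. Note that everything here rests on MD5 with the secret as the only key, which is why RADIUS should only cross a network you control and the secret should be long and random.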

In conjunction with any product-specific documentation for the client you are connecting to, this should give you all the information you need to get set up and begin issuing One Time Passwords to your clients.