RADIUS Overview

MIRACL Trust SSO RADIUS allows you to configure one or more RADIUS-supporting clients for which One Time Passwords (OTPs) can be generated. Once you have set up and connected MIRACL Trust SSO RADIUS to a client, it is possible to generate an OTP with the PIN pad - either by visiting your saved OTP url in your web browser or by going to your mobile app. This OTP is valid for 90 seconds by default. It can then be used to log in to your RADIUS-supporting client.

Once installed, the use of MIRACL Trust SSO RADIUS involves managing a set of config files which are located in the /etc/srv-radius/ directory. In the config, it is possible to enable usage of the Microsoft PEAP protocol in order to allow using authentication protocols like MS-CHAPv2 with a secure tunnel.

The steps involved are:

  1. Create a new MIRACL Trust RADIUS app in the MIRACL Trust authentication portal to receive the Client ID and Client Secret needed to set up the connection between your instance and the authentication portal, and to generate a url at which your end users can register

  2. Install your MIRACL Trust SSO RADIUS server

  3. Configure your MIRACL Trust SSO RADIUS server and RADIUS client / VPN server (simple ssh client, OpenVPN, Cisco Anyconnect etc.)

  4. End users can then visit the OTP generation url in their browser or use the MIRACL Trust mobile app to generate One Time Passwords (associated with the same email they registered with in step 2) which allow them to log in to the RADIUS client / VPN server

Server configuration

Once installed, MIRACL Trust RADIUS is configured for use by YAML configuration files stored in the /etc/srv-radius/ directory (note that the example layout and naming of the config files is only for guidance, and you can choose a different structure and naming system):

├── config.yaml
├── core.yaml
├── hosts
│   ├── example.yaml
│   ├── openvpn.yaml
│   └── sshtest.yaml
└── integrations
    ├── ldap.yaml
    ├── log.yaml
    ├── peap.yaml
    ├── redis.yaml
    ├── stats.yaml
    └── mfa.yaml

The config.yaml file simply lists the other files to be included. In the following example, only core.yaml, hosts/openvpn.yaml and integrations/ldap.yaml are included; the commented-out entries are ignored:

  - core.yaml
#  - hosts/example.yaml
  - hosts/openvpn.yaml
#  - hosts/sshtest.yaml
#  - integrations/log.yaml
  - integrations/ldap.yaml
#  - integrations/mfa.yaml
#  - integrations/peap.yaml
#  - integrations/redis.yaml
#  - integrations/stats.yaml

core.yaml contains the basic details of your MIRACL Trust RADIUS installation, plus the Client ID and Client Secret obtained from the admin portal.

In the hosts/ subfolder, you can configure multiple hosts for OTP access (ssh clients, VPN clients, etc.)

LDAP and other advanced settings can be configured in the integrations/ subfolder. More information on this can be found in the LDAP and authorization section and in the Advanced config section.

Note that settings in files lower down the list of includes override settings in files higher in the list. For example, if you include a file which specifies a server port number, this overrides a server port number set in a file higher in the list of includes.
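The following added example (not MIRACL's code, and not the real srv-radius schema) illustrates the include-order rule: it reads the active entries from a constructed config.yaml, skips the commented-out ones, and merges the included files in order so that a later file's server port wins. It assumes the merge is key-by-key and recursive (a later file only replaces the keys it sets); the file contents and key names are constructed for the illustration and are not the product's actual settings.

```python
"""Illustrate the include-order override rule of /etc/srv-radius/config.yaml.

Assumptions (not taken from the MIRACL documentation): included files are
merged key-by-key, recursively, with later files in the include list winning.
"""
from copy import deepcopy

# Constructed config.yaml in the same shape as the documented example.
# Commented-out entries must not take part in the merge.
CONFIG_YAML = """\
  - core.yaml
#  - hosts/example.yaml
  - hosts/openvpn.yaml
#  - hosts/sshtest.yaml
  - integrations/ldap.yaml
"""

# Constructed contents of the included files, as a YAML loader would return
# them. The keys are illustrative placeholders, not the real srv-radius schema.
FILES = {
    "core.yaml": {
        "server": {"listen": "0.0.0.0", "port": 1812},
        "client_id": "<CLIENT_ID from the admin portal>",
    },
    # Not in the active include list, so its port must never be applied.
    "hosts/example.yaml": {"server": {"port": 9999}},
    "hosts/openvpn.yaml": {
        "server": {"port": 1813},            # overrides core.yaml's port
        "hosts": {"openvpn": {"address": "10.0.0.5"}},
    },
    "integrations/ldap.yaml": {
        "ldap": {"url": "ldap://ldap.example.internal"},
    },
}


def parse_includes(text):
    """Return the active include entries of config.yaml text, in list order."""
    includes = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or commented-out entry
        if line.startswith("- "):
            includes.append(line[2:].strip())
    return includes


def deep_merge(base, override):
    """Recursively merge override into a copy of base; override's keys win."""
    result = deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = deep_merge(result[key], value)
        else:
            result[key] = deepcopy(value)
    return result


def effective_config(config_text, files):
    """Apply the includes in order; later files override earlier ones."""
    merged = {}
    for name in parse_includes(config_text):
        merged = deep_merge(merged, files[name])
    return merged


if __name__ == "__main__":
    cfg = effective_config(CONFIG_YAML, FILES)
    print("active includes:", parse_includes(CONFIG_YAML))
    print("effective server settings:", cfg["server"])
```

Swapping the order of core.yaml and hosts/openvpn.yaml in CONFIG_YAML would make core.yaml's port win instead, which is the behaviour the paragraph above describes; when a setting does not take effect after a restart, checking which later include redefines it is the first thing to look at.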

When changes have been made to your MIRACL Trust RADIUS config files (in the /etc/srv-radius/ directory) it is necessary to run sudo service srv-radius restart to apply the changes.

An explanation of the necessary configuration is given in the Generic client setup info, SSH demo and OpenVPN demo pages.

Component diagram

The following diagram gives a high-level overview of the components involved: