Advanced config

In the /integrations subfolder you will find a suggested layout for individual files which can be used to manage advanced settings.

Change OTP maximum uses and login attempts

/etc/miracl-radius/integrations/mfa.yaml

You can make the following additional config to any apps configured in the mfa section (note that this example refers to an app which has been named global for which you should already have specified the client ID and client secret in the core.yaml file):

mfa:
  global:
    otp_endpoint: https://api.mpin.io/otp
    max_uses: 1
    max_attempts: 3

Note that otp_endpoint should always be https://api.mpin.io.otp

max_uses controls the number of times an issued OTP can be used before it expires.

max_attempts controls the number of incorrect attempts a user can make before they are blocked. The maximum recommended value for this is 5.

Change log level

/etc/miracl-radius/integrations/log.yaml

log:
  level: INFO
  network: tcp
  address: 127.0.0.1:514

The level can be set to “EMERGENCY”, “ALERT”, “CRITICAL”, “ERROR”, “WARNING”, “NOTICE”, “INFO” or “DEBUG”.

Note that it should not be set to DEBUG in a production environment.

Stats for system performance

/etc/miracl-radius/integrations/stats.yaml

The program uses StatsD to collect usage metrics which can then be used with a StatsD-compatible client such as Graphite to visually render key system performance information such as session starts, logins, communicating with the authentication server, spikes in 404 statuses etc.

An example config would be:

stats:
  prefix: miracl-radius
  network: udp
  address: :8125

Note that prefix defines the prefix that is given to each bucket of stats. Address can be in the format of ‘url:port’ or just ‘port’.

The above example would be suitable for a Graphite installation, as Graphite https://github.com/etsy/statsd/blob/master/docs/graphite.md listens on port 8125 by default. A useful Docker image for Graphite can be found at https://github.com/hopsoft/docker-graphite-statsd

Session settings

By default the MIRACL Trust RADIUS server uses internal memory to store its collected logged in sessions. Below is the default config.

/etc/miracl-radius/integrations/memory.yaml

store:
  memory:
    cleanup_interval: 60

You could specify Redis as an external storage to improve security or share it between multiple radius server instances. Redis can be used locally or installed on a separate machine. In a production environment, AWS ElastiCache may be used. You could just enable it by including:

/etc/miracl-radius/integrations/redis.yaml

store:
  redis:
    network: tcp
    address: :6379
    password: ""

Return attributes

There are cases when you would want to send predefined attributes from the RADIUS server to the RADIUS client. This could be achieved by the host.return_attributes section.

host:
  172.17.0.1:
    name: docker
    authorize:
    - - ldap: ldap_profile
    mfa: global
    secret: *************
    return_attributes:
      Reply-Message: Hello, from MIRACL
      Acct-Interim-Interval: 600
      Vendor-Specific:
        Fortinet:
          Fortinet-Group-Name: MiraclGroup

The key of the returned attribute should be a valid RADIUS attribute name and its value should be valid type per its specification. Note that it supports vendor-specific attributes as here is the required structure:

return_attributes:
  Vendor-Specific:
    Vendor-ID-Name:
      Vendor-Type1: Value
      Vendor-Type2:
      - Value1
      - Value2

Currently MIRACL RADIUS supports only MS and Fortinet Vendor-IDs.