In the /integrations subfolder you will find a suggested layout for individual files which can be used to manage advanced settings.
Change OTP maximum uses and login attempts
You can make the following additional config to any apps configured in the mfa section (note that this example refers to an app which has been named global for which you should already have specified the client ID and client secret in the core.yaml file):
mfa: global: otp_endpoint: https://api.mpin.io/otp max_uses: 1 max_attempts: 3
Note that otp_endpoint should always be
max_uses controls the number of times an issued OTP can be used before it expires.
max_attempts controls the number of incorrect attempts a user can make before they are blocked. The maximum recommended value for this is 5.
Change log level
log: level: INFO network: tcp address: 127.0.0.1:514
level can be set to “EMERGENCY”, “ALERT”, “CRITICAL”, “ERROR”, “WARNING”, “NOTICE”, “INFO” or “DEBUG”.
Note that it should not be set to DEBUG in a production environment.
Stats for system performance
The program uses StatsD to collect usage metrics which can then be used with a StatsD-compatible client such as Graphite to visually render key system performance information such as session starts, logins, communicating with the authentication server, spikes in 404 statuses etc.
An example config would be:
stats: prefix: miracl-radius network: udp address: :8125
Note that prefix defines the prefix that is given to each bucket of stats. Address can be in the format of ‘url:port’ or just ‘port’.
The above example would be suitable for a Graphite installation, as Graphite https://github.com/etsy/statsd/blob/master/docs/graphite.md listens on port 8125 by default. A useful Docker image for Graphite can be found at https://github.com/hopsoft/docker-graphite-statsd
By default the MIRACL Trust RADIUS server uses internal memory to store its collected logged in sessions. Below is the default config.
store: memory: cleanup_interval: 60
You could specify Redis as an external storage to improve security or share it between multiple radius server instances. Redis can be used locally or installed on a separate machine. In a production environment, AWS ElastiCache may be used. You could just enable it by including:
store: redis: network: tcp address: :6379 password: ""
There are cases when you would want to send predefined attributes from the RADIUS server to the RADIUS client. This could be achieved by the
host: 172.17.0.1: name: docker authorize: - - ldap: ldap_profile mfa: global secret: ************* return_attributes: Reply-Message: Hello, from MIRACL Acct-Interim-Interval: 600 Vendor-Specific: Fortinet: Fortinet-Group-Name: MiraclGroup
The key of the returned attribute should be a valid RADIUS attribute name and its value should be valid type per its specification. Note that it supports vendor-specific attributes as here is the required structure:
return_attributes: Vendor-Specific: Vendor-ID-Name: Vendor-Type1: Value Vendor-Type2: - Value1 - Value2
Currently MIRACL RADIUS supports only MS and Fortinet Vendor-IDs.