AuthAnvil RADIUS Server Installation
- Download the installer from here.
- Click Run to start the install immediately or Save to manually start the installer.
- When the wizard opens, press Next to start the installation.
- Click Next on the welcome installer dialog after ensuring the recommendations are met.
- Review the license agreement and, when satisfied, enable the I Agree checkbox and click Next.
- Select the path to which the RADIUS Agent will be installed, then select Next. The default is C:\Program Files\Scorpion Software
- The install configuration is now complete; click Next to install.
- Once the installation completes, click Finish to close the installation wizard and to optionally launch the AuthAnvil RADIUS Server Configuration Wizard.
Note: If you are running any flavor of Windows Server 2008, you may have process blocking issues at startup, preventing the RADIUS Server Service from starting. The solution to this is to set the AuthAnvil RADIUS Server Service to Automatic (Delayed Start) in the Services console.
Authentication Service URL and Site ID
This configuration wizard allows the user to adjust the settings of the RADIUS Server. Once the AuthAnvil RADIUS Server has been installed, access the settings by opening the Configuration Wizard from the start menu: Start > All Programs > Scorpion Software > AuthAnvil RADIUS Server > Configure AuthAnvil RADIUS Server.
Step 1 - Enter the RADIUS Port and AuthAnvil Two Factor Auth Service URL you wish to use for this server. The default port for RADIUS is UDP 1812. If Microsoft's IAS or NPS is installed, a different port will need to be used to avoid a conflict. Please note: all RADIUS clients must use the port set in this step.
The AuthAnvil Service URL and Site ID point to the AuthAnvil Two Factor Auth Web Service that will be used to authenticate requests; in this guide we will use http://localhost/AuthAnvil/SAS.asmx
Step 2 - Test that you can reach the AuthAnvil SAS URL by clicking Verify URL. Click Next when finished. If verification fails, confirm the address is actually valid by opening it in a web browser. If you find a certificate error in the browser, then you need to configure the system to trust the certificate. After completing the settings, click Next to proceed.
Configure Active Directory RADIUS Group Support
Note: When using Active Directory RADIUS Group Support, Windows authentication is available in PAP mode only. It is not available when using MSCHAP2.
Security Group for RADIUS Access
Select an existing Active Directory or Workgroup security group whose members will be required to use an AuthAnvil passcode to authenticate.
Note: The AuthAnvil RADIUS Server does not support cascading security groups. Users need to be direct members to match the access condition.
Attempt Windows authentication if user is not a member of the RADIUS group
Enabling this will tell the server to attempt authentication via Active Directory if the user is not a member of the group in the drop-down above. Disabling it will allow only users that are included in the group to authenticate with 2FA. This option is ignored in MSCHAP2 requests.
Check if User is enabled in Active Directory
When enabled the RADIUS server will verify that the user making the request is active and enabled.
Check if User has Dial-in Privileges in Active Directory
If enabled the RADIUS server will verify that the user has the Remote Access Permission Dial-In privilege enabled in the properties of their user account.
In order to use the Active Directory RADIUS Group you will need to use a user account that has privileges to query the domain or Workgroup. Add the username and password and select your domain from the drop-down. If this is a stand-alone system and not domain joined, use the Workgroup name of your network. Use the Verify button to confirm that the account has the appropriate privileges.
After completing the settings, click Next to proceed.
Add RADIUS Clients
Enter the IP address along with a Shared Secret for each remote server. Once you have entered the information, click Add.
Note: The recommended configuration is to use the loopback IP, 127.0.0.1, as the RADIUS client IP. There is no guarantee that the RADIUS client will work properly with NPS on any other IP address.
Click Finish to apply the settings and add the clients to the AuthAnvil RADIUS Server.
Once the installation is complete, you should test that everything is working as expected. This can be accomplished by confirming that the Windows service is running properly and that it has loaded the settings for the appropriate RADIUS clients.
Note: All RADIUS authentication requests are logged both in the server's Application event log and in the AuthAnvil Manager log.
To verify that the service is properly running, check the Application Event log and ensure that the service started correctly and has loaded the proper client IPs.
Using the AuthAnvil RADIUS Test Tool
This tool is used to simulate a client requesting authentication via RADIUS to a 2FA server.
Step 1 - Open a command window to the following directory: C:\Program Files\Scorpion Software\AuthAnvil RADIUS Server
Step 2 - Run the authentication test by typing
AARADIUSTest.exe <Anvil Server IP Address> <Secret> <Username> <PIN+OTP>
If you're using the Active Directory RADIUS settings, use the following format:
AARADIUSTest.exe <Anvil Server IP Address> <Secret> <AD Username> <AD Password>
If you're using a different RADIUS port, use the following format:
AARADIUSTest.exe <Anvil Server IP Address> <Secret> <Username> <PIN+OTP> <RADIUS PORT>
Separate each value with a space. The IP Address and Secret will be the same as what was added during the RADIUS Server configuration wizard which should coincide with the RADIUS client settings.
Binding an IP Address
If you are running another RADIUS-based server on the same machine, you may need to explicitly define the IP address you wish to bind the AuthAnvil RADIUS Server to so they can coexist. A practical example of this would be to run Microsoft's Network Policy Server (NPS) alongside the AuthAnvil RADIUS Server. To do this, you will need to manually modify the application configuration file.
- Using Notepad, open up the configuration file at %PROGRAMFILES%\Scorpion Software\AuthAnvil RADIUS Server\AuthAnvilRADIUSServer.exe.config
- Add a new key called BindIP and set it to the IP address you wish to bind the AuthAnvil RADIUS Server to.
<add key="BindIP" value="192.168.1.1"/>
- Save the file.
- Restart the AuthAnvil RADIUS Server service.
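The manual edit above is easy to get wrong (a duplicated key, a typo in the address, a damaged file that stops the service from starting). The following added example, which is not part of the AuthAnvil product or this guide, shows one way to make the BindIP change idempotently with Python's standard XML library: it validates the address, updates the key if it already exists and appends it otherwise, and leaves every other setting untouched. The SAMPLE_CONFIG content is a constructed stand-in for the real exe.config, and `update_config_file` assumes the file path given in the text.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of the appSettings section of the exe.config file; the real
# file has more sections, which ElementTree carries through unchanged.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="ParseChar" value="\\" />
    <add key="ParseElement" value="2" />
  </appSettings>
</configuration>
"""

# Path from the guide; the environment variable must be expanded before use.
DEFAULT_CONFIG_PATH = (r"%PROGRAMFILES%\Scorpion Software\AuthAnvil RADIUS Server"
                       r"\AuthAnvilRADIUSServer.exe.config")


def is_valid_bind_ip(value: str) -> bool:
    """True when value is a well-formed IPv4/IPv6 address (rejects '192.168.1')."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def set_app_setting(config_xml: str, key: str, value: str) -> str:
    """Return config_xml with <add key=... value=.../> set under <appSettings>.

    Existing keys are updated in place rather than duplicated, so running the
    function twice yields the same document.
    """
    root = ET.fromstring(config_xml.encode("utf-8"))
    app = root.find("appSettings")
    if app is None:
        app = ET.SubElement(root, "appSettings")
    for add in app.findall("add"):
        if add.get("key") == key:
            add.set("value", value)
            break
    else:
        ET.SubElement(app, "add", key=key, value=value)
    if hasattr(ET, "indent"):          # Python 3.9+: keep the file readable
        ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode")


def set_bind_ip(config_xml: str, bind_ip: str) -> str:
    """Set BindIP after checking the address is syntactically valid."""
    if not is_valid_bind_ip(bind_ip):
        raise ValueError(f"BindIP is not a valid IP address: {bind_ip!r}")
    return set_app_setting(config_xml, "BindIP", bind_ip)


def get_app_settings(config_xml: str) -> dict:
    """Read all appSettings keys back as a dict, for verification after editing."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    return {a.get("key"): a.get("value") for a in root.iterfind("appSettings/add")}


def update_config_file(path: str, bind_ip: str) -> dict:
    """Apply set_bind_ip to a file on disk and return the resulting settings."""
    with open(path, encoding="utf-8") as fh:
        new_xml = set_bind_ip(fh.read(), bind_ip)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8"?>\n' + new_xml)
    return get_app_settings(new_xml)


if __name__ == "__main__":
    # Dry run against the constructed sample; use update_config_file(...) for a real file.
    print(get_app_settings(set_bind_ip(SAMPLE_CONFIG, "192.168.1.1")))
```

Restarting the service is still a separate step after the file is written; the point of the script is only that the file it leaves behind is well-formed and contains exactly one BindIP key.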
Trimming Text from Username Data
AuthAnvil RADIUS Server forwards authentication directly to AuthAnvil Two Factor Auth. This means the username used to log into your RADIUS-enabled device must match the username in your 2FA server. Sometimes LDAP and Windows authentication requests can have extra information added to them, such as a full UPN or domain text (e.g. DOMAIN\Username).
AuthAnvil RADIUS Server v220.127.116.11 (released Sept 10, 2013) includes a new feature to customize how the text is parsed by the RADIUS Server. The default authentication method is to parse DOMAIN\Username as Username, by only selecting the text after the backslash (\) character. Here is how these settings are configured.
There are 2 variables: ParseChar and ParseElement. These settings are defined in the configuration file at C:\Program Files\Scorpion Software\AuthAnvil RADIUS Server\AuthAnvilRadius.exe.config. The default values are:
<add key="ParseChar" value="\" />
<add key="ParseElement" value="2" />
The ParseChar value means that the backslash (\) will be the separating character, so the text DOMAIN\Username will be separated into 2 parts: DOMAIN and Username. The ParseElement value determines whether we pick the first, second, third, or other result from the list of parts. In this case, RADIUS will select the second element, which is just the Username instead of DOMAIN. The end result is that just the Username value is forwarded to AuthAnvil 2FA. If we changed ParseElement to 1, it would send only the DOMAIN value.
There may be circumstances where these values need to change for non-standard authentication. For example, a networking device may submit a workgroup authentication in the format Username@Workgroup\Machine. If we only want the username value here, we want to take only the text that shows up before the @ symbol. These would be the new settings:
<add key="ParseChar" value="@" />
<add key="ParseElement" value="1" />
The end result splits Username@Workgroup\Machine into 2 parts: Username and Workgroup\Machine. We select just the first part and submit that to AuthAnvil.
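Because the value that comes out of this parsing is the account name the 2FA service authenticates, it is worth checking what each client's User-Name format turns into before changing the settings. The following added example (not AuthAnvil's own code) models the ParseChar/ParseElement rule in Python and runs it over a few constructed User-Name formats. Two behaviours are assumptions, since the page does not state them: when the separator is absent, or the requested element does not exist, the username is forwarded unchanged.

```python
# Constructed sample User-Name values as different RADIUS clients might send them.
SAMPLE_USERNAMES = [
    "alice",                    # plain username
    "CORP\\alice",              # DOMAIN\Username (the documented default case)
    "alice@corp.example",       # UPN
    "alice@WORKGROUP\\PC01",    # Username@Workgroup\Machine (the documented device case)
]


def parse_username(raw: str, parse_char: str = "\\", parse_element: int = 2) -> str:
    """Model of the ParseChar/ParseElement rule: split raw on parse_char and
    return the 1-based parse_element part.

    Assumption (not on the page): if parse_char does not occur, or there are
    fewer parts than parse_element, raw is returned unchanged so that a plain
    "Username" still works with the default settings.
    """
    if parse_element < 1:
        raise ValueError("ParseElement is 1-based and must be >= 1")
    parts = raw.split(parse_char) if parse_char else [raw]
    if len(parts) < parse_element:
        return raw
    return parts[parse_element - 1]


def forwarded_names(parse_char: str, parse_element: int) -> dict:
    """Map each sample User-Name to the value that would reach the 2FA service."""
    return {u: parse_username(u, parse_char, parse_element) for u in SAMPLE_USERNAMES}


if __name__ == "__main__":
    for label, pc, pe in (("default  \\ / 2", "\\", 2), ("device   @ / 1", "@", 1)):
        print(label)
        for raw, out in forwarded_names(pc, pe).items():
            print(f"  {raw:28} -> {out}")
```

The run makes the trade-off visible: with the default settings the device format alice@WORKGROUP\PC01 is forwarded as PC01 (the machine name, not the user), which is why the page switches to @ and element 1 for that client; with @ / 1 a plain DOMAIN\Username is forwarded whole, so one server-wide setting has to fit every client that sends to it.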
If you have any questions or need some help, we would be happy to assist. Open a case at kaseya.zendesk.com.