AuthAnvil RADIUS Server Installation
- Download the installer from here.
- Click Run to start the install immediately or Save to manually start the installer.
- When the wizard opens press Next to start the installation.
- Click Next on the welcome installer dialog after ensuring the recommendations are met.
- Review the license agreement and when satisfied enable the I Agree checkbox and clickNext.
- Select the path to which the RADIUS Agent will be installed then select Next. The default is C:\Program Files\Scorpion Software
- The install configuration is now complete, click Next to install.
- Once the installation completes, click Finish to close the installation wizard and to optionally launch the AuthAnvil RADIUS Server Configuration Wizard.
Note: If you are running any flavor of Windows Server 2008, you may have process blocking issues at startup, preventing the RADIUS Server Service from starting. The solution to this is to set the AuthAnvil RADIUS Server Service to Automatic (Delayed Start) in the Services console.
Authentication Service URL and Site ID
This configuration wizard allows the user to adjust the settings of the RADIUS Server. Once the AuthAnvil RADIUS Server has been installed, access the settings by opening the Configuration Wizard from the start menu. Start > All Programs > Scorpion Software > AuthAnvil RADIUS Server > Configure AuthAnvil RADIUS Server.
Step 1 - Enter in the RADIUS Port and AuthAnvil Two Factor Auth Service URL you wish to use for this server. The default port for RADIUS is UDP 1812. If Microsoft’s IAS or NPS are installed, a different port will need to be used to avoid a conflict. Please note: all RADIUS clients must use the port set in this step.
The AuthAnvil Service URL and Site ID point to the AuthAnvil Two Factor Auth Web Service that will be used to authenticate requests; in this guide we will use http://localhost/AuthAnvil/SAS.asmx
Step 2 - Test that you can reach the AuthAnvil SAS URL by clicking Verify URL. Click Next when finished. If verification fails confirm the address is actually valid by opening it in a web browser. If you find a certificate error in the browser, then you need to configure the system to trust the certificate. After completing the settings, click Next to proceed.
Configure Active Directory RADIUS Group Support
Note: When using Active Directory RADIUS Group Support, Windows authentication is available in PAP mode only. It is not available when using MSCHAP2.
Security Group for RADIUS Access
Select an existing Active Directory or Workgroup security group whose members will be required to use an AuthAnvil passcode to authenticate.
Note: The AuthAnvil RADIUS Server does not support cascading security groups. Users need to be direct members to match the access condition.
Attempt Windows authentication if user is not a member of the RADIUS group
Enabling this will tell the server to attempt authentication via Active Directory if they are not a member of the group in the drop down above. Disabling it will allow only users that are included in the group to authenticate with 2FA. This option is ignored in MSCHAP2 requests.
Check if User is enabled in Active Directory
When enabled the RADIUS server will verify that the user making the request is active and enabled.
Check if User has “Dial-in Privileges” in Active Directory
If enabled the RADIUS server will verify that the user has the “Remote Access Permission” Dial-In privilege enabled in the properties of their user account.
In order to use the Active Directory RADIUS Group you will need to use a user account that has privileges to query the domain or Workgroup. Add the username, password and select your domain from the drop down. If this is a stand-alone system and not domain joined, use the Workgroup name of your network. Use the Verify button to confirm that the account has the appropriate privileges.
After completing the settings, click Next to proceed.
Add RADIUS Clients
Enter the IP address along with a Shared Secret for each remote server. Once you have entered the information, click Add.
Note: The recommended configuration is to use the loopback IP, 127.0.0.1 as the RADIUS client IP. There is no guarantee that the RADIUS client will work properly with NPS on any other IP address.
Click Finish to apply the settings and add the clients to the AuthAnvil RADIUS Server.
Once the installation is complete, you should test that everything is working as expected. This can be accomplished by confirming that the windows service is running properly and that it is has loaded the settings for the appropriate RADIUS clients.
Note: All RADIUS authentication requests are logged both in the server’s application event log as well as the AuthAnvil Manager log.
To verify that the service is properly running, check the Application Event log and ensure that the service started correctly and has loaded the proper client IPs.
Using the AuthAnvil RADIUS Test Tool
This tool is used to simulate a client requesting authentication via RADIUS to an 2FA Server.
Step 1- Open a command window to the following directory: C:\Program Files\Scorpion Software\AuthAnvil RADIUS Server
Step 2 - Run the authentication test by typing
AARADIUSTest.exe <Anvil Server IP Address> <Secret> <Username> <PIN+OTP>
If you’re using the Active Directory RADIUS settings use the following format:
AARADIUSTest.exe <Anvil Server IP Address> <Secret> <AD Username> <AD Password>
If you’re using a different RADIUS port use the following format:
AARADIUSTest.exe <Anvil Server IP Address> <Secret> <Username> <PIN+OTP> <RADIUS PORT>
Separate each value with a space. The IP Address and Secret will be the same as what was added during the RADIUS Server configuration wizard which should coincide with the RADIUS client settings.
Binding an IP Address
If you are running another RADIUS based server on the same machine, you may need to explicitly define the IP address you wish to bind the AuthAnvil RADIUS Server to so they can coexist. A practical example of this would be to run Microsoft’s Network Policy Server (NPS) along side the AuthAnvil RADIUS Server. To do this, you will need to manually modify the application configuration file.
- Using notepad, open up the configuration file at %PROGRAMFILES%\Scorpion Software\AuthAnvil RADIUS Server\AuthAnvilRADIUSServer.exe.config
- Add a new key called “BindIP” and set it to the IP address you wish to bind the AuthAnvil RADIUS Server to.
<add key="BindIP" value="192.168.1.1"/>
- Save the file.
- Restart the AuthAnvil RADIUS Server service.
Trimming Text from Username Data
AuthAnvil RADIUS Server forwards authentication directly to AuthAnvil Two Factor Auth. This means the username used to log into your RADIUS-enabled device must match the username in your 2FA server. Sometimes LDAP and Windows authentication requests can have extra information added to them, such as a full UPN or domain text (e.g. DOMAIN\Username).
AuthAnvil RADIUS Server v188.8.131.52 (released Sept 10, 2013) includes a new feature to customize how the text is parsed by the RADIUS Server. The default authentication method is to parse “DOMAIN\Username” as “Username”, by only selecting the text after the backslash (\) character. Here is how these settings are configured.
There are 2 variables: ParseChar and ParseElement. These settings are defined at the configuration file in C:\Program Files\Scorpion Software\AuthAnvil RADIUS Server\AuthAnvilRadius.exe.config. The default values are:
<add key=”ParseChar” value=”\” />
<add key=”ParseElement” value=”2″ />
The ParseChar value means that the backslash (\) will be the separating character, so the text “DOMAIN\Username” will be separated into 2 parts: “DOMAIN” and “Username”. The ParseElement value determines whether we pick the first, second, third, or other result from the list of parts. In this case, RADIUS will select the second element which is just the Usernameinstead of DOMAIN. The end result is that just the Username value is forwarded to AuthAnvil 2FA. If we changed ParseElement to “1″, it would send only the DOMAIN value.
There may be circumstances where these values need to change for non-standard authentication. For example, a networking device may submit a workgroup authentication in the format of “Username@Workgroup\Machine”. If we only want the username value here, we want to only take the text that shows up before the @ symbol. These would be the new settings:
<add key=”ParseChar” value=”@” /><add key=”ParseElement” value=”1″ />
The end result splits “Username@Workgroup\Machine” into 2 parts: “Username” and “Workgroup\Machine”. We select just the first part and submit that to AuthAnvil.