Adding a RADIUS agent

RADIUS

RADIUS is an acronym for Remote Authentication Dial-In User Service. In Passly, a RADIUS service installation is an instance to which different devices may connect for network authentication or access.

RADIUS Client

RADIUS clients are network access servers (NAS), such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers: the devices that send authentication requests to the RADIUS server. This entry area shows the client's name and device IP.

RADIUS Server

A RADIUS Server is an agent (the Windows-based Passly RADIUS Agent) that hosts one or more RADIUS Clients and is the integration point between your Passly tenant and your appliance.

Prerequisites

  • Visual C++ 2015 Redistributable. This update can be downloaded here.
  • Microsoft .NET Framework 4.6. This update can be downloaded here.
  • Windows Server Support.
    - Server 2016
    - Server 2019
    - Server 2022

Before you start

  • Ensure that you have Administrative Role access to your Passly tenant.
  • You have Administrator or Domain Administrator access to the Windows Server that will host the RADIUS Server/Agent.
  • You have Administrator access to your desired VPN-capable device and are familiar with its configuration.

Adding a RADIUS Agent

Below are the steps to add a RADIUS Agent that includes at least one RADIUS Client.
Note: Most RADIUS deployments will have at least two clients: one for the appliance and one for localhost (127.0.0.1), which is used to test authentication.

Installation Steps

  1. Log into your Passly tenant https://(companyname).my.passly.com 
  2. Select the Auth Manager area on the left side to reveal the Agents area.
  3. Select Agents/Clients. 
  4. Select the Plus sign in the bottom right corner to add a new Agent.
  5. Select RADIUS Server from the list.
  6. Ensure the agent is Enabled.
  7. Enter a name for the Agent that identifies it uniquely among the other agents.
    Note: We recommend naming the agent after the Windows server it is installed on.
  8. Select how often the agent will check in (Sync Frequency). By default this is set to 1 hour.
    Note: We recommend keeping the 1 hour default for new deployments; you can lengthen the interval later if you need to reduce network traffic.
  9. Update WLA 2FA Timeout (Seconds) if needed.
    Note: 180 seconds is the default recommendation.
  10. Select the desired Authentication Policy to be in place for the Client.
  11. Select the RADIUS Configuration tab.
  12. Select the port you wish to use for communication (the default RADIUS authentication port is UDP 1812).
    Note: The appliance must be able to reach this UDP port on the server that hosts the RADIUS Agent, and the replies must be allowed back; check both the Windows host firewall and any firewall between the two.
  13. Select the “Add RADIUS Client” button.
  14. In the “Add RADIUS Client” screen, perform the following:
    Note: The values below should be gathered from the RADIUS configuration of the appliance you are connecting to.

    1. Add a Friendly name for the client.
      Note: This should be easy to identify and match the appliance in use.
      Example: Acme SonicWALL
    2. Add the Client IP Address.
      Note: This is the IP address of the appliance you are connecting to. RADIUS servers match requests to clients by source address, so this must be the address the appliance actually sends from (after any NAT).
    3. Add a Client Shared Secret.
      Note: The Shared Secret must match the secret configured in the appliance you are connecting to. Use a long, random value: it is what authenticates both ends to each other and it is the only thing protecting the PAP password in transit (see PAP Protocol below).
    4. Confirm the Shared Secret (formerly Confirm Password) for the Client.
    5. Select the Authentication Policy you would like to use.
      Note: This is usually the same policy you selected in Step 10.
    6. Enable Require message-authenticator attribute.
      Note: Once enabled, the agent rejects any Access-Request that does not carry a valid Message-Authenticator attribute. This is the mitigation for BLAST-RADIUS (see What is BLAST-RADIUS? below). The appliance must therefore be configured, or updated, to send Message-Authenticator in every request, otherwise authentication will fail once this is enabled.
    7. Select Add RADIUS Client.
      Note: If you would like to add more than one client, select the “add another” check box before selecting the Add RADIUS Client button.
      Note: We recommend that you also add a client for 127.0.0.1 with a simple shared secret like 1234abc. It can be used with the Passly RADIUS Test tool to confirm that you can authenticate via RADIUS against your Passly tenant. Please see this guide for help using the test tool. A simple secret is tolerable only for the loopback client, because that traffic never leaves the server; do not reuse it for an appliance, and disable or remove the loopback client once testing is complete.
  15. Select Add Agent to close the “Add New Agent Screen.”
  16. Copy down the following, as you will be prompted for this information when you run the RADIUS installer.
    Note: This information is used ONLY at the time of installing the service. Treat the Key as a secret and do not leave it in a ticket or e-mail afterwards.
    1. ID: The unique ID of the agent. (formerly Client ID)
    2. Key: The auto-generated secret value of the agent. (formerly Client Secret)
    3. Home Realm: The home realm / URL (https://(CompanyName).my.passly.com) used for the organization your agent is deployed from.

RADIUS Server/ Agent installation steps

  1. Select the newly created agent. 
  2. Select Download Installer. 
  3. Copy the installation file to the server, or download it from the installer link https://passlyprodwuappsa.blob.core.windows.net/files/PasslyRadius.Setup.exe
    Note: The installer must be run from a local drive in Windows. Attempting to install from a network-connected drive will cause unexpected errors during installation.
  4. Log on to the Windows Server as a Windows Administrator or Domain Administrator, depending on whether it is a stand-alone or domain-joined server.
  5. Ensure the prerequisite software is installed as noted above. 
  6. Run the installer elevated (Run As Administrator).
    Note: This ensures that User Account Control (UAC) does not interfere with the installation.
  7. Select Install. 
  8. Select Next
  9. Select I Accept on the terms of use to continue with installation. 
  10. Select Next. 
  11. Enter the information you collected earlier. 
    1. ID: The unique ID of the agent. (formerly Client ID)
    2. Key: The auto-generated secret value of the agent. (formerly Client Secret)
    3. Home Realm: The home realm / URL https://(CompanyName).my.passly.com is entered for your Passly tenant.

    Note: The Home Realm for the specific organization you are working on should be used. 
    Example: When deploying an agent for the Support parent organization, use https://support.my.passly.com for the home realm.
    Example: When deploying an agent for a client organization Acme, use https://acme-support.my.passly.com for the home realm.
  12. Select Next
  13. Select Install
  14. Select Finish to complete the agent installation. 

This completes the Passly agent installation and configuration. You will also need to configure your chosen appliance for RADIUS, as described below.

Configuring Appliances for RADIUS

In general you will set the following in the appliance you are connecting with RADIUS. These settings live in the appliance you are configuring.

  1. Outbound IP Address (the RADIUS server address): the actual IP address of the Windows server that hosts the Passly RADIUS Server/Agent.
  2. Shared Secret: the secret both sides use to authenticate RADIUS packets to each other. It must exactly match the secret you entered for this client on the agent.
  3. RADIUS Port. By default this is UDP 1812.
    Note: The appliance must be able to reach this port on the server, and the return traffic must be allowed through any firewall in between.
    Note: If you install the RADIUS Server on a server that also runs Microsoft Network Policy Server (NPS), you might need to use another port such as 1814, because NPS listens on 1812 by default.

Customers will need to consult the OEM (Original Equipment Manufacturer) documentation for their appliance for the specific RADIUS configuration steps, as these differ from one appliance to the next.

Some possible appliance examples:  

Configuring & working with End-User clients

Users

  • Users need to be in Active status in Passly. See this guide for enrolling users.
  • The users need to have a UPN (User Principal Name) or APN (Alternate Principal Name) that matches what the appliance is expecting to be used for the username.

Expectations

  • Pre-RADIUS users would connect to the appliance using username/password or perhaps Domain username/Domain password.
  • Post-RADIUS users will connect using their Passly Password and be prompted for 2FA via their Passly authenticator. Your assigned authentication policy will determine PUSH/Authentication code acceptance. 
    Note: Passly users can be synced from Azure or Active Directory. Please see the following guide for Passly's Active Directory assistance.

More Information

PAP Protocol

Passly uses PAP exclusively. This is why we recommend that the appliance and the Server/Agent be located on the same network, to reduce the chance of the RADIUS traffic being intercepted on the way.

The main difference between PAP and CHAP is that PAP uses a two-way handshake and sends the password itself, whereas CHAP uses a three-way handshake and never sends the password between the parties; taken on its own, CHAP is therefore the more secure of the two. Three things keep PAP in use anyway:

  1. PAP is old (RFC 1334 was published in 1992) so it used to be pretty much the only standardized choice. Even after newer (and arguably better) standards were released (such as CHAP in 1996 and EAP in 1998 with updates in 2004), companies could still use the already-written PAP code in existing products and just move it to their new products.
  2. PAP is easy to implement - no need to understand complex encryption mechanisms.
  3. There is an easy way to add another layer of security, so there is no incentive to fix it. (See final paragraph below)

In truth, PAP as carried by RADIUS does not send the password in plaintext on the wire. The User-Password attribute is XORed with MD5(shared secret + Request Authenticator), and for passwords longer than 16 bytes each further 16-byte block is XORed with MD5(shared secret + previous ciphertext block) (RFC 2865, section 5.2). This protection is only as strong as the shared secret: anyone who knows it, or who can guess it offline from a captured request and one known password, can recover every password that crosses that link.

The best practical answer for safe use of PAP is to tunnel the RADIUS traffic through a VPN (an IPsec tunnel or similar). This is becoming standard practice for RADIUS connections, since other sensitive user data besides the password may also need to be protected.
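The following is an added example, not Passly's code, showing the RFC 2865 section 5.2 password hiding described above: how a RADIUS client hides a PAP password, how the server recovers it, and why a weak shared secret undoes the protection (an offline guess of the secret from one captured request whose password is known, such as a test account). The shared secret, Request Authenticator and passwords are constructed test values.

```python
"""RFC 2865 section 5.2 User-Password hiding, as used for PAP over RADIUS.

Added example (not Passly's code). The shared secret, Request Authenticator
and passwords used here are constructed test values.
"""
import hashlib
import secrets

MAX_PASSWORD_LEN = 128  # RFC 2865 limits User-Password to 128 octets


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Return the User-Password attribute value as sent on the wire.

    c1 = p1 XOR MD5(secret + RequestAuthenticator)
    cN = pN XOR MD5(secret + c(N-1))   for every further 16-octet block
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > MAX_PASSWORD_LEN:
        raise ValueError("User-Password is limited to 128 octets")
    # NUL-pad to a multiple of 16 octets; an empty password becomes one block.
    padded_len = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(padded_len, b"\x00")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, padded_len, 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = _xor16(padded[i:i + 16], keystream)
        out += block
        prev = block  # chaining: next keystream depends on this ciphertext block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Recover the password, as the server does (or anyone who knows the secret)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor16(block, hashlib.md5(secret + prev).digest())
        prev = block
    # Padding cannot be told apart from trailing NULs in the real password,
    # which RADIUS passwords do not contain in practice.
    return bytes(out).rstrip(b"\x00")


def recover_shared_secret(hidden: bytes, request_authenticator: bytes,
                          known_password: bytes, candidates):
    """Offline dictionary attack on the shared secret.

    The Request Authenticator travels in clear, so a captured Access-Request
    for an account whose password is known yields the first keystream block,
    which is an oracle for guessing the secret without any further traffic.
    Returns the matching candidate, or None.
    """
    first_plain = known_password[:16].ljust(16, b"\x00")
    first_keystream = _xor16(hidden[:16], first_plain)
    for candidate in candidates:
        if hashlib.md5(candidate + request_authenticator).digest() == first_keystream:
            return candidate
    return None


def demo() -> dict:
    """Round-trip a password and recover a weak secret from one captured request."""
    secret = b"1234abc"                    # constructed: the loopback-style weak secret
    authenticator = secrets.token_bytes(16)  # a client picks a fresh random one per request
    hidden = hide_password(b"hunter2", secret, authenticator)
    wordlist = [b"password", b"radius", b"1234abc", b"secret"]  # constructed wordlist
    return {
        "hidden_hex": hidden.hex(),
        "recovered_password": unhide_password(hidden, secret, authenticator),
        "guessed_secret": recover_shared_secret(hidden, authenticator, b"hunter2", wordlist),
    }


if __name__ == "__main__":
    print(demo())
```

The chained construction means the secret and the Request Authenticator fully determine the keystream; nothing about the password is hidden from anyone who holds the secret, and a short dictionary secret falls to the attack in `recover_shared_secret` in milliseconds. That is the reason the client entry for a real appliance needs a long random secret, and why the same traffic should additionally be carried inside a VPN or on an isolated network.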

What is BLAST-RADIUS?

BLAST-RADIUS (CVE-2024-3596) is a vulnerability in the RADIUS protocol itself. An attacker who can intercept and modify traffic between a RADIUS client and server (for example, from within the same network) can turn a rejected login into an Access-Accept, because responses are authenticated only with MD5 over the shared secret and MD5 collisions are practical. Requiring the Message-Authenticator attribute on every packet (the setting in step 14 above) defeats the attack, which is why that option exists. You can learn more about BLAST-RADIUS via https://www.blastradius.fail/ & https://www.inkbridgenetworks.com/web/content/2557
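As an added example (not Passly's code, and not the agent's implementation), the block below builds an Access-Request carrying the Message-Authenticator attribute (RFC 2869 section 5.14: HMAC-MD5 over the whole packet, keyed with the shared secret, with the attribute's own 16 value bytes zeroed) and then checks it the way a server with "Require message-authenticator attribute" enabled would: a request without the attribute, one that was modified in transit, or one from a client with the wrong secret is rejected. The shared secret, Request Authenticator and attribute values are constructed test data; a real request would also carry the hidden User-Password attribute, which is left out here.

```python
"""Building and checking the RADIUS Message-Authenticator attribute
(RFC 2869 section 5.14), the mechanism behind "Require message-authenticator".

Added example (not Passly's code). Secret, Request Authenticator and
attribute values are constructed test data.
"""
import hashlib
import hmac
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Request Authenticator(16)


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type, Length (including the 2 header octets), Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attributes(packet: bytes):
    """Yield (type, value_offset, value) for each attribute; reject malformed TLVs."""
    off = HEADER_LEN
    while off < len(packet):
        if off + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[off], packet[off + 1]
        if length < 2 or off + length > len(packet):
            raise ValueError("bad attribute length")
        yield attr_type, off + 2, packet[off + 2:off + length]
        off += length


def build_access_request(identifier: int, request_authenticator: bytes, attributes,
                         secret: bytes, with_message_authenticator: bool = True) -> bytes:
    """Serialise an Access-Request. The HMAC covers the entire packet with the
    Message-Authenticator value set to 16 zero octets, then replaces those zeros."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    body = b"".join(encode_attribute(t, v) for t, v in attributes)
    if with_message_authenticator:
        body += encode_attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = bytearray(struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, HEADER_LEN + len(body)))
    packet += request_authenticator + body
    if with_message_authenticator:
        packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()  # appended last
    return bytes(packet)


def check_message_authenticator(packet: bytes, secret: bytes, require: bool = True):
    """Return (accepted, reason), mirroring a server with the attribute required
    (require=True) or merely verified when present (require=False)."""
    if len(packet) < HEADER_LEN:
        return False, "packet shorter than RADIUS header"
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False, "Length field does not match packet size"
    try:
        found = [(off, val) for t, off, val in parse_attributes(packet)
                 if t == ATTR_MESSAGE_AUTHENTICATOR]
    except ValueError as exc:
        return False, f"malformed attributes: {exc}"
    if not found:
        if require:
            return False, "Message-Authenticator missing"
        return True, "Message-Authenticator missing (accepted because not required)"
    if len(found) > 1:
        return False, "more than one Message-Authenticator"
    off, val = found[0]
    if len(val) != 16:
        return False, "Message-Authenticator has wrong length"
    zeroed = bytearray(packet)
    zeroed[off:off + 16] = bytes(16)  # works wherever the attribute sits in the packet
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(expected, val):
        return False, "Message-Authenticator does not verify (wrong secret or packet modified)"
    return True, "Message-Authenticator verified"


if __name__ == "__main__":
    secret = b"s3cr3t-shared"  # constructed
    ra = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed
    attrs = [(ATTR_USER_NAME, b"alice@example.com"), (ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 5]))]
    good = build_access_request(7, ra, attrs, secret)
    print(check_message_authenticator(good, secret))
    print(check_message_authenticator(build_access_request(7, ra, attrs, secret, False), secret))
```

The check rejects anything an on-path attacker could do to the request (inject or alter attributes, substitute a different secret), which is what closes the BLAST-RADIUS window; the flip side, visible in the `require=True` branch, is that an appliance that never sends the attribute stops authenticating the moment the option is turned on, so confirm the appliance sends it before enabling the requirement in production.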
