HAProxy ALOHA Documentation 14.0

RADIUS Authentication

System administrators can authenticate to HAProxy ALOHA through an external RADIUS server for administration or monitoring purposes.

https://cdn.haproxy.com/documentation/aloha/latest/assets/radius-architecture-61a79cd94f6b0018d3d9327eee292c6542af73fc84109e07e0e41a6c2ebace47.png

You can, for example, implement the following list of access rights:

Alice

Bob

Carol

Dave

Web interface

Administration

Administration

Administration

monitor

SSH

Administration

Administration

Serial port

Administration

Administration Administration | Monitoring monitor

Configure the RADIUS server

In this example, we will authenticate users through the traditional RADIUS users file. Alternatively, the RADIUS server can query an LDAP server.

We will use a FreeRADIUS 3.0 server.

  1. Follow the FreeRADIUS Getting Started guide to install FreeRADIUS on a server.

  2. Add your HAProxy ALOHA appliance as a new RADIUS client in the FreeRADIUS client configuration file, /etc/freeradius/3.0/clients.conf.

    client aloha {
       # The ALOHA IP address
       ipaddr = 192.168.1.38
    
       # Secret shared between the RADIUS server and ALOHA
       secret = saUz@w7!iwfa
    
       # Do not require the Message-Authenticator field
       require_message_authenticator = no
    
       # Transport protocol
       proto = udp
    
       # Network Access Server type for ALOHA
       nas_type = other
    }
  3. Add usernames and passwords to the RADIUS user authorization file, /etc/freeradius/3.0/mods-config/files/authorize.

    alice Cleartext-Password := "TmjRDl61NuiA"
    bob   Cleartext-Password := "AIQols16y1R6"
    carol Cleartext-Password := "Jb4cWp70D94u"
    dave  Cleartext-Password := "Jkxv:Qoc;p4@"

    You can also limit how a user can log into HAProxy ALOHA to one of the following methods:

    Login method ID

    Description

    wui

    Log in via the web UI.

    sshd

    Log in via SSH.

    login

    Log in via a local keyboard or serial login.

    Add a NAS-Identifier parameter to set the login allowed, for example:

    carol Cleartext-Password := "Jb4cWp70D94u", NAS-Identifier == "wui"
  4. Restart the RADIUS server.

    $ sudo systemctl restart freeradius

    To test your setup, start the RADIUS server in debug mode.

See also

Configure HAProxy ALOHA

On the HAProxy ALOHA server:

  1. Edit the file /etc/security/pam_radius.conf.

    Select the Tools tab, then use the File manager to browse to the /etc/security folder and edit the file pam_radius.conf.

    Add your RADIUS server. Use the same secret string you specified in the FreeRADIUS client configuration file.

    # RADIUS Server[:Port]  Shared Secret  [Timeout (s)]  [source_ip] [vrf]
    192.168.1.69            saUz@w7!iwfa   60
  2. Edit the file /etc/security/users.conf.

    Select the Tools tab, then use the File manager to browse to the /etc/security folder and edit the file users.conf.

    Add the same users that you defined on the RADIUS server, specifying the following for each:

    • auth_type of radius

    • optional: service set to wui, sshd, or login. This is another way restrict how a user can log in, rather than setting it in the FreeRADIUS authorize file.

    • allow or deny to enable or disable this user's login

    • map_to_user set to either admin for read/write access or monitor for read-only access.

    These directives implement the example access rights listed at the top of this page.

    user=alice      auth_type=radius                  : allow map_to_user admin
    user=bob        auth_type=radius service=wui,sshd : allow map_to_user admin
    user=carol      auth_type=radius service=wui      : allow map_to_user admin
    user=dave       auth_type=radius service=wui      : allow map_to_user monitor
    
    :deny
  3. In the Services tab, click pam setup setup_icon.

    https://cdn.haproxy.com/documentation/aloha/latest/assets/pam_setup-21dd8b5e0b9ebc2d60eba4f01a9e140f5869756bd01f8a726d6b054a94a4cd45.png
  4. Add RADIUS support to the PAM service.

    service pam
        autostart
        radius_auth 1
  5. Apply your changes to the PAM configuration.

    https://cdn.haproxy.com/documentation/aloha/latest/assets/apply-service-pam-255550c4f282f165909d0f8e24371cf29e57e6e2ed0bba2cd281ff41504cb5ec.png
  6. Restart the PAM service.

    https://cdn.haproxy.com/documentation/aloha/latest/assets/restart-service-pam-01319de9b0ea6be010eedb52847410a6a27edc7ed7a9030b36ecc9d1fd42c62e.png
  7. Save your configuration from the Setup tab.

You can now test logging in to the web UI with various credentials.

Reference

RADIUS clients.conf syntax

Attribute

Description

Example

client

Name of your HAProxy ALOHA appliance (the new RADIUS client, or NAS).

aloha

ipaddr

IP address of your HAProxy ALOHA appliance.

192.168.1.38

secret

Shared secret used to encrypt the user's password between your HAProxy ALOHA appliance (the RADIUS client, or NAS) and the Ubuntu VM (the RADIUS server).

You will specify this secret on your HAProxy ALOHA appliance, in /etc/security/pam_radius.conf.

saUz@w7!iwfa

require_message_authenticator

no: allows the RADIUS server to require a Message-Authenticator.

See also

FreeRADIUS client configuration

HAProxy ALOHA pam_radius.conf syntax

Parameter

Description

Default

Requiredness

server[:port]

IP address:port of your RADIUS server, in this case, the Ubuntu VM.

Surround IPv6 addresses with square brackets.

Default port name: radius, looked up from /etc/services/

Mandatory. Port name is optional.

secret

The shared secret you specified in /etc/freeradius/3.0/clients.conf on the Ubuntu VM.

Mandatory

timeout

Number of seconds the module waits for the server to respond. Mandatory. 3 to 60 seconds.

3 seconds.

Mandatory

source_ip

Makes PAM bind the socket that connects to a given server to a given IP address.

none

Optional

vrf

Make PAM bind the socket that connects to a given server to a given VRF.

none

Optional

HAProxy ALOHA users.conf syntax

Each line in the users.conf file comprises at least one filter and one action.

<FILTERS>:<ACTIONS>

You can specify multiple comma-separated filters and actions on the same line.

Filters

user

Value

Description

Comma-separated list of usernames

Example: user=user1,user2

*, or no filter

Actions will apply to all users.

auth_type

Value

Description

radius

Users authenticate against a RADIUS server.

map_to_user

Value

Description

admin

Grant administration rights

monitor

Grant monitor rights

Any Linux user on HAProxy ALOHA

Map user to another user.

service

Value

Description

wui

Login through the web interface.

sshd

Login through SSH.

login

Local keyboard or serial login.

Actions

allow

Grant access.

deny

Forbid access.

map_to_user

Value

Description

admin

Grant administration rights

monitor

Grant monitor rights

Any Linux user on HAProxy ALOHA

Map user to another user.


Next up

High Availability
HAProxyConf 2022 - Call for papers