HAProxy Enterprise Documentation 13.0

RADIUS Authentication

The RADIUS network protocol provides centralized management of AAA (Authentication, Authorization, and Accounting) for users who log in and use a network service.

Users can authenticate to an HAProxy ALOHA appliance with admin or monitor rights via an external RADIUS server.

(Figure: RADIUS authentication architecture)

You can also allow access only via:

  • SSH

  • a serial port

  • the web interface

We will set up the following configuration:

(Figure: lab setup with the Ubuntu RADIUS VM and the ALOHA VM)

Warning

Running ALOHA in VirtualBox is not supported. Using VirtualBox is only meant for testing.

We will:

  • Install and configure a FreeRADIUS server on an Ubuntu VM.

  • Configure PAM RADIUS on the ALOHA VM.

  • Test authentication via RADIUS.

Creating virtual machines

Configuring the Ubuntu VM

  1. Launch a new Ubuntu Desktop 20.04 LTS VirtualBox VM.

    Select the Bridged Network mode.

    (Screenshot: VirtualBox Bridged Adapter network setting)
  2. Connect to your VM via SSH or PuTTY.

Installing a virtual ALOHA appliance

Warning

Running ALOHA in VirtualBox is not supported. Using VirtualBox is only meant for testing.

  1. Uncompress the aloha-albva-kvm.tgz archive.

    $ tar xzvf aloha-albva-kvm.tgz
  2. Convert the ALOHA image to a VirtualBox image:

    $ cd aloha-albva
    $ VBoxManage convertdd aloha-albva.img aloha-albva.vdi
    Converting from raw image file="aloha-albva.img" to file="aloha-albva.vdi"...
    Creating dynamic image with size 268435456 bytes (256MB)...
  3. Create the ALOHA appliance as a new VirtualBox VM.

    (Screenshot: creating the ALOHA VM in VirtualBox)
  4. Select the Bridged Network mode, then launch the VM.

    (Screenshot: VirtualBox Bridged Adapter network setting)
    ALOHA - Copyright (C) 2005-2020 HAProxy Technologies
    
    Access WEB User Interface:
    http://192.168.1.6:4444/
    
    Warning, keyboard set to QWERTY by default.
    ALOHA1 login:

Configuring the RADIUS server on your Ubuntu VM

Perform the steps below on the Ubuntu VM.

In this example, we will authenticate users via the traditional RADIUS users file. We will use a FreeRADIUS 3.0 server.

  1. Connect to your Ubuntu VM via SSH or PuTTY.

  2. Install FreeRADIUS:

    ubuntu@vm:~$ sudo apt install freeradius
  3. Create a new variable for your ALOHA appliance's IP address:

    ubuntu@vm:~$ export alohaip=192.168.1.6
  4. Define your HAProxy ALOHA appliance as a new RADIUS client (NAS) in clients.conf:

    We will use the tee utility, but you can of course use any text editor.

    ubuntu@vm:~$ cat <<EOF | sudo tee /etc/freeradius/3.0/clients.conf
    client aloha {
      ipaddr = $alohaip
      secret = Testal0ha
      require_message_authenticator = no
    }
    EOF
    client

    Name of your HAProxy ALOHA appliance (the new RADIUS client, or NAS).

    ipaddr

    IP address of your HAProxy ALOHA appliance.

    secret

    Shared secret used to encrypt the user's password between your HAProxy ALOHA appliance (the RADIUS client, or NAS) and the Ubuntu VM (the RADIUS server).

    You will specify this secret on your HAProxy ALOHA appliance, in /etc/security/pam_radius.conf.

    require_message_authenticator

    no: the server does not require requests from this client to carry a Message-Authenticator attribute. This is acceptable for a test lab; with yes, Access-Requests from this client that lack a valid Message-Authenticator are rejected.
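To make concrete what the shared secret does on the wire, here is an added Python sketch (not FreeRADIUS or pam_radius code) of the RFC 2865 exchange between the NAS and the server: User-Password hiding with MD5 and the secret, and the Response Authenticator that lets the client reject an Access-Accept not produced with the same secret. It assumes the page's secret Testal0ha and user alice; the Request Authenticator is a fixed constructed value where a real client uses a random one.

```python
import hashlib, hmac, struct

# Constructed value copied from the page's clients.conf / pam_radius.conf.
SECRET = b"Testal0ha"

def _xor_chain(data: bytes, secret: bytes, authenticator: bytes, hide: bool) -> bytes:
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous *hidden*
    # block); the first "previous block" is the 16-byte Request Authenticator.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        mixed = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out += mixed
        prev = mixed if hide else chunk
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: NUL-pad to a multiple of 16 bytes, then apply the chain.
    This is secret-keyed obfuscation, not authenticated encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded, secret, authenticator, hide=True)

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse the chain with the same secret and strip the padding."""
    return _xor_chain(hidden, secret, authenticator, hide=False).rstrip(b"\x00")

def attr(code: int, value: bytes) -> bytes:
    # RADIUS attribute: type, total length, value.
    return struct.pack("!BB", code, len(value) + 2) + value

def build_access_request(ident: int, req_auth: bytes, user: bytes, password: bytes, nas_id: bytes) -> bytes:
    """Code 1 = Access-Request. Attributes: 1 User-Name, 2 User-Password,
    32 NAS-Identifier (the page's debug output shows it carries the service name, e.g. b"wui")."""
    attrs = attr(1, user) + attr(2, hide_password(password, SECRET, req_auth)) + attr(32, nas_id)
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def build_response(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side. Code 2 = Access-Accept, 3 = Access-Reject. Response Authenticator
    = MD5(code + id + length + RequestAuth + attributes + secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def verify_response(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Client side: only a peer holding the shared secret can produce a valid
    Response Authenticator, so a spoofed Access-Accept fails this check."""
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(resp[4:20], expected)
```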

Adding user to the authorize file

Perform the steps below on the Ubuntu VM.

  1. Add users Alice, Carol, Dave, and Bob to the authorize file:

    Warning

    • Do not use usernames as passwords in production.

    • Encrypt passwords for better security.

    ubuntu@vm:~$ for user in {alice,carol,dave,bob};
    do echo "$user Cleartext-Password := \"$user\"" |
    sudo tee -a /etc/freeradius/3.0/mods-config/files/authorize;
    done
  2. Check the content of the file:

    ubuntu@vm:~$ sudo cat /etc/freeradius/3.0/mods-config/files/authorize
    DEFAULT Framed-Protocol == PPP
            Framed-Protocol = PPP,
            Framed-Compression = Van-Jacobson-TCP-IP
    
    DEFAULT Hint == "CSLIP"
            Framed-Protocol = SLIP,
            Framed-Compression = Van-Jacobson-TCP-IP
    
    DEFAULT Hint == "SLIP"
            Framed-Protocol = SLIP
    
    alice Cleartext-Password := "alice"
    carol Cleartext-Password := "carol"
    dave Cleartext-Password := "dave"
    bob Cleartext-Password := "bob"

    Note

    You can filter access by service by adding the check item NAS-Identifier == "<service>" to a user's entry.

    You can also filter access by service on the HAProxy ALOHA appliance (the RADIUS client, or NAS). Make sure your access rules defined on the RADIUS server and on ALOHA do not conflict.

    service can be one of the following:

    login

    Local keyboard or serial console login.

    sshd

    Login via SSH.

    wui

    Login via the web interface.

    Check items on the first line of an entry are separated by commas:

    alice Cleartext-Password := "alice", NAS-Identifier == "sshd"
    carol Cleartext-Password := "carol", NAS-Identifier == "wui"
    dave Cleartext-Password := "dave", NAS-Identifier == "wui"
    bob Cleartext-Password := "bob", NAS-Identifier == "login"
  3. Start the RADIUS server in debug mode:

    ubuntu@vm:~$ sudo freeradius -X
    [...]
    Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
    Listening on auth address * port 1812 bound to server default
    Listening on acct address * port 1813 bound to server default
    Listening on auth address :: port 1812 bound to server default
    Listening on acct address :: port 1813 bound to server default
    Listening on proxy address * port 40918
    Listening on proxy address :: port 40543
    Ready to process requests

Configuring HAProxy ALOHA

Perform the steps below on the ALOHA appliance.

  1. Log in to your HAProxy ALOHA appliance (the RADIUS client, or NAS) via SSH or PuTTY with the following credentials:

    User

    admin

    Password

    admin

    (Screenshots: PuTTY login to the ALOHA appliance)
  2. Add RADIUS support to PAM:

    :~$ sudo config set pam radius_auth 1
    :~$ sudo config set pam autostart
  3. Define your RADIUS server:

    :~$ cat <<EOF | sudo tee /etc/security/pam_radius.conf
    # Server[:Port]  Shared Secret  [Timeout (s)]  [source_ip] [vrf]
    192.168.1.10     Testal0ha      3
    EOF
    server[:port]

    IP address of your RADIUS server (here, the Ubuntu VM), optionally followed by a port name or number. By default the radius service name is looked up in /etc/services.

    Surround IPv6 addresses with square brackets.

    secret

    The shared secret you specified in clients.conf on the Ubuntu VM.

    timeout

    Number of seconds the module waits for the server to respond. Mandatory. 3 to 60 seconds. Default: 3 seconds.

    source_ip

    Optional. Default: none. Makes PAM bind the socket that connects to a given server to a given IP address.

    vrf

    Optional. Default: none. Makes PAM bind the socket that connects to a given server to a given VRF.

Enabling login

The file /etc/security/users.conf allows you to define users and assign allowed actions.

Using the WUI

  1. In the Services tab, select "advanced mode" (at the bottom of the page).

  2. Go to the pam line and click the edit icon to edit the users.conf file using the options described below.

Using the CLI

  1. Edit users.conf:

    :~$ sudo vi /etc/security/users.conf

users.conf syntax

Each line in the users.conf file contains the following:

<FILTERS>:<ACTIONS>

Multiple filters and actions can be on the same line, and must be separated by a space.

Filters

user

Comma-separated list of usernames, for example user=user1,user2. The value * matches every user; omitting the user filter also matches every user.

group

Unix group name.

auth_type

Authentication type:

  • local: users authenticate against the ALOHA appliance

  • ldap: users authenticate against an LDAP server

  • radius: users authenticate against a RADIUS server

service

Service the user logs in through:

  • wui: login via the web interface

  • sshd: login via SSH

  • login: local keyboard or serial login

ALOHA stops evaluating the rules as soon as a line is matched, and applies the corresponding actions.

Actions

allow

Grant access.

deny

Forbid access.

map_to_user <USER>

Map the user to another user: admin grants administration rights, monitor grants monitor rights, and any other Linux user on the ALOHA can be given. We recommend that you remap users to monitor or admin, but you can remap them to any user present on the ALOHA.

Setting up login for LDAP users

Using the WUI

  1. In the Services tab, go to the system line and click the setup icon.

  2. Add "dns_domain YOUR_DOMAIN_NAME".

  3. Add "dns_servers DNS_SERVER_IP".

Using the CLI

  1. Check that your DNS resolution works correctly on the ALOHA. If not, run the commands below:

    :~$ sudo config set system dns_domain MYDOMAIN
    :~$ sudo config set system dns_servers xx.xx.xx.xx
    :~$ sudo save-etc
    :~$ sudo reboot
  2. Check that the ALOHA can communicate with the LDAP server. You can do a test query using ldapsearch. If there is no communication, check your network configuration.

  3. Enable PAM and LDAP authentication (see above).

  4. Configure nslcd (nss-pam-ldap daemon). For complete nslcd documentation, see https://arthurdejong.org/nss-pam-ldapd/.

  5. Restart nslcd:

    :~$ sudo service nslcd restart
  6. Restart the pam service so that it picks up the new configuration:

    :~$ sudo service pam restart
  7. Optionally, you can launch nslcd in debug mode to add information for troubleshooting:

    :~$ sudo nslcd -d -n
  8. For better reliability, we recommend the following nslcd options:

    • Set log syslog to log nslcd actions to syslog.

    • Specify base dc=example,dc=org explicitly (according to your LDAP server configuration) so that nslcd does not fail at startup when the LDAP server is down.

    • Set nss_initgroups_ignoreusers root,admin,monitor to prevent delays when one of these users runs sudo while the LDAP server is offline.

Results

If nslcd is working correctly, you can see the following:

  • LDAP users: getent passwd

  • Users' LDAP groups (mapped as Active Directory primary groups): getent group

If these steps fail, please consult the https://arthurdejong.org/nss-pam-ldapd/ documentation.

Now that your LDAP users are known by the system, you can allow them to log in.

Granting rights to users

Perform the steps below on the ALOHA appliance.

We are going to create entries for users before the :deny entry, which denies access and must therefore be the last in the file.

We will use the sed utility to insert entries, but you can of course use any text editor.

Warning

Make sure your access rules defined on the RADIUS server and on ALOHA do not conflict.

  1. Grant Alice admin rights:

    :~$ sudo sed -i \
    '/^:deny$/i user=alice auth_type=radius: allow map_to_user admin' \
    /etc/security/users.conf
  2. Grant Bob admin rights, and access via the WUI only. service is a filter, so it goes before the colon:

    :~$ sudo sed -i \
    '/^:deny$/i user=bob auth_type=radius service=wui: allow map_to_user admin' \
    /etc/security/users.conf
  3. Grant Carol and Dave monitor rights:

    :~$ sudo sed -i \
    '/^:deny$/i user=carol,dave auth_type=radius: allow map_to_user monitor' \
    /etc/security/users.conf
  4. Check the content of the file:

    :~$ sudo cat /etc/security/users.conf
    [...]
    # example for LDAP
    # group=aloha-admin   auth_type=ldap: allow map_to_user admin
    # group=aloha-monitor auth_type=ldap: allow map_to_user monitor
    
    user=alice auth_type=radius: allow map_to_user admin
    user=bob auth_type=radius service=wui: allow map_to_user admin
    user=carol,dave auth_type=radius: allow map_to_user monitor
    :deny
  5. Start PAM and check that the configuration file parses without error:

    :~$ sudo service pam start
    # Process pam already stopped, cleaning up...
    ==> stop pam Done.
    # Starting pam ...
    Checking config file /var/state/pam.cfg
    
    ==> start pam Done.

    If a filter such as service=wui is placed after the colon, among the actions, the parser rejects the file and names the offending keyword:

    Unknown keyword service=wui in /var/state/pam.cfg at line 21
    Error while parsing config file /var/state/pam.cfg: 29
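As an added illustration (not the appliance's own pam code), here is the first-match evaluation described in the users.conf syntax section, run over the rules written in the steps above. It assumes the file content shown in step 4, and simplifies group filters to an exact comparison against a group supplied in the login dict instead of a Unix group lookup.

```python
# Constructed users.conf content, copied from the page's lab. Filters before the
# colon must all match; the actions after it apply on the first matching line.
USERS_CONF = """\
# example for LDAP
# group=aloha-admin   auth_type=ldap: allow map_to_user admin
user=alice auth_type=radius: allow map_to_user admin
user=bob auth_type=radius service=wui: allow map_to_user admin
user=carol,dave auth_type=radius: allow map_to_user monitor
:deny
"""

def parse_rules(text: str):
    """Return a list of (filters, actions): filters is a dict, actions a token list."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        left, _, right = line.partition(":")
        filters = dict(tok.split("=", 1) for tok in left.split())
        rules.append((filters, right.split()))
    return rules

def filter_matches(filters: dict, login: dict) -> bool:
    """user= is a comma list or *; other keys match exactly; an absent filter matches."""
    for key, want in filters.items():
        have = login.get(key)
        if key == "user":
            if want != "*" and have not in want.split(","):
                return False
        elif want != have:
            return False
    return True

def evaluate(rules, login: dict):
    """First matching line wins. Returns (decision, effective_user).
    login looks like {"user": "bob", "auth_type": "radius", "service": "sshd"}."""
    for filters, actions in rules:
        if filter_matches(filters, login):
            decision = "allow" if "allow" in actions else "deny"
            mapped = login["user"]
            if "map_to_user" in actions:
                mapped = actions[actions.index("map_to_user") + 1]
            return decision, mapped
    return "deny", login["user"]   # no line matched: nothing granted access
```

Bob through SSH falls past his wui-only line to the trailing :deny, which is why that line must stay last.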

Testing the RADIUS configuration

  1. Connect to http://<ALOHA Appliance's IP address>:4444 with credentials alice/alice.

    http://192.168.1.6:4444

    (Screenshot: WUI login page with alice's credentials)

    The WUI appears.

    (Screenshot: the ALOHA WUI after login)

    Alice is granted administration rights.

  2. On the Ubuntu VM, check the output of the command sudo freeradius -X you launched earlier:

    [...]
    Ready to process requests
    (0) Received Access-Request Id 249 from 192.168.1.6:64795 to 192.168.1.10:1812 length 68
    (0)   User-Name = "alice"
    (0)   User-Password = "alice"
    (0)   NAS-Identifier = "wui"
    (0)   NAS-Port = 2099
    (0)   NAS-Port-Type = Virtual
    (0)   Service-Type = Authenticate-Only
    (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
    (0)   authorize {
    (0)     policy filter_username {
    (0)       if (&User-Name) {
    (0)       if (&User-Name)  -> TRUE
    (0)       if (&User-Name)  {
    (0)         if (&User-Name =~ / /) {
    (0)         if (&User-Name =~ / /)  -> FALSE
    (0)         if (&User-Name =~ /@[^@]*@/ ) {
    (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
    (0)         if (&User-Name =~ /\.\./ ) {
    (0)         if (&User-Name =~ /\.\./ )  -> FALSE
    (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
    (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
    (0)         if (&User-Name =~ /\.$/)  {
    (0)         if (&User-Name =~ /\.$/)   -> FALSE
    (0)         if (&User-Name =~ /@\./)  {
    (0)         if (&User-Name =~ /@\./)   -> FALSE
    (0)       } # if (&User-Name)  = notfound
    (0)     } # policy filter_username = notfound
    (0)     [preprocess] = ok
    (0)     [chap] = noop
    (0)     [mschap] = noop
    (0)     [digest] = noop
    (0) suffix: Checking for suffix after "@"
    (0) suffix: No '@' in User-Name = "alice", looking up realm NULL
    (0) suffix: No such realm "NULL"
    (0)     [suffix] = noop
    (0) eap: No EAP-Message, not doing EAP
    (0)     [eap] = noop
    (0) files: users: Matched entry alice at line 12
    (0)     [files] = ok
    (0)     [expiration] = noop
    (0)     [logintime] = noop
    (0)     [pap] = updated
    (0)   } # authorize = updated
    (0) Found Auth-Type = PAP
    (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (0)   Auth-Type PAP {
    (0) pap: Login attempt with password
    (0) pap: Comparing with "known good" Cleartext-Password
    (0) pap: User authenticated successfully
    (0)     [pap] = ok
    (0)   } # Auth-Type PAP = ok
    (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
    (0)   post-auth {
    (0)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
    (0)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name))  -> FALSE
    (0)     update {
    (0)       No attributes updated for RHS &session-state:
    (0)     } # update = noop
    (0)     [exec] = noop
    (0)     policy remove_reply_message_if_eap {
    (0)       if (&reply:EAP-Message && &reply:Reply-Message) {
    (0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
    (0)       else {
    (0)         [noop] = noop
    (0)       } # else = noop
    (0)     } # policy remove_reply_message_if_eap = noop
    (0)   } # post-auth = noop
    (0) Sent Access-Accept Id 249 from 192.168.1.10:1812 to 192.168.1.6:64795 length 0
    (0) Finished request
    Waking up in 4.9 seconds.
    (0) Cleaning up request packet ID 249 with timestamp +854
    Ready to process requests
  3. Disconnect from the WUI, then reconnect with other credentials, or through SSH or PuTTY.
