Users and passwords

RADIUS authentication

Available since

  • HAProxy ALOHA 12.5

System administrators can authenticate to HAProxy ALOHA through an external RADIUS server for administration or monitoring purposes.

radius architecture

You can, for example, implement the following list of access rights:

Alice Bob Carol Dave
Web interface admin admin admin monitor
SSH admin admin
Serial port admin

Configure the RADIUS server Jump to heading

In this example, we will authenticate users through the traditional RADIUS users file. Alternatively, the RADIUS server can query an LDAP server.

We will use a FreeRADIUS 3.0 server.

  1. Follow the FreeRADIUS Getting Started guide to install FreeRADIUS on a server.

  2. Add your HAProxy ALOHA appliance as a new RADIUS client in the FreeRADIUS client configuration file, /etc/freeradius/3.0/clients.conf.

    /etc/freeradius/3.0/clients.conf
    client aloha { # The ALOHA IP address ipaddr = 192.168.1.38 # Secret shared between the RADIUS server and ALOHA secret = saUz@w7!iwfa # Do not require the Message-Authenticator field require_message_authenticator = no # Transport protocol proto = udp # Network Access Server type for ALOHA nas_type = other }
    /etc/freeradius/3.0/clients.conf
    client aloha { # The ALOHA IP address ipaddr = 192.168.1.38 # Secret shared between the RADIUS server and ALOHA secret = saUz@w7!iwfa # Do not require the Message-Authenticator field require_message_authenticator = no # Transport protocol proto = udp # Network Access Server type for ALOHA nas_type = other }

    Caution

    Change the secret string.

  3. Add usernames and passwords to the RADIUS user authorization file, /etc/freeradius/3.0/mods-config/files/authorize.

    /etc/freeradius/3.0/mods-config/files/authorize
    alice Cleartext-Password := "TmjRDl61NuiA" bob Cleartext-Password := "AIQols16y1R6" carol Cleartext-Password := "Jb4cWp70D94u" dave Cleartext-Password := "Jkxv:Qoc;p4@"
    /etc/freeradius/3.0/mods-config/files/authorize
    alice Cleartext-Password := "TmjRDl61NuiA" bob Cleartext-Password := "AIQols16y1R6" carol Cleartext-Password := "Jb4cWp70D94u" dave Cleartext-Password := "Jkxv:Qoc;p4@"

    You can also limit how a user can log into HAProxy ALOHA to one of the following methods:

    Login method ID Description
    wui Log in via the web UI.
    sshd Log in via SSH.
    login Log in via a local keyboard or serial login.

    Add a NAS-Identifier parameter to set the login allowed, for example:

    /etc/freeradius/3.0/mods-config/files/authorize
    carol Cleartext-Password := "Jb4cWp70D94u", NAS-Identifier == "wui"
    /etc/freeradius/3.0/mods-config/files/authorize
    carol Cleartext-Password := "Jb4cWp70D94u", NAS-Identifier == "wui"
  4. Restart the RADIUS server.

    nix
    sudo systemctl restart freeradius
    nix
    sudo systemctl restart freeradius

    To test your setup, start the RADIUS server in debug mode.

Configure HAProxy ALOHA Jump to heading

On the HAProxy ALOHA server:

  1. Edit the file /etc/security/pam_radius.conf.

  2. Select the Tools tab, then use the File manager to browse to the /etc/security folder and edit the file pam_radius.conf.

  3. Add your RADIUS server. Use the same secret string you specified in the FreeRADIUS client configuration file.

    # RADIUS Server[:Port] Shared Secret [Timeout (s)] [source_ip] [vrf] 192.168.1.69 saUz@w7!iwfa 60
    # RADIUS Server[:Port] Shared Secret [Timeout (s)] [source_ip] [vrf] 192.168.1.69 saUz@w7!iwfa 60
  4. Edit the file /etc/security/users.conf.

  5. Select the Tools tab, then use the File manager to browse to the /etc/security folder and edit the file users.conf.

  6. Add the same users that you defined on the RADIUS server, specifying the following for each:

    • auth_type of radius
    • Optional: service set to wui, sshd, or login. This is another way restrict how a user can log in, rather than setting it in the FreeRADIUS authorize file.
    • allow or deny to enable or disable this user’s login
    • map_to_user set to either admin for read/write access or monitor for read-only access.

    For example, these directives implement the example access rights listed at the top of this page.

    user=alice auth_type=radius : allow map_to_user admin user=bob auth_type=radius service=wui,sshd : allow map_to_user admin user=carol auth_type=radius service=wui : allow map_to_user admin user=dave auth_type=radius service=wui : allow map_to_user monitor :deny
    user=alice auth_type=radius : allow map_to_user admin user=bob auth_type=radius service=wui,sshd : allow map_to_user admin user=carol auth_type=radius service=wui : allow map_to_user admin user=dave auth_type=radius service=wui : allow map_to_user monitor :deny

    Caution

    The :deny entry must be the last in the file. HAProxy ALOHA evaluates entries from top to bottom. All entries after :deny are ignored.

  7. In the Services tab, click pam setup.

    pam setup

  8. Add RADIUS support to the PAM service.

    haproxy
    service pam
    autostart
    radius_auth 1
    haproxy
    service pam
    autostart
    radius_auth 1

    Tip

    To get more verbose logs for easier troubleshooting, specify debug 1 as well.

  9. Apply your changes to the PAM configuration. apply service pam

  10. Restart the PAM service. restart service pam

  11. To make your changes persistent after a reboot, click the Setup tab. Then click Save under Configuration.

You can also launch the following commands from a terminal:

nix
sudo config set pam ldap_auth 1
sudo config set pam autostart
sudo service pam restart
nix
sudo config set pam ldap_auth 1
sudo config set pam autostart
sudo service pam restart

You can now test logging in to the web UI with various credentials.

Reference Jump to heading

RADIUS clients.conf syntax Jump to heading

Attribute Description Example
client Name of your HAProxy ALOHA appliance (the new RADIUS client, or NAS). aloha
ipaddr IP address of your HAProxy ALOHA appliance. 192.168.1.38
secret Shared secret used to encrypt the user’s password between your HAProxy ALOHA appliance (the RADIUS client, or NAS) and the Ubuntu VM (the RADIUS server). You will specify this secret on your HAProxy ALOHA appliance, in /etc/security/pam_radius.conf.
require_message_authenticator no: allows the RADIUS server to require a Message-Authenticator.

HAProxy ALOHA pam_radius.conf syntax Jump to heading

Parameter Description Default Requiredness
server[:port] IP address:port of your RADIUS server, in this case, the Ubuntu VM. Surround IPv6 addresses with square brackets. Default port name: radius, looked up from /etc/services/ Mandatory. Port name is optional.
secret The shared secret you specified in /etc/freeradius/3.0/clients.conf on the Ubuntu VM. Mandatory
timeout Number of seconds the module waits for the server to respond. Mandatory. 3 to 60 seconds. 3 seconds. Mandatory
source_ip Makes PAM bind the socket that connects to a given server to a given IP address. none Optional
vrf Make PAM bind the socket that connects to a given server to a given VRF. none Optional

HAProxy ALOHA users.conf syntax Jump to heading

Each line in the users.conf file comprises at least one filter and one action.

<FILTERS>:<ACTIONS>
<FILTERS>:<ACTIONS>

You can specify multiple comma-separated filters and actions on the same line.

Filters Jump to heading

user
Value Description
Comma-separated list of usernames Example: user=user1,user2
*, or no filter Actions will apply to all users.
auth_type
Value Description
radius Users authenticate against a RADIUS server.
map_to_user
Value Description
admin Grant administration rights.
monitor Grant monitor rights.
Any Linux user on HAProxy ALOHA Map user to another user.
service
Value Description
wui Log in via the web UI.
sshd Log in via SSH.
login Log in via a local keyboard or serial login.

Actions Jump to heading

allow

Grant access.

deny

Forbid access.

map_to_user
Value Description
admin Grant administration rights.
monitor Grant monitor rights.
Any Linux user on HAProxy ALOHA Map user to another user.

See also Jump to heading

Do you have any suggestions on how we can improve the content of this page?