Authenticating via RADIUS
The RADIUS network protocol provides centralized management of AAA (Authentication, Authorization, and Accounting) for users who log in and use a network service.
Users can authenticate to an HAProxy ALOHA appliance with admin or monitor rights via an external RADIUS server.

You can also allow access only via:
- SSH
- a serial port
- the web interface
We will set up the following configuration:

Warning
Running ALOHA in VirtualBox is not supported. Using VirtualBox is only meant for testing.
We will:
- Install and configure a FreeRADIUS server on an Ubuntu VM.
- Configure PAM RADIUS on the ALOHA VM.
- Test authentication via RADIUS.
Creating virtual machines
Configuring the Ubuntu VM
- Launch a new Ubuntu Desktop 20.04 LTS VirtualBox VM.
- Select the Bridged Network mode.
- Connect to your VM via SSH or PuTTY.
Installing a virtual ALOHA appliance
- Uncompress the aloha-albva-kvm.tgz archive:
$ tar xzvf aloha-albva-kvm.tgz
- Convert the ALOHA image to a VirtualBox image:
$ cd aloha-albva
$ VBoxManage convertdd aloha-albva.img aloha-albva.vdi
Converting from raw image file="aloha-albva.img" to file="aloha-albva.vdi"...
Creating dynamic image with size 268435456 bytes (256MB)...
- Create the ALOHA appliance as a new VirtualBox VM.
- Select the Bridged Network mode, then launch the VM.
ALOHA - Copyright (C) 2005-2020 HAProxy Technologies
Access WEB User Interface: http://192.168.1.6:4444/
Warning, keyboard set to QWERTY by default.
ALOHA1 login:
Configuring the RADIUS server on your Ubuntu VM
Perform the steps below on the Ubuntu VM.
In this example, we will authenticate users via the traditional RADIUS users file. We will use a FreeRADIUS 3.0 server.
Connect to your Ubuntu VM via SSH or PuTTY.
- Install FreeRADIUS:
ubuntu@vm:~$ sudo apt install freeradius
- Create a new variable for your ALOHA appliance's IP address:
ubuntu@vm:~$ export alohaip=192.168.1.6
- Define your HAProxy ALOHA appliance as a new RADIUS client (NAS) in clients.conf. We will use the tee utility, but you can of course use any text editor.
ubuntu@vm:~$ cat <<EOF | sudo tee /etc/freeradius/3.0/clients.conf
client aloha {
    ipaddr = $alohaip
    secret = Testal0ha
    require_message_authenticator = no
}
EOF
- client: name of your HAProxy ALOHA appliance (the new RADIUS client, or NAS).
- ipaddr: IP address of your HAProxy ALOHA appliance.
- secret: shared secret used to encrypt the user's password between your HAProxy ALOHA appliance (the RADIUS client, or NAS) and the Ubuntu VM (the RADIUS server). You will specify this secret on your HAProxy ALOHA appliance, in /etc/security/pam_radius.conf.
- require_message_authenticator: no means that the RADIUS server does not require a Message-Authenticator attribute in requests from this client.
Adding users to the authorize file
Perform the steps below on the Ubuntu VM.
- Add users Alice, Carol, Dave, and Bob to the authorize file:
Warning
Do not use usernames as passwords in production. Encrypt passwords for better security.
ubuntu@vm:~$ for user in {alice,carol,dave,bob}; do echo "$user Cleartext-Password := \"$user\"" | sudo tee -a /etc/freeradius/3.0/mods-config/files/authorize; done
- Check the content of the file:
ubuntu@vm:~$ sudo cat /etc/freeradius/3.0/mods-config/files/authorize
DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP
alice Cleartext-Password := "alice"
carol Cleartext-Password := "carol"
dave Cleartext-Password := "dave"
bob Cleartext-Password := "bob"
Note
You can filter access by service by adding NAS-Identifier == "<service>" to a user's entry in the authorize file. You can also filter access by service on the HAProxy ALOHA appliance (the RADIUS client, or NAS). Make sure the access rules defined on the RADIUS server and on ALOHA do not conflict.
service can be one of the following:
- login: local keyboard or serial console login.
- sshd: login via SSH.
- wui: login via the web interface.
Check items on the same line are separated by commas:
alice Cleartext-Password := "alice", NAS-Identifier == "sshd"
carol Cleartext-Password := "carol", NAS-Identifier == "wui"
dave Cleartext-Password := "dave", NAS-Identifier == "wui"
bob Cleartext-Password := "bob", NAS-Identifier == "login"
- Start the RADIUS server in debug mode:
ubuntu@vm:~$ sudo freeradius -X
[...]
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 40918
Listening on proxy address :: port 40543
Ready to process requests
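With the server listening, you can exercise it the way pam_radius will, before configuring the appliance. The script below is an added example, not code from the ALOHA documentation or from FreeRADIUS: it builds an Access-Request carrying User-Name, User-Password and NAS-Identifier, obfuscates the password with the shared secret as RFC 2865 specifies, and verifies the Response Authenticator of the reply so that an Access-Accept not computed with the secret is not trusted. The function names (pap_transform, access_request, probe) are this example's own; the server address, secret and user names are the ones used on this page.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 1, 2, 32

def pap_transform(data, secret, authenticator, reveal=False):
    # RFC 2865 5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous
    # ciphertext block), the first keyed by the Request Authenticator. Keyed
    # obfuscation, not encryption: the shared secret is all that protects the
    # password on the wire. reveal=True applies the inverse, as the server does.
    if not reveal:
        data = data.ljust(16 * max(1, -(-len(data) // 16)), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = data[i:i + 16] if reveal else block
        out += block
    return out.rstrip(b"\x00") if reveal else out

def access_request(username, password, secret, nas_identifier, ident=1, authenticator=None):
    # Code(1) ID(1) Length(2) Authenticator(16), then type/length/value attributes.
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for kind, value in ((USER_NAME, username.encode()),
                        (USER_PASSWORD, pap_transform(password.encode(), secret, authenticator)),
                        (NAS_IDENTIFIER, nas_identifier.encode())):
        attrs += struct.pack("!BB", kind, 2 + len(value)) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, attrs, request, secret):
    # RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request[4:20] + attrs + secret).digest()

def reply_is_authentic(reply, request, secret):
    # A client that skips this check would accept an Access-Accept forged by any host.
    return reply[4:20] == response_authenticator(reply[0], reply[1], reply[20:], request, secret)

def probe(server, secret, username, password, nas_identifier, port=1812, timeout=3):
    # Returns (reply code: 2 = Access-Accept, 3 = Access-Reject, reply authentic?).
    # Raises socket.timeout when the server ignores us (host not in clients.conf).
    request = access_request(username, password, secret, nas_identifier)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        reply, _ = sock.recvfrom(4096)
    return reply[0], reply_is_authentic(reply, request, secret)
```

probe("192.168.1.10", b"Testal0ha", "alice", "alice", "wui") sends what a WUI login sends; with the NAS-Identifier restriction from the Note above, alice is accepted only for "sshd". FreeRADIUS answers only hosts listed in clients.conf, so run it from the ALOHA address or add a client entry for the host you test from.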
Configuring HAProxy ALOHA
Perform the steps below on the ALOHA appliance.
- Log in to your HAProxy ALOHA appliance (the RADIUS client, or NAS) via SSH or PuTTY with the following credentials:
  - User: admin
  - Password: admin
- Add RADIUS support to PAM:
:~$ sudo config set pam radius_auth 1
:~$ sudo config set pam autostart
- Define your RADIUS server:
:~$ cat <<EOF | sudo tee /etc/security/pam_radius.conf
# Server[:Port] Shared Secret [Timeout (s)] [source_ip] [vrf]
192.168.1.10 Testal0ha 3
EOF
- server[:port]: IP address:port of your RADIUS server, in this case the Ubuntu VM. The port name or number is optional. Default port name: radius, looked up in /etc/services. Surround IPv6 addresses with square brackets.
- secret: the shared secret you specified in clients.conf on the Ubuntu VM.
- timeout: number of seconds the module waits for the server to respond. Mandatory. 3 to 60 seconds. Default: 3 seconds.
- source_ip: optional. Default: none. Makes PAM bind the socket that connects to a given server to a given IP address.
- vrf: optional. Default: none. Makes PAM bind the socket that connects to a given server to a given VRF.
Enabling login
The file /etc/security/users.conf allows you to define users and assign allowed actions.
Using the WUI
In the Services tab, select "advanced mode" (at the bottom of the page).
Go to the pam line and click the edit icon to edit the users.conf file using the options described below.
Using the CLI
Perform the steps below on the ALOHA appliance.
- Edit users.conf:
:~$ sudo vi /etc/security/users.conf
users.conf syntax
Each line in the users.conf file contains the following:
<FILTERS>:<ACTIONS>
Multiple filters and actions can be on the same line, and must be separated by a space.
Filter | Value | Description
---|---|---
user | Username |
user | Comma-separated list of usernames | Example: user=carol,dave
user | No user filter | Matches everything
group | Unix group name |
auth_type | | Users authenticate against the ALOHA appliance
auth_type | ldap | Users authenticate against an LDAP server
auth_type | radius | Users authenticate against a RADIUS server
service | wui | Login via the web interface.
service | sshd | Login via SSH.
service | login | Local keyboard or serial login.
ALOHA stops evaluating the rules as soon as a line is matched, and applies the corresponding actions.
Action | Value | Description
---|---|---
allow | | Grant access
deny | | Forbid access
map_to_user <USER> | admin | Grant administration rights
map_to_user <USER> | monitor | Grant monitor rights
map_to_user <USER> | Any Linux user on the ALOHA | Map user to another user. We recommend that you remap users to monitor or admin, but you can remap them to any user present on the ALOHA.
Setting up login for LDAP users
Using the WUI
In the Services tab, go to the system line and click the edit icon.
Add "dns_domain YOUR_DOMAIN_NAME".
Add "dns_servers DNS_SERVER_IP".
Using the CLI
- Check that your DNS resolution works correctly on the ALOHA. If not, run the commands below:
:~$ sudo config set system dns_domain MYDOMAIN
:~$ sudo config set system dns_servers xx.xx.xx.xx
:~$ sudo save-etc
:~$ sudo reboot
- Check that the ALOHA can communicate with the LDAP server. You can do a test query using ldapsearch. If there is no communication, check your network configuration.
- Enable PAM and LDAP authentication (see above).
- Configure nslcd (nss-pam-ldap daemon). For complete nslcd documentation, see https://arthurdejong.org/nss-pam-ldapd/.
- Reload the nslcd service:
:~$ sudo service nslcd restart
- Reload the pam service:
:~$ sudo service pam restart
- Optionally, you can launch nslcd in debug mode to add information for troubleshooting:
:~$ sudo nslcd -d -n
- For better reliability, we recommend the following nslcd options:
  - Set log syslog to log nslcd actions to syslog.
  - Specify base dc=exemple,dc=org explicitly (according to your LDAP server configuration) to ensure that nslcd does not fail at startup when the LDAP server is down.
  - Set nss_initgroups_ignoreusers root,admin,monitor to prevent lags when one of these users uses sudo while the LDAP server is offline.
Results
If nslcd is working correctly, you can see the following:
- LDAP users:
getent passwd
- Users' LDAP groups (mapped as Active Directory primary groups):
getent group
If these steps fail, please consult the https://arthurdejong.org/nss-pam-ldapd/ documentation.
Now that your LDAP users are known by the system, you can allow them to log in.
Granting rights to users
Perform the steps below on the ALOHA appliance.
We are going to create entries for users before the :deny entry, which denies access and must therefore be the last in the file.
We will use the sed utility to insert entries, but you can of course use any text editor.
Warning
Make sure your access rules defined on the RADIUS server and on ALOHA do not conflict.
- Grant Alice admin rights:
:~$ sudo sed -i \
    '/^:deny$/i user=alice auth_type=radius: allow map_to_user admin' \
    /etc/security/users.conf
- Grant Bob admin rights, and access via the WUI only. service is a filter, so it goes before the colon:
:~$ sudo sed -i \
    '/^:deny$/i user=bob auth_type=radius service=wui: allow map_to_user admin' \
    /etc/security/users.conf
- Grant Carol and Dave monitor rights:
:~$ sudo sed -i \
    '/^:deny$/i user=carol,dave auth_type=radius: allow map_to_user monitor' \
    /etc/security/users.conf
- Check the content of the file:
:~$ sudo cat /etc/security/users.conf
[...]
# example for LDAP
# group=aloha-admin auth_type=ldap: allow map_to_user admin
# group=aloha-monitor auth_type=ldap: allow map_to_user monitor
user=alice auth_type=radius: allow map_to_user admin
user=bob auth_type=radius service=wui: allow map_to_user admin
user=carol,dave auth_type=radius: allow map_to_user monitor
:deny
- Start PAM:
:~$ sudo service pam start
# Process pam already stopped, cleaning up...
==> stop pam Done.
# Starting pam ...
Checking config file /var/state/pam.cfg
==> start pam Done.
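As an added example, not part of the ALOHA documentation, the following Python script parses a users.conf with the <FILTERS>:<ACTIONS> syntax described in the users.conf syntax section, refuses what PAM's config check would report (a filter keyword such as service= placed after the colon, no allow or deny, or a missing final :deny), and evaluates a login the way ALOHA does, first matching line wins. The sample rule set is a constructed copy of the entries added above; the function names are this example's own, and a group filter is assumed to match when the user belongs to that Unix group.

```python
FILTERS = {"user", "group", "auth_type", "service"}   # keywords allowed before the colon

def parse_users_conf(text):
    # Returns [(filters, actions, lineno)]. Raises ValueError for what PAM would refuse:
    # a filter keyword such as service=... after the colon, or a missing final :deny.
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        left, _, right = line.partition(":")
        filters = {}
        for token in left.split():
            key, _, value = token.partition("=")
            if key not in FILTERS or not value:
                raise ValueError(f"line {lineno}: bad filter {token!r}")
            filters[key] = value.split(",") if key == "user" else value
        actions, words = {}, right.split()
        while words:
            word = words.pop(0)
            if word in ("allow", "deny"):
                actions["decision"] = word
            elif word == "map_to_user" and words:
                actions["map_to_user"] = words.pop(0)
            else:
                raise ValueError(f"line {lineno}: unknown keyword {word!r} on the action side")
        if "decision" not in actions:
            raise ValueError(f"line {lineno}: expected <FILTERS>:<ACTIONS> with allow or deny")
        rules.append((filters, actions, lineno))
    if not rules or rules[-1][0] or rules[-1][1]["decision"] != "deny":
        raise ValueError("last line must be ':deny' so that unmatched logins are refused")
    return rules

def evaluate(rules, user, auth_type, service, groups=()):
    # First matching line wins; returns (decision, mapped user or None, matching line).
    for f, actions, lineno in rules:
        if (user in f.get("user", [user]) and f.get("group") in (None, *groups)
                and f.get("auth_type", auth_type) == auth_type
                and f.get("service", service) == service):
            return actions["decision"], actions.get("map_to_user"), lineno
    return "deny", None, None

SAMPLE = """\
# constructed copy of the rules this section adds, plus the final :deny
user=alice auth_type=radius: allow map_to_user admin
user=bob auth_type=radius service=wui: allow map_to_user admin
user=carol,dave auth_type=radius: allow map_to_user monitor
:deny
"""
```

Running parse_users_conf on a file where service=wui follows the colon raises the same "unknown keyword" complaint that PAM's config check prints; evaluate(parse_users_conf(SAMPLE), "bob", "radius", "sshd") falls through to the :deny line.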
Testing the RADIUS configuration
- Connect to http://<ALOHA Appliance's IP address>:4444 with credentials alice/alice. The WUI appears. Alice is granted administration rights.
- On the Ubuntu VM, check the output of the sudo freeradius -X command you launched earlier:
[...]
Ready to process requests
(0) Received Access-Request Id 249 from 192.168.1.6:64795 to 192.168.1.10:1812 length 68
(0)   User-Name = "alice"
(0)   User-Password = "alice"
(0)   NAS-Identifier = "wui"
(0)   NAS-Port = 2099
(0)   NAS-Port-Type = Virtual
(0)   Service-Type = Authenticate-Only
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  -> FALSE
(0)         if (&User-Name =~ /\.$/) {
(0)         if (&User-Name =~ /\.$/)  -> FALSE
(0)         if (&User-Name =~ /@\./) {
(0)         if (&User-Name =~ /@\./)  -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0)     suffix: Checking for suffix after "@"
(0)     suffix: No '@' in User-Name = "alice", looking up realm NULL
(0)     suffix: No such realm "NULL"
(0)     [suffix] = noop
(0)     eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     files: users: Matched entry alice at line 12
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)     [pap] = updated
(0)   } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Auth-Type PAP {
(0)     pap: Login attempt with password
(0)     pap: Comparing with "known good" Cleartext-Password
(0)     pap: User authenticated successfully
(0)     [pap] = ok
(0)   } # Auth-Type PAP = ok
(0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(0)   post-auth {
(0)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(0)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name))  -> FALSE
(0)     update {
(0)       No attributes updated for RHS &session-state:
(0)     } # update = noop
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = noop
(0) Sent Access-Accept Id 249 from 192.168.1.10:1812 to 192.168.1.6:64795 length 0
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 249 with timestamp +854
Ready to process requests
Disconnect from the WUI, then reconnect with other credentials, or through SSH or PuTTY.