Also available in other languages: Русский
multifactor-radius-adapter is a RADIUS server for Linux. It allows you to quickly add multifactor authentication through RADIUS protocol to your VPN, VDI, RDP, and other resources.
The component is a part of MultiFactor 2FA hybrid solution.
See documentation at https://multifactor.pro/docs/radius-adapter/linux/ for additional guidance on integrating 2FA through RADIUS into your infrastructure.
Windows version of the component is available in our MultiFactor.Radius.Adapter repository.
- Background
- Prerequisites
- Installation
- Configuration
- Start-Up
- Logs
- Limitations of Active Directory Integration
- Use Cases
- License
Remote Authentication Dial-In User Service (RADIUS) — is a networking protocol primarily used for remote user authentication.
The protocol has been around for a long time and is supported by major network devices and services vendors.
Key features:
- Receive authentication requests through the RADIUS protocol;
- Verify the first authentication factor — user login and password in Active Directory (AD) or Network Policy Server (NPS);
- Verify the second authentication factor on the user's secondary device (usually, mobile phone).
Additional features:
- Inline enrollment within VPN/VDI client;
- Conditional access based on the user's group membership in Active Directory;
- Activate second factor selectively based on the user's group membership in Active Directory;
- Use user's phone number from Active Directory profile for one-time SMS passcodes;
- Configure RADIUS response attributes based on user's Active Directory group membership;
- Proxy Network Policy Server requests and responses.
- Component is installed on a Linux server, tested on CentOS, Ubuntu, Debian;
- Minimum server requirements: 1 CPU, 2 GB RAM, 8 GB HDD (to run the OS and adapter for 100 simultaneous connections — approximately 1500 users);
- Port 1812 (UDP) must be open on the server to receive requests from Radius clients;
- The server with the component installed needs access to
api.multifactor.ruvia TCP port 443 (TLS) directly or via HTTP proxy; - To interact with Active Directory, the component needs access to the domain server via TCP port 389 (LDAP scheme) or 636 (LDAPS scheme);
- To interact with the Network Policy Server, the component needs access to NPS via UDP port 1812.
The component uses the ASP.NET Core runtime environment version 3.1, which is free, open-source, developed by Microsoft and the open-source community. The runtime environment does not impose any restrictions on its use.
To install, run the commands:
$ sudo rpm -Uvh https://packages.microsoft.com/config/centos/7/packages-microsoft-prod.rpm
$ sudo yum install aspnetcore-runtime-3.1https://docs.microsoft.com/ru-ru/dotnet/core/install/linux-centos
$ sudo dnf install aspnetcore-runtime-3.1https://docs.microsoft.com/ru-ru/dotnet/core/install/linux-centos
$ wget https://packages.microsoft.com/config/ubuntu/18.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
$ sudo dpkg -i packages-microsoft-prod.deb
$ sudo apt-get update; \
sudo apt-get install -y apt-transport-https && \
sudo apt-get update && \
sudo apt-get install -y aspnetcore-runtime-3.1https://docs.microsoft.com/ru-ru/dotnet/core/install/linux-ubuntu
$ wget https://packages.microsoft.com/config/debian/10/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
$ sudo dpkg -i packages-microsoft-prod.deb
$ sudo apt-get update; \
sudo apt-get install -y apt-transport-https && \
sudo apt-get update && \
sudo apt-get install -y aspnetcore-runtime-3.1https://docs.microsoft.com/ru-ru/dotnet/core/install/linux-debian
Create a folder, download and unzip the current version of the component from GitHub:
$ sudo mkdir /opt/multifactor /opt/multifactor/radius /opt/multifactor/radius/logs
$ VER=1.0.16
$ sudo wget https://github.com/MultifactorLab/multifactor-radius-adapter/releases/download/${VER}/release_linux_x64.zip
$ sudo unzip release_linux_x64.zip -d /opt/multifactor/radiusCreate a system user mfa and give it rights to the application:
$ sudo useradd -r mfa
$ sudo chown -R mfa: /opt/multifactor/radius/
$ sudo chmod -R 700 /opt/multifactor/radius/Create a service
$ sudo vi /etc/systemd/system/multifactor-radius.service[Unit]
Description=Multifactor Radius Adapter
[Service]
WorkingDirectory=/opt/multifactor/radius/
ExecStart=/usr/bin/dotnet /opt/multifactor/radius/multifactor-radius-adapter.dll
Restart=always
# Restart service after 10 seconds if the service crashes:
RestartSec=10
KillSignal=SIGINT
SyslogIdentifier=multifactor-radius
User=mfa
Environment=ASPNETCORE_ENVIRONMENT=Production
Environment=DOTNET_PRINT_TELEMETRY_MESSAGE=false
# How many seconds to wait for the app to shut down after it receives the initial interrupt signal.
# If the app doesn't shut down in this period, SIGKILL is issued to terminate the app.
# The default timeout for most distributions is 90 seconds.
TimeoutStopSec=30
[Install]
WantedBy=multi-user.targetEnable autorun:
$ sudo systemctl enable multifactor-radiusThe component's parameters are stored in /opt/multifactor/radius/multifactor-radius-adapter.dll.config in XML format.
<!-- The address and port (UDP) on which the adapter will receive authentication requests from clients -->
<!-- If you specify 0.0.0.0, then the adapter will listen on all network interfaces -->
<add key="adapter-server-endpoint" value="0.0.0.0:1812"/>
<!-- Shared secret to authenticate RADIUS clients -->
<add key="radius-shared-secret" value=""/>
<!-- How to check the first factor: Active Directory, RADIUS or None (do not check) -->
<add key="first-factor-authentication-source" value="ActiveDirectory"/>
<!-- Multifactor API address -->
<add key="multifactor-api-url" value="https://api.multifactor.ru"/>
<!-- NAS-Identifier parameter to connect to the Multifactor API (found in user profile) -->
<add key="multifactor-nas-identifier" value=""/>
<!-- Shared Secret parameter to connect to the Multifactor API (found in user profile) -->
<add key="multifactor-shared-secret" value=""/>
<!-- Use this option to access the Multifactor API via HTTP proxy (optional)-->
<!--add key="multifactor-api-proxy" value="http://proxy:3128"/-->
<!-- Logging level: 'Debug', 'Info', 'Warn', 'Error' -->
<add key="logging-level" value="Debug"/>To check the first factor in the Active Directory domain, the following parameters apply:
<!--ActiveDirectory authentication settings: for example domain.local on host 10.0.0.4 -->
<add key="active-directory-domain" value="ldaps://10.0.0.4/DC=domain,DC=local"/>
<!--Give access to users from specified group only (not checked if setting is removed)-->
<add key="active-directory-group" value="VPN Users"/>
<!--Require the second factor for users from a specified group only (second factor is required for users if the setting is removed)-->
<add key="active-directory-2fa-group" value="2FA Users"/>
<!--Use your users' phone numbers listed in Active Directory to send one-time SMS codes (not used if settings are removed)-->
<!--add key="use-active-directory-user-phone" value="true"/-->
<!--add key="use-active-directory-mobile-user-phone" value="true"/-->When the use-active-directory-user-phone option is enabled, the component will use the phone recorded in the General tab. The format of the phone can be anything.
When the use-active-directory-mobile-user-phone option is enabled, the component will use the phone recorded in the Telephones tab in the Mobile field. The format of the phone can also be any format.
To check the first factor in RADIUS, for example in Network Policy Server, the following parameters are applicable:
<!--Address (UDP) from which the adapter will connect to the server -->
<add key="adapter-client-endpoint" value="192.168.0.1"/>
<!--Server address and port (UDP) -->
<add key="nps-server-endpoint" value="192.168.0.10:1812"/>You can specify attributes the component will pass further upon successful authentication, including verification that the user is a member of a security group.
<RadiusReply>
<Attributes>
<!--This is an example, any attributes can be used-->
<add name="Class" value="Super" />
<add name="Fortinet-Group-Name" value="Users" when="UserGroup=VPN Users"/>
<add name="Fortinet-Group-Name" value="Admins" when="UserGroup=VPN Admins"/>
</Attributes>
</RadiusReply>After configuring the configuration, run the component:
$ sudo systemctl start multifactor-radiusYou can check the status with the command:
$ sudo systemctl status multifactor-radiusThe logs of the component are located in the /opt/multifactor/radius/logs folder as well as in the system log.
- The Linux version of the Adapter can't yet handle multiple domains with trust established between them;
- A simple user's password authentication is used with Active Directory. We strongly recommend using the LDAPS scheme to encrypt traffic between the adapter and the domain (AD server must have a certificate installed, including a self-signed one).
Use Radius Adapter Component to implement 2FA in one of the following scenarios:
- Two-factor authentication for VPN devices Cisco, Fortigate, CheckPoint, Mikrotik, Huawei and others;
- Two-factor authentication for Windows VPN with Routing and Remote Access Service (RRAS);
- Two-factor authentication for Microsoft Remote Desktop Gateway ;
- Two factor authentication for VMware Horizon;
- Citrix Gateway two-factor authentication;
- Apache Guacamole two-factor authentication;
- Two-factor authentication for Wi-Fi hotspots;
and many more...
Please note, the license does not entitle you to modify the source code of the Component or create derivative products based on it. The source code is provided as-is for evaluation purposes.