This guide is intended for those who want to evaluate GreenRADIUS and its features quickly by integrating it with external user directories (such as Active Directory) and external RADIUS clients (such as VPN with Cisco, Palo Alto Networks, SonicWALL, and other devices and applications that authenticate with the RADIUS protocol).
If you would like to evaluate GreenRADIUS before integrating with your user directory and your RADIUS clients, please refer to our GreenRADIUS "Rocket" Evaluation Guide.
After downloading the GreenRADIUS OVA file, import it into either VMware or Oracle VirtualBox. If DHCP is set up, the appliance will try to find an available IP address. If one is not set up automatically or if you would like to change the IP address later, see our guide for configuring network settings.
After an IP address is assigned, open a new browser tab and go to
https://<IP address of GreenRADIUS>/admin.
The default credentials are:
GreenRADIUS includes a pre-configured, sample domain named “greenradius.demo”. (You can keep this or delete it, since a new domain will be created.)
In the Domain tab, enter your domain name in the field, then click the “Add Domain” button. Then click on the newly created domain.
Go to the “Directory Server” tab. Enter the IP address of your Active Directory, OpenLDAP, or 389DS. Then enter the username and password of an administrator account. Click the “Proceed” button.
Complete the additional fields to import users from your Active Directory or OpenLDAP. Note the following:
- For the “Login Name Identifier”:
  - For Active Directory, “sAMAccountName” is common, but other identifiers can also be used.
  - For OpenLDAP, use “uid”.
- For the "Filter" field, consider importing users from a specific security group. An example filter string would be:
(&(objectClass=person)(memberOf=CN=test_group,OU=Technology,DC=domain,DC=local)). Otherwise, to import all users, the filter string should be:
- The “Set Frequency” drop-down menu sets how often GreenRADIUS will import/update users from your user directory on a schedule.
Once all fields have been configured, click the “Save and Import” button to import users.
The import operation should begin. If the import is successful, the end of the message will read “Successfully updated users records. User Import operation completed.” Click “Return to previous page”.
Go to the “RADIUS Clients” tab.
Enter the IP address or hostname of the RADIUS client you want to integrate with GreenRADIUS. (You could also enter a subnet.) Then, enter a shared secret of your choosing in the two client secret fields. Then, click the “Add” button.
In the admin/management screen/portal of the RADIUS client you are configuring with GreenRADIUS, make sure to direct authentications to GreenRADIUS as a RADIUS server and use the same shared secret as configured in GreenRADIUS. (If asked, use the PAP protocol. CHAP, MS-CHAP, and MS-CHAPv2 are not supported.)
At this point, you can test single-factor authentications through your normal logon client/page.
GreenRADIUS can make implementation easy with the Gradual Deployment feature. When enabled, GreenRADIUS will automatically enforce two-factor authentication for a user after the user’s first successful authentication with password and token. Users who have yet to use a token will continue to need only their password to authenticate until they use their token or until the Gradual Deployment feature is disabled.
To enable Gradual Deployment, in the Configuration tab of the domain, set the “Enable Gradual Deployment” setting to “Yes”. Then click the “Update” button.
Note – Changing this setting from “Disable” to “Enable” will set all users to require only a password (single factor only) to authenticate, even those users who have tokens assigned or are set to require tokens to authenticate. You can check each user’s requirement under the “Single Factor Flag” column in the “Users/Groups” tab. A green check mark means the user only needs a password. A red X means the user needs password and token.
Also note that this Gradual Deployment feature is not available for Windows Logon.
GreenRADIUS can auto-provision YubiKeys to users. When this feature is enabled, users are auto-assigned YubiKeys upon first successful authentication with an unassigned YubiKey. No separate registration of the YubiKey to the user is required.
To enable this feature, in the Configuration tab of the domain, set the “Enable Auto-provisioning For YubiKey Tokens” to “Yes”. Then click the “Update” button. (Make sure this setting is also set to “Yes” in the “General” settings in the Global Configuration tab.)
© 2023 Green Rocket Security Inc. All rights reserved.