This guide is intended for those who want to evaluate GreenRADIUS and its features quickly before integrating it with external user directories (such as Active Directory) and external RADIUS clients (such as VPN with Cisco, Palo Alto Networks, SonicWALL, and other devices and applications that authenticate with the RADIUS protocol).
After downloading the GreenRADIUS OVA file, import it into either VMware or Oracle VirtualBox. If DHCP is set up, the appliance will try to find an available IP address. If one is not set up automatically or if you would like to change the IP address later, see our guide for configuring network settings.
After an IP address is assigned, open a new browser tab and go to https://<IP address of GreenRADIUS>/admin.
The default credentials are:
GreenRADIUS includes a pre-configured, sample domain named greenradius.demo. (This can be deleted later, and new domains can be created and configured.) Click on the Domain tab, then click on greenradius.demo. Five test users are included in this domain from the onboard OpenLDAP that is included in the virtual appliance. All five test users have a default password of
To access the onboard OpenLDAP, use a third-party LDAP admin tool, such as LDAP Admin. The default credentials are:
By default, this domain has our Gradual Deployment feature enabled, so that all test users are in single-factor mode (meaning only username and password are required for authentication). After a test user successfully authenticates with a security token (such as a YubiKey or Google Authenticator), the single-factor mode for that user will be disabled so that the user must use two-factor authentication (password + security token) going forward.
Click on the GreenRADIUS Virtual Appliance link on the left. Then click on the Troubleshoot tab. The RADIUS Test section at the top stands in for a client or login page that requires a username and password.
In the username field, enter “user1”. In the password field, enter “GreenRocket!23”. (We will leave the OTP field blank for this single-factor test authentication.) Then click the Send Request button. You should see a response of “Successful”.
In a new browser tab, go to https://<IP address of GreenRADIUS> (with nothing else after the IP address). This is the user self-service portal where a user can self-assign tokens, including Google Authenticator.
Follow these steps to assign Google Authenticator to a user:
- Click the “Assign a Token” button.
- In the Username field, enter “user1”. Then click Proceed.
- In the Password field, enter “GreenRocket!23”. Then click Submit.
- Click on the Google Authenticator radio button at the top.
- Open the Google Authenticator app on your phone. (If you do not already have it installed on your phone, please download and install the free app.)
- In the Google Authenticator app, navigate to set up a new account and click “Scan a barcode”.
- The Google Authenticator app will launch a barcode scanner (like a camera). Scan the barcode on your browser.
- Once the barcode is captured and a new token is displayed (with six numeric characters), click the Proceed button.
- Enter the current six-digit OTP in Google Authenticator (assigned to firstname.lastname@example.org) in the OTP field. Then click the Verify button. You should receive a successful response.
Go back to the Troubleshoot tab. In the RADIUS Test section, enter “user1” in the Username field, enter “GreenRocket!23” in the Password field, and enter the current six-digit OTP in Google Authenticator in the OTP field. Then click the Send Request button. You should see a response of “Successful”. (If you see a response of “Failed”, make sure that the server time is correct by following these steps.)
With this same user (user1), you can try with username and password only, and you will notice that the attempt now fails. Since the user has successfully authenticated with a token (Google Authenticator), this user must use two-factor authentication going forward. (Admins can change this for individual users in the Users/Groups tab in the Domain tab.)
One other note – This RADIUS test section has three separate fields for username, password, and OTP. When RADIUS clients are eventually set up, the default configuration in GreenRADIUS is for users to submit credentials this way:
- Username field of client or login page: username
- Password field: password immediately followed by OTP (no spaces or characters in between)
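What that default looks like on the wire, as an added example (not GreenRADIUS code): a RADIUS Access-Request built per RFC 2865 in which the User-Password attribute carries the password immediately followed by the OTP. The shared secret and the OTP value are constructed placeholders, and the packet is only built here, not sent.

```python
import hashlib
import os

def hide_password(plaintext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding (chained MD5 XOR)."""
    padded = plaintext + b"\x00" * (-len(plaintext) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server applies it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

def build_access_request(username: str, password: str, otp: str, secret: bytes,
                         identifier: int = 1, authenticator: bytes = b"") -> bytes:
    """Access-Request with User-Password = password + OTP, no separator."""
    authenticator = authenticator or os.urandom(16)
    combined = (password + otp).encode()
    if not 1 <= len(combined) <= 128:
        raise ValueError("User-Password must be 1..128 bytes (RFC 2865)")
    user = username.encode()
    hidden = hide_password(combined, secret, authenticator)
    attrs = bytes([1, len(user) + 2]) + user        # attribute 1: User-Name
    attrs += bytes([2, len(hidden) + 2]) + hidden   # attribute 2: User-Password
    length = 20 + len(attrs)                        # header is 20 bytes
    header = bytes([1, identifier]) + length.to_bytes(2, "big")  # code 1
    return header + authenticator + attrs

if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # placeholder, not a GreenRADIUS default
    pkt = build_access_request("user1", "GreenRocket!23", "123456", secret)
    # 14-char password + 6-digit OTP = 20 bytes, padded to two 16-byte blocks
    print(len(pkt), unhide_password(pkt[29:], secret, pkt[4:20]))
```

Because the combined value is 20 bytes, it spans two hidden blocks, so a client that truncates the password field at 16 characters would cut off part of the OTP.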
© 2020 Green Rocket Security Inc. All rights reserved.