GreenRADIUS v5.2 Admin Guide

Green Rocket Security

Green Rocket Security's GreenRADIUS is a complete two-factor authentication solution supporting a variety of tokens, such as YubiKeys (OTP, OATH, FIDO U2F, and FIDO2), other FIDO tokens, Google Authenticator, our own Green Rocket 2FA mobile app, and much more. It validates traditional RADIUS logins as well as offering a modernized Web API for web applications. GreenRADIUS can also enforce 2FA for Windows Logon, whether PCs are domain-joined or not, online or offline, and for both desktop and RDP logins.

This guide describes how to configure and operate your GreenRADIUS instance. Administrators will find the guide has been arranged by topic, making it easy to refer to specific sections for information.

Web Analytics Made Easy -
StatCounter

Updated 2024-01-31
© 2024 Green Rocket Security Inc. All rights reserved.

Overview of GreenRADIUS

What is GreenRADIUS?

GreenRADIUS is a two-factor authentication platform. It augments the traditional username/password security model by requiring users to provide a second factor to prove their identity. This helps secure users and organizations against various password-related attacks.

GreenRADIUS takes the form of a multi-protocol server. GreenRADIUS validates each user/password/second-factor login attempt and responds with either ACCEPTED or DENIED.

GreenRADIUS supports the traditional RADIUS protocol, which has wide industry acceptance and is used by a considerable amount of existing client software.

In addition, GreenRADIUS also exposes a modern web API, which makes the development of modern web-centric applications (or browser-based 2FA validations) very easy.

GreenRADIUS can also enforce 2FA for Windows Logon, whether PCs are domain-joined or not, online or offline, and for both desktop and RDP logins. Contact us today to learn more.

Distribution

GreenRADIUS v5.1 is distributed as a virtual machine (VM) packaged in the Open Virtualization Format (OVA). It is available as a free preview download from our website at http://www.greenrocketsecurity.com/greenradius

If you would prefer an AWS instance of GreenRADIUS, please contact us, and we would be happy to share our GreenRADIUS AWI with you.

Minimum Requirements

GreenRADIUS is a lightweight virtual appliance, and, at a minimum, requires the following:

  • 2 CPUs
  • 4 GB RAM (8 GB RAM is recommended)
  • 80 GB hard drive space

Web Analytics Made Easy -
StatCounter

Updated 2023-10-16
© 2024 Green Rocket Security Inc. All rights reserved.

Default Login Information

By default, the login information for GreenRADIUS is:

  • Username: gradmin
  • Password: GreenRocket!23

This username and password are used to log in to the command line. Most configurations for GreenRADIUS are performed through the web admin interface, served at https://<IP address of GreenRADIUS>/admin.

Note: The web admin interface is only accessible after the network has been set up. See the next section for information on how to do this.

We would recommend changing the password, both for the console and the web admin interface. The password for each is stored separately.

To change the command line password, run the passwd command from the command line in the terminal console.

To change the web admin interface password, go to the "Webmin Users" link (found under the Webmin menu in the left panel), and click the username whose password you would like to change.

Changing a Webmin password

Make sure the password mode is "Set to ..", then type the new password into the field to the right. Click Save to record your changes. The next time you log into the web admin interface, the new password will be required.

This username and password are used to log in to the command line. Most configurations for GreenRADIUS are performed through the web admin interface, served at https://<IP address of GreenRADIUS>/admin.

Web Analytics Made Easy -
StatCounter

Updated 2021-09-13
© 2024 Green Rocket Security Inc. All rights reserved.

Authenticator 2FA For Web Admin Interface

The GreenRADIUS web admin interface itself can be secured with two-factor authentication (2FA). This is easy to do with any Authenticator app, such as Google Authenticator and Microsoft Authenticator.

  1. Open the Webmin Configuration link (found under the Webmin menu in the left panel.)

  2. You will be presented with a grid of configuration menus. Select Two-Factor Authentication.

  3. From the two-factor authentication options, select Google Authenticator:

enabling 2FA for web admin interface

Click Save to commit your changes. This will require the server to restart, so there will be a slight delay.

  1. Open the Webmin Users link (also located under the Webmin menu in the left panel).

Webmin users

  1. Select the user for whom you would like to enable two-factor authentication. You will be presented with a series of configuration dropdowns. Select "Security and limits options":

security and limits

  1. Click the "Enable Two-Factor for User" button.

  2. Select "Enroll for Two-Factor Authentication":

Enroll for two-factor authentication

  1. A QR code will be generated which you can scan with your authenticaton app of choice.

  2. The next time you attempt to log into the web admin interface, an OTP dialog will appear. Input the six-digit Authenticator code here:

Log in with OTP

2FA is now enabled for the web admin interface.

Web Analytics Made Easy -
StatCounter

Updated 2021-06-03
© 2024 Green Rocket Security Inc. All rights reserved.

Automatic Logout for Web Admin Interface

To mitigate session reuse attacks, the web admin interface can be configured to log users out after a certain period of inactivity.

  1. Log into the web admin interface.
  2. From the left panel, select Webmin→Webmin Configuration.
  3. A series of options will be displayed. Select "Authentication". Authentication option in Webmin Configuration
  4. A page of configuration settings will appear. Edit the setting labeled "Auto-logout after [ ] minutes of inactivity". When finished, select the "Save" button at the bottom of the page to commit your changes. Editing the timeout value
  5. Users will now be automatically logged out after a period of inactivity.

Web Analytics Made Easy -
StatCounter

Updated 2021-06-03
© 2024 Green Rocket Security Inc. All rights reserved.

Network Configuration

Before GreenRADIUS can be accessed, the network settings must be configured.

Log into the command line. Then run the following commands:

cd /opt/grs/greenradius/scripts/ip-configuration-scripts
sudo python configure_ip.py

Example: Network configuration

You will be presented with a series of prompts. Select either DHCP or static IP address. If you select DHCP, GreenRADIUS will communicate with your routing device and automatically choose an IP address for you. If you select static IP, you will need to choose an IP address yourself, as well as configuring the network access point and DNS server.

WARNING: If you opt for Static IP Address, ensure that the IP address chosen does not conflict with any existing devices on the network.

Ports

The following ports need to be open for proper communication to and from GreenRADIUS:

PortDescription
22SSH for remote administration
389LDAP
443access to the web admin interface, self-service portal, use of the GreenRADIUS Web API, for Windows Logon, for mobile app
636LDAPS
1812 UDPRADIUS authentication
9443for Windows Logon, mobile app

Once the network setup is complete, your GreenRADIUS instance is ready to use.

Web Analytics Made Easy -
StatCounter

Updated 2021-08-21
© 2024 Green Rocket Security Inc. All rights reserved.

Domains

Domains hold collections of users in GreenRADIUS. They are independent and their configurations are separate from one another.

The Domains view

You can freely create and remove domains. There is no limit to the number of domains a GreenRADIUS instance can hold. Domain names may only contain alphanumeric characters, periods, and underscores.

Clicking on a domain in the web admin interface brings up a set of domain-specific tabs:

Domain specific tabs

Each domain has configuration specific to it, accessed through the Configuration tab in the main menu page. There is also a set of configuration options which apply to all domains. This is found under the Global Configuration tab.

The Default Domain

If multiple domains exist, there must be a way to disambiguate which domain a request is intended for. When there are multiple domains and no default domain is selected, all authentication requests to GreenRADIUS must specify the user in 'canonical' format: user@domain, for example jdoe@greenradius.demo.

If a domain has been set as the default domain, requests which do not explicitly specify a domain (that is, a login with a username only) will assume the default domain.

Web Analytics Made Easy -
StatCounter

Updated 2021-06-03
© 2024 Green Rocket Security Inc. All rights reserved.

Users

Importing users

GreenRADIUS imports users from different LDAP servers:

  1. Active Directory
  2. OpenLDAP (there is also an onboard OpenLDAP which can be used as the user store)
  3. 389 DS
  4. FreeIPA

The LDAP server must remain reachable for GreenRADIUS to work, as authentication requests to GreenRADIUS involve a subsidiary request to the LDAP server.

LDAP configuration is found under the Directory Server tab.

LDAP configuration

Set the IP address/hostname/FQDN to point to a running LDAP server. The credentials must have the correct permission(s) to allow GreenRADIUS to log into the LDAP server and fetch (read) the user list.

Complete the additional fields to import users from your Active Directory or OpenLDAP. Note the following:

  • For the "Login Name Identifier"
    • For Active Directory, sAMAccountName is common, but other identifiers can also be used
    • For OpenLDAP, use uid
  • For the "Filter" field, consider importing users from a specific security group. An example filter string would be: (&(objectClass=person)(memberOf=CN=test_group,OU=Technology,DC=domain,DC=local)) Otherwise, to import all users, the filter string should be: (&(objectCategory=person)(objectClass=user))
  • The " Set Frequency" drop-down menu sets the scheduled frequency that GreenRADIUS will import/update users from your directory server

Next, click "Save and Import" to import the users into the selected domain.

The Users Tab

When a domain has been selected, the Users/Groups tab displays a list of users:

Users tab

From here you can perform administrative actions at the user level. These are covered in more detail in subsequent sections.

Groups

Group membership can be configured to be returned in the RADIUS response for each login attempt.

  1. Navigate to Configuration tab of the domain
  2. Set "Return User's Group Membership In RADIUS Response" to "Yes"
  3. Use the default "Response Format" unless the RADIUS clients require any specific text to be returned
  4. Set "Group Return Information" to "Only Group Name"
  5. Set "Return All Groups" as desired
  6. Click the Update button to save the settings

Group Membership Configuration

  1. Navigate to the Groups tab.
  • A group setting of "0" means the group is not prioritized
  • A group setting of "1" is the highest priority
  • A group setting of "2" is the next highest priority, and so on

Group Membership Prioritization

  1. The group(s) with the highest priority to which the user belongs will be returned in the RADIUS response. This can be tested in the RADIUS Test of the Troubleshoot tab

Group Membership Troubleshoot Test

Web Analytics Made Easy -
StatCounter

Updated 2023-03-03
© 2024 Green Rocket Security Inc. All rights reserved.

Onboard OpenLDAP

GreenRADIUS comes equipped with an onboard OpenLDAP server, in case an external LDAP is not desired. A third-party LDAP admin tool can be used to manage the onboard OpenLDAP, such as LDAP Admin.

The onboard OpenLDAP, by default, is configured with a sample domain (greenradius.demo) with five test users (user1 through user5). Each of the users has a default password of GreenRocket!23

To overwrite the default OpenLDAP domain with a new OpenLDAP domain, follow these steps:

Pre-requisites

A resolvable hostname/FQDN and a corresponding certificate must be configured in GreenRADIUS.

  1. Global Configuration tab > General
  2. Set the value of the Server Hostname/FQDN field
  3. Click the Save button to save the configuration
  4. Global Configuration tab > Certificate
  5. Under the Generate a CSR/Upload the Certificate section, click Upload a certificate and provide the server certificate, private key, and CA chain. Then click the Install Certificate button.
  • To install a self-signed certificate, in the Create Certificate section, enter a common name matching the hostname/FQDN configured earlier. Click the Create and Install button.

Changing the Onboard OpenLDAP Domain

  1. Global Configuration tab > On-board LDAP Server
  2. Provide the following inputs:
  • DNS Domain Name
  • Organization Name
  • Current Admin Password (default password is GreenRocket!23)
  • Enable Secure Connection for Replication
  • Server ID
  1. Click the Update button to save the new configuration

Changing the OpenLDAP Admin Password

To change the onboard OpenLDAP password of the admin user, follow these steps:

  1. Global Configuration tab > On-board LDAP Server
  2. Provide the following inputs:
  • Current Admin Password (default password is GreenRocket!23)
  • New Admin Password
  • Confirm Admin Password
  1. Click the Update button to change the admin password

Users Changing Their Own Onboard OpenLDAP Password

Users can change their own onboard OpenLDAP password.

Pre-requisites

  • A RedHat, CentOS, or Ubuntu machine that has OpenLDAP utilities installed:
  • In RedHat/CentOS, openldap-clients should be installed
  • In Ubuntu, ldap-utils should be installed
  • The above Linux machine must be able to reach GreenRADIUS

Steps

  1. On the command line of the Linux machine, run the following command: ldappasswd -h <ip address of GreenRADIUS> -p 389 -x -D "uid=<username>,ou=<user's OU>,dc=<domain component 1>,dc=<domain component 2>,dc=<domain component etc>" -W -A -S
  2. The user enters his current password twice
  3. Then the user enters his new password twice
  4. Then the user enters his current/old password once again
  5. A successful password change is silent. If there is an error, an error message will appear.

OpenLDAP password change screen

Setting Up OpenLDAP Password Policies

The onboard OpenLDAP comes with an optional module which can enforce certain password policies, such as password expiration and minimum password lengths.

All commands must be performed in the terminal of GreenRADIUS, either directly or via SSH.

For simplicity, the domain shown in the steps below is always greenradius.demo, represented as dc=greenradius,dc=demo. If your own domain varies, you will need to make the appropriate substitutions.

Several of the commands below will prompt for multiple lines of text. Simply enter the text into your terminal. When everything has been input, press Ctrl-D on a blank line to finish the entry and execute the command.

First, you must load the appropriate module:

sudo docker exec -it GRS-OPENLDAP ldapmodify -Q -Y EXTERNAL -H ldapi:///

This will prompt for LDAP data to insert. Use the following:

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

As mentioned above, press Ctrl-D on a blank line when done. The command should report success with a message:

modifying entry "cn=module{0},cn=config"

Next, load the ppolicy schema. To do this, you will need to download the schema from here and upload it to GreenRADIUS. Copy it into the /var/lib/docker/volumes/grs-docker-compose_gras-config/_data directory. (This will require root permissions.)

To load the schema into LDAP, execute this command:

sudo docker exec -it GRS-OPENLDAP ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /opt/grs/greenradius/ppolicy.ldif

This will load the stored ppolicy schema. You should receive a message upon success.

Now the ppolicy module must be enabled:

sudo docker exec -it GRS-OPENLDAP ldapadd -Q -Y EXTERNAL -H ldapi:///

Input the following data to the command, pressing Ctrl-D when done as said above:

dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=greenradius,dc=demo

As mentioned, replace dc=greenradius,dc=demo with the LDAP-formatted specification for your own domain, and press Ctrl-D on a blank line when finished.

Now add the object which will hold your password policies:

sudo docker exec -it GRS-OPENLDAP ldapadd -c -x -D "cn=admin,dc=greenradius,dc=demo" -W

You will be prompted for your administrative password. Once this is entered, the command takes the following data:

dn: ou=policies,dc=greenradius,dc=demo
objectClass: organizationalUnit
ou: policies

Press Ctrl-D on a blank line when finished, as before, to add the policy container. The final step is to create the password policy. Shown below is a simple, example policy that requires the following:

  • passwords must have a minimum of eight (8) characters
  • passwords expire after 60 days (or 5,184,000 in seconds)

Complete documentation on the available password settings can be here.

Run this command:

sudo docker exec -it GRS-OPENLDAP ldapadd -c -x -D "cn=admin,dc=greenradius,dc=demo" -W

As before, you will be prompted for your password, and once this is entered you will need to input the following:

dn: cn=default,ou=policies,dc=greenradius,dc=demo
objectClass: pwdPolicy
objectClass: organizationalRole
cn: default
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdMinLength: 8
pwdMaxAge: 5184000

Replace pwdMinLength: 8 and pwdMaxAge: 5184000 with your own custom configurations as desired. Press Ctrl-D to save the changes as before. You should see a success message and find that your password policies are now enforced.

Web Analytics Made Easy -
StatCounter

Updated 2023-06-09
© 2024 Green Rocket Security Inc. All rights reserved.

Token Types

GreenRADIUS supports several different types of second factor, called tokens:

YubiKey OTP

The YubiKey OTP protocol emits a 44-character One-Time Password (OTP). Once one OTP has been used, it cannot be used again. Another must be generated from the YubiKey. Thus to compromise a YubiKey-secured device, a malicious party would have to gain access to the YubiKey device itself. YubiKeys can be assigned to users in three ways:

  1. By the administrator in the Users/Groups tab of the GreenRADIUS domain
  2. With auto-provisioning
  3. By the user in the GreenRADIUS Self-Service Portal https://<IP address of GreenRADIUS>

YubiKey OTPs come in two variants: pre-programmed and custom. By default, YubiKeys ship with a pre-programmed secret. OTPs generated using this pre-programmed secret can only be validated using Yubico's YubiCloud servers. You can re-program and overwrite this secret, however, and import that secret into GreenRADIUS. Please refer to our Document Library to see our YubiKey programming guide.

The Global Configuration→Validation Server setting allows you to select whether YubiKey OTPs will be validated by the YubiCloud or locally by GreenRADIUS. If using pre-programmed keys, select YubiCloud. If you are using custom secrets, use local validation.

YubiKey OATH-HOTP

The OATH protocol is similar to the OTP protocol. OATH OTPs are shorter than the traditional YubiKey OTP, which may make OATH OTPs desirable for situations where password fields have a character-lenght limitation. This option is available for customers with a license for our premium OATH Module.

Please refer to our Document Library to see our guide on programming YubiKeys in OATH-HOTP mode.

Google Authenticator (Authy, Microsoft Authenticator, and similar soft tokens)

GreenRADIUS supports Google Authenticator and other similar soft tokens as a second factor for users for those customers with a license for our premium OATH Module. Users sign in to the GreenRADIUS Self-Service Portal, select Google Authenticator, and scan a QR code with the phone app. Once the user clicks Proceed on the Self-Service Portal, the soft token is registered to his user account in GreenRADIUS, and a six-digit code is regenerated every 30 seconds, providing a secure second factor.

Mobile Apps - "Green Rocket 2FA" Apps

The "Green Rocket 2FA" app is available for iOS or Android. Once the app is installed, there is a simple, one-time registration process. This feature is available for customers that have a GreenRADIUS license for our mobile app. (The app is free to download for users.)

In addition to a GreenRADIUS license enabling the use of our mobile app, make sure of the following:

  • A valid certificate should be installed in GreenRADIUS. See our Certificate guide for more details.
  • Ports 443 and 9443 should be open for communication to and from GreenRADIUS.

When an authentication request reaches GreenRADIUS, and a user has our mobile app installed and registered with GreenRADIUS, a push request will be sent to the user's phone, appearing as a notification in which they can either approve or deny the request.

U2F

The U2F function of the YubiKey (or any other FIDO U2F token) is used with our 2FA for Windows Logon solution. When users log in to Windows, the U2F token flashes, prompting the user to touch the token button and complete the login. No pre-registration of the token is required.

Temporary Token

A temporary token is a static per-user text string which is valid for a limited time and a limited number of logins only. Temporary tokens can be created from the Users/Groups tab.

Web Analytics Made Easy -
StatCounter

Updated 2023-02-22
© 2024 Green Rocket Security Inc. All rights reserved.

Authenticator Registration

Prerequisites

  1. Users must have an Authenticator app installed on their devices that can scan a QR code (such as Google Authenticator, Microsoft Authenticator, or Authy)
  2. Make sure the GreenRADIUS server time is accurate. Refer to our date and time configuration guide.
  3. In GreenRADIUS, in the Global Configuration tab > User Portal screen, make sure the following settings are configured under the "OATH Software tokens" section:
    • Allow token self-registration: "Yes"
    • Token status on assignment: "Enabled"
    • OATH algorithm for soft tokens: "TOTP"

User Portal configuration

  1. It is recommended to configure a token label in GreenRADIUS so that users can distinguish their Authenticator app token from other tokens they may have in their app (for personal accounts, etc.). To configure the token label, navigate to the Configuration tab under the GreenRADIUS domain, then enter the token label in the "Token Label Prefix for Google Authenticator" field.

Authenticator App Token Registration Steps

  1. In a web browser, navigate to the Self Service Portal at https://<ip address of GRVA>/.

Self service portal

  1. Click the "Assign a Token" button. You will then be prompted to log in with your username and password. (If you already have a token assigned, you will be prompted to log in with your assigned token as well.)

  2. Once you have logged in, select the "Authenticator app" option at the top of the screen.

Authenticator

  1. Using your Authenticator app of choice, scan the QR code. Once you do, it will be displayed as a token in the app:

Token in app

  1. In the browser, click Proceed. (This is an extremely important step, as clicking Proceed registers the token in GreenRADIUS.) You will be prompted to verify your new Authenticator token by entering the current OTP:

Verifying OTP

  1. Once the token is assigned, you will see a success message:

Registration successful

  1. You can now use your Authenticator token as a second factor.

Web Analytics Made Easy -
StatCounter

Updated 2023-02-14
© 2024 Green Rocket Security Inc. All rights reserved.

"Green Rocket 2FA" Mobile App Registration

NOTE: In order to successfully register our mobile app on iOS devices, you will need to have a valid certificate from a recognized CA installed. This does not apply to Android devices. Also, make sure ports 443 and 9443 are open for communication between GreenRADIUS and the public internet. (Green Rocket Security uses a cloud service for push notifications.)

  1. Download and install the Green Rocket 2FA mobile app from the App Store (on iOS) or the Play Store (on Android):

Installing the app

  1. Launch the app. A registration screen will be displayed:

Registering

  1. Enter the IP address or hostname of the GreenRADIUS to connect to, along with the domain the user is in, the username, and password:

Registering

  1. Tap the Register button. The registration process may take a few seconds, after which you will see a completion message:

Success

  1. A PIN will need to be set. This PIN will only be required during login attempts if the phone itself does not already have a lock screen secure setting (PIN, pattern, password, etc.)

  2. The token will now be displayed in the app.

Tokens list in app

  1. You can now use the app as a second factor. When a login request is made and no other token is specified (by appending an OTP to the password or other ways), a push request will be sent to the app:

Push request

You can tap Approve or Reject on the prompt to verify or deny the authentication attempt.

NOTES:

  • For the app on Android, whenever the Android device is rebooted, the Green Rocket 2FA app must be launched once for push notifications to be received.
  • Users should make sure devices have notifications enabled for both the device and the Green Rocket 2FA app itself.
  • Unlike other tokens supported by GreenRADIUS, the Green Rocket 2FA app token does not sync to other GreenRADIUS instances in a GreenRADIUS High Availability cluster.

Web Analytics Made Easy -
StatCounter

Updated 2022-04-06
© 2024 Green Rocket Security Inc. All rights reserved.

Token Settings

Numerous settings apply to tokens:

Per-user Settings

Single Factor Flag

When set (green checkmark in the Single Factor Flag column), the user can log in without a second factor. This setting is most useful in conjunction with the Auto Provisioning and Gradual Deployment settings described below.

Temporary Token

Selecting a user and clicking "Temporary Token Settings" will bring you to a page where you can add a temporary token to a user. You must specify an expiration date and the maximum number of logins for the temporary token.

Users with valid temporary tokens will have a green checkmark in the Temporary Token column.

Per-domain Settings

Domain configuration can be found under the "Configuration" tab in each GreenRADIUS domain.

Auto Provisioning

Auto provisioning for domain

When Auto Provisioning is enabled, the first time a user logs in with a YubiKey OTP, that YubiKey will be automatically assigned to the user. The token assignment will appear on the Users/Groups tab.

The "Enable Auto Provisioning for Multiple Tokens Per User" options allow users to provision multiple tokens to themselves by this method. By default, only users with no tokens already assigned can auto provision.

The per-domain Auto Provisioning setting has no effect if it is not also enabled at a global level in the Global Configuration→General tab. (See below.)

Gradual Deployment

Gradual deployment

Gradual Deployment allows administrators to roll out the deployment of two-factor authentication gradually, without requiring every user to switch and register a second factor at once. When Gradual Deployment is enabled, the first time a user logs in successfully with a token, his Single Factor Flag is automatically disabled, thus requiring two-factor authentication from that point forward. Gradual Deployment is most useful in conjunction with Auto Provisioning, described above.

Important: Changing this setting from Disable to Enable will set all users to needing only passwords (single factor only) to authenticate, even those users that have tokens assigned or are set to needing tokens to authenticate. You can check each user's requirement under the Single Factor Flag column in the Users/Groups tab. A green check mark means the user only needs a password. A red X means the user needs password and token.

Note: This Gradual Deployment feature is not available for Windows Logon.

Token Label Prefix

Token label prefix

The Token Label Prefix is a text string which appears in Google Authenticator and other similar soft token apps to signify which Authenticator token is for GreenRADIUS integrated logins. This text string is configurable, but must not contain spaces.

Global Configuration

Token-related global configuration settings are found under the Global Configuration tab→General heading.

OTP Input Method

OTP input method

This setting controls where users input the OTP during login attempts. It is described in more detail in the Authentication Requests section.

Enable Auto Provisioning

Global auto provisioning

The Global Auto Provisioning settings must be enabled for any of the domain settings to have an effect. If Auto Provisioning is disabled in Global Configuration, no domain will have auto provisioning, irrespective of their domain settings.

Web Analytics Made Easy -
StatCounter

Updated 2023-03-10
© 2024 Green Rocket Security Inc. All rights reserved.

Token Management

You can view which tokens are assigned to each user from the Users/Groups tab of a GreenRADIUS domain or you can view which users are assigned to which tokens on the List Tokens screen.

Importing Secrets

Programmed YubiKeys (whether programmed in traditional Yubico OTP mode or OATH-HOTP mode) have secrets associated with each YubiKey. These secrets files must be imported into GreenRADIUS before the YubiKeys can be used.

Secrets can be imported under the Import Secrets tab:

Import Secrets tab

You must select the correct format option depending on which token type you are importing. If importing YubiKey OTP secrets, select the Cross-Platform option. If importing OATH token secrets, select Import OATH Tokens.

Once you have chosen a file format, you will be prompted to select the file containing the secrets.

The List Tokens tab

You can view all locally saved tokens in the List Tokens tab. This tab displays every token saved in the GreenRADIUS database (this does not include pre-programmed YubiKeys, as their secrets are stored in the YubiCloud). It also lists the user assigned to each token andthe user's domain.

Token Assignment

There are several ways to assign tokens to users in GreenRADIUS:

Auto Provisioning

Auto provisioning

Auto Provisioning, described in the previous section, enables users to simply log in with a YubiKey and have it auto-assigned. This is the simplest way to assign YubiKeys (whether OTP or OATH).

Self-Service Portal

Self service portal

The Self-Service Portal allows users to add tokens to themselves manually. It is accessible at https://<ip address of GRVA>/. From the Self-Service Portal, users register YubiKeys or Google Authenticator (or similar soft tokens) by scanning a displayed QR code with their phone.

Administrator Assignment

The GreenRADIUS administrator can manually assign tokens to users from the web admin console in either the List Tokens tab or in the Users/Groups tab of the GreenRADIUS domain.

Assigning a token to a user

You will need to enter the user's name in the canonical user@domain format.

Other

Some other methods have their own ways of assigning tokens. U2F tokens are automatically assigned as part of the login process with our 2FA for Windows Logon solution. Our "Green Rocket 2FA" mobile apps have a simple registration process.

Web Analytics Made Easy -
StatCounter

Updated 2021-06-03
© 2024 Green Rocket Security Inc. All rights reserved.

Authentication Requests

Request Methods

There are a number of ways GreenRADIUS can integrate with your applications or services including the following:

RADIUS

The RADIUS protocol is a standardized and widely-used authentication request protocol in the security industry. It uses UDP on port 1812.

RADIUS uses a configured shared secret between the client and the server. You can add RADIUS clients and shared secrets in the RADIUS Clients tab:

RADIUS Clients tab

Note: The following RADIUS protocols are supported by GreenRADIUS:

  • PAP
  • PEAP
  • EAP-TTLS-GTC

CHAP, MS-CHAP, and MS-CHAPv2 are not supported.

Web API

GreenRADIUS provides a modern, REST-style Web API for use in applications that are constrained (e.g. browser applications which don't have direct access to the TCP/UDP stack.)

The Web API is accessed using a simple HTTP POST request with the following parameters:

https://<ip address of GRVA>/wsapi/ropverify.php?user=<username>&password=<password+OTP>

Windows Login

Green Rocket Security provides a Windows agent which allows Windows logins to enforce two-factor authentication. Any supported token can be used as the second factor (YubiKey, Google Authenticator, "Green Rocket 2FA" mobile apps, etc.) Contact us today for more details.

OTPs

Some token types require an OTP to be submitted (i.e. OTP, OATH, and Authenticator tokens.) By default, the OTP is to be appended to the password.

However, this configuration can be changed in the Global Configuration tab. The OTP Input Method setting allows you to change whether the OTP should be appended to the username, appended to the password, or have a separate field to prompt for the OTP. (The Prompt For OTP option is only available for RADIUS clients that support this feature.)

OTP Input Method

Web Analytics Made Easy -
StatCounter

Updated 2021-06-03
© 2024 Green Rocket Security Inc. All rights reserved.

2FA for Windows Logon

GreenRADIUS can enforce two-factor authentication for Windows Logon. Our Windows Logon solution works with:

  • Windows PCs (Windows 10 and 11)
  • Windows Servers (2016, 2019, and 2022)
  • domain-joined
  • non-domain-joined
  • desktop/physical logon
  • RDP logon
  • online logons
  • offline logons

During configuration, make sure GreenRADIUS is reachable from your Windows machines over ports 443 and 9443. Also, make sure GreenRADIUS has an active license that enables our U2F Module. (You can check this in the GreenRADIUS web admin interface on the License tab.)

Also, if you are adding 2FA to domain-joined Windows machines, make sure GreenRADIUS has a domain whose name matches exactly with the name of the domain that the Windows machines are joined to.

On each Windows machine, a small Green Rocket Security Windows agent will need to be installed when logged in as an administrator. (Contact us for our latest Windows agents.)

Windows Agent Configuration

  • Enable 2FA: This should be checked to enforce 2FA with GreenRADIUS. If unchecked, 2FA will not be enforced.
  • Disable 2FA for Administrator Accounts: If checked, all administrator accounts will bypass 2FA and will only need passwords to log in.
    • NOTE: If an offline login is attempted for a domain account, the login will always require 2FA, even if this checkbox is checked and the user is a domain administrator.
  • Disable 2FA for User Account Control: If checked, User Account Control (UAC) logins will bypass 2FA and will only need passwords to log in.
  • Disable 2FA in Windows Safe Mode: If checked, when Windows is booted in Safe Mode, 2FA will be disabled. (NOTE: In Safe Mode, the agent cannot be uninstalled, but the "Enable 2FA" checkbox can be unchecked.)
  • GreenRADIUS Server IP/Hostname for Online Authentication: Enter the IP address or hostname of GreenRADIUS. (The "https://" and ":9443/" will automatically be inserted.)
  • User Domain: Enter the GreenRADIUS domain where LDAP users have been imported. (Only one GreenRADIUS domain can be configured.)

After the above has been configured, click the Test button. You should see a successful message appear. If not, double check the GreenRADIUS IP address/hostname and the GreenRADIUS domain, and then try the Test button again.

The Custom... button will allow for more granular 2FA policies on the Windows machine. These policies will override policies in GreenRADIUS. (For example, if user1 has 2FA enforced in GreenRADIUS, but in the Custom... button, user1 is configured to bypass 2FA, user1 will only need a password to log in.)

After configuration, save the settings. You may be asked to restart in order for changes to take effect.

Online Authentication Attempts (GreenRADIUS is reachable)

After entering the username and password, users may use the following tokens for online authentication attempts:

  • YubiKey OTP: Insert the YubiKey in a USB port, and with the cursor in the OTP field, touch the YubiKey button.
  • YubiKey OATH-HOTP: Insert the YubiKey in a USB port, and with the cursor in the OTP field, touch the YubiKey button.
  • FIDO U2F tokens: Insert the FIDO U2F token in a USB port, leave the OTP field blank, and after entering the password, press the Enter key on your keyboard or click the login arrow on the screen. Then touch the FIDO U2F button after it starts to flash. The FIDO U2F token used the first time successfully to log in by the user will automatically be assigned to the user in GreenRADIUS. This auto-provisioning of FIDO U2F tokens is the only way these tokens can be assigned to users.
  • Authenticator app: Enter the current OTP from the Authenticator app into the OTP field. Then press Enter.
  • Green Rocket 2FA Mobile App: With no token inserted in a USB port, and after entering the password, press Enter. A push notification will be sent to the user's phone to approve or reject the logon attempt. Tap Approve on the app to log in.

Windows Logon Screen

Important Note: For local Windows user accounts, corresponding user accounts with the same usernames as the local user accounts must be present in the LDAP being used with GreenRADIUS. Then, those user accounts will need to be imported into GreenRADIUS. Also important, if tokens using OTPs are going to be used, the LDAP password for these users must be set to Pa$$word@123. This password is not necessary for users using FIDO U2F tokens and the Green Rocket 2FA Mobile App. Local users would still use their local Windows passwords to log in to Windows. (This fixed password will never be used for a Windows login.)

RDP Logon

To log in via RDP, launch the mstsc.exe application. After selecting the IP address or hostname, on the RDP logon screen, enter username and password only.

RDP Logon

Once that is successful, users will see the Windows Logon screen. The following tokens can be used:

  • YubiKey OTP: Insert the YubiKey in a USB port, and with the cursor in the OTP field, touch the YubiKey button.
  • YubiKey OATH-HOTP: Insert the YubiKey in a USB port, and with the cursor in the OTP field, touch the YubiKey button.
  • Authenticator app: Enter the current OTP from the Authenticator app into the OTP field. Then press Enter.
  • Green Rocket 2FA Mobile App: With no token inserted in a USB port, and after entering the password, press Enter. A push notification will be sent to the user's phone to approve or reject the logon attempt. Tap Approve on the app to log in.

Note: FIDO U2F tokens cannot be used for RDP logon attempts.

Offline Authentication Attempts (GreenRADIUS is not reachable)

Only FIDO U2F tokens can be used when the Windows machine cannot reach GreenRADIUS. The logon experience will be the same when using FIDO U2F tokens, whether the Windows machine is online or offline. Users will insert the FIDO U2F token in a USB port, leave the OTP field blank, and after entering the password, press the Enter key on the keyboard or click the login arrow on the screen. Then touch the FIDO U2F button after it starts to flash.

The FIDO U2F token used to successfully log in the first time in offline mode will automatically be assigned to the user. Offline FIDO U2F tokens are managed on the Windows agent on the PC or Server, not in GreenRADIUS. To unassign an offline FIDO U2F token, open the agent as an administrator, select the user, and click the "Unassign" button.

Token Type By Login

Token TypeOnline LoginOffline LoginRDP
YubiKey OTPYesNoYes
YubiKey OATHYesNoYes
YubiKey FIDO U2FYesYesNo
Authenticator AppYesNoYes
Green Rocket 2FA Mobile AppYesNoYes

Note: ARM64-based Windows devices are not yet supported by our Windows agent

Web Analytics Made Easy -
StatCounter

Updated 2024-01-23
© 2024 Green Rocket Security Inc. All rights reserved.

GreenRADIUS Windows 2FA - GPO Deployment Guide

Prerequisites

You must have the following for the GreenRADIUS two-factor authentication solution for Windows to be deployed properly via GPO.

  • GreenRADIUS v4.3.3.3 or later
  • Active Directory users imported into GreenRADIUS
  • Shared folder on your machine or network containing MSI setups
  • Windows 2FA GPO bundle

Pre-deployment configuration file

  1. Extract the Windows 2FA GPO bundle into a shared folder on your Domain Server:
    • GreenRADIUS 2FA for Windows Logon.msi
    • grs_settings.reg
    • grs_cleaner.reg
  2. Right click on grs_settings.reg. Choose Open With → Notepad and you will see multiple key-value pairs to set in the Windows registry.

Some of the values for the given keys need to be changed depending on your desired configuration. Please see the following list of parameters (keys), what they mean, and when you should modify (or not) the values corresponding to these keys.

Legend

  • grsAddress
    This points to your GreenRADIUS server, and it can be an IP address or hostname.
  • grsDomain
    This points to your target domain in GreenRADIUS.
  • grsErrorLevel
    This is used to set the verbosity level of logging, and the default value is dword:00000004. It is advised to leave it as is.
  • enabled
    This is the flag that decides whether Windows two-factor authentication (Win2FA) must be enabled or not on your machine. Set it to dword:00000001 to enable Windows two-factor authentication on your machine.
  • byPassAdministrators
    This is the flag that decides if Windows 2FA should be enabled for users that fall under the Administrator role. If enabled, administrative accounts won’t be prompted for two-factor authentication. It is set by default and we recommend to leave it as is.
  • safemodeEnabled
    This is the flag that decides if two-factor authentication should happen when a user boots into safe mode on a Windows machine. By default it is set to (0) and we recommend to leave it as is.
  • safemodeBypassAdmin
    This is the flag that decides if an Administrative account will be prompted for a two-factor authentication on a Windows machine. By default it is set and we recommend to leave it as is.

MST file

To install Windows Installer SDK v.2.0:

  1. Download and install the Windows Installer SDK v. 2.0.

  2. Navigate to the installation location and launch Orca.msi from the \bin folder.

  3. The Orca.msi launches the Orca setup program. Once the setup program is complete, an Orca shortcut is added to the Start Menu.

To generate the MST file:

  1. Open GreenRADIUS 2FA for Windows Logon.msi in Orca (or any other .msi file for which we need the .mst file).

  2. On the main toolbar, navigate to Transform > New Transform.

  3. In the Property table of the new transform, add a row. The values for the fields are:

    • Property: PASSWORD
    • Value: Admin@456 (or any password you want to set)
  4. On the main toolbar, navigate to Transform > Generate Transform and save the file. (This file will be used later).

Group Policy Objects

GreenRADIUS 2FA settings and custom preferences

If custom settings will be configured (such as custom policies for particular AD groups or users), a GPO can be used for these custom settings.

Create a GPO for grs_settings.reg:

  1. In your Domain Server, open Server Manager, click Tools, and open Group Policy Management.

  2. Right click the target Domain/OU/Group and click “Create a GPO in this domain, and link it here...”

Group Policy Manager with "Create a GPO in this domain, and Link it here..." highlighted in the context menu

  1. In the New GPO window, type any name for this new policy e.g. “GRS 2FA config” and then click OK.

"New GPO" dialog with OK highlighted

  1. On the Group Policy Management console, right click the new “GRS 2FA config” GPO and click Edit.

In the Group Policy Manager, "Edit" highlighted in the context menu

  1. In the Group Policy Management Editor, under Computer Configuration, expand Policies, and then expand Windows Settings.

  2. Choose Scripts (Startup/Shutdown) and click Startup.

In the Group Policy Management Editor, "Scripts (Startup/Shutdown)" is highlighted in the left pane, and "Startup" is highlighted in the right pane

  1. Click on Show Files and copy/paste “grs_settings.reg” from your shared folder.

"Show Files" highlighted in the Startup Properties dialog

  1. In the Startup Properties window, click on Add and apply the following:
    • Script Name: regedit.exe
    • Script Parameters: /s grs_settings.reg

Add a Script dialog

  1. Click OK.

  2. In the Startup Properties window, click OK and close this Group Policy Management Editor.

GreenRADIUS 2FA installer

Create a GPO for software installation:

  1. In your Domain Server, open Server Manager, click Tools, and open Group Policy Management.

  2. Right click the target Domain/OU/Group and click “Create a GPO in this domain, and link it here…”.

Group Policy Manager with "Create a GPO in this domain, and Link it here..." highlighted in the context menu

  1. In the New GPO window, type any name for this new policy e.g. “GRS 2FA installer 64bit” and then click OK.

"New GPO" dialog with OK highlighted

  1. On the Group Policy Management console, right click the new “GRS 2FA installer 64bit” GPO and click Edit.

In the Group Policy Manager, "Edit" highlighted in the context menu

  1. In the Group Policy Management Editor, under Computer Configuration, expand Policies, and then expand Software Settings.

  2. Right click Software installation. From the context menu, click New, and then click Package.

New -> Package" highlighted in the context menu

  1. In the Open dialog box, browse to \your_server_ip\shared_folder, click on “GreenRADIUS 2FA for Windows Logon.msi”, and then click Open.

Open dialog with \192.168.10.57\share in the Address bar

  1. On Select deployment method, select Advanced. If you select another option, you won't be able to apply the MST file you created.

  2. Open Modifications tab.

  3. Select your MST file from the network share.
    Note: Again it is very important to use a UNC to the file (to the network share), rather than a local / network drive path.

  4. Click OK to complete the setup.

  5. Wait for a few seconds and verify that GreenRADIUS 2FA for Windows Logon is listed in the Group Policy Management Editor.

Group Policy Management Editor with "Software Installation" selected in the left pane

  1. Close this Group Policy Management Editor

Group Policy Link Order

Click on your target Domain/OU/Group, the GPOs should reflect the following link order:

Group Policy Management window with "GRSOU" selected in the left pane, and the "Linked Group Policy Objects" tab open in the right pane

  1. GRS 2FA cleaner (optional – needed when updating from 1.0.8 or below)
  2. GRS Offline token unassignment (optional)
  3. GRS 2FA config
  4. GRS 2FA installer 64bit

The installer looks for the GRS 2FA config provided, however a system reboot is required to fully enable GreenRADIUS 2FA for Windows.

GRS Offline Token Unassignment

GreenRADIUS offline U2F token assignments can unassigned via GPO. (This can be done per user to multiple machines.) Create a GPO for offline U2F token unassignment.

  1. On your Domain Controller, open Server Manager, click Tools, and open Group Policy Management.

  2. Right click the target Domain/OU/Group and click “Create a GPO in this domain, and link it here…”.

Group Policy Manager with "Create a GPO in this domain, and Link it here..." highlighted in the context menu

  1. On the Group Policy Management console, right click the newly created GPO and click Edit.

In the Group Policy Manager, "Edit" highlighted in the context menu

  1. In the Group Policy Management Editor, under Computer Configuration, expand Preferences, and expand Windows Settings then Registry.

  2. Add new entry, Action should be Delete then specify key path accordingly.

Group Policy Management Editor with the following highlighted: the entire Computer Configuration in the left panel, the Registry section in the right panel, and the Delete action for a user open in a dialog view

For Domain Users:
KeyPath: SYSTEM\CurrentControlSet\Software\GRS\OfflineUsers\DomainUsers\username

For Local Users:
KeyPath: SYSTEM\CurrentControlSet\Software\GRS\OfflineUsers\LocalUsers\username

Updated 2023-12-12
© 2024 Green Rocket Security Inc. All rights reserved.

LDAP Authenticator Module

The GreenRADIUS LDAP Authenticator Module enables a way to implement two-factor authentication for applications and services that support authentication requests over the LDAP protocol. At times, it is advantageous to integrate third-party applications and services over LDAP instead of RADIUS, Web APIs, or other ways.

Prerequisites

  • GreenRADIUS v4.0.2.2 or above
  • GreenRADIUS license that enables the LDAP Authenticator Module
  • If GreenRADIUS has multiple domains configured on the Domain tab, only the users in the default domain will be able to log in
  • Certificate installed in GreenRADIUS from a trusted CA
  • Third-party application that supports authentication requests over the LDAP protocol

Steps To Configure the LDAP Authenticator Module

  1. Click on the Global Configuration tab. Then click the LDAP Authenticator Module icon.

  2. Enter the following configuration parameters:

  • DNS Domain Name: This name needs to be distinct from your Active Directory/LDAP domain name. It should not contain a space nor any special characters except hyphen or period. This domain is a proxy domain which is used to forward authentication requests received from third-party applications or services to GreenRADIUS.
  • Organization Name: This could be your organization or any name of your choice. It should not contain a space nor any special characters except hyphen or period.
  • Current Admin Password: Enter the current admin password. (By default, the current admin password is Admin456.)
  • New Admin Password: Enter a new password
  • Confirm Admin Password: Re-enter the new password

LDAP Authenticator Module screen

  1. Click the Update button. You should see a success message like the one below.

LDAP Authenticator Module confirmation screen

Steps To Configure Your Third-Party Application

Typically, the following configuration parameters need to be specified:

  • Base DN: Use the same DNS domain name configured in the GreenRADIUS LDAP Authenticator Module, for example, dc=example,dc=com
  • Bind DN: For example, cn=admin,dc=example,dc=com
  • Password: Enter the same admin password configured in the GreenRADIUS LDAP Authenticator Module.

Web Analytics Made Easy -
StatCounter

Updated 2022-03-22
© 2024 Green Rocket Security Inc. All rights reserved.

PIN Authentication

GreenRADIUS offers the ability to use a PIN instead of an LDAP password or as an additional authentication factor when this premium feature is enabled. PINs can be set per user, and the policy to use a PIN can be configured for each RADIUS client served by GreenRADIUS.

The first step is to enable PIN authentication for the desired RADIUS client. On the RADIUS Clients tab in the web admin interface, when adding a new RADIUS client or when editing an existing one, the "Multi-Factor Policy" can be selected from the dropdown list:

Authentication mode

From this list, admins can select to use standard LDAP password authentication ("Password + OTP"), to use the PIN in addition to the LDAP password ("Password + PIN + OTP"), or to exclude the LDAP password entirely and use PIN authentication alone ("PIN + OTP").

When the PIN feature is enabled, an extra column labelled "PIN Status" will display next to each user in the Users/Domains tab:

User view with PIN

From here, admins can select a user and click "Set/Update PIN" to change the PIN for the user:

Pin setting

Users can also set their own PINs from the Self-Service Portal by clicking the "Assign/Change PIN" button. Once authenticated, users will be prompted to enter a new PIN:

Self service pin setting

Note that PINs must have a certain length based on a PIN length policy. This is set to 8 digits by default, but can be changed in the Global Configuration tab under the General heading:

Pin length config

Note: This PIN feature is only available for applications and services configured as RADIUS clients in GreenRADIUS.

[NGS](./non-gui-settings.md)

Web Analytics Made Easy -
StatCounter

Updated 2021-06-03
© 2024 Green Rocket Security Inc. All rights reserved.

Date and Time Configuration

Basic Configuration

By default, GreenRADIUS uses the hardware clock to provide the system time.

The date command allows you to access and edit the system time relative to the current timezone:

~$ date
Mon Jun 10 22:10:31 UTC 2019

The timezone can be changed using the timedatectl command:

sudo timedatectl set-timezone <timezone>

A complete list of timezone specifiers can be obtained by running:

sudo timedatectl list-timezones | less

Once the timezone has been correctly set, use these commands to edit the system date and time.

sudo timedatectl set-time YYYY-MM-DD

and

sudo timedatectl set-time HH:MM:SS

(Time synchronization may be enabled, which may prevent manually updating the date and time. This can be disabled with this command: sudo timedatectl set-ntp 0. To re-enable time synchronization: sudo timedatectl set-ntp 1.)

If the system clock is already set when the timezone is changed, setting the timezone adjusts the system clock to remain temporally consistent. For example, the UTC tiemzone is 7 hours ahead of PDT. Therefore if the system clock registers ‘08:15 UTC’ and then timezone is changed to PDT, the system will now display ‘01:15 PDT’, which is the equivalent time.

Setting the clock back in time often has disastrous consequences for long-running programs which depend on the clock always moving forward. This should be avoided whenever possible.

Network Time Protocol

NTP (Network Time Protocol) allows you to synchronize the clocks of multiple servers to a single canonical source over the network. NTP is designed to correct for network latency and ensure that all server clocks are synchronized and monotonic (they never move backwards while adjusting to synchronize with each other.) This section explains how to configure the NTP client on your GreenRADIUS instances, providing greater consistency in timestamps and logging data.

Out of the box, GreenRADIUS comes with NTP synchronization available but not activated. To use NTP, first ensure that NTP is enabled with the sudo timedatectl set-ntp true command. Next, configure NTP sources by editing the /etc/systemd/timesyncd.conf file. You can add NTP servers by adding lines of the form NTP=<IP address or hostname of server> at the marked location in the file. Once the file is edited and saved, you'll need to restart the time server by running sudo systemctl restart systemd-timesyncd.

If NTP servers are configured and NTP is enabled, sudo timedatectl show-timesync --all will display detailed synchronization info for the configured NTP providers.

Web Analytics Made Easy -
StatCounter

Updated 2023-09-06
© 2024 Green Rocket Security Inc. All rights reserved.

Certificates

The GreenRADIUS web admin interface GreenRADIUS's Web API are served exclusively over HTTPS. GreenRADIUS supports both self-signed certificates and certificates from certificate authorities.

The Global Configuration→Certificates tab will allow you to upload new certificates into your GreenRADIUS instance.

The Certificates tab

The Server Certificate Information segment displays the credentials of the certificate being served and the Certificate Authority. The Create Certificate segment will allow you to generate and upload your own self-signed certificate (CSR).

To upload a certificate from a trusted provider, open the Upload a certificate segment and select Upload a certificate created with the CSR generated externally.

Uploading a certificate

You will need to copy and paste the certificate, the complete trust chain extending back either to a Certificate Authority or to yourself (if the certificate is self- signed), and the private key. If the certificate was created with a passphrase, you'll need to provide that too.

Once uploaded, the GreenRADIUS instance will display a completion message. From this point on the certificate will be served as the SSL security for all web admin interface and Web API accesses.

Web Analytics Made Easy -
StatCounter

Updated 2021-06-03
© 2024 Green Rocket Security Inc. All rights reserved.

Debugging and Reports

The Troubleshooting tab

Troubleshooting tab

If you need to troubleshoot your GreenRADIUS configuration, the Troubleshooting tab offers several tests you can perform to triage the problem:

  • The RADIUS test allows you to send a RADIUS request, bypassing the RADIUS IP address/secret filter.
  • The OTP test allows you to validate an OTP. This will help ensure that the secrets are correctly uploaded, the OTP is synced (if it is an OATH token), and the validation settings are correct.
  • The Ping test helps to ensure that an IP address or hostname is accessible by GreenRADIUS and that there is something on the other end.
  • The LDAP test performs an authentication using LDAP only without a second factor.

The Reports tab

Reports tab

Three types of report can be generated by GreenRADIUS. These reports list all events of a certain type. They can be filtered by date, time, and other filters to produce more informative results.

Authentication Requests

Authentication requests

An authentication request report lists all authentication attempts that have reached GreenRADIUS, whether they were successful or rejected. The report can be filtered by date, user, token type, and other filters.

Token Assignment

Token assignment

The token assignment report lists the time at which each token was assigned to a user. Like the authentication request report, it supports filtering by token type and token status.

Support Package

If you have a problem and contact GreenRADIUS support, you may be asked to generate a support package. This is an archive containing a copy of GreenRADIUS internal state and log files which provide more insight into any configurations and login attempts.

Generating a support package is done in the Global Configuration→Logging tab:

The Logging tab

Click the Generate button to create a new support package. This may take time. When the package is ready, it will be displayed along with the 15 most recent packages for download:

Package ready for download

You can then download the package and send it to Green Rocket Security to enable the Support team to better assist you.

Please note - If the issue is related to login attempts, it will be very helpful if detailed logging is enabled during the login attempts. These will then be captured in the support package and give the Support team more details to review.

Web Analytics Made Easy -
StatCounter

Updated 2021-06-03
© 2024 Green Rocket Security Inc. All rights reserved.

Maintenance

License Files

GreenRADIUS licenses grant you a certain number of user-token assignments for a certain period of time. When the current license file expires, it is necessary to install a new one. Licenses can be obtained by emailing sales@greenrocketsecurity.com.

License installation is done from the License tab.

The License tab

The license tab displays the licensee, the expiration date of the currently installed license, and the number of user-token assignments of each type used out of the maximum allowed. To install a new license, click the Choose File button and select a license file to upload.

Once the new license is installed, you will see a completion message, and the license information will be updated.

Updates

GreenRADIUS updates are generally released monthly. Updates and release notes (including steps to apply the updates) are distributed to customers via email.

Updates include enhancements and security patches for the entire GreenRADIUS VM, from the operating system to the containers. There is no need to update any GreenRADIUS component manually or individually, outside of the updates provided by Green Rocket Security.

Web Analytics Made Easy -
StatCounter

Updated 2021-06-03
© 2024 Green Rocket Security Inc. All rights reserved.

Appendix

Web Analytics Made Easy -
StatCounter

Updated 2022-06-14
© 2024 Green Rocket Security Inc. All rights reserved.

Configuring Our GRS PAM Module for 2FA for RedHat, CentOS, or Ubuntu

Introduction

GreenRADIUS can be used to enforce two-factor authentication for access to RedHat, CentOS or Ubuntu machines. One way to do this is with our custom GRS PAM Module. Our GRS PAM Module uses HTTPS communication instead of RADIUS, avoiding the need to manage each machine as a RADIUS client.

The following login methods can be protected with the GRS PAM Module:

  • SSH
  • console
  • sudo
  • GNOME

Contact us today to evaluate GreenRADIUS with our custom GRS PAM Module.

Prerequisites

  1. GreenRADIUS with users imported and reachable from the client machine running RedHat/CentOS 6, 7, or 8, or Ubuntu 16, 18, 20, or 22
    • Users imported into GreenRADIUS from your LDAP must have matching usernames with local user accounts on the Linux machine
  2. GRS PAM Module from Green Rocket Security (at least v2.2.2).
  3. If SELinux is installed on the client machine (it is usually installed by default on RedHat/CentOS), then you will need to do one of the following:
    • Set SELinux to disabled or permissive mode. You can change this setting in the /etc/selinux/config file. After editing the file, reboot your system for the changes to take effect.
    • After you have unpacked the files from the module archive (step 2 below), run sudo chcon system_u:object_r:lib_t:s0 grs_pam.so in your terminal to set the appropriate security context on the module.
  4. You will need a version of Python (Python 3 on every system except RedHat 6 or CentOS 6) and the corresponding Requests module.
    • RedHat/CentOS 6: sudo yum install python and sudo yum install python-requests
    • RedHat/CentOS 7: sudo yum install python3 and sudo pip3 install requests
    • RedHat/CentOS 8: sudo yum install python3 and sudo pip3 install requests
    • Ubuntu 16: sudo apt install python3 python3-requests
    • Ubuntu 18: sudo apt install python3 python3-requests
    • Ubuntu 20: sudo apt install python3 python3-requests
    • Ubuntu 22: sudo apt install python3 python3-requests

Steps

  1. Run sudo su - to enter super user mode
  2. Unpack the provided module archive. You should have three files: make_request.py, config, and grs_pam.so.
    • The make_request-centos6.py file is the make_request file for RedHat/CentOS 6. If you are using this OS, delete make_request.py and rename make_request-centos6.py to make_request.py.
  3. Run chmod +x make_request.py
  4. Run chmod +x grs_pam.so
  5. Run mkdir /etc/grs-pam
  6. Run mv make_request.py /etc/grs-pam
  7. Run mv config /etc/grs-pam
  8. If and only if your OS is RedHat 6 or CentOS 6: Edit the /etc/grs-pam/make_request.py file and change #!/usr/bin/python3 to #!/usr/bin/python. If the first line already reads #!/usr/bin/python, this step can be skipped.
  9. Move the grs_pam.so to the appropriate location depending on your OS:
    • RedHat/CentOS 6: /lib64/security
    • RedHat/CentOS 7: /lib64/security
    • RedHat/CentOS 8: /lib64/security
    • Ubuntu 16: /lib/x86_64-linux-gnu/security
    • Ubuntu 18: /lib/x86_64-linux-gnu/security
    • Ubuntu 20: /lib/x86_64-linux-gnu/security
    • Ubuntu 22: /lib/x86_64-linux-gnu/security
  10. Edit the /etc/grs-pam/config file to update the following:
    • SERVER: the IP address/hostname of the GreenRADIUS instances or a list of IP addresses/hostnames
      • e.g. [SERVER:greenradius]
    • VERIFY_SSL: flag to enable/disable peer certificate verification
      • [VERIFY_SSL:YES] - for enforcing certificate verification
      • [VERIFY_SSL:NO] - for disabling certificate verification
    • CERT: the absolute path to a CA_BUNDLE file or directory of trusted CA certs to be used to verify the GreenRADIUS certificate
      • e.g. [CERT:/etc/ssl/certs/ca-bundle.crt]
      • NOTE: If a directory is specified with CERT, it must have been processed using the c_rehash utility supplied with OpenSSL.
    • TIMEOUT: the number of seconds the PAM module will wait for GreenRADIUS to respond
      • e.g. [TIMEOUT:10]

It is possible to configure multiple GreenRADIUS servers by using a set of SERVER directives. Timeout and certificate settings must be configured separately for each server with the appropriate TIMEOUT, VERIFY_SSL, and CERT directives. In this configuration, the PAM module will attempt to contact each server in turn. If one server fails to respond, the next is tried. This is useful for high availability configurations.

GRS PAM Module Configuration

  1. Edit one of the following files depending on which login method(s) you want to protect:
    • SSH: /etc/pam.d/sshd
    • console: /etc/pam.d/login
    • sudo: /etc/pam.d/sudo
    • GNOME: /etc/pam.d/gdm-password
    • GNOME Screen Lock: /etc/pam.d/gnome-screensaver
  2. Add this line at the top of the file: auth required grs_pam.so.
  3. Add a # in front of the following line to comment it out:
    • RedHat/CentOS 6: auth include password-auth
    • RedHat/CentOS 7 or 8: auth substack password-auth
    • Ubuntu: @include common-auth
  4. Try a test login attempt with a user. In the password field, enter Password+OTP (append OTP to the end of the password), then hit Enter.

If you have any questions during your evaluation or configuration, please do not hesitate to contact us!

Updated 2023-01-13
© 2024 Green Rocket Security Inc. All rights reserved.

Integration Guide for FortiGate VPN

Before starting, make sure GreenRADIUS is configured with users imported from your LDAP and can communicate with your FortiGate

Configuring GreenRADIUS for FortiGate VPN

In the GreenRADIUS web admin interface, add the FortiGate VPN as a RADIUS client.

  1. Click the Domain tab
  2. Click the domain name where you want to add the FortiGate VPN as a RADIUS client
  3. Click the RADIUS Clients tab
  4. Enter the IP address of the FortiGate. Then enter the same RADIUS secret twice. Then click the Add button.

RADIUS Client Configuration

Configuring the FortiGate VPN

Add GreenRADIUS as a RADIUS Server

  1. Log in to FortiGate
  2. Open the User & Authentication menu, select RADIUS Servers, and click the "+ Create New" button

RADIUS Server Configuration

  1. Configure the following fields

    • Name: GreenRADIUS
    • Authentication method: Specify PAP
    • Primary Server IP/Name: [the IP address of GreenRADIUS]
    • Primary Server Secret: [the same RADIUS secret configured in GreenRADIUS for the FortiGate RADIUS client]
  2. Use the Test Connectivity and Test User Credentials buttons to verify the above settings

  3. Click OK

RADIUS Server Configuration

Create a user group

  1. From the User & Authentication menu, select User Groups, and click the "+ Create New" button

New user group

  1. Configure the following fields:
    • Name: [as desired, for example, "GRS Authentication"]
    • Type: Firewall
    • Members: [leave this field empty]
    • Remote Groups: Click the "+ Add" button, set Remote Server as "GreenRADIUS" and Groups as "Any"

New user group

  1. Click OK
  2. The new user group should now be listed

New User Group

IPsec VPN Configuration

  1. From the VPN menu, select IPsec Tunnels, and click the "+ Create New" button

New IPsec tunnel

  1. Configure the following fields:
    • Name: [as desired]
    • Template type: Remote Access
    • Remote device type: FortiClient
  2. Click Next

IPsec tunnel config

  1. Configure the following fields:
    • Incoming Interface: [your WAN interface]
    • Authentication method: Pre-shared Key
    • Pre-shared key: [This is a credential for the VPN and should differ from any user password]
    • User Group: [select the one created above]
  2. Click Next

IPsec tunnel config

  1. Configure the following fields:
    • Local Interface: LAN
    • Local Address: [the local network address]
    • Client Address Range: [as desired]
    • Subnet Mask: [your subnet mask]
    • DNS Server: [as desired]
    • Enable IPv4 Split Tunnel: [as desired]
    • Allow Endpoint Registration: [as desired]
  2. Click Next

IPsec tunnel config

  1. In the Client Options section, set as desired, but we recommend not saving passwords especially if OTPs will be used as the second factor

IPsec tunnel config

  1. Review the configuration, then create.

IPsec tunnel config

  1. The IPsec integration with GreenRADIUS is now complete. In the FortiClient, the required settings are:
  • VPN: IPsec VPN
  • Remote Gateway: IP address or hostname of your FortiGate
  • Authentication Method: Pre-shared key, and enter the key configured above
  • Username: [username of the user logging in]

IPsec FortiClient login

  1. Try a login on the FortiClient

FortiClient IPsec login

SSL VPN Configuration

Note: The same group configured above can be used

  1. From the VPN menu, select SSL-VPN Settings
  2. Configure the following fields:
    • Enable SSL VPN: Yes (green)
    • Listen on Interface(s): [as desired, for example, WAN]
    • Listen on Port: [as desired, for example, 10443]
    • Server Certificate: [If you have a server certificate, set it to the authentication certificate]
    • Under Authentication/Portal Mapping:
      • Edit "All Other Users/Groups" and set the Portal to "full-access"
      • Click "+ Create New" and create a mapping for the desired user group, setting the Portal to "full-access"

SSL VPN configuration

New mapping

  1. Click Apply
  2. On the FortiClient, configure the required details below:
    • VPN: SSL VPN
    • Remote Gateway: [IP address or hostname of your FortiGate]
    • Customize port: [the port configured above]

SSL VPN on FortiClient

  1. Try a login on the FortiClient

SSL VPN login

Web Analytics Made Easy -
StatCounter

Updated 2023-09-02
© 2024 Green Rocket Security Inc. All rights reserved.

Integration Guide for NetMotion Mobility

Before starting, make sure GreenRADIUS is configured with users imported from your LDAP and can communicate with your NetMotion Mobility Server

Configuring GreenRADIUS for NetMotion Mobility

In the GreenRADIUS web admin interface, add the NetMotion Mobility Server as a RADIUS client.

  1. Click the Domain tab
  2. Click the domain name where you want to add the NetMotion Mobility Server as a RADIUS client
  3. Click the RADIUS Clients tab
  4. Enter the IP address of the NetMotion Mobility Server. Then enter the same RADIUS secret twice. Then click the Add button.

RADIUS Client Configuration

Configuring the NetMotion Mobility Server

Add GreenRADIUS as a RADIUS Server

  1. Log in to the NetMotion Mobility Server console
  2. In the main menu, click on the Configure tab > "Authentication Settings"
  3. Under the "Authentication" section, click "User Authentication Protocol"
  4. In the "Global Authentication Setting" section, select "RADIUS - EAP (PEAP and EAP-TLS)". Then click "Apply".

RADIUS Authentication Setting

  1. Under the "RADIUS: Device Authentication" section, click "Servers"
  2. In the "RADIUS Servers" section, click the "Add..." button

Add RADIUS Server

  1. Enter the following:
  • Host Address: [IP address or hostname of GreenRADIUS]
  • Port: 1812
  • Shared secret: [enter the same RADIUS secret as configured in GreenRADIUS]
  • Confirm shared secret: [enter the same RADIUS secret as configured in GreenRADIUS]
  • Load balancing zone: 0

Add GreenRADIUS

  1. Click OK
  2. The GreenRADIUS entry should now be listed
  3. Under the "RADIUS: User Authentication" section, click "Servers"
  4. Repeat Steps 6 - 8 above

Add GreenRADIUS

  1. Under the "EAP-GTC" section, click "Auto-Response Mode"
  2. Uncheck the checkbox for "Auto-response mode" and click Apply

Auto-response mode setting

  1. In the main menu, click on the Configure tab > "Server Settings"
  2. Under the "Virtual Address" section, click "Allocation Method IPv4"
  3. In the "Global Setting" section, set the Method as "DHCP". Then click "Apply.

DHCP setting

  1. In the main menu, click on the Configure tab > "Client Settings"
  2. Under the "Logon" section, click "Default Credentials"
  3. In the "Global Setting" section, set as "Windows user"

Windows user setting

  1. In the main menu, click on the Configure tab > "Authentication Settings"
  2. Under the "Authentication" section, click "Mode"
  3. In the "Global Authentication Setting" section, set as "User authentication only". Then click "Apply".

User authentication only

NetMotion Mobility Client Configuration

  1. When installing the NetMotion Mobility client on a Windows machine, be sure to enter the IP address of the NetMotion Mobility server.

Client server IP address config

  1. After installation, restart the Windows machine.
  2. After restarting, the following screen may appear, because the NetMotion Mobility client is not yet configured. Click "Skip".

Skip this screen

  1. Open the NetMotion Mobility client, and click on the "Configuration" button

Configuration button

  1. Click the "Server Certificates" tab. Then uncheck the checkbox for "Validate server certificate", and click OK.

Uncheck validate server cert

  1. Click the "User Certificates" tab. Then uncheck the checkbox for "Allow user certificates", and click OK.

Uncheck allow user cert

  1. Restart the Windows machine
  2. After restarting, log in with a user that already has a token assigned (or will have a YubiKey auto-provisioned upon the first successful login).

Windows login

  1. After logging into Windows, the Mobility client login screen will appear. The user should enter his password followed by an OTP (either from a YubiKey or an Authenticator app).

Mobility client login screen

  1. If the username, password, and OTP are authenticated successfully by GreenRADIUS, the user will be connected to the NetMotion server, and the network will become active and show a status of "Connected".

NetMotion connected

Avoiding Entering Passwords Twice (Optional)

If you would like users to avoid entering passwords twice (once at the Windows logon screen and again on the NetMotion Mobility client), GreenRADIUS can be configured to skip password validation and only validate token OTPs.

  1. In the GreenRADIUS web admin interface, under the "Global Configuration" tab, click the "General" icon.
  2. Set "Enable Password Authentication Through GreenRADIUS" to "No". Then click the "Save" button.

IMPORTANT: This is a global setting, so this would only be recommended if NetMotion is the only 2FA integration with GreenRADIUS.

Skip password auth

  1. When users see the NetMotion Mobility client login screen, users will only need to enter an OTP from their token to log in.

Mobility client login screen

Web Analytics Made Easy -
StatCounter

Updated 2023-02-13
© 2024 Green Rocket Security Inc. All rights reserved.

Integration Guide for Palo Alto Networks GlobalProtect VPN

Before starting, make sure GreenRADIUS is configured with users imported from your LDAP and can communicate with your Palo Alto GlobalProtect device.

Configuring GreenRADIUS for Palo Alto GlobalProtect

In the GreenRADIUS web admin interface, add the Palo Alto GlobalProtect as a RADIUS client.

  1. Click the Domain tab
  2. Click the domain name where you want to add the Palo Alto GlobalProtect as a RADIUS client
  3. Click the RADIUS Clients tab
  4. Enter the IP address of the Palo Alto GlobalProtect. Then enter the same RADIUS secret twice. Then click the Add button.

RADIUS Client Configuration

Configuring Palo Alto GlobalProtect

Add GreenRADIUS as a RADIUS Server

  1. Log in to the Palo Alto GlobalProtect admin interface
  2. On the Device tab, navigate to Server Profiles, then RADIUS. Click Add.
  3. In the Name field, enter "GreenRADIUS"
  4. Set the timeout value to 10 seconds (or 45 seconds if using our Green Rocket 2FA Mobile App)
  5. Configure the "Authentication Protocol" drop-down to "PAP". Note: PAN-OS 7.X users must set the protocol via command line using this command: set authentication radius-auth-type pap
  6. In the Servers section, click Add. Then enter the following:
  • Server: GreenRADIUS
  • RADIUS Server: [IP address or hostname of GreenRADIUS]
  • Secret: [enter the same RADIUS secret as configured in GreenRADIUS for the Palo Alto GlobalProtect]
  • Port: 1812
  1. Click OK

RADIUS Server Profile

Add an Authentication Profile

  1. On the Device tab, navigate to Authentication Profile
  2. Click the New... button. Then enter the following:
  • Name: GreenRADIUS
  • Type: RADIUS
  • Server Profile: GreenRADIUS
  • User Domain: Optional, leave blank if you only have one domain configured in GreenRADIUS
  • Username Modified: Optional, leave blank if you only have one domain configured in GreenRADIUS
  1. Click the Advanced tab. In the "Allow List" section, select the "all" group.
  2. Click OK

Authentication Profile

Configure Palo Alto GlobalProtect

  1. On the Network tab, navigate to GlobalProtect, then Gateways
  2. Click on the GlobalProtect Gateway to display the properties window
  3. On the Authentication tab, select the GreenRADIUS authentication profile

Authentication Profile

  1. Click the Agent tab, then click the Client Settings tab. Click the name of your configuration.
  2. On the Authentication Override tab, check the checkboxes for both Generate cookie for authentication override and Accept cookie for authentication override. Set the Cookie Lifetime as desired. Select a certificate to use with the cookie.

Authentication Override

  1. Click OK twice

Configure the GlobalProtect Portal

  1. On the Network tab, navigate to GlobalProtect, then Portal
  2. Click on your GlobalProtect Portal to display the properties window
  3. On the Authentication tab, select the GreenRADIUS authentication profile

Authentication Profile

  1. Click the Agent tab, then click the name of your configuration.
  2. On the Authentication tab, check the checkboxes for both Generate cookie for authentication override and Accept cookie for authentication override. Set the Cookie Lifetime as desired. Select a certificate to use with the cookie.

Authentication Override

  1. Click OK twice

Commit and Save the Settings

  1. Click the Commit button to make the changes take effect

You may now start testing Palo Alto GlobalProtect logins. Check the Authentication Requests report in GreenRADIUS (under the Reports tab) to make sure Palo Alto GlobalProtect logins are being validated by GreenRADIUS.

Web Analytics Made Easy -
StatCounter

Updated 2021-09-28
© 2024 Green Rocket Security Inc. All rights reserved.

Integration Guide for Check Point VPN

Before starting, make sure GreenRADIUS is configured with users imported from your LDAP and can communicate with your Check Point VPN

Configuring GreenRADIUS for Check Point VPN

In the GreenRADIUS web admin interface, add the Check Point VPN as a RADIUS client.

  1. Click the Domain tab
  2. Click the domain name where you want to add the Check Point VPN as a RADIUS client
  3. Click the RADIUS Clients tab
  4. Enter the IP address of the Check Point VPN. Then enter the same RADIUS secret twice. Then click the Add button.

RADIUS Client Configuration

Configuring the Check Point VPN

Add GreenRADIUS as a RADIUS Server

  1. Log in to the Check Point VPN SmartConsole
  2. Go to Objects > New Host to add GreenRADIUS details

RADIUS Server Configuration

  1. Go to Objects > More object types > Server > RADIUS. Select the newly created GreenRADIUS host and enter GreenRADIUS details. (Note: Select "PAP" as the protocol.)

RADIUS Server Configuration

Create Local Users in the Check Point VPN

If you would like to create local user accounts and have them authenticated by GreenRADIUS, follow the steps below. (If you would like to use user accounts from Active Directory, please follow the steps in the next section below.)

  1. Go to Objects > More object types > User/Identity > New User
  2. Create new users making sure that their usernames match exactly with their usernames in your LDAP and in GreenRADIUS (assuming they have already been imported into GreenRADIUS)

New User New User

Import Users from Active Directory into the Check Point VPN

  1. Go to Objects > More object types > User/Identity > LDAP Account Unit
  2. Specify all of the required details for the Active Directory connection. On the General tab, provide a name for the LDAP.

AD Connection

  1. On the Servers tab, enter the Active Directory details

AD Connection

  1. On the Objects Management tab, click "Fetch branches" to confirm it can access the domains in the Active Directory

AD Connection AD Connection

Create Group in the Check Point VPN

For local user accounts, go to Objects > More object types > User/Identity > New Group, and assign users to this group

New Group

For Active Directory user accounts, go to Objects > More object types > User/Identity > LDAP Group. Specify the AD security group whose members should be allowed access.

New Group

Configure Gateway

  1. Navigate to Gateways & Servers and double click on your gateway
  2. Go to VPN Client > Authentication > Authentication Method and click the Settings button

Gateway Configuration

  1. In the Single Authentication Client Settings, set Authentication Method as RADIUS and specify the configured RADIUS server

Gateway Configuration

Configure Security Policies

  1. Go to Security Policies > Access Control > Policy
  2. Click "+" to add a policy
  3. For local user accounts, right click the Source field and select Add Legacy User Access. Select the group in the User Group dropdown menu.

Security Policy Configuration

  1. For user accounts from Active Directory, in the Source field, click the "+" (add) icon and select the AD group created earlier

Security Policy Configuration

Once all of this has been configured, publish to save the settings

Publishing

Test Login

  1. To test a VPN login, launch your Check Point Endpoint Security VPN client
  2. Select the appropriate site
  3. Log in with your username and password+OTP. (If you are testing with a YubiKey or Authenticator app OTP, and the OTP Input Method is "Append OTP to password" in GreenRADIUS, then append the OTP to the end of your password in the password field.)

Test Login

  1. If the login is successful, it will show that it is connected

Connected

  1. You can verify that the login was authenticated by GreenRADIUS by going to the GreenRADIUS web admin interface > Reports tab > Authentication Requests report

Web Analytics Made Easy -
StatCounter

Updated 2022-07-21
© 2024 Green Rocket Security Inc. All rights reserved.

ADFS Integration

GreenRADIUS 2FA can be integrated with Active Directory Federation Services (ADFS).

This deployment and configuration guide assumes the following:

  • GreenRADIUS (v4.1.11.11 or later) has been deployed and configured
  • A GreenRADIUS license has been installed that enables the ADFS MFA module
  • The ADFS Server role has been installed and configured in either Windows Server 2016 or 2019
  • Applications and services are already set up in ADFS as relying parties

GreenRADIUS Configuration

  1. In the GreenRADIUS web admin interface, click on the Global Configuration tab.

GreenRADIUS Global Configuration tab

  1. Click the Client-based Authentication Policies icon.
  2. In the Add Client page, configure the following settings:
  • Client ID: This is an admin-defined value and should be the same Client ID as configured in the ADFS adapter.
  • Description: This is an optional field.
  • Shared Secret: This is an admin-defined character string and must match with the Shared Secret configured in the ADFS adapter.
  • Type: Set to ADFS
  • Multi-Factor Policy: The configured setting will be enforced for user logins:
    • Password + OTP: Password and OTP (or mobile push app)
    • PIN + OTP: PIN and OTP (or mobile push app)
    • Password + PIN + OTP Password, PIN, and OTP (or mobile push app)
  • Enable First Factor Validation (Password/PIN) Through GreenRADIUS: Set to No
  • Enable Auto-provisioning: If set to Yes, YubiKeys (when OTPs are used) will be automatically assigned to users upon the first successful login with the YubiKey if the user does not already have a YubiKey assigned.
    • Note: To enable auto-provisioning of YubiKeys for use with ADFS, not only must this be set to "Yes", but also at the global and domain level.

Client-based Authentication Policies

  1. Click the Add button.

Install and Configure the GreenRADIUS ADFS MFA Adapter

  1. Download the GreenRADIUS ADFS MFA Adapter. (You can obtain the latest version by contacting us.)
  2. Logged in as an admin on the Windows Server with the ADFS server role, double-click the GreenRADIUS ADFS 2FA Adapter installer. After a few progress bars, a welcome screen appears. Click Next.

Welcome screen

  1. Accept the license agreement and click Next.

License screen

  1. Click Install.

Install screen

  1. After the installation is complete, click Finish.
  2. Open the GreenRADIUS ADFS MFA Adapter Configuration application

GreenRADIUS URL screen

  1. Click the Global Configuration tab.
  2. Configure the following settings:
  • Request Processing Scheme
    • Ordered List: The first GreenRADIUS instance listed will be contacted first for user authentication, then the next, and so on.
    • Round Robin: The next GreenRADIUS instance will be contacted first for user authentication, rotating through the list of GreenRADIUS instances with each new login attempt.
  • Server Connection Timeout: The time (in seconds) for which the ADFS client waits for each GreenRADIUS instance to respond.
  • Dead Server Detection Threshold: Indicates the maximum number of consecutive login attempts to be made to a configured GreenRADIUS instance before marking the instance as "dead"
  • Server Dead Time Interval: The time (in seconds) for which a server marked as dead will not be contacted.
  • Client ID: Should be the same Client ID as configured in all GreenRADIUS instances.
    • Note: The client ID must be unique and not already used by another ADFS client.
  • Shared Secret: This must match the shared secret configured in each GreenRADIUS for this ADFS client.

ADFS Global Configuration

  1. Click the Server List tab.
  2. Add GreenRADIUS instances and enable them.

ADFS Server List

  1. Click the Save and Apply button.
  2. Launch the ADFS management application. Right-click on Authentication Methods and select Edit Multi-factor Authentication Methods.

Edit MFA Methods

  1. A list of authentication providers will be shown. Select/Enable Green Rocket Security MFA for AD FS, and then click Apply.

MFA providers screen

  1. Restart the ADFS service.

Configuring the GreenRADIUS ADFS MFA Adapter/Plugin

  1. Launch the ADFS management application. Right-click on Access Control Policies and select Add Access Control Policy....

Access control policies

  1. An "Add Access Control Policy" screen will appear. In the Name field, enter a name for this new access control policy.

Access control policy name

  1. In the "Rule Editor" screen, under the "Permit" section, select users and check the checkbox for and require multi-factor authentication. Then click OK.

Rule editor screen

  1. Click on Apply, then OK to save changes.

Associate Access Control Policies to Relying Parties in ADFS

  1. In the ADFS management application, right-click on Relying Party Trusts, and select a relying party trust to configure.
  2. From the list of available access control policies, select the policy that was just configured above that requires multi-factor authentication.

Select access control policy

  1. Restart the ADFS service.

User Logins with GreenRADIUS MFA for ADFS Relying Parties

At this point, the ADFS service is ready to authenticate users and their second factor with GreenRADIUS. If the relying party is configured with an access control policy requiring multi-factor authentication with GreenRADIUS, users will see the following screen (or similar) after logging in with their username and password.

Second factor login screen

The following tokens are currently supported:

  • YubiKeys: YubiKey OTPs are supported. With the cursor in the blank field, after inserting the YubiKey, the user simply touches the YubiKey button.
  • Google Authenticator: Google Authenticator and other Authenticator apps are supported as well. In the blank field, the user enters the current six-digit OTP in the Authenticator app, then clicks Continue.
  • Green Rocket 2FA Mobile App: Our Green Rocket 2FA Mobile App can also be used. The user leaves the field blank and clicks Continue. The user should then receive a push notification on his or her mobile phone and tap Approve to complete the login.

Web Analytics Made Easy -
StatCounter

Updated 2022-05-24
© 2024 Green Rocket Security Inc. All rights reserved.

Configuring WordPress for GreenRADIUS 2FA

Introduction

GreenRADIUS can be used to enforce two-factor authentication for Wordpress installations.

Contact us to evaluate our WordPress plugin for GreenRADIUS 2FA.

Prerequisites

  1. A WordPress server, with administrative permissions to modify it.
  2. A publicly accessible GreenRADIUS instance with a valid certificate installed. The certificate must be trusted by the WordPress instance.
  3. The WordPress 2FA plugin from Green Rocket Security

Steps

  1. Log into your administrative account on WordPress.
  2. Click the "Plugins" menu in the left tab, then select "Add New" > "Upload Plugin".
  3. Select the .ZIP file from Green Rocket Security, and upload it.
  4. Select "Plugins" -> "Installed Plugins" from the left menu.
  5. Click "Activate" under the "GreenRADIUS Authentication" entry.
  6. In the left menu, select "Settings" > "GreenRADIUS Authentication".

WordPress settings

  1. Enter the hostname of the GreenRADIUS instance and click "Save".
  2. When you next attempt to log into the WordPress instance, you should see an OTP field:

Wordpress login with GreenRADIUS

  1. Log in with a user that is imported in GreenRADIUS. (Only user accounts in GreenRADIUS can now log in. Local WordPress user accounts that do not have a matching LDAP username imported into GreenRADIUS will no longer be able to log in with local credentials.

For example, if there is an existing WordPress user account with a username of "jdoe", there needs to be a corresponding LDAP user account with a username of "jdoe". This LDAP user account also needs to be among the users imported into GreenRADIUS, so that there is a "jdoe" user account in GreenRADIUS.

GreenRADIUS Validation of Token Only

The WordPress plugin and GreenRADIUS can be configured so that WordPress validates the user's local WordPress password and GreenRADIUS validates the token. To do this, follow the steps below:

  1. In the plugin settings, check the "Split Authentication" checkbox and click the Save button

WordPress plugin settings

  1. In the GreenRADIUS web admin interface, go to the "Global Configuration" tab and click the "General" icon
  2. Set "Enable Password Authentication Through GreenRADIUS" to "No".
  • NOTE: This GreenRADIUS setting is a global setting. It will enable or disable password validation through GreenRADIUS for all RADIUS and Web API integrations.

Web Analytics Made Easy -
StatCounter

Updated 2021-06-03
© 2024 Green Rocket Security Inc. All rights reserved.

Deploying the GreenRADIUS FIDO2 App

Prerequisities

  • A PC running 64-bit Windows or macOS
  • YubiKey or other FIDO2 token
  • GreenRADIUS v5.1.2.2 or later
  • A valid GreenRADIUS license with the "FIDO2 for RADIUS, LDAP, and 2FA API Integrations" module enabled
  • Our GRS FIDO2 Authenticator App v2.1.2 or later

Instructions

1. GreenRADIUS Configuration

  1. Go to Global Configuration → GRS Authenticator App.

GRVA Global Configuration tab

  1. Configure the following fields:

GRS Authentication app configuration

  1. Relying Party: this should be the same as the GreenRADIUS hostname.
    • The relying party name should resolve to the IP of GreenRADIUS. This can be done by adding a DNS entry to the host file of the local system.
    • Changing the Relying Party will invalidate all the previously registered tokens.
  2. User Verification:
    • Discouraged: Users are not prompted for FIDO2 token PINs during login attempts
    • Preferred: Users are prompted for PINs during login attempts
    • Required: Users are always prompted for PINs during login attempts
  3. Timeout (in seconds): defaults to 60.
  4. Enable Auto Provisioning: defaults to Yes.

2. Application Installation

2a. Installation on Windows

  1. Run the GRS FIDO2 Authenticator app installer
  2. Once the installation is complete, run the application

2b. Installation on macOS

Click on the macOS installer and drag the Green Rocket Security Authenticator icon into the Applications folder, then launch the application.

3. Application Configuration

Once you have launched the GRS FIDO2 Authenticator app, you will need to enter the hostname of GreenRADIUS:

App with hostname prompt

Next, enter your username, password, and an OTP from a token assigned to the user. (A Temporary Token will also work.)

App with username/password prompt

If a FIDO2 token is not already registered to you, you will automatically be redirected to the FIDO2 token setup screen upon successful login. Here, you will enter a human-readable name for your token (such as the YubiKey's serial number).

App with token registration prompt

The standard Windows FIDO2 dialog will now appear. At this point you will need to insert your FIDO2 token into the computer's USB port if you have not already. Enter your FIDO2 token's security PIN (if applicable), and then touch the FIDO2 token when prompted.

Steps of Windows 2FA dialog

The FIDO2 token will now be registered to the user in GreenRADIUS.

To test, send an authentication request using the RADIUS Test feature of GreenRADIUS on the Troubleshoot tab or from another configured RADIUS client

GreenRADIUS in Troubleshoot tab

Upon sending the request, you should see a notification from the app:

GreenRADIUS in Troubleshoot tab with request in corner of screen

The request will appear in the app dashboard. You can now click the request to decide whether to approve or reject it.

If you decide to approve the request, the standard Windows FIDO2 dialog will appear. Enter the PIN (if prompted), and touch the FIDO2 token. The login should then be successful if performed within the timeout period.

Web Analytics Made Easy -
StatCounter

Updated 2023-06-01
© 2024 Green Rocket Security Inc. All rights reserved.

Appendix

Web Analytics Made Easy -
StatCounter

Updated 2021-06-03
© 2024 Green Rocket Security Inc. All rights reserved.

GreenRADIUS Security Recommendations and Considerations

The following items are recommendations to consider to help secure your GreenRADIUS instances.

  1. Change default passwords
    • Web admin interface (change for both default users root and gradmin)
    • Command line (change for the gradmin user)
      • Note: The passwords for web admin interface users and command line users are managed separately, so be sure to change the default passwords for both
  2. Enforce two-factor authentication for GreenRADIUS admin accounts
  3. Replace the default self-signed certificate with a certificate signed by a trusted CA
  4. Restrict web admin interface access by IP address
    • Webmin > Webmin Configuration > IP Access Control
  5. Enable the UFW (onboard firewall) and set policies to restrict access (if an external firewall will not be used)
  6. If the onboard OpenLDAP nor the LDAP Authenticator Module will not be used, use a docker-compose-override file to prevent the OpenLDAP container from starting up
  7. Enable encryption of token secrets prior to importing or registering any tokens
    • Global Configuration tab > General
  8. If the YubiCloud will be used to validate YubiKey OTPs (instead of validating locally within GreenRADIUS), obtain a new Client ID and API Key from the Yubico site
    • Set in Global Configuration tab > Validation Server
  9. Set strong shared secrets when configuring RADIUS and ADFS clients
  10. Enable auto-logout after a certain period of inactivity in the web admin interface
    • Webmin > Webmin Configuration > Authentication
  11. Enable blocking of user accounts to prevent brute force attacks
  12. Make sure to apply the GreenRADIUS updates timely

Web Analytics Made Easy -
StatCounter

Updated 2024-01-08
© 2024 Green Rocket Security Inc. All rights reserved.

GreenRADIUS – Rocket Evaluation Guide

Start Testing Greenradius In Less Than 15 Minutes!

This guide is intended for those that want to evaluate GreenRADIUS and its features quickly before integrating it with external user directories (such as Active Directory) and external RADIUS clients (such as VPN with Cisco, Palo Alto Networks, SonicWALL, and other devices and applications that authenticate with the RADIUS protocol).

Step 1 – Import OVA File In VMWare Or Oracle Virtualbox

After downloading the GreenRADIUS OVA file, import it into either VMware or Oracle VirtualBox. If DHCP is set up, the appliance will try to find an available IP address. If one is not set up automatically or if you would like to change the IP address later, see our guide for configuring network settings.

Step 2 – Log In To The Web Console

After an IP address is assigned, open a new browser tab and go to https://<IP address of GreenRADIUS>/admin.

The default credentials are:

  • Username: gradmin
  • Password: GreenRocket!23

Step 3 – Review The Sample Domain

GreenRADIUS includes a pre-configured, sample domain named greenradius.demo. (This can be deleted later, and new domains can be created and configured.) Click on the Domain tab, then click on greenradius.demo. Five test users are included in this domain from the onboard OpenLDAP that is included in the virtual appliance. All five test users have a default password of GreenRocket!23.

To access the onboard OpenLDAP, use a third-party LDAP admin tool, such as LDAP Admin. The default credentials are:

  • Username: cn=admin,dc=greenradius,dc=demo
  • Password: GreenRocket!23

By default, this domain has our Gradual Deployment feature enabled, so that all test users are in single-factor mode (meaning only username and password are required for authentication). After a test user successfully authenticates with a security token (such as a YubiKey or Google Authenticator), the single-factor mode for that user will be disabled so that the user must use two-factor authentication (password + security token) going forward.

Step 4 – Single-Factor Authentication

Click on the GreenRADIUS Virtual Appliance link on the left. Then click on the Troubleshoot tab. The RADIUS Test section at the top can be envisioned to stand in for a client or login page that requires a username and password.

In the username field, enter “user1”. In the password field, enter “GreenRocket!23”. (We will leave the OTP field blank for this single-factor test authentication.) Then click the Send Request button. You should see a response of “Successful”.

Step 5 – Assigning A Google Authenticator Token To A User

In a new browser tab, go to https://<IP address of GreenRADIUS> (with nothing else after the IP address). This is the user self-service portal where a user can self-assign tokens, including Google Authenticator.

Follow these steps to assign Google Authenticator to a user:

  1. Click the “Assign a Token” button.
  2. In the Username field, enter “user1”. Then click Proceed.
  3. In the Password field, enter “GreenRocket!23”. Then click Submit.
  4. Click on the Google Authenticator radio button at the top.
  5. Open the Google Authenticator app on your phone. (If you do not already have it installed on your phone, please download and install the free app.)
  6. In the Google Authenticator app, navigate to set up a new account and click “Scan a barcode”.
  7. The Google Authenticator app will launch a barcode scanner (like a camera). Scan the barcode on your browser.
  8. Once the barcode is captured and a new token is displayed (with six numeric characters), click the Proceed button.
  9. Enter the current six-digit OTP in Google Authenticator (assigned to user1@greenradius.demo) in the OTP field. Then click the Verify button. You should receive a successful response.

Step 6 – Two-Factor Authentication

Go back to the Troubleshoot tab. In the RADIUS Test section, enter “user1” in the Username field, enter “GreenRocket!23” in the Password field, and enter the current six-digit OTP in Google Authenticator in the OTP field. Then click the Send Request button. You should see a response of “Successful”. (If you see a response of “Failed”, make sure that the server time is correct by following these steps.)

With this same user (user1), you can try with username and password only, and you will notice that the attempt now fails. Since the user has successfully authenticated with a token (Google Authenticator), this user must use two-factor authentication going forward. (Admins can change this for individual users in the Users/Groups tab in the Domain tab.)

One other note – This RADIUS test section has three separate fields for username, password, and OTP. When RADIUS clients are eventually set up, the default configuration in GreenRADIUS is for users to submit credentials this way:

  • Username field of client or login page: username
  • Password field: password immediately followed by OTP (no spaces or characters in between)

If you run into any issues or have further questions, please do not hesitate to contact us at 888-793-3247 or +44 808 234 6340 or email us at info@greenrocketsecurity.com.

Web Analytics Made Easy -
StatCounter

Updated 2021-06-03
© 2024 Green Rocket Security Inc. All rights reserved.

GreenRADIUS – Quick Start Guide

This guide is intended for those that want to evaluate GreenRADIUS and its features quickly by integrating it with external user directories (such as Active Directory) and external RADIUS clients (such as VPN with Cisco, Palo Alto Networks, SonicWALL, and other devices and applications that authenticate with the RADIUS protocol).

If you would like to evaluate GreenRADIUS before integrating with your user directory and your RADIUS clients, please refer to our GreenRADIUS "Rocket" Evaluation Guide.

Step 1 – Import OVA File In VMWare Or Oracle Virtualbox

After downloading the GreenRADIUS OVA file, import it into either VMware or Oracle VirtualBox. If DHCP is set up, the appliance will try to find an available IP address. If one is not set up automatically or if you would like to change the IP address later, see our guide for configuring network settings.

Step 2 – Log In To The Web Console

After an IP address is assigned, open a new browser tab and go to https://<IP address of GreenRADIUS>/admin.

The default credentials are:

  • Username: gradmin
  • Password: GreenRocket!23

Step 3 - Set Up a New Domain

GreenRADIUS includes a pre-configured, sample domain named “greenradius.demo”. (You can keep this or delete it, since a new domain will be created.)

In the Domain tab, enter your domain name in the field, then click the “Add Domain” button. Then click on the newly created domain.

Step 4 – Importing Users

Go to the “Directory Server” tab. Enter the IP address of your Active Directory, OpenLDAP, or 389DS. Then enter the username and password of an administrator’s credentials. Click the “Proceed” button.

Complete the additional fields to import users from your Active Directory or OpenLDAP. Note the following:

  • For the “Login Name Identifier”:
    • For Active Directory, “sAMAccountName” is common, but other identifiers can also be used.
    • For OpenLDAP, use “uid”
  • For the "Filter" field, consider importing users from a specific security group. An example filter string would be: (&(objectClass=person)(memberOf=CN=test_group,OU=Technology,DC=domain,DC=local)). Otherwise, to import all users, the filter string should be: (&(objectCategory=person)(objectClass=user))
  • The “Set Frequency” drop-down menu sets the scheduled frequency that GreenRADIUS will import/update users from your user directory.

Once all fields have been configured, click the “Save and Import” button to import users.

The import operation should begin. If the import is successful, the end of the message will read “Successfully updated users records. User Import operation completed.” Click “Return to previous page”.

Step 5 – Configuring A RADIUS Client

Go to the “RADIUS Clients” tab.

Enter the IP address or hostname of the RADIUS client you want to integrate with GreenRADIUS. (You could also enter a subnet.) Then, enter a shared secret (entirely up to you what you want to use) in the two client secret fields. Then, click the “Add” button.

In the admin/management screen/portal of the RADIUS client you are configuring with GreenRADIUS, make sure to direct authentications to GreenRADIUS as a RADIUS server and use the same shared secret as configured in GreenRADIUS. (If asked, use the PAP protocol. CHAP, MS-CHAP, and MS-CHAPv2 are not supported.)

At this point, you can test single-factor authentications through your normal logon client/page.

Step 6 – Enable Gradual Deployment (Optional)

GreenRADIUS can make implementation easy with the Gradual Deployment feature. When enabled, GreenRADIUS will automatically enforce two-factor authentication for a user after the user’s first successful authentication with password and token. For users that have yet to use a token, they will remain needing only to use their password to successfully authenticate until they use their token or until the Gradual Deployment feature is disabled.

To enable Gradual Deployment, in the Configuration tab of the domain, set the “Enable Gradual Deployment” setting to “Yes”. Then click the “Update” button.

Note – Changing this setting from “Disable” to “Enable” will set all users to needing only passwords (single factor only) to authenticate, even those users that have tokens assigned or are set to needing tokens to authenticate. You can check each user’s requirement under the “Single Factor Flag” column in the “Users/Groups” tab. A green check mark means the user only needs a password. A red X means the user needs password and token.

Also note that this Gradual Deployment feature is not available for Windows Logon.

Step 7 – Enable Auto-Provisioning Of YubiKeys (Optional)

Auto-provisioning of YubiKeys to users can be done automatically in GreenRADIUS. When this feature is enabled, users are auto-assigned YubiKeys upon first successful authentication with an unassigned YubiKey. No separate registration of the YubiKey to the user is required.

To enable this feature, in the Configuration tab of the domain, set the “Enable Auto-provisioning For YubiKey Tokens” to “Yes”. Then click the “Update” button. (Make sure this setting is also set to “Yes” in the “General” settings in the Global Configuration tab.)

If you run into any issues or have further questions, please do not hesitate to contact us at 888-793-3247 or +44 808 234 6340 or email us at info@greenrocketsecurity.com.

Web Analytics Made Easy -
StatCounter

Updated 2023-06-19
© 2024 Green Rocket Security Inc. All rights reserved.

Migrating from GreenRADIUS v3.1.6.7 to v4.1.3.4

Introduction

GreenRADIUS version 4.1.3.4 is equipped with a tool to migrate users, tokens, and settings from v3.1.6.7. This document describes how to use the migration tool, detailing the steps to perform. It also covers how to deal with certain configurations not covered by the migration tool.

The following configuration is migrated with this tool:

  1. Database tables containing general configuration, user-token assignments, user information, domain information, directory server information, RADIUS clients, token states, token secrets, etc.
  2. Certificates
  3. License file
  4. RADIUS configuration

Additionally, the following configuration can optionally be migrated as well:

  1. Onboard firewall configuration
  2. Onboard OpenLDAP server configurations
  3. Network configuration migration, including DHCP settings and (if applicable) static IP address
  4. Hostname
  5. Time zone

Prerequisites

  1. The GreenRADIUS instance to migrate from must be running GreenRADIUS v3.1.6.7
  2. A fresh GreenRADIUS v4.1.3.4 must be deployed as the migration target
  3. The v4.X instance must be able to reach the v3.1.6.7 instance
  4. On the GreenRADIUS v3.1.6.7 instance, the gradmin command line user account (not the web admin interface account) needs to have a password that does not include special characters
  5. The Docker containers auto-start on boot. If the containers have been stopped manually, they need to be restarted before beginning the migration.
  6. For on-board OpenLDAP server configuration migration, a resolvable hostname/FQDN must be configured in GreenRADIUS v4.X as follows:
    • Log in to GreenRADIUS.
    • Navigate to Global Configuration→Certificate
    • Set the value in the Server Hostname/FQDN field.
    • Under the Create Certificate tab, enter a common name matching the hostname/FQDN configured in the above step. Click the Create and Install button.

Steps

Once GreenRADIUS v4.1.3.4 is running, invoke the migration script from the command line:

$ cd /home/gradmin/GRS-Migration-Tool/
$ sudo python migration.py

This will produce a dialog of migration options like this:

Migration Options

The migration tool prompts for the hostname or IP address of a v3.1.6.7 instance.

It will then request an administrator username and password of a command-line user on the v3.1.6.7 instance.

You will be prompted as to whether you wish to migrate on-board firewall configuration, on-board LDAP configuration, hostname, network, and timezone settings.

The migration process may take some time. When it is finished, a completion message will be displayed:

Migration Complete

If your v3.1.6.7 instance was configured not to use DHCP, then the v4.1.3.4 instance will try to use its IP address the next time it starts (if you selected to migrate the network configuration.) To prevent the GreenRADIUS instances from colliding over the IP address, you should shut both down and then reboot only the v4.1.3.4 instance without rebooting the v3.1.6.7 one.

After reboot, you will find that most settings from your v3.1.6.7 instance have been migrated.

IMPORTANT NOTE: If there are multiple servers configured in synchronization, one GreenRADIUS v4.1.3.4 instance should be deployed for each v3.1.6.7 instance and migration from each v3.1.6.7 instance should be done to the corresponding v4.1.3.4 server instance. Once the migration is done, the server entries in the synchronization configuration should be deleted and re-added on each of the v4.1.3.4 server instances.

Additionally, in some cases, the network configuration is not migrated.
In such cases, manually configure the network by following our network configuration guide.

Settings to Check and Configure Manually

Not all settings are migrated. Please be sure to check the following settings and make changes as necessary:

  1. YubiKey OATH-HOTP OTP length (in case YubiKeys programmed in OATH-HOTP mode are being used, this setting is found under Global Configuration→General)
  2. User portal OATH algorithm for soft tokens (in case Google Authenticator or similar soft tokens are being used, a setting of TOTP is recommended, this setting is found under Global Configuration→User Portal)
  3. Temporary tokens must be re-established for those users assigned temporary tokens
  4. LDAP server certificates (in the Directory Server tab of the GreenRADIUS domain) if you are using secure connection (over port 636)
  5. Local web admin console user accounts and settings

Contact Green Rocket Security for further instructions to upgrade from v4.1.3.4 to the latest GreenRADIUS version

Web Analytics Made Easy -
StatCounter

Updated 2021-10-21
© 2024 Green Rocket Security Inc. All rights reserved.

Programming YubiKeys with the GRS Programming/Auto-Import Tool

Green Rocket Security provides a Windows-based YubiKey programming tool, which programs YubiKeys and also automatically uploads the newly-generated YubiKey secrets to GreenRADIUS in a single-step process. These are the steps to install and use the programming tool.

  1. Contact Green Rocket Security to receive a copy of the programming tool installation EXE.
  2. Run the installer as administrator. The programming tool will be installed to the AppData directory for your user. A shortcut will also appear in the Start Menu.
  3. Enable the programming API on GreenRADIUS, if you have not done so already. To do this, log into GreenRADIUS, either in the console or via SSH, and run the command sudo docker exec -it GRVA-MAIN changepassword grsapiusr. This will prompt you for a new password for the grsapiusr API user.
  4. Insert your YubiKey in a USB port.
  5. Launch the programming tool as an administrator. To do this, find its entry in the Start Menu, right-click it, and select "Run as Administrator" from the list of options that appears.
  6. You will need to enter the hostname or IP address of GreenRADIUS as well as the username (grsapiusr) and password. The password is the one configured in Step 3. Entering the connection information
  7. The tool will now automatically program your YubiKey with a random secret and upload the data to GreenRADIUS. You will be able to see the new token appear in the "List Tokens" screen of the web admin interface.
  8. You can program as many keys as your wish successively, or exit the tool once you are finished. The data for each key is imported to GreenRADIUS as it is generated, so no final "save" step is necessary.

Configure GreenRADIUS to Validate YubiKeys Locally

To use the tokens, you will need to set your GreenRADIUS to use local validation, since the secrets are stored locally rather than in the YubiCloud. To do this:

  1. In the GreenRADIUS web admin interface, click the Global Configuration tab.
  2. Select "Validation Server".
  3. Set the server to "Local validation server on GreenRADIUS Virtual Appliance" and click "Save" to commit your changes.

Configuring the validation server

Once this is done, you will be able to use your YubiKeys with GreenRADIUS validating OTPs locally.

Web Analytics Made Easy -
StatCounter

Updated 2021-06-03
© 2024 Green Rocket Security Inc. All rights reserved.

Management APIs

Customers may make use of HTTPS management APIs for specific administrative operations in GreenRADIUS. These allow customers to write their own frontend software to administer their GreenRADIUS instance.

This document lists the endpoints for these APIs and provides examples of how to call each one.

All of these APIs require that the management API password be configured. You can do this by executing the following command from the shell on your GreenRADIUS instance:

sudo docker exec -it GRVA-MAIN changepassword grsapiusr

All requests require parameters to be supplied in the request body as a JSON structure. The Content-Type of the request must be set to application/json. Authentication is required for each request in the form of BasicAuth username/password tokens.

For example, to call the API from Python, you could use the following:

import requests

HOST = 'greenradius.example.com'

requests.post(
    'https://'+HOST+'/gras-api/v2/mgmt/import_token/yubikey',
	auth = ('grsapiusr', 'GreenRocket!23'),
	json = {
    	"yubikeys" : [
            {
                "make": "Yubico OTP",
                "serialno": 3014781,
                "publicname": "ddvcuttiuejt",
                "internalname": "8b428d0f016f",
                "aeskey": "a55adb9c4da2ad57c529737fd4d5ecd0"
            }
        ]
    }
)

The APIs are:

Reporting Batch Results

Many of the endpoints allow one to send multiple entries as part of a single request. For example, the YubiKey Import endpoint enables you to send several YubiKey token entries with one request. When this happens, it is possible for some of the assignment requests to succeed and some to fail. Therefore, these endpoints use result batches to report the results of individual logins, rather than reporting the entire batch as a single success or failure.

A result batch is a JSON structure with the following entries:

{
    "count": 2,
    "records": {...}
}

The count is either an integer or a string (callers must expect either.) It indicates the number of results in this batch. The records entry is a JSON structure, unless count is 0, in which case it is the empty list []. It will contain count key-value pairs, each of which represents the result of one of the entries in the initial request. The value will vary depending on which type of batch and which endpoint; the key is always a string (not an int) of the index, starting from 1, of the request in the initial list passed to the endpoint.

For example: say a fictional endpoint square, which computes N2, is called with five individual entries:

{
    "numbers": [
        5,
        2,
        "invalid input",
        6
    ]
}

The result might be two result batches, one containing successes and one containing failures:

{
    "numbers_squared": {
        "count": 3,
        "records": {
            "1": 25,
            "2": 4,
            "4": 36
        }
    },
    "numbers_invalid": {
        "count": 1,
        "records": {
            "3": {...}
        }
    }
}

numbers_invalid["records"]["3"] would be an error structure, as described below.

Paging

When multiple entries are returned by any endpoint, you have the option to request that the results are paged: that is, rather than returning all the entries in one request you can fetch them in slices.

To prevent denial of service, all entry batches are truncated to 10,000 records: no endpoint will return more than 10,000 records at once. This means you must implement batch handling if you need to deal with more than 10,000 results.

To use paging, specify the following two options in the JSON parameters to the endpoint you are using:

KeyValue TypeValue Description
offsetIntThe offset from which to start the returned records.
limitIntThe maximum number of records to return.

For example, if a query produces 50,000 thousand results, you can fetch the first 10,000 with:

{
    "offset": 0,
    "limit": 10000
}

Then, send another request with the same parameters except the next value of offset:

{
    "offset": 10000,
    "limit": 10000
}

Once a return value contains fewer than limit requests, you have reached the end of the available entries.

Error Reporting

Error Structure

Errors are reported as a structure with the following entries.

KeyValue TypeValue Description
codeIntAn integer numerical code describing the error.
shortStringA short, non-user-friendly description of the error.
descriptionStringA longer, more user-friendly description of the error.

Table of Error Codes

CodeError
4000The Content-Type of the request is not application/json.
4001One of the input parameters is invalid.
4002A required input parameter is missing.
5000No user found.
5001The user already has the maximum number of tokens allowed.
5002The token is already assigned to the user.
5003Assigning a token to a user failed.
5004The requested YubiKey token is not present.
5005The maximum number of users has been exceeded.
5006The token could not be assigned because user-level authentication failed due to invalid credentials.
5007Token assignment failed for an unspecified reason.
5008Token assignment failed because the token does not exist.
5026The requested assignment was not found.
5051The YubiKey token is already present.

Import a YubiKey Token

Overview

This endpoint imports a new YubiKey token. The token will not be assigned to any user, but it will be added to the GreenRADIUS database.

Request Type: POST
Endpoint Path: /gras-api/v2/mgmt/import_token/yubikey

Parameters

{
    "yubikeys" : [...]
}

Each item in the provided list of YubiKeys must be a JSON structure with the following elements:

AttributeTypeDescription
makeStringThe make of this particular token. Should always be set to "Yubico OTP".
serialnoIntThe serial number of the YubiKey.
publicnameStringThe key's public ID.
internalnameStringThe key's private ID.
aeskeyStringThe secret AES-128 key associated with the YubiKey.

Return Values

If the request parameter is valid and adheres to the specified format, the endpoint will return a JSON structure similar to the following:

{
    "records_imported": {...},
    "records_invalid": {...},
    "records_skipped": {...}
}

Each of records_imported, records_invalid, and records_skipped will contain a request batch structure. Within this records_imported structure, each record in the batch will be a structure with keys status, make, serialno, and publicname. The latter three elements are the same ones that were passed in; the status attribute is always set to "success".

For failed requests (this includes both records_invalid and records_skipped), the value will be an error entry. Attempting to import a key that is already present in the database is considered an error; that key will be counted in records_skipped.

For an error which makes it impossible to parse the key import requests (such as, for example, the yubikeys parameter is missing entirely or is the wrong type) then the request value will simply be an error structure.

Delete a YubiKey

Overview

This endpoint deletes a YubiKey from the database.

Request Type: DELETE
Endpoint Path: /gras-api/v2/mgmt/delete_token/yubikey

Parameters

{
    "deletealways": false,
    "yubikeys": [...]
}
ParameterTypeDescription
deletealwaysBoolIf true, the YubiKeys will be deleted even if they are currently assigned to users. If false, those requests will instead produce error entries. This parameter is optional and defaults to false.
yubikeysListA list of YubiKeys to delete. Each YubiKey is a JSON structure with a single entry publicname, which is the Public ID of the YubiKey.

Return Values

If the request is validly formed, the response will be a JSON structure of the form:

{
    "records_deleted": {...},
    "records_invalid": {...},
    "records_skipped": {...}
}

Each of these is a batch structure; records_invalid and records_skipped contain an error structure for each failed deletion. records_deleted contains a batch structure, whose individual entries are of the following form:

{
    "status": "success",
    "publicname": "..."
}

publicname will be the public name of the deleted key.

If the request is not validly formed, the response will be an error structure.

Assign a Token

Overview

The endpoint assigns tokens to users. Unlike the YubiKey import endpoint, it is not restricted to Yubikeys; this endpoint works for any token type except OATH/TOTP tokens. For those, there is a special endpoint; see below.

Request Type: POST
Endpoint Path: /gras-api/v2/mgmt/mappings

Parameters

{
    "assignments" : [
        {...}
    ]
}

Each assignment entry should be a structure with the following elements:

AttributeTypeDescription
usernameStringThe target user to assign the key to. This must be supplied in user@domain format.
publicnameStringThe public ID of the token to assign to the user.

Return Values

Like the other endpoints, this returns a single error structure if the input is invalid. However, it does not return regular batch structures on success. Instead, the output is in the following format:

{
    "assignments": [...]
}

Each item in the assignments list corresponds to one of the entries in the original request. These are structures with two entries, input and output. The input attribute is the input that was submitted for this entry (i.e. a structure with username and publicname attributes). The output attribute is a structure. This structure is always guaranteed to have one attribute status, whose value will be either "success" or "failed". If the assignment failed, the structure will also be an error structure, with code,short,and description attributes. If the assignment succeeded, the structure will contain a msg attribute with a success message.

Remarks

If the token is already assigned to a user - even if they are the same as the target of the assignment request - the request will fail.

Assign an OATH Token

Overview

This endpoint assigns OATH/TOTP tokens (e.g. an Authenticator token) to users.

Request Type: POST
Endpoint Path: /gras-api/v2/mgmt/mappings/oath

Parameters and Return Value

The parameters and return value for this endpoint are identical in structure to those of the endpoint above ("Assign a Token"); however, the "publicname" specified in the records should be the identifier for an OATH/TOTP token already present in the system (i.e. visible in the List Tokens tab of the web administration console).

Unassign a Token

Overview

This endpoint un-assigns tokens that are currently assigned to users.

Request Type: DELETE
Endpoint Path: /gras-api/v2/mgmt/mappings

Parameters

{
    "users": [
        {...}
    ]
}

Each entry to unassign should be a structure with either of the two following keys (you need not supply both):

AttributeTypeDescription
usernameStringThe username to un-assign from, in user@domain format.
publicnameStringThe public ID of the token to un-assign.

Remember, for each unassignment, you only need to supply either the user or the token!

Return Value

Like the Assign a Token endpoint, this endpoint returns a structure in this format:

{
    "users": [...]
}

Each item in the users list corresponds to one of the input entries. These entries are structures with input and output attributes, with input again holding the input value for this entry. The output value is either an error structure, if the given entry failed to unassign, or a structure in one of two formats.

If the entry unassigned by username, its corresponding output struct will have the following attributes:

AttributeTypeDescription
statusStringFor successful unassignments, holds "success".
usernameStringThe input username.
tokens_unassignedList of stringsA list of all tokens unassigned from the user.

If the entry unassigned by token ID, its output struct will look like this instead:

AttributeTypeDescription
statusStringFor successful unassignments, holds "success".
publicnameStringThe input public ID of the token.
users_unassignedList of stringsA list of all users the token was unassigned from.

Request Token Assignments / Status

Overview

This endpoint returns a list of user-token mappings matching the given criteria.

Request Type: GET
Endpoint Path: /gras-api/v2/mgmt/tokenassignment

Parameters

All parameters are optional. You may supply one, more than one, or none. Supplying no parameters will match all assignments.

ParameterTypeDescription
token_idList of stringsA list of Token IDs to match against.
usernameList of stringsA list of user names to match against. These must be provided in user@domain format.
token_typeList of stringsA list of token types to match against. The following values are accepted: yubikey, oath-totp, oath-hotp, u2f, and m2f. Multiple values may be supplied.
assigned_beforeIntA "latest date" for any assignment. Matches only assignments earlier than this date. Provided as a number of seconds since 00:00:00 on 1 Jan 1970 in the server's timezone.
assigned_afterIntAn "earliest date" for any assignment, in the same format as assigned_before.

Return Value

The return value will be a map with three main elements of interest: records_with_mappings, records_without_mappings, and records_invalid. Each of these elements is a struct with a count element and a records element. The records element will be an empty list or non-existent if there are no records in the given group; otherwise it will be a map. Depending on the parameters provided, this map will have either the usernames or token names as keys, and the mappings for that user or token as the value.

If the search parameters are such that the returned values are tokens, then each token struct will contain a list of user mappings; if the search parameters cause a token list to be returned, then its struct will contain a list of token mappings. In either case, the mappings will be added as a user_mappings element on each returned record.

Token structs are of the following form:

ParameterTypeDescription
token_idStringThe public ID of the token.
token_typeStringThe type of token, e.g. "Yubikey" or "OATH-TOTP"

User structs contain the following elements:

ParameterTypeDescription
userStringThe username, in user@domain format.

Whichever are the mapping structs (not the returned records) will also contain the following information for each mapping:

ParameterTypeDescription
statusStringThe token status (either "Enabled" or "Disabled").
assigned_onIntThe date that the token was assigned to the user, in Unix epoch format.

Request Authentication Records

Overview

This endpoint returns a log the of authentications against the GreenRADIUS server, filtered according to provided criteria.

Request Type: GET
Endpoint Path: /gras-api/v2/mgmt/gras-authentication-request-records

Parameters

{
    "authentication_result": //List of strings.
    "token_type": //List of strings. 
    "username": //List of strings
    "token_id": //List of strings
    "authentication_agent": //List of strings
    "authentication_endpoint": //List of strings
    "sort_by": //String
    "sort_order": //String
    "from_timestamp": //String. "Earliest date" for authentication requests, in seconds since 
    				//00:00:00 on 1 January 1970 in the server's timezone
    "to_timestamp": //String. "Latest date" for authentication requests, in the same format as above.
}
ParameterPossible Values (more than one may be supplied)
authentication_resultSUCCESS_2FA, SUCCESS_SF,SUCCESS_TEMP,FAILED
token_typeALL,YUBIKEY,OATH,U2F,MOBILE
sort_byAUTHENTICATION_TIME,USERNAME,TOKEN_ID
sort_orderASC,DESC

List Block/Unblock Status

Overview

This endpoint returns the blocking status of users, supporting various filter configurations.

Request Type: GET
Endpoint Path: /gras-api/v2/mgmt/blocked-status

Parameters

If no JSON data is supplied, then the request returns the blocking status of every user across all domains. Otherwise, a JSON map can be used containing one or more of the following filters:

ParameterTypeDescription
usersListA list of users, in user@domain format.
patternStringA pattern string, in user@domain format. A ".*" expression can be provided to match some part of the username, e.g. "user.*@test" will match all users in domain test whose username starts with user. A domain cannot be partially specified and partially filled by the regex; either the whole domain must be supplied, or the regex must match the whole domain.
stateListContains either or both of "blocked", "unblocked". Matches only the users in that state.

Return Value

The return value on success will be a JSON map containing one entry for each user matching the pattern, plus an additional entry with the key "Reporting Time Zone", which lists the timezone in which GreenRADIUS is executing. This must be taken into account when converting UNIX timestamps into date/time structures.

For each of the users, their username (in user@domain format) will be the key for their entry in the map; the value will be a structure containing the following elements:

KeyTypeDescription
statusString"blocked" or "unblocked".
last_failed_attempt_atIntegerThis entry is only present is status is blocked. If it is present, it contains the UNIX timestamp of the last failed login.

Unblock Users

Overview

This endpoint unblocks users who have previously been blocked by exceeding the threshold for consecutive failed login attempts.

Request Type: PUT
Endpoint Path: /gras-api/v2/mgmt/unblock-users

Parameters

The parameter should be a JSON map containing a single entry users. The value of this entry should be an array of usernames, in user@domain format; each user in this array will be unblocked.

{
	"users":[
        "user1@greenradius.demo",
        "user2@greenradius.demo"
    ]
}

Return Value

A JSON map will be returned containing three sub-maps: records-unblocked,records-skipped, and records_not_found. Records in records_skipped are those which were specified in the parameters, but which were already unblocked (unblocking them would be a no-op.) Each of these categories is in the following format:

KeyTypeDescription
countNumberThe number of records in this category
recordsList of stringsThe users in this category, in user@domain format.

Enable Token Assignment

Overview

This endpoint enables a set of given user/token mappings.

Request Type: PUT
Endpoint Path: /gras-api/v2/mgmt/tokenassignment/enable

Parameters

The parameter should be a JSON map containing a single entry token_assignments. The value of this entry should be an array of maps, each providing one mapping to enable. Each map must provide at least one of the following elements (if it is necessary to specify among many mappings for the user or token, both should be provided).

KeyTypeDescription
token_idStringThe public ID of a token mapped to the user.
usernameStringThe username of the user with the mapping, in user@domain format.

NOTE: The token_id parameter currently supports only YubiKey OTP and Authenticator app tokens

Disable Token Assignment

Overview

This endpoint disables a set of given user/token mappings.

Request Type: PUT
Endpoint Path: /gras-api/v2/mgmt/tokenassignment/disable

Parameters

The parameter should be a JSON map containing a single entry token_assignments. The value of this entry should be an array of maps, each providing one mapping to disable. Each map must provide at least one of the following elements (if it is necessary to specify among many mappings for the user or token, both should be provided).

KeyTypeDescription
token_idStringThe public ID of a token mapped to the user.
usernameStringThe username of the user with the mapping, in user@domain format.

NOTE: The token_id parameter currently supports only YubiKey OTP and Authenticator app tokens

Add a Temporary Token

Overview

This endpoint adds temporary tokens for the specified users.

Request Type: POST
Endpoint Path: /gras-api/v2/mgmt/temporary-tokens

Parameters

This endpoint takes a JSON map containing a single entry temporary_tokens, which is a list of records representing temporary tokens to add. Each record is a map in the following form:

KeyTypeRequiredDescription
usernameStringYesThe user to add the token to, in user@domain format.
expiry_dateIntYesThe expiration date for the token in Unix epoch time.
temporary_tokenStringYesThe token that the user will use. Its length must match what is specified in Global Configuration, and the last six characters cannot be numeric.
count_of_max_authIntNoThe maximum number of times the user will be allowed to authenticate with this token. Set this to 9999 for unlimited authentications. This defaults to 5 if not specified

Return Value

The response will be a map containing three batch results: records_created, records_invalid, and records_skipped.

Update a Temporary Token

Overview

Updates the parameters of one or more already-existing temporary tokens.

Request Type: PUT
Endpoint Path: /gras-api/v2/mgmt/temporary-tokens

Parameters & Return Value

The parameters and return values for updating temporary tokens are identical to the parameters for creating a temporary token; however, expiry_date and temporary_token are optional. If unspecified, these parameters will remain unmodified. Otherwise, the new values overwrite the old ones for that user's temporary token.

Delete a Temporary Token

Overview

Delete the temporary tokens of one or more users.

Request Type: DELETE
Endpoint Path: /gras-api/v2/mgmt/temporary-tokens 

Parameters

This endpoint takes a JSON map containing a single entry, usernames, which should be a list of users whose temporary tokens should be deleted. The usernames should be in user@domain format.

Return Values

This returns a three batches: records_deleted, records_invalid, and records_skipped, consistent with other endpoints.

Get Temporary Token Information

Overview

Get the details associated with the temporary tokens of one or more users.

Request Type: GET
Endpoint Path: /gras-api/v2/mgmt/temporary-tokens 

Parameters

This endpoint takes a JSON map containing a single entry, usernames, which should be a list of users to get the temporary token information for. The usernames should be in user@domain format.

Return Values

The return value is three batches: records_found, records_invalid, records_skipped. The records_found entries will be maps representing a user-token mapping; these will be in the same form as the parameters to the Add a Temporary Token endpoint.

Web Analytics Made Easy -
StatCounter

Updated 2023-10-31
© 2024 Green Rocket Security Inc. All rights reserved.

Validation Protocol

The YubiKey Validation Protocol enables GreenRADIUS to validate YubiKey OTPs through a special endpoint without performing username/password validation nor user-YubiKey assignment validation.

Prerequisites

  • GreenRADIUS 4.4.1.1 or later
  • A valid license which supports OTPOnly functionality

Usage

The endpoint is accessible at https://<IP/hostname of GreenRADIUS>/wsapi/2.0/verify by POST or GET request.

HTTP parameters should be supplied in the usual way as "form-input" style entries, e.g.

https://<IP/hostname of GreenRADIUS>/wsapi/2.0/verify?nonce=12341234123412341234&id=99999&otp=grktccrrijbribbcdtveetgbvergnrvcnkngnfljjfcj

The following parameters are required:

  • id: The Client ID for this requestor.
  • otp: The OTP to validate
  • nonce: A unique identifier for this request. Must be between 16 and 40 characters in length.

The following parameters are optional:

  • timestamp: If 1, session counter information and timestamp will be returned with response.

The response will be returned as a series of key=value pairs, separated by newlines. The otp and nonce will be echoed back, accompanied by time stamp, session counter, and session use if timestamp was set in the request. An HMAC signature will also be returned, as the h parameter. The result will be returned in the status parameter, and takes the following possible values:

  • OK: The OTP is valid.
  • BAD_OTP: The OTP is invalid.
  • REPLAYED_OTP: The OTP has already been used in a previous request.
  • REPLAYED_REQUEST: The OTP/nonce combination has already been used in a previous request.
  • MISSING_PARAMETER: The request is lacking a required parameter.
  • NO_SUCH_CLIENT: The Client ID does not exist in GreenRADIUS.
  • BACKEND_ERROR An internal error has occurred. Please contact Green Rocket Security if you see this message.

Example of a request response:

h=u7EiYbXxElBBKRfkkCNCxf6zj/4=
t=2021-10-13T20:13:02Z0820
otp=grktccrrckjlbejchetblehkefgcnrtgdevvgiikkdfc
nonce=12341234123412345
timestamp=9323959
sessioncounter=2
sessionuse=0
status=OK

Adding a Client

To add a client in GreenRADIUS, click on the Global Configuration tab, then click Client-based Authentication Policies. Then click the "Add a New Client" button.

Client-based authentication policy configuration

You will then be able to add the Client ID, description, and shared HMAC key for the client. (Client ID "1" is reserved for internal purposes and must not be used.)

client-based authentication policy configuration - yubikey only

Updated 2023-02-11
© 2024 Green Rocket Security Inc. All rights reserved.

Automatic Certification with Let's Encrypt

It is possible to set up GreenRADIUS to automatically obtain and install certificates from Let's Encrypt. These are the steps to obtain and install a certificate and configure your GreenRADIUS to automatically renew its certificate from Let's Encrypt.

Prerequisites

  • GreenRADIUS v4.3.5.5 or later
  • A valid domain name with the A record pointing at GreenRADIUS
  • GreenRADIUS must be connected to the Internet with the ability to make outgoing connections on port 443 and accept incoming connections from any IP address on port 80. (Note: In order to enable incoming connections on the internal UFW firewall (if enabled), run sudo ufw allow 80 in the GreenRADIUS command line.)

Steps

  1. Log into your GreenRADIUS instance via SSH
  2. sudo su
  3. snap install core
  4. snap refresh core
  5. snap install --classic certbot
  6. ln -s /snap/bin/certbot /usr/bin/certbot
  7. certbot certonly --standalone
  8. Follow the onscreen instructions. After this, your certificate files will be placed in a directory at /etc/letsencrypt/live/<your site name>/. This contents of this folder will be updated as needed by Certbot, so the certificate here should always be fresh.
  9. Download the automatic installation script from this link and unzip it. You should now have a file called install-grva.sh.
  10. Move install-grva.sh to /etc/letsencrypt/renewal-hooks/deploy.
  11. Run chmod +x /etc/letsencrypt/renewal-hooks/deploy/install-grva.sh.
  12. Run certbot renew --force-renewal and verify that no errors occurred.

You should now find that the new certificates have been installed on GreenRADIUS. Certbot will periodically refresh the certificates; there may be a few seconds where GreenRADIUS is unavailable when this occurs (approximately once per month).

Updated 2021-11-01
© 2024 Green Rocket Security Inc. All rights reserved.

Deploying FIDO2 with GreenRADIUS for PHP-powered websites

Prerequisites

  • A web application which supports PHP integration and has a valid certificate installed
  • PHP 7.3.27 or later
  • GreenRADIUS v5.1.2.2 or later

Configuration Instructions

  1. Download and unzip the FIDO2 relying party installation package.
  2. The module is divided into two sections. One is written in Javascript and runs on the client's browser; the other is written in PHP and runs server-side. These are stored in the js/ and php/ subdirectories, respectively, of the installation package. Both need to be installed in your web application; the exact location and configuration depends on your specific web server. In this guide, the location of the PHP modules will be referred to as $PHPCLIENT and the location of the Javascript modules as $JSCLIENT.
  3. On the server, run the following commands as root:
    1. touch /var/log/fido2.log
    2. chown www-data:root /var/log/fido2.log
  4. Configure the $PHPCLIENT/config.php. The following should be configured:
    1. server: IP address/hostname of the GreenRADIUS server to authenticate against.
    2. relying-party: A valid domain string that identifies the FIDO2 relying party (e.g. fido2demo.com). The same identifier with have to be configured on the GreenRADIUS FIDO2 server.
    3. client-id: A unique identifier for this particular client. The same ID must be configured in GreenRADIUS and cannot be shared by any other client.
    4. shared-secret: A shared secret key to authenticate the client module with GreenRADIUS. The same secret must also be configured in GreenRADIUS.
  5. In GreenRADIUS, go to Global Configuration > Client-Based Authentication Policies and select Add a New Client.
  6. Populate the new client with the same client ID, shared secret, and relying party identifier as in the $PHPCLIENT/config.php file. Set the client type to FIDO2_Web_API, and configure the other settings as preferred.
  7. You can now begin to develop your application. To help with this, a minimal example site has been provided as part of the installation package in the demosite/ directory. To deploy the demo site, place the $JSCLIENT files into the same directory as the demo site, and place the $PHPCLIENT file so that auth.php is accessible at the /mgmt-api/ path on the server. You may need to make adjustments depending on your particular configuration.
Updated 2023-06-10
© 2024 Green Rocket Security Inc. All rights reserved.

Deploying GreenRADIUS on Ubuntu 20

Prerequisites

  • An Ubuntu 20 server versioned 20.04 or greater
  • Ensure the network interface is configured with a static IP, netmask, gateway, and DNS
  • The update package for GreenRADIUS 5.1.6.6 or later

Steps

  1. Log in as a user with sudo access.
  2. Run sudo apt-get update
  3. Run sudo apt-get install apt-transport-https ca-certificates curl gnupg-agent software-properties-common
  4. Run curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
  5. Run sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
  6. Run sudo apt-get install docker-ce docker-ce-cli containerd.io
  7. Run sudo curl -L "https://github.com/docker/compose/releases/download/1.28.2/docker-compose-Linux-x86_64" -o /usr/local/bin/docker-compose
  8. Run sudo chmod +x /usr/local/bin/docker-compose
  9. Run sudo apt-get install unzip incron net-tools
  10. Run sudo adduser gradmin
  11. Run sudo adduser gradmin sudo
  12. Run sudo chmod -R 750 /home/gradmin
  13. Run sudo chown -R gradmin:gradmin /home/gradmin
  14. Reboot and log in as the gradmin user.
  15. Run mkdir ~/temp
  16. Run cd ~/temp
  17. Copy the GreenRADIUS update package to the /home/gradmin/temp directory of the Ubuntu instance.
  18. For the following commands, replace xxxx with the version number of the GreenRADIUS updte package:
  19. Run sudo unzip GreenRADIUS_xxxx_Update.zip
  20. Run sudo tar -xvzf GreenRADIUS_xxxx_Update/images.tgz -C .
  21. Run sudo tar -xvzf GreenRADIUS_xxxx_Update/others.tgz -C .
  22. Run sudo mkdir -p /opt/grs/scripts
  23. Run sudo cp others/vm_incron_scripts/* /opt/grs/scripts/
  24. Run cd /opt/grs/scripts && sudo chown root:root *.sh && sudo chmod 511 freeradius_restart.sh get_host_info.sh incron_script.sh openldap_cmd_template_3.sh openldap_restart.sh openldap_update_ca_certificates.sh rsyslog_restart.sh && cd -
  25. Run sudo bash -c "echo 'gradmin ALL=(root) NOPASSWD:/opt/grs/scripts/get_host_info.sh , /opt/grs/scripts/incron_script.sh , /opt/grs/scripts/rsyslog_restart.sh , /opt/grs/scripts/freeradius_restart.sh , /opt/grs/scripts/openldap_restart.sh , /opt/grs/scripts/openldap_update_ca_certificates.sh , /opt/grs/scripts/openldap_cmd_template_3.sh' > /etc/sudoers.d/grs"
  26. Run sudo mkdir -p /opt/grs/host-comm/request
  27. Run sudo mkdir -p /opt/grs/host-comm/response
  28. Run sudo chown -R gradmin:gradmin /opt/grs/host-comm
  29. Run sudo bash -c "echo 'gradmin' > /etc/incron.allow"
  30. Run sudo bash -c "echo '/opt/grs/host-comm/request IN_CLOSE_WRITE sudo /opt/grs/scripts/incron_script.sh \$#' > /var/spool/incron/gradmin"
  31. Run sudo service incron restart
  32. Run sudo docker load -i images/greenradius_xxxx_init_image
  33. Run sudo docker load -i images/greenradius_xxxx_main_image
  34. Run sudo docker load -i images/greenradius_xxxx_openldap_image
  35. Run sudo docker load -i images/greenradius_xxxx_postgres_image
  36. Run sudo docker load -i images/greenradius_xxxx_rsyslog_image
  37. Run sudo docker load -i images/greenradius_xxxx_freeradius_image
  38. Run sudo docker load -i images/greenradius_xxxx_grs_auth_app_image
  39. Run sudo mkdir -p /home/gradmin/grs-docker-compose
  40. Run sudo cp others/docker-compose.yml /home/gradmin/grs-docker-compose/
  41. Run cd /home/gradmin/grs-docker-compose
  42. Run sudo docker-compose up -d
  43. Once the previous step completes, the web administration console should be visible if you navigate to the server's IP address or hostname in your browser. Keep in mind that GreenRADIUS does not serve HTTP for security reasons; if you are getting Connection Refused errors, make sure the scheme is set to HTTPS.
  44. Run sudo touch /etc/systemd/system/grs-docker-compose-app.service
  45. Edit the file and insert the following:
[Unit]
Description=Docker Compose Application Service
Requires=docker.service
After=docker.service

[Service]
Type=oneshot
RemainAfterExit=yes
WorkingDirectory=/home/gradmin/grs-docker-compose
ExecStart=/usr/local/bin/docker-compose up -d
ExecStop=/usr/local/bin/docker-compose down
TimeoutStartSec=0

[Install]
WantedBy=multi-user.target
  1. Run sudo systemctl enable grs-docker-compose-app
  2. Run sudo systemctl start grs-docker-compose-app.service
  3. Run sudo rm -rf /home/gradmin/temp/*

The installation is now complete.

For installing subsequent GreenRADIUS updates:

In the following steps, replace xxxx with the version number of the new update.

  1. Copy the GreenRADIUS update package to the /home/gradmin/temp directory.
  2. Log in as gradmin.
  3. Run sudo apt-get update
  4. Run sudo apt-get upgrade
  5. Run cd ~/temp
  6. Run sudo unzip GreenRADIUS_xxxx_Update.zip
  7. Run sudo tar -xvzf GreenRADIUS_xxxx_Update/images.tgz -C .
  8. Run sudo tar -xvzf GreenRADIUS_xxxx_Update/others.tgz -C .
  9. Run sudo docker load -i images/greenradius_xxxx_init_image
  10. Run sudo docker load -i images/greenradius_xxxx_main_image
  11. Run sudo docker load -i images/greenradius_xxxx_openldap_image
  12. Run sudo docker load -i images/greenradius_xxxx_postgres_image
  13. Run sudo docker load -i images/greenradius_xxxx_rsyslog_image
  14. Run sudo docker load -i images/greenradius_xxxx_freeradius_image
  15. Run sudo docker load -i images/greenradius_xxxx_grs_auth_app_image
  16. Run cd /home/gradmin/grs-docker-compose
  17. Run sudo docker-compose down
  18. Run sudo cp /home/gradmin/temp/others/docker-compose.yml .
  19. Run sudo docker-compose up -d

To start or stop the containers:

Before starting or stopping the containers, make sure you are in the grs-docker-compose directory with cd /home/gradmin/grs-docker-compose.

Start the containers

sudo docker-compose up -d

Stop the containers

sudo docker-compose down

Updated 2023-11-28
© 2024 Green Rocket Security Inc. All rights reserved.

Deploying GreenRadius on Oracle Linux 7.x

Prerequisites

  • A target machine running Oracle Linux 7.5 or greater
  • The update package for GreenRADIUS v4.4.6.6
  • The update package for the latest version of GreenRADIUS
  • The zip file containing:
    • The docker-compose.yml file for GreenRADIUS with appropriate patches for RHEL/OEL
    • The docker-compose.override.yml file
    • The timezone_handle_for_docker_on_CentOS.sh file

Deployment Instructions

  1. Log in with a user that has sudo access
  2. Run sudo yum update
  3. Run sudo yum-config-manager --enable *addons
  4. Run cd /etc/yum.repos.d/
  5. Run sudo wget http://yum.oracle.com/public-yum-ol7.repo
  6. Run sudo yum-config-manager --enable *addons
  7. Run sudo yum update
  8. Run sudo yum install docker-engine
  9. Run sudo systemctl start docker
  10. Run sudo systemctl enable docker
  11. Run sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
  12. Run sudo chmod +x /usr/local/bin/docker-compose
  13. Run sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
  14. Run sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
  15. Run sudo yum install incron
  16. Run sudo yum install unzip
  17. Run sudo yum install net-tools
  18. Run sudo useradd -d /home/gradmin -m -G wheel -s /bin/bash gradmin
  19. Run sudo passwd gradmin and set the password for gradmin appropriately
  20. Run sudo chmod -R 750 /home/gradmin
  21. Run sudo chown -R gradmin:gradmin /home/gradmin
  22. Run sudo mkdir /home/gradmin/grs-docker-compose
  23. As root, edit the /etc/selinux/config file and disable SELinux
  24. Run sudo service firewalld stop
  25. Run sudo systemctl disable firewalld
  26. Reboot and login as gradmin
  27. Copy the 4.4.6.6 update package to /tmp/
  28. Copy the docker-compose.yml and docker-compose.override.yml files to /home/gradmin/grs-docker-compose, and the timezone_handle_for_docker_on_CentOS.sh file to /home/gradmin
  29. Run sudo unzip /tmp/GreenRADIUS_xxxx_Update.zip -d /tmp/
  30. Run sudo tar -xvzf /tmp/GreenRADIUS_xxxx_Update/images.tgz -C /tmp/
  31. Run sudo tar -xvzf /tmp/GreenRADIUS_xxxx_Update/others.tgz -C /tmp/
  32. Run sudo mkdir -p /opt/grs/scripts
  33. Run sudo cp /tmp/others/vm_incron_scripts/* /opt/grs/scripts/
  34. Run cd /opt/grs/scripts && sudo chown root:root *.sh && sudo chmod 511 freeradius_restart.sh get_host_info.sh incron_script.sh openldap_cmd_template_3.sh openldap_restart.sh openldap_update_ca_certificates.sh rsyslog_restart.sh && cd -
  35. Run sudo bash -c "echo 'gradmin ALL=(root) NOPASSWD:/opt/grs/scripts/get_host_info.sh , /opt/grs/scripts/incron_script.sh , /opt/grs/scripts/rsyslog_restart.sh , /opt/grs/scripts/freeradius_restart.sh , /opt/grs/scripts/openldap_restart.sh , /opt/grs/scripts/openldap_update_ca_certificates.sh , /opt/grs/scripts/openldap_cmd_template_3.sh' > /etc/sudoers.d/grs"
  36. Run sudo mkdir -p /opt/grs/host-comm/request
  37. Run sudo mkdir -p /opt/grs/host-comm/response
  38. Run sudo chown -R gradmin:gradmin /opt/grs/host-comm
  39. Run sudo bash -c "echo 'gradmin' > /etc/incron.allow"
  40. Run sudo bash -c "echo '/opt/grs/host-comm/request IN_CLOSE_WRITE sudo /opt/grs/scripts/incron_script.sh \$#' > /var/spool/incron/gradmin"
  41. Run sudo systemctl enable incrond
  42. Run sudo service incrond restart
  43. Run sudo docker load -i /tmp/images/greenradius_4466_init_image
  44. Run sudo docker load -i /tmp/images/greenradius_4466_main_image
  45. Run sudo docker load -i /tmp/images/greenradius_4466_openldap_image
  46. Run sudo docker load -i /tmp/images/greenradius_4466_postgres_image
  47. Run sudo docker load -i /tmp/images/greenradius_4466_rsyslog_image
  48. Run sudo docker load -i /tmp/images/greenradius_4466_freeradius_image
  49. Run sudo chmod -R 750 /home/gradmin
  50. Run sudo chown -R gradmin:gradmin /home/gradmin
  51. Run sudo timedatectl set-timezone UTC
  52. Run sudo sh /home/gradmin/timezone_handle_for_docker_on_CentOS.sh
  53. Run cd /home/gradmin/grs-docker-compose.
  54. Run sudo docker-compose -f docker-compose.yml -f docker-compose.override.yml up -d
  55. Verify that a GreenRADIUS 4.4.6.6 instance is accessible via the web. You should be able to visit https://<ip address of instance>/admin in your browser and via the login page for the web administration console.
  56. Run sudo docker-compose down
  57. Copy the latest update package for GreenRADIUS into the /tmp/ directory
  58. Run sudo unzip /tmp/GreenRADIUS_xxxx_Update.zip -d /tmp/ (where "xxxx" is the version number of the GreenRADIUS update package)
  59. Run sudo tar -xvzf /tmp/GreenRADIUS_xxxx_Update/images.tgz -C /tmp/
  60. Run sudo tar -xvzf /tmp/GreenRADIUS_xxxx_Update/others.tgz -C /tmp/
  61. Run sudo docker load -i /tmp/images/greenradius_xxxx_init_image
  62. Run sudo docker load -i /tmp/images/greenradius_xxxx_main_image
  63. Run sudo docker load -i /tmp/images/greenradius_xxxx_openldap_image
  64. Run sudo docker load -i /tmp/images/greenradius_xxxx_postgres_image
  65. Run sudo docker load -i /tmp/images/greenradius_xxxx_rsyslog_image
  66. Run sudo docker load -i /tmp/images/greenradius_xxxx_freeradius_image
  67. Run sudo docker load -i /tmp/images/greenradius_xxxx_grs_auth_app_image
  68. Edit /home/gradmin/grs-docker-compose/docker-compose.yml and replace every occurrence of "4466" with the version for your latest version of GreenRADIUS (e.g. "4499" for v4.4.9.9)
  69. Run cd /home/gradmin/grs-docker-compose
  70. Run sudo docker-compose -f docker-compose.yml -f docker-compose.override.yml up -d
  71. Confirm that the latest GreenRADIUS version is accessible via your browser at the same URL as before.

On future startups, you will need to run sudo docker-compose -f docker-compose.yml -f docker-compose.override.yml up -d from the grs-docker-compose directory, as shown above, to launch the containers.

To apply subsequent updates

  1. Copy the update package to the /tmp directory.
  2. Log in as gradmin.
  3. Run sudo yum update
  4. Run sudo unzip /tmp/GreenRADIUS_xxxx_Update.zip -d /tmp/. Note that in this command and below, xxxx should be replaced with the current version number.
  5. Run sudo tar -xvzf /tmp/GreenRADIUS_xxxx_Update/images.tgz -C /tmp/
  6. Run sudo tar -xvzf /tmp/GreenRADIUS_xxxx_Update/others.tgz -C /tmp/
  7. Run sudo docker load -i /tmp/images/greenradius_xxxx_init_image
  8. Run sudo docker load -i /tmp/images/greenradius_xxxx_main_image
  9. Run sudo docker load -i /tmp/images/greenradius_xxxx_openldap_image
  10. Run sudo docker load -i /tmp/images/greenradius_xxxx_postgres_image
  11. Run sudo docker load -i /tmp/images/greenradius_xxxx_rsyslog_image
  12. Run sudo docker load -i /tmp/images/greenradius_xxxx_freeradius_image
  13. Run sudo docker load -i /tmp/images/greenradius_xxxx_grs_auth_app_image
  14. Run cd /home/gradmin/grs-docker-compose
  15. Run sudo docker-compose down
  16. Run sudo cp /tmp/others/docker-compose.yml /home/gradmin/grs-docker-compose/
  17. Run cd /home/gradmin/grs-docker-compose
  18. Run sudo docker-compose -f docker-compose.yml -f docker-compose.override.yml up -d
Updated 2023-09-06
© 2024 Green Rocket Security Inc. All rights reserved.

Deploying GreenRadius on Amazon Linux 2

Prerequisites

  • A target machine (x86_64) running Amazon Linux 2
  • A GreenRADIUS update package (v5.1.3.3 or later)
  • The docker-compose-override-tz.yml, docker-compose-override.yml, and timezone_handle_for_docker_on_Amazon-Linux-2.sh files from this deployment package

Deployment Instructions

  1. Log in with a user that has sudo access.
  2. Configure a static IP, netmask, gateway and DNS servers for the server.
  3. Run sudo yum update
  4. Run sudo yum install -y yum-utils device-mapper-persistent-data lvm2
  5. Run sudo yum -y install curl wget unzip awscli aws-cfn-bootstrap nfs-utils chrony conntrack jq ec2-instance-connect socat
  6. Run if sudo yum list installed | grep ec2-net-utils; then sudo yum remove ec2-net-utils -y -q; fi
  7. Run sudo amazon-linux-extras enable docker
  8. Run sudo yum -y install docker
  9. Run sudo systemctl enable docker
  10. Run `sudo curl -L "https://github.com/docker/compose/releases/download/1.28.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
  11. Run sudo chmod +x /usr/local/bin/docker-compose
  12. Run sudo yum install unzip
  13. Run sudo amazon-linux-extras install epel -y
  14. Run sudo yum install incron
  15. Run sudo yum install net-tools
  16. Run sudo useradd -d /home/gradmin -m -G wheel -s /bin/bash gradmin
  17. Run sudo passwd gradmin
  18. Run chmod -R 750 /home/gradmin
  19. Run chown -R gradmin:gradmin /home/gradmin
  20. Reboot and log in as the gradmin user.
  21. Copy the latest GreenRADIUS update package to the /tmp/ directory.
  22. Copy the provided docker-compose.override-tz.yml file to /tmp directory.
  23. Copy the provided docker-compose.override.yml file to /tmp directory.
  24. Copy the provided timezone_handle_for_docker_on_Amazon-Linux-2.sh script to /home/gradmin directory.
  25. Run sudo chmod 750 /home/gradmin/timezone_handle_for_docker_on_Amazon-Linux-2.sh
  26. Run sudo chown gradmin:gradmin /home/gradmin/timezone_handle_for_docker_on_Amazon-Linux-2.sh
  27. Run sudo service docker start
  28. Run sudo unzip /tmp/GreenRADIUS_xxxx_Update.zip -d /tmp/. In this instruction and those following, replace xxxx with the version number for the upgrade package.
  29. Run sudo tar -xvzf /tmp/GreenRADIUS_xxxx_Update/images.tgz -C /tmp/
  30. Run sudo tar -xvzf /tmp/GreenRADIUS_xxxx_Update/others.tgz -C /tmp/
  31. Run sudo mkdir -p /opt/grs/scripts
  32. Run sudo cp /tmp/others/vm_incron_scripts/* /opt/grs/scripts/
  33. Run cd /opt/grs/scripts && sudo chown root:root *.sh && sudo chmod 511 freeradius_restart.sh get_host_info.sh incron_script.sh openldap_cmd_template_3.sh openldap_restart.sh openldap_update_ca_certificates.sh rsyslog_restart.sh && cd -
  34. Run sudo bash -c "echo 'gradmin ALL=(root) NOPASSWD:/opt/grs/scripts/get_host_info.sh , /opt/grs/scripts/incron_script.sh , /opt/grs/scripts/rsyslog_restart.sh , /opt/grs/scripts/freeradius_restart.sh , /opt/grs/scripts/openldap_restart.sh , /opt/grs/scripts/openldap_update_ca_certificates.sh , /opt/grs/scripts/openldap_cmd_template_3.sh' > /etc/sudoers.d/grs"
  35. Run sudo mkdir -p /opt/grs/host-comm/request
  36. Run sudo mkdir -p /opt/grs/host-comm/response
  37. Run sudo chown -R gradmin:gradmin /opt/grs/host-comm
  38. Run sudo bash -c "echo 'gradmin' > /etc/incron.allow"
  39. Run sudo bash -c "echo '/opt/grs/host-comm/request IN_CLOSE_WRITE sudo /opt/grs/scripts/incron_script.sh \$#' > /var/spool/incron/gradmin"
  40. Run sudo systemctl enable incrond
  41. Run sudo service incrond restart
  42. Run sudo docker load -i /tmp/images/greenradius_xxxx_init_image
  43. Run sudo docker load -i /tmp/images/greenradius_xxxx_main_image
  44. Run sudo docker load -i /tmp/images/greenradius_xxxx_openldap_image
  45. Run sudo docker load -i /tmp/images/greenradius_xxxx_postgres_image
  46. Run sudo docker load -i /tmp/images/greenradius_xxxx_rsyslog_image
  47. Run sudo docker load -i /tmp/images/greenradius_xxxx_freeradius_image
  48. Run sudo docker load -i /tmp/images/greenradius_xxxx_grs_auth_app_image
  49. Run sudo mkdir -p /home/gradmin/grs-docker-compose
  50. Run sudo cp /tmp/others/docker-compose.yml /home/gradmin/grs-docker-compose/
  51. Run sudo chmod 750 /home/gradmin/grs-docker-compose/docker-compose.yml
  52. Run sudo chown gradmin:gradmin /home/gradmin/grs-docker-compose/docker- compose.yml
  53. Run sudo cp /tmp/docker-compose.override-tz.yml /home/gradmin/grs-docker-compose/
  54. Run sudo chmod 750 /home/gradmin/grs-docker-compose/docker-compose.override-tz.yml
  55. Run sudo chown gradmin:gradmin /home/gradmin/grs-docker-compose/docker- compose.override-tz.yml
  56. Run sudo cp /tmp/docker-compose.override.yml /home/gradmin/grs-docker-compose/
  57. Run sudo chmod 750 /home/gradmin/grs-docker-compose/docker-compose.override.yml
  58. Run sudo chown gradmin:gradmin /home/gradmin/grs-docker-compose/docker-compose.override.yml
  59. Set the proper timezone using the command sudo timedatectl set-timezone <time zone>. You can view a list of valid timezones with sudo timedatectl list-timezones | less.
  60. Run file /etc/timezone. If and only if it is a directory:
    1. Run sudo rm -rf /etc/timezone.
    2. Run sudo touch /etc/timezone.
    3. Edit /etc/timezone and enter the value set in step 59.
  61. Run sudo sh /home/gradmin/timezone_handle_for_docker_on_Amazon-Linux-2.sh
  62. Run sudo su -
  63. Run cd /home/gradmin/grs-docker-compose
  64. Run docker-compose -f docker-compose.yml -f docker-compose.override.yml -f docker- compose.override-tz.yml up -d
  65. Run sudo touch /etc/systemd/system/grs-docker-compose-app.service
  66. Edit /etc/systemd/system/grs-docker-compose-app.service and enter the following:
    # /etc/systemd/system/grs-docker-compose-app.service
    
    [Unit]
    Description=Docker Compose Application Service
    Requires=docker.service
    After=docker.service
    
    [Service]
    Type=oneshot
    RemainAfterExit=yes
    WorkingDirectory=/home/gradmin/grs-docker-compose
    ExecStart=/usr/local/bin/docker-compose -f docker-compose.yml -f docker-compose.override.yml -f docker-compose.override-tz.yml up -d
    ExecStop=/usr/local/bin/docker-compose down
    TimeoutStartSec=0
    
    [Install]
    WantedBy=multi-user.target
    
  67. Save the file.
  68. Run sudo systemctl enable grs-docker-compose-app
  69. Run sudo systemctl start grs-docker-compose-app.service

To apply subsequent updates

  1. Copy the update package to the /tmp directory.
  2. Log in as gradmin.
  3. Run sudo yum update
  4. Run sudo unzip /tmp/GreenRADIUS_xxxx_Update.zip -d /tmp/. Note that in this command and below, xxxx should be replaced with the current version number.
  5. Run sudo tar -xvzf /tmp/GreenRADIUS_xxxx_Update/images.tgz -C /tmp/
  6. Run sudo tar -xvzf /tmp/GreenRADIUS_xxxx_Update/others.tgz -C /tmp/
  7. Run sudo docker load -i /tmp/images/greenradius_xxxx_init_image
  8. Run sudo docker load -i /tmp/images/greenradius_xxxx_main_image
  9. Run sudo docker load -i /tmp/images/greenradius_xxxx_openldap_image
  10. Run sudo docker load -i /tmp/images/greenradius_xxxx_postgres_image
  11. Run sudo docker load -i /tmp/images/greenradius_xxxx_rsyslog_image
  12. Run sudo docker load -i /tmp/images/greenradius_xxxx_freeradius_image
  13. Run sudo docker load -i /tmp/images/greenradius_xxxx_grs_auth_app_image
  14. Run cd /home/gradmin/grs-docker-compose
  15. Run sudo docker-compose down
  16. Run sudo cp /tmp/others/docker-compose.yml /home/gradmin/grs-docker-compose/
  17. Run cd /home/gradmin/grs-docker-compose
  18. Run sudo docker-compose -f docker-compose.yml -f docker-compose.override.yml -f docker-compose.override-tz.yml up -d

To manually start/stop containers

First, change the directory with cd /home/gradmin/grs-docker-compose/.

To start the container, run sudo docker-compose -f docker-compose.yml -f docker-compose.override.yml -f docker-compose.override-tz.yml up -d.

To stop the container, run sudo docker-compose down.

Updated 2023-10-31
© 2024 Green Rocket Security Inc. All rights reserved.

Deploying GreenRadius on Amazon Linux 2023

Prerequisites

  • A target machine (x86_64) running Amazon Linux 2023
  • A GreenRADIUS update package (v5.1.6.6 or later)
  • If you have installed firewall software, make sure that it is set up properly to allow incoming connections.
  • SELinux set to "permissive" or "disabled" (this is the default on fresh installations)
  • The docker-compose-override-tz.yml, docker-compose-override.yml, and timezone_handle_for_docker_on_Amazon-Linux-2.sh files from this deployment package

Deployment Instructions

  1. Log in with a user that has sudo access.
  2. Run sudo yum update
  3. Run sudo yum install -y yum-utils device-mapper-persistent-data lvm2
  4. Run sudo yum -y install wget unzip awscli aws-cfn-bootstrap nfs-utils chrony conntrack jq ec2-instance-connect socat
  5. Run sudo yum install curl
  6. Run sudo yum install libxcrypt-compat
  7. Run if sudo yum list installed | grep ec2-net-utils; then sudo yum remove ec2-net-utils -y -q; fi
  8. Run sudo yum -y install docker
  9. Run sudo systemctl enable docker
  10. Run `sudo curl -L "https://github.com/docker/compose/releases/download/1.28.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
  11. Run sudo chmod +x /usr/local/bin/docker-compose
  12. Run sudo yum install unzip
  13. Run wget https://dl.fedoraproject.org/pub/epel/8/Everything/x86_64/Packages/i/incron-0.5.12-12.el8.x86_64.rpm
  14. Run sudo rpm -i incron-0.5.12-12.el8.x86_64.rpm
  15. Run sudo yum install net-tools
  16. Run sudo useradd -d /home/gradmin -m -G wheel -s /bin/bash gradmin
  17. Run sudo passwd gradmin
  18. Run chmod -R 750 /home/gradmin
  19. Run chown -R gradmin:gradmin /home/gradmin
  20. Run sudo su gradmin to assume the permissions of the gradmin user
  21. Run mkdir ~/temp
  22. Run cd ~/temp
  23. Copy the latest GreenRADIUS update package to the /home/gradmin/temp/ directory.
  24. Copy the provided docker-compose.override-tz.yml file to the /home/gradmin/temp/ directory.
  25. Copy the provided docker-compose.override.yml file to the /home/gradmin/temp/ directory.
  26. Copy the provided timezone_handle_for_docker_on_Amazon-Linux-2.sh script to /home/gradmin directory.
  27. Run sudo chmod 750 /home/gradmin/timezone_handle_for_docker_on_Amazon-Linux-2.sh
  28. Run sudo chown gradmin:gradmin /home/gradmin/timezone_handle_for_docker_on_Amazon-Linux-2.sh
  29. Run sudo service docker start
  30. Run sudo unzip GreenRADIUS_xxxx_Update.zip. In this instruction and those following, replace xxxx with the version number for the upgrade package.
  31. Run sudo tar -xvzf GreenRADIUS_xxxx_Update/images.tgz -C .
  32. Run sudo tar -xvzf GreenRADIUS_xxxx_Update/others.tgz -C .
  33. Run sudo mkdir -p /opt/grs/scripts
  34. Run sudo cp others/vm_incron_scripts/* /opt/grs/scripts/
  35. Run cd /opt/grs/scripts && sudo chown root:root *.sh && sudo chmod 511 freeradius_restart.sh get_host_info.sh incron_script.sh openldap_cmd_template_3.sh openldap_restart.sh openldap_update_ca_certificates.sh rsyslog_restart.sh && cd -
  36. Run sudo bash -c "echo 'gradmin ALL=(root) NOPASSWD:/opt/grs/scripts/get_host_info.sh , /opt/grs/scripts/incron_script.sh , /opt/grs/scripts/rsyslog_restart.sh , /opt/grs/scripts/freeradius_restart.sh , /opt/grs/scripts/openldap_restart.sh , /opt/grs/scripts/openldap_update_ca_certificates.sh , /opt/grs/scripts/openldap_cmd_template_3.sh' > /etc/sudoers.d/grs"
  37. Run sudo mkdir -p /opt/grs/host-comm/request
  38. Run sudo mkdir -p /opt/grs/host-comm/response
  39. Run sudo chown -R gradmin:gradmin /opt/grs/host-comm
  40. Run sudo bash -c "echo 'gradmin' > /etc/incron.allow"
  41. Run sudo bash -c "echo '/opt/grs/host-comm/request IN_CLOSE_WRITE sudo /opt/grs/scripts/incron_script.sh \$#' > /var/spool/incron/gradmin"
  42. Run sudo systemctl enable incrond
  43. Run sudo service incrond restart
  44. Run sudo docker load -i images/greenradius_xxxx_init_image
  45. Run sudo docker load -i images/greenradius_xxxx_main_image
  46. Run sudo docker load -i images/greenradius_xxxx_openldap_image
  47. Run sudo docker load -i images/greenradius_xxxx_postgres_image
  48. Run sudo docker load -i images/greenradius_xxxx_rsyslog_image
  49. Run sudo docker load -i images/greenradius_xxxx_freeradius_image
  50. Run sudo docker load -i images/greenradius_xxxx_grs_auth_app_image
  51. Run sudo mkdir -p /home/gradmin/grs-docker-compose
  52. Run sudo cp others/docker-compose.yml /home/gradmin/grs-docker-compose/
  53. Run sudo chmod 750 /home/gradmin/grs-docker-compose/docker-compose.yml
  54. Run sudo chown gradmin:gradmin /home/gradmin/grs-docker-compose/docker- compose.yml
  55. Run sudo cp docker-compose.override-tz.yml /home/gradmin/grs-docker-compose/
  56. Run sudo chmod 750 /home/gradmin/grs-docker-compose/docker-compose.override-tz.yml
  57. Run sudo chown gradmin:gradmin /home/gradmin/grs-docker-compose/docker-compose.override-tz.yml
  58. Run sudo cp docker-compose.override.yml /home/gradmin/grs-docker-compose/
  59. Run sudo chmod 750 /home/gradmin/grs-docker-compose/docker-compose.override.yml
  60. Run sudo chown gradmin:gradmin /home/gradmin/grs-docker-compose/docker-compose.override.yml
  61. Set the proper timezone using the command sudo timedatectl set-timezone <time zone>. You can view a list of valid timezones with sudo timedatectl list-timezones | less.
  62. Run file /etc/timezone
  63. If and only if /etc/timezone exists and is a directory, run sudo rm -rf /etc/timezone
  64. Run sudo touch /etc/timezone
  65. Edit /etc/timezone and enter the value set in step 59.
  66. Run sudo sh /home/gradmin/timezone_handle_for_docker_on_Amazon-Linux-2.sh
  67. Run sudo su -
  68. Run cd /home/gradmin/grs-docker-compose
  69. Run docker-compose -f docker-compose.yml -f docker-compose.override.yml -f docker- compose.override-tz.yml up -d
  70. Run sudo touch /etc/systemd/system/grs-docker-compose-app.service
  71. Edit /etc/systemd/system/grs-docker-compose-app.service and enter the following:
    # /etc/systemd/system/grs-docker-compose-app.service
    
    [Unit]
    Description=Docker Compose Application Service
    Requires=docker.service
    After=docker.service
    
    [Service]
    Type=oneshot
    RemainAfterExit=yes
    WorkingDirectory=/home/gradmin/grs-docker-compose
    ExecStart=/usr/local/bin/docker-compose -f docker-compose.yml -f docker-compose.override.yml -f docker-compose.override-tz.yml up -d
    ExecStop=/usr/local/bin/docker-compose down
    TimeoutStartSec=0
    
    [Install]
    WantedBy=multi-user.target
    
  72. Save the file.
  73. Run sudo systemctl enable grs-docker-compose-app
  74. Run sudo systemctl start grs-docker-compose-app.service
  75. Run sudo rm -rf /home/gradmin/temp/*

To apply subsequent updates

  1. Copy the update package to the /home/gradmin/temp/ directory.
  2. Log in as gradmin.
  3. Run sudo yum update
  4. Run sudo unzip /home/gradmin/temp/GreenRADIUS_xxxx_Update.zip -d /home/gradmin/temp/. Note that in this command and below, xxxx should be replaced with the current version number.
  5. Run cd /home/gradmin/temp
  6. Run sudo tar -xvzf GreenRADIUS_xxxx_Update/images.tgz -C .
  7. Run sudo tar -xvzf GreenRADIUS_xxxx_Update/others.tgz -C .
  8. Run sudo docker load -i images/greenradius_xxxx_init_image
  9. Run sudo docker load -i images/greenradius_xxxx_main_image
  10. Run sudo docker load -i images/greenradius_xxxx_openldap_image
  11. Run sudo docker load -i images/greenradius_xxxx_postgres_image
  12. Run sudo docker load -i images/greenradius_xxxx_rsyslog_image
  13. Run sudo docker load -i images/greenradius_xxxx_freeradius_image
  14. Run sudo docker load -i images/greenradius_xxxx_grs_auth_app_image
  15. Run cd /home/gradmin/grs-docker-compose
  16. Run sudo docker-compose down
  17. Run sudo cp /home/gradmin/temp/others/docker-compose.yml /home/gradmin/grs-docker-compose/
  18. Run cd /home/gradmin/grs-docker-compose
  19. Run sudo docker-compose -f docker-compose.yml -f docker-compose.override.yml -f docker-compose.override-tz.yml up -d
  20. Run sudo rm -rf /home/gradmin/temp/*

To manually start/stop containers

First, change the directory with cd /home/gradmin/grs-docker-compose/.

To start the container, run sudo docker-compose -f docker-compose.yml -f docker-compose.override.yml -f docker-compose.override-tz.yml up -d.

To stop the container, run sudo docker-compose down.

Updated 2023-10-31
© 2024 Green Rocket Security Inc. All rights reserved.

Deploying GreenRadius on RedHat Enterprise Linux

Prerequisites

  • A target machine running RHEL 7 or 8
  • Adjust SELinux in a way that allows GreenRADIUS to function smoothly
  • A GreenRADIUS update package (v5.1.3.3 or later)

Deployment Instructions

  1. Log in with a user that has sudo access.
  2. Run sudo yum update
  3. Run sudo yum install -y yum-utils
  4. Run sudo yum update
  5. Run sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E '%{rhel}').noarch.rpm
  6. Run sudo yum -y install container-selinux
  7. Run sudo yum makecache --refresh
  8. Run sudo yum -y install fuse-overlayfs
  9. Run sudo yum -y install slirp4netns
  10. Run sudo dnf update
  11. Run sudo dnf install epel-release
  12. Run sudo dnf install --enablerepo="epel" ufw
  13. Run sudo yum remove docker-ce docker-ce-cli containerd.io
  14. Run sudo dnf install podman
  15. Run sudo dnf install podman-plugins
  16. Run sudo yum install python3
  17. Run sudo pip3 install podman-compose
  18. Check where podman-compose has been installed by running sudo find / -name "podman-compose"
  19. Create a symlink to this path with sudo ln -s <path/where/podman-compose/is/installed> /usr/bin/podman-compose
  20. Run sudo yum install incron
  21. Run sudo yum install unzip
  22. Run sudo yum install net-tools
  23. Run sudo useradd -d /home/gradmin -m -G wheel -s /bin/bash gradmin
  24. Run sudo passwd gradmin and set the password for gradmin appropriately
  25. Run sudo chmod -R 750 /home/gradmin
  26. Run sudo chown -R gradmin:gradmin /home/gradmin
  27. Run sudo mkdir /home/gradmin/grs-podman-compose
  28. Run sudo service firewalld stop
  29. Run sudo systemctl disable firewalld
  30. Reboot and login as gradmin
  31. Copy the GreenRADIUS update package to the /tmp/ directory
  32. Run sudo unzip /tmp/GreenRADIUS_xxxx_Update.zip -d /tmp/ (Note: For this step and subsequent steps with "GreenRADIUS_xxxx_Update.zip", replace "xxxx" with the appropriate version number of the GreenRADIUS update package.)
  33. Run sudo tar -xvzf /tmp/GreenRADIUS_xxxx_Update/images.tgz -C /tmp/
  34. Run sudo tar -xvzf /tmp/GreenRADIUS_xxxx_Update/others.tgz -C /tmp/
  35. Run sudo cp /tmp/others/docker-compose.yml /home/gradmin/grs-podman-compose/
  36. Run sudo cp /tmp/others/podman-compose.override.yml /home/gradmin/grs-podman-compose/
  37. Run sudo mkdir -p /opt/grs/scripts
  38. Run sudo cp /tmp/others/vm_incron_scripts/* /opt/grs/scripts/
  39. Run cd /opt/grs/scripts && sudo chown root:root *.sh && sudo chmod 511 freeradius_restart.sh get_host_info.sh incron_script.sh openldap_cmd_template_3.sh openldap_restart.sh openldap_update_ca_certificates.sh rsyslog_restart.sh && cd -
  40. Run sudo bash -c "echo 'gradmin ALL=(root) NOPASSWD:/opt/grs/scripts/get_host_info.sh , /opt/grs/scripts/incron_script.sh , /opt/grs/scripts/rsyslog_restart.sh , /opt/grs/scripts/freeradius_restart.sh , /opt/grs/scripts/openldap_restart.sh , /opt/grs/scripts/openldap_update_ca_certificates.sh , /opt/grs/scripts/openldap_cmd_template_3.sh' > /etc/sudoers.d/grs"
  41. Run sudo mkdir -p /opt/grs/host-comm/request
  42. Run sudo mkdir -p /opt/grs/host-comm/response
  43. Run sudo chown -R gradmin:gradmin /opt/grs/host-comm
  44. Run sudo bash -c "echo 'gradmin' > /etc/incron.allow"
  45. Run sudo bash -c "echo '/opt/grs/host-comm/request IN_CLOSE_WRITE sudo /opt/grs/scripts/incron_script.sh \$#' > /var/spool/incron/gradmin"
  46. Run sudo systemctl enable incrond
  47. Run sudo service incrond restart
  48. Run sudo podman load -i /tmp/images/greenradius_xxxx_init_image
  49. Run sudo podman load -i /tmp/images/greenradius_xxxx_main_image
  50. Run sudo podman load -i /tmp/images/greenradius_xxxx_openldap_image
  51. Run sudo podman load -i /tmp/images/greenradius_xxxx_postgres_image
  52. Run sudo podman load -i /tmp/images/greenradius_xxxx_rsyslog_image
  53. Run sudo podman load -i /tmp/images/greenradius_xxxx_freeradius_image
  54. Run sudo podman load -i /tmp/images/greenradius_xxxx_grs_auth_app_image
  55. Run sudo chmod -R 750 /home/gradmin
  56. Run sudo chown -R gradmin:gradmin /home/gradmin
  57. Run sudo timedatectl set-timezone UTC
  58. Run sudo cp /tmp/others/scripts/get_system_timezone.sh /opt/grs/scripts/
  59. Run sudo sh +x /opt/grs/scripts/get_system_timezone.sh
  60. Run sudo sh +x /tmp/others/scripts/prerequisite_for_getting_system_timezone.sh
  61. Run cd /home/gradmin/grs-podman-compose
  62. Run sudo podman-compose -f docker-compose.yml -f podman-compose.override.yml up -d
  63. Verify that the GreenRADIUS instance is accessible via the web. You should be able to visit https://<ip address of instance>/admin in your browser to access the GreenRADIUS web admin interface.

Applying Updates to Your GreenRADIUS Instance

  1. Run cd /home/gradmin/grs-podman-compose
  2. Run sudo podman-compose down
  3. Copy the latest update package for GreenRADIUS into the /tmp/ directory
  4. Run sudo unzip /tmp/GreenRADIUS_xxxx_Update.zip -d /tmp/ (where "xxxx" is the version number of the GreenRADIUS update package)
  5. Run sudo tar -xvzf /tmp/GreenRADIUS_xxxx_Update/images.tgz -C /tmp/
  6. Run sudo tar -xvzf /tmp/GreenRADIUS_xxxx_Update/others.tgz -C /tmp/
  7. Run sudo podman load -i /tmp/images/greenradius_xxxx_init_image
  8. Run sudo podman load -i /tmp/images/greenradius_xxxx_main_image
  9. Run sudo podman load -i /tmp/images/greenradius_xxxx_openldap_image
  10. Run sudo podman load -i /tmp/images/greenradius_xxxx_postgres_image
  11. Run sudo podman load -i /tmp/images/greenradius_xxxx_rsyslog_image
  12. Run sudo podman load -i /tmp/images/greenradius_xxxx_freeradius_image
  13. Run sudo podman load -i /tmp/images/greenradius_xxxx_grs_auth_app_image
  14. Edit /home/gradmin/grs-podman-compose/docker-compose.yml and replace every occurrence of the current version number with the version for your latest version of GreenRADIUS (e.g. 5122 for v5.1.2.2)
  15. Run cd /home/gradmin/grs-podman-compose
  16. Run sudo podman-compose -f docker-compose.yml -f podman-compose.override.yml up -d
  17. Confirm that the latest GreenRADIUS version is accessible via your browser at the same URL as before. On future startups, you will need to run sudo podman-compose -f docker-compose.yml -f podman-compose.override.yml up -d from the grs-podman-compose directory, as shown above, to launch the containers.

Note: Whenever the timezone on the server will be changed, the server will have to be rebooted for the timezone to be reflected in the containers.

Updated 2023-10-16
© 2024 Green Rocket Security Inc. All rights reserved.