Applications:YubiRADIUS RADIUS Service
From Yubico
YubiRADIUS Sandbox Radius Service How to Guide
Disclaimer
The contents of this document are subject to revision without notice due to continued progress in methodology, design, and manufacturing. Yubico shall have no liability for any error or damages of any kind resulting from the use of this document. The Yubico Software referenced in this document is licensed to you under the terms and conditions accompanying the software or as otherwise agreed between you or the company that you are representing.
Trademarks
Yubico and YubiKey are trademarks of Yubico AB. Other trademarks belong to their respective owners and are hereby acknowledged.
Contact Information
Yubico AB Kungsgatan 62 111 22 Stockholm Sweden info@yubico.com
Document Information
Purpose
The purpose of this document is to guide the readers through the configuration steps required to use the YubiOK RADIUS service.
Audience
This document is intended for technical staff within Yubico customers wishing to test using the YubiKey to assist in securing access to corporate resources such as Remote Access service or VPN.
References
The Yubico RADIUS Service is based on the open source FreeRADIUS software.
Version
This version 0-9 is released to the Yubico developer community for testing the Yubico developed configuration of the FreeRADIUS server in a service setting.
Definitions
| Term | Definition |
| --- | --- |
| YubiRadius | Yubico’s RADIUS service |
| VPN | Virtual Private Network |
| SSL | Secure Sockets Layer |
| RADIUS | Remote Authentication Dial In User Service |
| PIN | Personal Identification Number |
| OTP | One Time Password |
| YubiKey ID | The 12 character (48 bit) public identifier of a YubiKey |
| YMS | YubiKey Management Service |
Introduction
Yubico is a security company, founded in 2007, with offices in Stockholm, Sweden (the European office) and Sunnyvale, California (the North American office).
Yubico’s mission is to “make Internet identification secure, easy, and affordable for everyone”. The Company offers a physical authentication device/token, the YubiKey, which is used to provide secure authentication to web services and various other applications.
The YubiKey device is a tiny key-sized one-button authentication device that emulates a USB keyboard and is designed to generate a unique user identity and a one-time password without requiring any software to be installed on the computer. When the YubiKey is inserted into a USB port on a computer and the illuminated button on the device is pressed, the YubiKey sends an OTP (One Time Password) to the computer as a sequence of keyboard characters, saving the user from typing it. Customers that want to use YubiKeys have two options for validating YubiKey OTPs: they can use the YubiKey SDK to provision keys and verify OTPs locally, or use the Yubico web API to verify OTPs online (over the internet) against the hosted Yubico Validation Service.
In order to provide a reliable online service to its customers, Yubico hosts its servers in highly secure hosting facilities for the critical OTP validation servers.
Many organizations utilize the powerful and flexible authentication mechanism provided by the RADIUS protocol. A RADIUS server combined with an industry standard VPN or SSL-based VPN access point forms a robust and easy solution for remote access. However, in all secure remote access scenarios two-factor authentication is highly recommended.
Yubico provides a RADIUS service for strong two-factor authentication, i.e. “username + PIN/password + YubiKey OTP”. The RADIUS service provides the following:
- An online RADIUS server capable of handling RADIUS requests over the internet
- A validation service for validating usernames, PIN/passwords and YubiKey OTPs
- User and (PIN)/password management
- Username, YubiKey ID mappings
- RADIUS settings for RADIUS clients
The RADIUS server uses the production Yubico validation service for validating the OTPs. All usernames, passwords and username-to-YubiKey ID mappings are stored internally by the service and integrated with the online management of YubiKeys in YMS. The complete solution can be easily managed through the YubiOK RADIUS service.
The online YubiOK RADIUS service is initially aimed at making evaluation of the YubiKey for remote access solutions (for up to 10 users) easy to perform, without the user having to download and configure the on-premises Yubico – FreeRADIUS combination. The on-premises Yubico – FreeRADIUS solution is aimed at a larger user base and at organizations that want their YubiKeys managed within the boundaries of the organization. Later on, a scaled-up online RADIUS service will be available to manage a larger number of users (and will then be subscription based).
For the first time, strong two-factor YubiKey RADIUS-based authentication can be tried out with minimal effort.
Pre-Requisites
Before using the RADIUS service, you will need the following:
A Domain Name
We will use the domain “testradius.com” in the example below. The domain name cannot exceed 15 characters and it cannot contain any of the following characters:
\ / " [ ] < > + = ; , ? * @
The domain name can be any name but it should be unique within the YubiOK RADIUS service.
One or more YubiKey(s)
For more information regarding YubiKey, please visit the following link:
http://www.yubico.com/products/yubikey/
It is recommended to reserve one YubiKey for administration of the RADIUS Service. In the example below we will use the YubiKey with ID "vrkvfefuitvf" as the admin key and the YubiKey with ID "tgnuidfhlvug" as the user account.
Configuration
Please follow the configuration steps below to use the RADIUS service.
Creating an administrative account
To manage the users, the domain and the username-to-YubiKey mapping, you first need to create an administrative account. To create an administrative account, follow the steps described below:
Enter the Admin Portal
Go to the RADIUS Service admin website using the following link:
The webpage below will be displayed:
Enroll
- Click on “enroll here”, which is highlighted in the following image.
- Enter the username chosen for the administrator, and enter a strong password twice. You will then need to provide a YubiKey OTP by touching the YubiKey button. In this example, we will use the username “admin_testradius”. The screen will look as shown below:
- Click on the “Enroll” button. If all the input parameters are entered correctly, you will see the following screen:
Creating and managing Users
To create and manage users under your domain, you need to log in to the YubiOK RADIUS service as the administrative user created in the “Creating an administrative account” section above.
Please follow the steps below to create and manage users:
Enter the Admin Portal
Go to the FreeRADIUS-Beta admin website using the following link:
The webpage below will be displayed:
Login
Enter the admin username, password and YubiKey OTP as shown in the image below and click on the “Login” button.
The webpage below will be displayed:
Radius Admin Portal
Once the password and YubiKey OTP are successfully validated, you will be redirected to the RADIUS Service admin portal as shown in the image below:
Add
Enter your domain name as shown in the following image and click on the “Add” button:
Results
This will add the “testradius.com” domain to the RADIUS server and it will be displayed as shown in the image below:
Create User Accounts
To create users for your domain, click on the “Manage” button as shown in the following image:
Register a User
Enter a username, and enter a password. You will then need to supply a YubiKey OTP by touching the button on the YubiKey. For this example, we use the username “user1”. The screen will look like the image below:
User List
After clicking the “Add” button, the user will be added and displayed as shown in the image below:
Testing the RADIUS service
For testing the RADIUS Service, please follow the steps below:
Go to the Test Portal
Go to the RADIUS Service testing website, using the following link:
The web-page below will be displayed:
Users can select either PAM or EAP mode. By default, PAM Authentication Mode is selected.
Enter User Credentials
Enter the username followed by “@” and the domain name (e.g. user1@testradius.com), the password and a YubiKey OTP as shown in the image below, then click on the “Login Test” button.
- For PAM Mode:
- For EAP Mode:
Successful Login
If the password, the YubiKey OTP and the username-to-YubiKey ID mapping are validated successfully, you will receive the “access-accept” result as shown in the image below:
- PAM Mode:
- EAP Mode:
Dummy Intranet Page
Testing the RADIUS service with RADIUS client
To test the YubiOK RADIUS service with your own RADIUS client, you need to log in to the YubiOK RADIUS service as the administrative user created in the “Creating an administrative account” section above.
Please follow the steps below to configure the RADIUS client settings for your test domain:
Admin Page
Go to the FreeRADIUS-Beta admin website using the following link:
The webpage below will be displayed:
Login
Enter the admin username, password and YubiKey OTP as shown in the image below and click on the “Login” button:
Clients
Once logged in as an admin user, click on the “Clients” button highlighted on the image below:
Set Up Client Data
Add your RADIUS client IP address and a strong client secret and click on the “Add” button. Please note that the client IP address must be the public IP address from which the RADIUS requests will be sent to the Yubico RADIUS Service; requests arriving from any other address will not match the client entry. The Clients page will be displayed as shown below:
Client Setup
After clicking the “Add” button, the client will be added to the RADIUS server and will be displayed as shown in the image below:
RADIUS Client
Configure the RADIUS client (e.g. the VPN appliance) to send RADIUS authentication requests to radius.yubico.com, configure the same shared secret on the client, and set the RADIUS port to UDP 1812.
Please note that the Yubico RADIUS Service uses UDP port 1812 for communication. Remember to configure your firewall settings to allow outbound communication on UDP port 1812 to host 174.143.252.6 (radius.yubico.com).
Test
Typically the test application, e.g. the VPN client, will prompt for user credentials, i.e. user name and password, at the time of authentication.
In the “User Name” field, enter the user name and domain name in the following format:
- For PAM Mode:
“username” + “@” + “domainname”
e.g. in our example configuration it will be “user1@testradius.com”. Then, in the “Password” field, enter the user’s password immediately followed by the YubiKey OTP, i.e. “PW” + “YubiKey OTP”.
- For EAP Mode:
“username” + “@” + “domainname” + “:” + “YubiKey OTP”
e.g. in our example configuration it will be “user1@testradius.com:<YubiKey OTP>”. Then, in the “Password” field, enter the user’s password only.
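The following added example (not code from Yubico or the RADIUS service) shows how the two credential formats above are taken apart on the receiving side: in PAM mode the OTP is the tail of the User-Password, in EAP mode it follows the “:” in the User-Name, and in both cases the first 12 characters of the OTP are the YubiKey ID that must match the username mapping. It assumes the standard 44-character modhex OTP; the domain rules and YubiKey IDs are the ones given in this guide, and the mapping table is constructed for the example.

```python
# Modhex alphabet used by YubiKey OTPs. Assumption: a standard OTP is 44
# modhex characters = 12-character public YubiKey ID + 32-character encrypted part.
MODHEX = "cbdefghijklnrtuv"
OTP_LEN = 44
YUBIKEY_ID_LEN = 12
# Characters the guide forbids in a domain name.
DOMAIN_FORBIDDEN = set('\\/"[]<>+=;,?*@')

# Constructed username -> YubiKey ID mapping, using the user key ID from the guide.
USER_YUBIKEY_MAP = {"user1@testradius.com": "tgnuidfhlvug"}


def valid_domain(domain):
    """Apply the guide's domain rules: 1..15 characters, no forbidden characters."""
    return 0 < len(domain) <= 15 and not (set(domain) & DOMAIN_FORBIDDEN)


def is_otp(s):
    """Cheap syntactic check only; the OTP itself is verified by the validation service."""
    return len(s) == OTP_LEN and all(c in MODHEX for c in s)


def split_credentials(mode, user_name, password):
    """Split the RADIUS User-Name / User-Password pair into
    (username@domain, static password, otp) for PAM or EAP mode.
    Returns None when the input does not match the mode's format."""
    if mode == "PAM":
        # User-Name = "user@domain", User-Password = "PW" + OTP
        realm = user_name
        if len(password) <= OTP_LEN:          # password part must not be empty
            return None
        static_pw, otp = password[:-OTP_LEN], password[-OTP_LEN:]
    elif mode == "EAP":
        # User-Name = "user@domain:OTP", User-Password = "PW"
        realm, sep, otp = user_name.rpartition(":")
        if not sep:
            return None
        static_pw = password
    else:
        return None
    user, at, domain = realm.partition("@")
    if not at or not user or not valid_domain(domain) or not is_otp(otp):
        return None
    return realm, static_pw, otp


def yubikey_matches_user(realm, otp):
    """Check the YubiKey ID (first 12 OTP characters) against the stored mapping."""
    return USER_YUBIKEY_MAP.get(realm) == otp[:YUBIKEY_ID_LEN]
```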
Established Link
After successful authentication, the VPN connection should be established.
Debugging
The FreeRADIUS-Beta admin website provides the RADIUS server debug messages, which are helpful while troubleshooting. To view the debug messages, click on the “View logs” link on the “Yubico RADIUS Service Client Management” page, as highlighted in the image below:
The RADIUS server debug messages generated for the selected client will be displayed as follows:
