Code42 Support

Setting Up RADIUS For Code42 Platform Versions 4.1.4 And 4.1.5

Applies to:
  • CrashPlan PROe

Overview

RADIUS is a networking protocol that provides authentication, authorization and accounting. This tutorial explains how to configure your Code42 environment to authenticate with one or more RADIUS servers.

Considerations

The RADIUS protocol has some limitations within the Code42 environment:

  • Authentication occurs only during initial sign in or during authorization
  • Scheduling of RADIUS synchronization is not available
  • Each master server requires an entry in the appropriate RADIUS server configuration files
  • Your enterprise server is considered to be a NAS (network access server) by RADIUS servers

If you require more advanced functionality, such as customized scripts to control the activation and deactivation of users, or to place users into the correct organizations or roles, then LDAP may be a better choice. The Code42 environment also supports single sign-on (SSO).

RADIUS alerts
After configuring RADIUS, monitor and respond to alerts related to RADIUS sent by your Code42 environment.

Before you begin

This article assumes that you have a functioning and configured RADIUS server. See External Resources for more information on RADIUS administration, along with open source implementations of RADIUS.

Any RADIUS server that you wish to use with your Code42 environment must have the following items configured:

  1. Your master server must be listed in the correct RADIUS configuration files, with the correct options. This file varies according to the RADIUS server software, but is often a file with a name such as clients, clients.conf, or naslist. You will need to configure one or more of these files, or the SQL database that is configured to store RADIUS configuration info.
  2. A shared encryption key (shared secret) must exist for each master server that you want to use with your RADIUS server. The encryption key is often stored in the clients or clients.conf file.
  3. The RADIUS server must be accessible to your master server on your LAN or WAN. By default, RADIUS servers use port 1812 for access requests, and 1813 for accounting requests. RADIUS uses the UDP protocol.
  4. You must collect the following information to have on hand for the configuration process:
    1. RADIUS server hostname or IP address
    2. RADIUS port number for access requests (default is 1812)
    3. One of these means of identifying your master server:
      • NAS-Identifier attribute (the name given to your master server in the RADIUS config file, which is often clients or clients.conf)
      • NAS-IP-Address (your master server's IP address)

Steps

Step 1: Perform ping test to RADIUS server

It's a good idea to test the connectivity between your master server and RADIUS server. Ping confirms only that the host is reachable; it does not test UDP ports 1812 and 1813.

  1. From a terminal window or command prompt on your master server, enter the following command:
    ping radius.example.com
    • Replace the hostname "radius.example.com" with the actual hostname or IP address of your RADIUS server
  2. Verify that the RADIUS server is reachable on the network, as in the example below:
master:~ root$ ping radius
PING ldap (172.16.195.163): 56 data bytes
64 bytes from 172.16.195.163: icmp_seq=0 ttl=64 time=1.601 ms
64 bytes from 172.16.195.163: icmp_seq=1 ttl=64 time=0.978 ms

If your firewall blocks traffic on ports 1812 and 1813, then you will need to configure your firewall to allow traffic on these ports, or contact your firewall administrator.

Step 2: Configure Master server

  1. From Settings > Security > RADIUS, click the Add button:
    Add RADIUS Server
  2. Enter the correct values in RADIUS Server Setup for your RADIUS environment:
    RADIUS Server Setup
    Field | Description
    Server Name | Identifies the RADIUS server within your Code42 environment
    Address | The hostname or IP address plus port, in the format: hostname:port
      • The word "testing" will be displayed briefly during the connection test. Wait for the test to complete before clicking Save.
      • A green checkmark and the word "Reachable" indicate successful communication.
      • A message saying "Failed" in red to the right of the Address field indicates unsuccessful communication. Check the hostname or IP address of your RADIUS server.
    Shared Secret | The shared encryption key that the master server and RADIUS server use to communicate securely
    Attributes | The attribute/value pairs you want to send to the RADIUS server with each access request. Either the NAS-Identifier or NAS-IP-Address attribute/value pair is required.
  3. Click the Save button

Step 3: Enable RADIUS authentication

In order to utilize your new RADIUS server configuration, you must enable an organization to use RADIUS, or configure your top level organization to default to RADIUS.

Disabling inheritance
If inheritance is disabled for an organization, that organization is not affected by changes to its parent organization.

Enable a single organization to use RADIUS

  1. Go to Organizations > Details > Action Menu > Edit > Security
  2. Enable the desired RADIUS server or servers by selecting them in Servers:
    Enable RADIUS for an organization
  3. Click the Save button

Enable the top-level organization to use RADIUS

If you would like all newly created organizations to be RADIUS-enabled, then set the top-level org to use RADIUS:

  1. Go to Settings > Organization > Security
  2. Enable the desired RADIUS server or servers by selecting them in Servers:
    Enable RADIUS for the Top-Level Organization
  3. Click Save

Step 4: Confirm RADIUS config using test client

After configuring your master server and enabling RADIUS authentication for an organization, test the configuration with a test user and a test device:

  1. Add a test user to the RADIUS-enabled organization.
  2. Install the CrashPlan app on the test device.
  3. Sign in as the test user on the test device.
    • If you are able to sign in, then your setup is complete.
    • If you are not able to sign in:
      • Check the username and password of the test user
      • Confirm that the user exists in your RADIUS environment
      • View the RADIUS log files for more information on the error preventing authorization

RADIUS logs

The RADIUS server's log files are invaluable for troubleshooting the RADIUS configuration.

The example below is from a Linux server running GNU Radius.

In this example, an administrator has access to both the master server and the RADIUS server for her organization.
The administrator wants to find out why user "joe.doe" is unable to sign in from the CrashPlan app, even though the user exists in the RADIUS database. She uses the tail utility to watch the latest entries in the main RADIUS log (radius.log) while clicking the sign in button on the CrashPlan app. This is what she sees:

root@omega:/var/log# tail -f radius.log 
Jul 15 15:21:23 Main.info: reading /usr/local/etc/raddb/config
Jul 15 15:21:23 Main.info: /usr/local/etc/raddb/users reloaded.
Jul 15 15:21:23 Main.info: Ready
Jul 15 15:21:23 Main.info: Ready to process requests.
Jul 16 13:44:29 Auth.notice: (Access-Request local 7 "joe.doe"): Login incorrect [joe.doe/bad_password_example]

Seeing the log file, the administrator realizes that she had entered the wrong password for user "joe.doe."
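
The log line shown above includes the password that was attempted, so the log should be treated as sensitive. The following added example (not part of the original article and not Code42 or GNU Radius code) counts failed sign-ins per user and redacts the attempted password before a log excerpt is shared. It assumes the line format of the excerpt above; every sample line except the first is constructed.

```python
import re
from collections import Counter

# Failed-login line format as it appears in the log excerpt above.
FAILED = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ [\d:]{8}) Auth\.notice: '
    r'\(Access-Request (?P<nas>\S+) (?P<id>\d+) "(?P<user>[^"]*)"\): '
    r'Login incorrect \[[^/\]]*/(?P<password>.*)\]$'
)

# Sample input: the first line is from this page, the rest are constructed.
SAMPLE_LOG = [
    'Jul 16 13:44:29 Auth.notice: (Access-Request local 7 "joe.doe"): Login incorrect [joe.doe/bad_password_example]',
    'Jul 16 13:44:41 Auth.notice: (Access-Request local 8 "joe.doe"): Login incorrect [joe.doe/another]bad/guess]',
    'Jul 16 13:45:02 Auth.notice: (Access-Request local 9 "jane.roe"): Login incorrect [jane.roe/typo123]',
    'Jul 16 13:45:10 Main.info: Ready to process requests.',
]


def redact(line: str) -> str:
    """Replace the attempted password in a failed-login line; leave other lines unchanged."""
    m = FAILED.match(line.rstrip("\n"))
    if not m:
        return line
    return line[:m.start("password")] + "<redacted>" + line[m.end("password"):]


def failed_logins(lines) -> Counter:
    """Count 'Login incorrect' entries per username."""
    counts = Counter()
    for line in lines:
        m = FAILED.match(line.rstrip("\n"))
        if m:
            counts[m["user"]] += 1
    return counts


def repeated_failures(lines, threshold: int = 2) -> list:
    """Usernames with at least `threshold` failed sign-ins (threshold is an assumed value)."""
    return sorted(u for u, n in failed_logins(lines).items() if n >= threshold)


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(redact(entry))
    print("repeated failures:", repeated_failures(SAMPLE_LOG))
```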

RADIUS attribute/value pairs

RADIUS servers expect access requests to contain RADIUS attributes. Each attribute, such as a username or password, must be paired with a value. For example, the "username" attribute may be paired with the value "joe.doe."

The attributes sent are used by the RADIUS server to authenticate a user with the master server.

Some attributes are required in any access request:

  • Username
  • Password
  • Shared secret (shared encryption key)
  • NAS-Identifier or NAS-IP-Address

There are many additional attributes that can be sent. Any valid attribute can be added to the Attributes field of a RADIUS server configuration in the administration console. The only required attribute is "NAS-Identifier" or "NAS-IP-Address," and this attribute should be defined in your RADIUS environment's configuration file.

RADIUS servers use matching rules in combination with the attributes sent by the NAS to authenticate a user. In a Code42 environment, the username and password attributes are automatically sent by your master server and are defined by the username and password used to sign in.
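
The attribute/value pairs described above, shown as an added example that is not part of the original article and is not Code42 code. It builds and parses an RFC 2865 Access-Request, assuming the password is sent in the User-Password attribute; the user, secret and NAS-Identifier values are constructed. It shows that the shared secret is not sent as an attribute but is used to hide the password, while the username and NAS-Identifier travel in cleartext.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1                                    # RFC 2865 packet code
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32   # RFC 2865 attribute types

def _keystream_xor(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(b ^ k for b, k in zip(block, key))
        prev = result if hiding else block            # always chain on the ciphertext block
        out += result
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return _keystream_xor(padded, secret, authenticator, hiding=True)

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _keystream_xor(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")

def build_access_request(user, password, secret, nas_id, ident=1, authenticator=None):
    """NAS side: code, identifier, length, 16-byte authenticator, then type/length/value triples."""
    authenticator = authenticator or os.urandom(16)
    pairs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
             (NAS_IDENTIFIER, nas_id.encode())]
    attrs = b"".join(struct.pack("!BB", k, len(v) + 2) + v for k, v in pairs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_access_request(packet: bytes, secret: bytes) -> dict:
    """Server side: walk the attribute list and recover the password with the shared secret."""
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    authenticator, pos, found = packet[4:20], 20, {}
    while pos + 2 <= length:
        kind, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        found[kind] = reveal_password(value, secret, authenticator) if kind == USER_PASSWORD else value
        pos += alen
    return found
```

Parsing the same packet with a different secret yields a garbled password rather than an error, which is why a mismatched shared secret shows up on the server as a failed sign-in.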