Code42 Support

Setting Up RADIUS

Applies to:
  • Code42 CrashPlan (previously CrashPlan PROe)

Overview

RADIUS is a networking protocol that provides authentication, authorization and accounting for user access. This tutorial explains how to configure your Code42 environment to authenticate using one or more RADIUS servers.

Compatibility

The Code42 platform works with the following RADIUS server software, and will work with other software that fully supports the RADIUS protocol:

Code42 platform components

All Code42 platform components support RADIUS.

The following Code42 platform components bundled with the Code42 server support two-factor authentication with RADIUS. Two-factor authentication is explained in detail below.

Compatible With Two-Factor Authentication:
  • CrashPlan app for Windows, OS X, and Linux
  • Administration console

Incompatible With Two-Factor Authentication:
  • CrashPlan apps for iOS, Android, and Windows Phone

Considerations

The RADIUS protocol has some limitations within the Code42 environment:

  • Authentication occurs during:
  • Each Code42 master server requires setup within the RADIUS server.
  • Your Code42 server is considered to be a NAS (network access server) by RADIUS servers.
  • RADIUS provides authentication, but does not provide user management. If you require more advanced functionality, such as customized scripts to control the activation and deactivation of users, or to place users into the correct organizations or roles, consider configuring RADIUS for authentication with LDAP for authorization.
External authentication systems
Our Customer Champions can help with authentication issues caused by interaction with Code42 products. However, troubleshooting authentication issues outside your Code42 environment is beyond the scope of our Customer Champions.
For assistance with external authentication systems, contact your authentication vendor.

Two-factor authentication

The Code42 platform supports two-factor authentication as part of its implementation of the RADIUS protocol. This means that you can require a user to enter two separate, independent factors in order to authenticate. For example, the user might be required to enter her username and password, and then enter a PIN sent by SMS to her mobile phone. Thus, the Code42 environment can require the user to both know something (her username and password), and to possess something (her mobile phone) in order to gain access. Two-factor authentication is considered to be a form of multi-factor authentication.

RADIUS server configuration

Two-factor authentication must be set up on your RADIUS server, including the access-challenge message that the RADIUS server sends to your master server for presentation to the user during the two-factor authentication process.

What to expect when signing in

The end-user experience when signing in with single-factor RADIUS is identical to signing in with local authentication. However, when two-factor authentication is used, there is an additional authentication step.

The following example shows a user signing in with two-factor authentication via the administration console:

  1. The user is presented with the standard sign in screen and enters his username and password. [Screenshot: RADIUS 2FA sign in step 1]
  2. The user is presented with the challenge screen. [Screenshot: RADIUS 2FA sign in step 2]
  3. The user enters the PIN sent via SMS, email, token, app, or other method. [Screenshot: RADIUS 2FA sign in step 3]
  4. The user is now signed in. [Screenshot: RADIUS 2FA sign in step 4]

Using multiple RADIUS servers

One organization can be configured to use multiple RADIUS servers for authentication, but be aware of the following conditions on use of multiple RADIUS servers:

  1. The master server consults RADIUS servers in the order in which they were added.
  2. If a user is not found within a RADIUS server, or the user's credentials are rejected, then the master server will move on to the next RADIUS server.
  3. When two-factor authentication is used by one or more of the configured RADIUS servers, then the master server may not cycle through the entire list of RADIUS servers.
    • Depending on the particular configuration and RADIUS implementation, a RADIUS server may respond to an incorrect authentication request with an Access-Challenge message rather than an Access-Reject message.
    • The master server only cycles to the next RADIUS server in response to an Access-Reject message.

If you are configuring a single RADIUS server to use two-factor authentication in a multi-RADIUS server environment, then adding this RADIUS server last allows the master server to cycle through the entire list of RADIUS servers.
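To make the ordering rule concrete, here is an added Python simulation (not Code42 code; the server behaviour is modelled, not taken from any real product) of how a two-factor server that answers failures with Access-Challenge shadows every server configured after it, and how placing it last lets the master server cycle the whole list. Server names, users and passwords are constructed sample values.

```python
from dataclasses import dataclass

ACCEPT, REJECT, CHALLENGE = "Access-Accept", "Access-Reject", "Access-Challenge"


@dataclass
class RadiusServer:
    """Stand-in for one configured RADIUS server (constructed, no network I/O)."""
    name: str
    users: dict                  # username -> password this server knows
    two_factor: bool = False
    # Some two-factor products answer an unknown user or wrong password with
    # a challenge rather than a reject, so as not to reveal which accounts exist.
    challenge_on_failure: bool = False

    def respond(self, username, password):
        first_factor_ok = self.users.get(username) == password
        if self.two_factor and (first_factor_ok or self.challenge_on_failure):
            return CHALLENGE        # second factor still outstanding
        if first_factor_ok:
            return ACCEPT
        return REJECT


def consult_servers(servers, username, password):
    """Mimic the master server: try servers in configured order and move to the
    next one only after Access-Reject; Accept or Challenge ends the cycle.
    Returns (final response, answering server or None, servers consulted)."""
    consulted = []
    for server in servers:
        consulted.append(server.name)
        response = server.respond(username, password)
        if response != REJECT:
            return response, server.name, consulted
    return REJECT, None, consulted


if __name__ == "__main__":
    otp = RadiusServer("otp-2fa", {"alice": "pw1"}, two_factor=True, challenge_on_failure=True)
    corp = RadiusServer("corp", {"bob": "pw2"})
    # 2FA server first: bob exists only on "corp" but never reaches it.
    print(consult_servers([otp, corp], "bob", "pw2"))
    # 2FA server last, as the article recommends: the whole list is cycled.
    print(consult_servers([corp, otp], "bob", "pw2"))
```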

Before you begin

RADIUS server

This article assumes that you have a functioning and configured RADIUS server. See External Resources for more information on RADIUS administration, along with open source and third-party implementations of RADIUS (such as Microsoft NPS).

The following information is provided for informational purposes only. You should consult your RADIUS vendor's documentation for specific details related to your implementation.

Any RADIUS server that you wish to use with your Code42 environment must have the following items configured:

  1. Your master server must be listed in the correct RADIUS configuration files or settings, with the correct options. This file varies according to the RADIUS server software, but is often a file with a name such as clients, clients.conf, or naslist. You will need to configure one or more of these files, or the SQL database that is configured to store RADIUS configuration info.
  2. A shared encryption key (shared secret) must exist for each master server that you want to use with your RADIUS server. The encryption key is often stored in the clients or clients.conf file.
  3. The RADIUS server must be accessible to your master server on your LAN or WAN. By default, RADIUS servers use port 1812 for access requests, and 1813 for accounting requests. RADIUS uses the UDP protocol.
  4. You must collect the following information to have on hand for the configuration process:
    • RADIUS server hostname or IP address
    • RADIUS port number for access requests (the default is 1812)
    • One of these means of identifying your master server:
      • NAS-Identifier attribute (the name given to your master server in the RADIUS config file, which is often clients or clients.conf)
      • NAS-IP-Address (your master server's IP address)

Two-factor authentication

If you are using two-factor authentication:

  • Two-factor authentication must be set up on your RADIUS server.
  • You must configure the access-challenge message that the RADIUS server sends to your master server for presentation to the user during the two-factor authentication process.
  • An SMS or email gateway may be required to send the second authentication factor.

Step 1: Perform ping test to RADIUS server

It's a good idea to test the connectivity between your master server and RADIUS server.

  1. From a terminal window or command prompt on your master server, enter the following command:
    ping radius.example.com
    Replace the hostname "radius.example.com" with the actual hostname or IP address of your RADIUS server. Note that ping tests only ICMP reachability of the host and does not accept a port; confirming that the server answers on UDP port 1812 requires a RADIUS test client (for example radtest, which ships with FreeRADIUS).
  2. Verify that the RADIUS server is reachable on the network, as in the example below:
    master:~ root$ ping radius
    PING ldap (172.16.195.163): 56 data bytes
    64 bytes from 172.16.195.163: icmp_seq=0 ttl=64 time=1.601 ms
    64 bytes from 172.16.195.163: icmp_seq=1 ttl=64 time=0.978 ms
    

If your firewall blocks traffic on ports 1812 and 1813, then you will need to configure your firewall to allow traffic on these ports, or contact your firewall administrator.

Step 2: Configure master server

  1. From the administration console, navigate to Settings > Security > RADIUS.
  2. Click Add.
  3. Enter the correct values in RADIUS Server Setup for your RADIUS environment:
    RADIUS Server Setup
    • Server Name: Identifies the RADIUS server within your Code42 environment.
    • Address: The hostname or IP address plus port, in the format hostname:port.
      • The word "testing" is displayed briefly during the connection test. Wait for the test to complete before clicking Save.
      • A green checkmark and the word "Reachable" indicate successful communication.
      • A red "Failed" message to the right of the Address field indicates unsuccessful communication. Check the hostname or IP address of your RADIUS server.
    • Shared Secret: The shared encryption key that the master server and RADIUS server use to communicate securely.
    • Attributes: The attribute/value pairs to send to the RADIUS server with each access request. Either the NAS-Identifier or the NAS-IP-Address attribute/value pair is required.
    • Timeout seconds: Timeout period, in seconds, for all RADIUS requests.
    • Protocol:
      • CHAP: the more secure method of authentication; does not transmit the password in plain text.
      • PAP: the less secure method of authentication; transmits the password in plain text.
  4. Click Save.

Step 3: Enable RADIUS authentication

In order to use your new RADIUS server configuration, configure an organization to use RADIUS, or configure the system-wide organization to default to RADIUS.

Option A: Enable a single organization to use RADIUS

  1. Sign in to the administration console on your master server.
  2. Navigate to Organizations, then select the organization.
  3. From the Action Menu, select Edit.
  4. Click Security.
  5. If necessary, deselect Inherit security settings from parent.
  6. From Select an authentication method, choose RADIUS.
    The configured RADIUS servers appear under Choose provider(s).
  7. In Choose provider(s), select the RADIUS server(s) to offer for the organization. [Screenshot: RADIUS server configuration, organization details, edit security]
  8. Click Save.

Option B: Enable the system-wide organization to use RADIUS

Modify the system-wide organization settings to enable RADIUS for all organizations.

Disabling inheritance
If inheritance is disabled for an organization, that organization is not affected by changes to its parent organization.

  1. Go to Settings > Organization > Security.
  2. From Select an authentication method, choose RADIUS.
    The configured RADIUS servers appear under Choose provider(s).
  3. In Choose provider(s), select the RADIUS server(s) to offer for the organization.
  4. Click Save.

Step 4: Test RADIUS authentication

After configuring your master server and enabling RADIUS authentication for an organization, test the configuration with a test user and a test device:

  1. Add a test user to the RADIUS-enabled organization.
  2. Install the CrashPlan app on the test device.
  3. Sign in as the test user on the test device.
    • If you are able to sign in, then your setup is complete.
    • If you are not able to sign in:
      • Check the username and password of the test user.
      • Confirm that the user exists in your RADIUS environment.
      • View the RADIUS log files for more information on the error preventing authorization.

RADIUS logs

The RADIUS server's log files are invaluable for troubleshooting the RADIUS configuration.

  • The example below is from a Linux server running GNU Radius.
  • In this example, an administrator has access to both the master server and the RADIUS server for her organization.
  • The administrator wants to find out why user "joe.doe" is unable to sign in from the CrashPlan app, even though the user exists in the RADIUS database. She uses the utility tail to see the latest entries in the main RADIUS log (radius.log) while simultaneously clicking the sign in button on the CrashPlan app. This is what she sees:
root@omega:/var/log# tail -f radius.log 
Jul 15 15:21:23 Main.info: reading /usr/local/etc/raddb/config
Jul 15 15:21:23 Main.info: /usr/local/etc/raddb/users reloaded.
Jul 15 15:21:23 Main.info: Ready
Jul 15 15:21:23 Main.info: Ready to process requests.
Jul 16 13:44:29 Auth.notice: (Access-Request local 7 "joe.doe"): Login incorrect [joe.doe/bad_password_example]

Seeing the log file, the administrator realizes that she had entered the wrong password for user "joe.doe".

In depth: RADIUS attribute/value pairs

The following information may help you to understand how RADIUS servers communicate with a NAS such as a Code42 master server, and may also be useful during the configuration of a RADIUS server.

RADIUS servers expect access requests to contain RADIUS attributes. Each attribute, such as a username or password, must be paired with a value. For example, the "username" attribute may be paired with the value "joe.doe".

The attributes sent are used by the RADIUS server to authenticate a user with the master server.

Some attributes are required in any access request:

  • Username
  • Password
  • shared secret (shared encryption key)
  • NAS-Identifier or NAS-IP-Address

There are many additional attributes that can be sent. Any valid attribute can be added to the Attributes field of a RADIUS server configuration in the administration console. The only required attribute is "NAS-Identifier" or "NAS-IP-Address," and this attribute should also be defined in your RADIUS environment's configuration file.

RADIUS servers use matching rules in combination with the attributes sent by the NAS (in this case a Code42 master server) to authenticate a user. In a Code42 environment, the username and password attributes are automatically sent by your master server and are defined by the username and password used to sign in.
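As an added illustration (not Code42's code or part of the original article), the following Python builds the Access-Request a NAS such as the master server sends, following RFC 2865: it shows the attribute/value encoding, how the shared secret hides (rather than strongly encrypts) a PAP password, and how the NAS should verify the Response Authenticator before trusting an Access-Accept. The username, secret and NAS-Identifier are constructed sample values.

```python
import hashlib
import os
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 2, 4, 32

def encode_avp(attr_type, value):
    """One attribute/value pair: Type(1) Length(1, header included) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def hide_pap_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous
    block), seeded by the Request Authenticator. The secret keys an MD5 stream;
    this is obfuscation, not strong encryption, hence PAP rates below CHAP."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(identifier, username, password, secret, nas_id, authenticator=None):
    """Access-Request as sent by a NAS (here the master server); returns the
    packet plus the Request Authenticator needed to check the reply."""
    authenticator = authenticator or os.urandom(16)
    attrs = (encode_avp(USER_NAME, username.encode())
             + encode_avp(USER_PASSWORD, hide_pap_password(password.encode(), secret, authenticator))
             + encode_avp(NAS_IDENTIFIER, nas_id.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """What the RADIUS server answers (Accept, Reject or Challenge)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs

def response_is_authentic(response, request_authenticator, secret):
    """RFC 2865 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+
    Attributes+Secret). A reply forged without the secret, or a Reject altered
    into an Accept in transit, fails this, so the NAS must check it first."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_authenticator
                           + response[20:length] + secret).digest()
    return response[4:20] == expected
```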

Alerts

After configuring RADIUS, monitor and respond to alerts related to RADIUS sent by your Code42 environment.