Code42 Support

Set up RADIUS

Overview

RADIUS is a networking protocol that provides authentication, authorization and accounting for user access. This tutorial explains how to configure your Code42 environment to authenticate using one or more RADIUS servers.

Compatibility

The Code42 platform works with the following RADIUS server software, and will work with other software that fully supports the RADIUS protocol:

Code42 platform components

All Code42 platform components support RADIUS.

The following Code42 platform components bundled with the Code42 server support two-factor authentication with RADIUS. Two-factor authentication is explained in detail below.

Compatible with two-factor authentication:
  • Code42 apps for:
    • Windows
    • Mac
    • Linux
  • Administration console

Incompatible with two-factor authentication:
  • Code42 apps for:
    • iOS
    • Android
    • Windows Phone

Considerations

  • Authentication occurs during:
  • Each Code42 authority server requires setup within the RADIUS server.
  • Your Code42 server is considered to be a NAS (network access server) by RADIUS servers.
  • RADIUS provides authentication, but does not provide user management. If you require more advanced functionality, such as customized scripts to control the activation and deactivation of users, or to place users into the correct organizations or roles, consider configuring RADIUS for authentication with LDAP for authorization.

External authentication systems

Our Customer Champions can help with authentication issues caused by interaction with Code42 products. However, troubleshooting authentication issues outside your Code42 environment is beyond the scope of our Customer Champions.
For assistance with external authentication systems, contact your authentication vendor.

Two-factor authentication

The Code42 platform supports two-factor authentication as part of its implementation of the RADIUS protocol. This means that you can require a user to enter two separate, independent factors in order to authenticate. For example, the user might be required to enter their username and password, and then enter a PIN sent by SMS to their mobile phone. Two-factor authentication is considered to be a form of multi-factor authentication.

Considerations for two-factor authentication

If you are using two-factor authentication:

  • Two-factor authentication must be set up on your RADIUS server.
  • You must configure the access-challenge message that the RADIUS server sends to your authority server for presentation to the user during the two-factor authentication process.
  • An SMS or email gateway may be required to send the second authentication factor.

What to expect when signing in

To sign in using two-factor authentication:

  1. Sign in to the administration console.
  2. Enter your username and password.
  3. The challenge screen appears.
    2 factor challenge screen
  4. Enter the code sent via SMS, email, token, app, or other method.
  5. Click Verify.

Use multiple RADIUS servers

One organization can be configured to use multiple RADIUS servers for authentication, but be aware of the following conditions on use of multiple RADIUS servers:

  1. The authority server consults RADIUS servers in the order in which they were added.
  2. If a user is not found within a RADIUS server, or the user's credentials are rejected, then the authority server will move on to the next RADIUS server.
  3. When two-factor authentication is used by one or more of the configured RADIUS servers, then the authority server may not cycle through the entire list of RADIUS servers.
    • Depending on the particular configuration and RADIUS implementation, a RADIUS server may respond to an incorrect authentication request with an Access-Challenge message rather than an Access-Reject message.
    • The authority server only cycles to the next RADIUS server in response to an Access-Reject message.

If you are configuring a single RADIUS server to use two-factor authentication in a multi-RADIUS server environment, then adding this RADIUS server last allows the authority server to cycle through the entire list of RADIUS servers.
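The server-selection rule above, written out as an added example (not Code42's code) with a constructed stand-in for a RADIUS server: the authority server walks the list in order and moves on only after Access-Reject, so a two-factor server that answers bad credentials with Access-Challenge stops the walk before later servers are consulted. The FakeRadiusServer class and its flags are assumptions for illustration only.

```python
from dataclasses import dataclass

ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = "Access-Accept", "Access-Reject", "Access-Challenge"

@dataclass
class FakeRadiusServer:
    # Constructed stand-in for one configured RADIUS server; not a real RADIUS implementation.
    name: str
    users: dict                         # username -> password known to this server
    two_factor: bool = False            # valid credentials get an Access-Challenge for the second factor
    challenge_on_failure: bool = False  # some 2FA setups answer unknown users or bad passwords with a Challenge too

    def respond(self, username, password):
        if self.users.get(username) == password:
            return ACCESS_CHALLENGE if self.two_factor else ACCESS_ACCEPT
        return ACCESS_CHALLENGE if self.challenge_on_failure else ACCESS_REJECT

def authenticate(servers, username, password):
    # The authority server's rule from the article: consult servers in the order they were added,
    # and move on to the next one only after an Access-Reject. Returns the trail of replies seen.
    trail = []
    for server in servers:
        reply = server.respond(username, password)
        trail.append((server.name, reply))
        if reply != ACCESS_REJECT:  # Accept finishes; a Challenge also stops the walk through the list
            break
    return trail

if __name__ == "__main__":
    plain = FakeRadiusServer("radius-plain", {"joe.doe": "p@ss"})
    mfa = FakeRadiusServer("radius-2fa", {"ann.lee": "s3cret"}, two_factor=True, challenge_on_failure=True)
    # joe.doe only exists on radius-plain; with the 2FA server first he is never tried there.
    print("2FA server first:", authenticate([mfa, plain], "joe.doe", "p@ss"))
    print("2FA server last: ", authenticate([plain, mfa], "joe.doe", "p@ss"))
```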

Before you begin

This article assumes that you have a functioning and configured RADIUS server. See External Resources for more information on RADIUS administration, along with open source and third-party implementations of RADIUS (such as Microsoft NPS).

The following information is provided for informational purposes only. Consult your RADIUS vendor's documentation for specific details related to your implementation.

You must configure the following items for any RADIUS server you want to use with your Code42 environment:

  1. Your authority server must be listed in the correct RADIUS configuration files or settings, with the correct options. This file varies according to the RADIUS server software, but it is often a file with a name such as clients, clients.conf, or naslist. Configure one or more of these files, or the SQL database that is configured to store RADIUS configuration info.
  2. A shared encryption key (shared secret) must exist for each authority server you want to use with your RADIUS server. The encryption key is often stored in the clients or clients.conf file.
  3. The RADIUS server must be accessible to your authority server on your LAN or WAN. By default, RADIUS servers use port 1812 for access requests, and 1813 for accounting requests. RADIUS uses the UDP protocol.
  4. Collect the following information to have on hand for the configuration process:
    • RADIUS server hostname or IP address
    • RADIUS port number for access requests (the default is 1812)
    • One of these ways of identifying your authority server:
      • NAS-Identifier attribute (the name given to your authority server in the RADIUS configuration file, which is often clients or clients.conf)
      • NAS-IP-Address (your authority server's IP address)

Step 1: Perform ping test to RADIUS server

We recommend you test the connectivity between your authority server and RADIUS server.

  1. From a terminal window or command prompt on your authority server, enter the following command:
    ping radius.example.com
    Replace the hostname "radius.example.com" with the actual hostname or IP address of your RADIUS server. Note that ping takes no port argument and only confirms that the host answers ICMP; it does not exercise UDP port 1812.
  2. Verify that the RADIUS server is reachable on the network, as in the example below:
    master:~ root$ ping radius
    PING ldap (172.16.195.163): 56 data bytes
    64 bytes from 172.16.195.163: icmp_seq=0 ttl=64 time=1.601 ms
    64 bytes from 172.16.195.163: icmp_seq=1 ttl=64 time=0.978 ms

If your firewall blocks traffic on ports 1812 and 1813, you must configure your firewall to allow traffic on these ports, or contact your firewall administrator.

Step 2: Configure authority server

  1. From the administration console, navigate to Settings > Security > RADIUS.
  2. Click Add.
  3. Configure your RADIUS Server Setup:
    • Server Name: identifies the RADIUS server within your Code42 environment.
    • Address: the hostname or IP address plus port, in the format hostname:port.
      • The word "testing" appears briefly during the connection test. Wait for the test to complete before clicking Save.
      • A green checkmark and the word "Reachable" indicate successful communication.
      • A message saying "Failed" in red to the right of the Address field indicates unsuccessful communication. Check the hostname or IP address of your RADIUS server.
    • Shared Secret: the shared encryption key that the authority server and RADIUS server use to communicate securely.
    • Attributes: the attribute/value pairs you want to send to the RADIUS server with each access request. Either the NAS-Identifier or NAS-IP-Address attribute/value pair is required.
    • Timeout seconds: timeout period, in seconds, for all RADIUS requests.
    • Protocol:
      • CHAP: the more secure authentication method; it does not transmit the password in plain text.
      • PAP: the less secure authentication method; it transmits the password in plain text.
  4. Click Save.

Step 3: Enable RADIUS authentication

To begin using your RADIUS server configuration, either configure a single organization to use RADIUS, or configure the system-wide organization to default to RADIUS.

Option A: Enable a single organization to use RADIUS

  1. Sign in to the administration console on your authority server.
  2. Navigate to Organizations, then select the organization.
  3. From the action menu, select Edit.
  4. Click Security.
    enable RADIUS for a single organization
  5. If necessary, deselect Inherit security settings from parent.
  6. From Select an authentication method, choose RADIUS.
    The configured RADIUS servers appear under Choose provider(s).
  7. In Choose provider(s), select the RADIUS server(s) to offer for the organization.
  8. Click Save.

Option B: Enable the system-wide organization to use RADIUS

Modify the system-wide organization settings to enable RADIUS for all organizations.

Disabled inheritance
If you disable inheritance for an organization, that organization is not affected by changes to its parent organization.

  1. Go to Settings > Organization > Security.
    Enable RADIUS for your entire Code42 environment
  2. From Select an authentication method, choose RADIUS.
    The configured RADIUS servers appear under Choose provider(s).
  3. In Choose provider(s), select the RADIUS server(s) to offer for the organization.
  4. Click Save.

Step 4: Test RADIUS authentication

After configuring your authority server and enabling RADIUS authentication for an organization, test the configuration with a test user and a test device:

  1. Add a test user to the RADIUS-enabled organization.
  2. Install the Code42 app on the test device.
  3. Sign in as the test user on the test device.
    • If you are able to sign in, your setup is complete.
    • If you are not able to sign in:
      • Check the username and password of the test user.
      • Confirm that the user exists in your RADIUS environment.
      • View the RADIUS log files for more information on the error preventing authorization.

RADIUS logs

The RADIUS server's log files are invaluable for troubleshooting the RADIUS configuration.

  • The example below is from a Linux server running GNU Radius.
  • In this example, an administrator has access to both the authority server and the RADIUS server for her organization.
  • The administrator wants to find out why user "joe.doe" is unable to sign in from the Code42 app, even though the user exists in the RADIUS database. She uses the utility tail to see the latest entries in the main RADIUS log (radius.log) while simultaneously clicking the sign in button on the Code42 app. She sees the following:
root@omega:/var/log# tail -f radius.log 
Jul 15 15:21:23 Main.info: reading /usr/local/etc/raddb/config
Jul 15 15:21:23 Main.info: /usr/local/etc/raddb/users reloaded.
Jul 15 15:21:23 Main.info: Ready
Jul 15 15:21:23 Main.info: Ready to process requests.
Jul 16 13:44:29 Auth.notice: (Access-Request local 7 "joe.doe"): Login incorrect [joe.doe/bad_password_example]

Seeing the log file, the administrator realizes that she had entered the wrong password for user "joe.doe".

In depth: RADIUS attribute/value pairs

The following information describes how RADIUS servers communicate with a NAS such as a Code42 authority server and might be useful during the configuration of a RADIUS server.

RADIUS servers expect access requests to contain RADIUS attributes. Each attribute, such as a username or password, must be paired with a value. For example, the "username" attribute may be paired with the value "joe.doe".

The attributes sent are used by the RADIUS server to authenticate a user with the authority server.

Some attributes are required in any access request:

  • Username
  • Password
  • Shared secret (shared encryption key)
  • NAS-Identifier or NAS-IP-Address

Many additional attributes can be sent. Any valid attribute can be added to the Attributes field of a RADIUS server configuration in the administration console. The only required attribute is "NAS-Identifier" or "NAS-IP-Address", and this attribute should also be defined in your RADIUS environment's configuration file.

RADIUS servers use matching rules in combination with the attributes sent by the NAS (in this case a Code42 authority server) to authenticate a user. In a Code42 environment, the username and password attributes are automatically sent by your authority server and are defined by the username and password used to sign in.
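As an added example (not Code42's code), the following Python builds the Access-Request described here, with User-Name, User-Password and NAS-Identifier attribute/value pairs per RFC 2865, and verifies the reply's Response Authenticator against the shared secret; its probe() function also gives the Step 1 connectivity test a check that a plain ping cannot provide, since it sends a real request to UDP port 1812. The shared secret, NAS-Identifier and test credentials are assumed placeholders.

```python
import hashlib, os, socket, struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 2, 4, 32

def _pap_stream(data, secret, authenticator, chain_on_output):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block), seeded by the authenticator.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(x ^ k for x, k in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if chain_on_output else data[i:i + 16]  # hiding chains on ciphertext, revealing on input
    return out

def pap_encrypt(password, secret, authenticator):
    # Pad to a multiple of 16 bytes (at least one block) before hiding, as the RFC requires.
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return _pap_stream(padded, secret, authenticator, chain_on_output=True)

def pap_decrypt(hidden, secret, authenticator):
    return _pap_stream(hidden, secret, authenticator, chain_on_output=False).rstrip(b"\x00")

def avp(attr_type, value):
    # One attribute/value pair on the wire: type, total length (including this header), value.
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(username, password, secret, nas_identifier, ident=1, authenticator=None):
    # The NAS (here the authority server) sends User-Name, User-Password and the NAS-Identifier the
    # RADIUS clients file knows it by; the shared secret never travels, it only keys the password hiding.
    authenticator = authenticator or os.urandom(16)
    attrs = (avp(USER_NAME, username.encode())
             + avp(USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
             + avp(NAS_IDENTIFIER, nas_identifier.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def verify_response(packet, secret, request_authenticator):
    # Accept a reply only if its Response Authenticator, MD5(Code+ID+Length+RequestAuth+Attributes+Secret),
    # proves the sender knows the shared secret; a forged or mis-keyed reply yields None.
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:length] + secret).digest()
    return code if expected == packet[4:20] else None

def probe(host, port, secret, username, password, nas_identifier, timeout=3.0):
    # Send one real Access-Request to the RADIUS port (1812 by default) and classify the verified reply.
    request = build_access_request(username, password, secret, nas_identifier)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        reply, _ = sock.recvfrom(4096)
    return verify_response(reply, secret, request[4:20])
```

A call such as probe("radius.example.com", 1812, b"<shared secret>", "testuser", "<password>", "<NAS-Identifier>") returns 2, 3 or 11 for Access-Accept, Access-Reject or Access-Challenge, None if the reply fails authenticator verification (typically a shared-secret mismatch), and raises socket.timeout if nothing answers on the UDP port.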

Alerts

After configuring RADIUS, monitor and respond to alerts related to RADIUS sent by your Code42 environment.