GreenRADIUS Virtual Appliance

Configuration and Administration Guide Software version: 2

Document version: 1.0

October, 2015

©2014-2015 Green Rocket Security Inc. All rights reserved. Page 2 of 61

Introduction

Green Rocket Security is a provider of online and network identity protection. The company's flagship product, the GreenRADIUS Virtual Appliance, enables organizations to authenticate users via two-factor authentication with a variety of security tokens, such as the YubiKey. This guide focuses on the integration of GreenRADIUS with the YubiKey. (For usage with other security tokens, such as soft tokens, please contact Green Rocket Security.) Founded in 2014, Green Rocket Security is privately held and headquartered in the heart of Silicon Valley.

Disclaimer

The contents of this document are subject to revision without notice due to continued progress in methodology, design, and manufacturing. Green Rocket Security shall have no liability for any error or damages of any kind resulting from the use of this document. The Green Rocket Security Software referenced in this document is licensed to you under the terms and conditions accompanying the software or as otherwise agreed between you or the company that you are representing.

Trademarks

YubiKey is a trademark of Yubico Inc.

Contact Information

Green Rocket Security Inc.

1900 Camden Ave.

San Jose, CA 95124

888-793-3247

[email protected]


Contents

Introduction ... 2
Disclaimer ... 2
Trademarks ... 2
Contact Information ... 2
1 Document Information ... 5
  1.1 Purpose ... 5
  1.2 Audience ... 5
  1.3 References ... 5
  1.4 Version ... 5
  1.5 Definitions ... 5
2 Introduction ... 6
3 What's New ... 8
4 What's Changed ... 9
5 Pre-Requisites ... 10
  5.1 GreenRADIUS License File ... 10
  5.2 One or more YubiKey(s) ... 10
  5.3 Active Directory or OpenLDAP server ... 10
6 Configuration ... 11
  6.1 Downloading the GreenRADIUS VMware virtual appliance ... 11
  6.2 Configuration of the GreenRADIUS virtual appliance ... 11
    6.2.1 Adding domains to the Green Rocket Security Virtual Appliance management ... 11
    6.2.2 Setting up the Global configuration parameters ... 13
    6.2.3 Importing users to the domain ... 25
    6.2.4 Defining User Group Hierarchy ... 28
    6.2.5 Importing YubiKeys to YKKSM database or YubiHSM ... 28
    6.2.6 Enabling Auto-provisioning mode for the domain ... 29
    6.2.7 Enable Gradual Deployment ... 30
    6.2.8 Return user's Group Membership information in RADIUS response ... 30
    6.2.9 Adding RADIUS clients to the Domain ... 32
7 Testing the configuration ... 33
  7.1 RadTest ... 33
  7.2 Validate OTP ... 36
  7.3 Ping ... 37
8 Users and Token Management ... 39
  8.1 Enable Token ... 39
  8.2 Disable Token ... 40
  8.3 Unassign Token ... 40
  8.4 Delete User ... 41
  8.5 Display Users/Group Hierarchy ... 42
  8.6 Assign Temporary Token ... 43
9 Reports ... 46
  9.1 On-Demand Report ... 46
    9.1.1 Token Assignment ... 46
    9.1.2 Authentication Request ... 46
  9.2 Sample report ... 47
10 List Tokens Tab ... 49
11 Appendix 1: Security Considerations ... 50
12 Appendix 2: Using LDAPS ... 51
  12.1 Setting LDAPS for GreenRADIUS Virtual Appliance ... 51
13 Appendix 3: Importing Users from Active Directory/OpenLDAP ... 53
  13.1 Importing Users from Active Directory ... 53
  13.2 Importing users with a specific group membership ... 56
  13.3 Importing users from multiple groups ... 57
14 Appendix 4: Web API ... 58
15 Appendix 5: GreenRADIUS Virtual Appliance Port Information ... 59
16 Appendix 6: Restricting Access to Webmin ... 60


1 Document Information

1.1 Purpose

The purpose of this document is to guide readers through the configuration steps to enable two-factor authentication with the YubiKey and the GreenRADIUS virtual appliance provided by Green Rocket Security. This document assumes that the reader has advanced knowledge and experience in Linux system administration, particularly in configuring the PAM authentication mechanism on a Linux platform.

This configuration guide focuses on configuration of the FreeRADIUS daemon for user authentication against Active Directory (AD) or an OpenLDAP server.

1.2 Audience

This document is intended for technical staff of Green Rocket Security customers who want to deploy the YubiKey for securing access to corporate resources via technologies such as Remote Access service or VPN.

1.3 References

Part of the GreenRADIUS solution is based on the open source FreeRADIUS and Webmin software.

1.4 Version

This version is released to the Green Rocket Security community for use of Green Rocket Security's GreenRADIUS virtual appliance to provide YubiKey-based two-factor authentication, primarily for remote access technologies (such as VPN).

1.5 Definitions

Term        Definition
GRVA        Green Rocket Security's GreenRADIUS Virtual Appliance
VPN         Virtual Private Network
SSL         Secure Sockets Layer
RADIUS      Remote Authentication Dial In User Service
PIN         Personal Identification Number
OTP         One Time Password
YubiKey ID  The 12-character (48-bit) public identifier of a YubiKey
AD          Active Directory
LDAP        Lightweight Directory Access Protocol


2 Introduction

Green Rocket Security is a security company founded in 2014 and headquartered in Silicon Valley. Green Rocket Security's mission is to "help our customers gain secure access to their resources from any device or location while preventing unauthorized access by anyone else".

Many organizations utilize the powerful and flexible authentication mechanism provided by the RADIUS protocol. A RADIUS server combined with an industry standard VPN or SSL-based VPN access point forms a robust and easy solution for remote access. However, in all secure remote access scenarios two-factor authentication is highly recommended.

Green Rocket Security provides a FreeRADIUS-based remote access solution, "GreenRADIUS", for providing strong two-factor authentication, i.e. "username + PIN/password + YubiKey OTP". The GreenRADIUS solution supports multiple domains. Each domain configuration works independently and has its own configuration settings.

In order to make it easy for customers to quickly deploy a solution, Green Rocket Security provides a ready-to-deploy "GreenRADIUS" VMware-based virtual appliance. The ready-to-deploy VMware virtual appliance contains the following:

- FreeRADIUS Server
- Green Rocket Security OTP validation server (YKVAL and YKKSM server or YubiHSM)
- Webmin server
- Green Rocket Security GreenRADIUS Webmin module
- Username-YubiKey ID mapping service (YkMap service)
- AD/LDAP username and password authentication mechanism


The following diagram illustrates a typical deployment of GreenRADIUS.


3 What’s New

1. Support for OATH-HOTP and FIDO 1.0 (U2F) security tokens
Add-On modules provide support for OATH-HOTP and FIDO 1.0 (U2F) tokens in GreenRADIUS. Please refer to the document "GreenRADIUS - Installation of Add-On" for instructions on how to install an Add-On module in GreenRADIUS.

2. Support for multiple token types for one user
A user can be assigned different types of token, which the user can use interchangeably to perform two-factor authentication.

3. Self-Service Portal
End users can use the self-service portal to assign a token, re-sync an OATH-HOTP token or authenticate using a FIDO U2F token. To access the self-service portal, simply point your browser to https://<GRVA IP Address>

4. Automatic Software Updates
In order to protect system integrity when the OS and third-party software components are updated, Green Rocket Security will release tested and certified software updates. GreenRADIUS 2.0 can download software updates directly from the Green Rocket update server and also allows updates to be uploaded manually. Please refer to the document "GreenRADIUS – Installation of Updates" for instructions on how to install software updates in GreenRADIUS 2.0.

5. Configurable RADIUS Return Attribute
When returning group membership information is enabled, the RADIUS attribute used can be configured as either "Class" (RADIUS attribute 25) or "Filter-Id" (RADIUS attribute 11). This makes it easier to implement access control policies on the RADIUS client based on a user's group membership, since different clients match policy on different attributes.

6. New Operating System
The GreenRADIUS 2.0 Virtual Appliance has been updated to Ubuntu 14.04.3 LTS.

7. Security issues and important bug fixes
a. When using GreenRADIUS servers in synchronized configuration, the username-to-YubiKey mapping sometimes got out of sync. This issue is fixed.
b. Several major security fixes from the past year have been incorporated into the GRVA.


4 What’s Changed

1. A license file or a license serial number must be obtained from Green Rocket Security prior to using GreenRADIUS.

2. To simplify administration for the most common deployments, the following changes are introduced:
a. YubiHSM support has been removed from the base Virtual Appliance and will be offered as an Add-On feature.
b. Webmin modules have been reduced to a minimum, focusing only on those elements essential to managing the Virtual Appliance.
c. The GreenRADIUS administration console (Webmin) can also be accessed using the link https://<GRVA IP Address>/admin


5 Pre-Requisites

Before using the GRVA, you will need the following:

5.1 GreenRADIUS License File

GreenRADIUS 2.0 requires a valid license on the Virtual Appliance. In order to get a valid license please send an email to [email protected], and please refer to the document "GreenRADIUS - Installation of License" for instructions on how to install a license file on a GreenRADIUS 2.0 server.

5.2 One or more YubiKey(s)

5.3 Active Directory or OpenLDAP server

The Green Rocket Security GreenRADIUS virtual appliance (GRVA) server supports username and password authentication with Active Directory or with an OpenLDAP server. In order to deploy and test the GRVA solution, either an Active Directory or an OpenLDAP server is required.


6 Configuration

Please follow the configuration steps below to use the GreenRADIUS virtual appliance:

6.1 Downloading the GreenRADIUS Virtual Appliance

Visit www.greenrocketsecurity.com/greenradius to download an evaluation version or to order the full version.

6.2 Configuration of the GreenRADIUS Virtual Appliance

These steps assume that the GRVA is already downloaded and running.

The configuration of the GRVA image is as follows:

1. Operating system: Ubuntu 14.04 LTS
2. Username: gradmin
3. Password: GreenRocket!23
4. Webmin Access URL: https://<GRVA IP Address>/admin
5. User Self-Service portal URL: https://<GRVA IP Address>/

The gradmin account is part of the admin group on the server and can use "su" for any needed root-level commands. Because this default password is published in this guide, change it before the appliance is reachable from any untrusted network.

The virtual appliance is configured to obtain its IP address automatically using DHCP. Change the network configuration to a static IP address if necessary. The DNS server must be able to resolve the address of the Active Directory domain controller/OpenLDAP server: if the AD domain controller/OpenLDAP server is referenced by host name, the GRVA will not work unless that host name resolves to the server's IP address.

To get the solution into a functional state, these steps are required:

1. Create and configure users in a directory service (AD/LDAP) or in the local OpenLDAP server included on the image
2. Add a domain to the GRVA management
3. Configure the various global configuration parameters
4. Import users from the AD/LDAP/OpenLDAP server into the domain
5. To use the locally installed OTP validation server instead of the online YubiCloud validation service, import the YubiKey secrets into the OTP validation server on the VA
6. Configure the auto-provisioning options for the domain
7. Add the RADIUS client (e.g. a Cisco ASA) to the GreenRADIUS VA so that it accepts RADIUS authentication requests from the RADIUS client(s)

These steps are described in detail below:

6.2.1 Adding domains to the GreenRADIUS Virtual Appliance management

Log in to the Webmin console in order to configure and manage the GreenRADIUS solution. Green Rocket Security has created a separate Webmin module to manage the GreenRADIUS solution, which is included in the virtual appliance. Please follow the steps below to add a domain to the GreenRADIUS solution:

1) To log in to the Webmin console, use the following URL:

https://<GRVA IP Address>

The URL will be automatically redirected to the Webmin console, as shown in the image below:

2) Provide the username gradmin and the password "Green Rocket Security", as shown in the image below:

3) After logging into the Webmin portal, the GreenRADIUS Virtual Appliance module will be displayed, as shown in the image below:

Enter a domain name and click on "Add Domain". For demonstration purposes, we are using GreenRADIUS.com as the domain name, as shown in the image below:

This will add a domain "GreenRADIUS.com" to the GreenRADIUS virtual appliance. The domain name only supports upper/lower case alphanumeric characters (A-Z and 0-9) and special characters such as the period (.).

4) An unlimited number of domains can be added as needed to the GreenRADIUS virtual appliance. Each domain configuration is applied separately and configured independently of all other domains. Only the settings available under "Global Configuration" affect all domains.


Note: If more than one domain is used, the UID must be entered as <username>@domainname.<ext> in any login screen for a RADIUS-connected VPN/Remote Access service etc., i.e.:

For a single domain the UID can be entered as the AD/LDAP <user name>. For multiple domains the UID must be entered as the AD/LDAP <user name>@domain.com.

6.2.2 Setting up the Global configuration parameters

The configuration parameters available under "Global Configuration" give GRVA administrators access to several configuration settings. These include: general FreeRADIUS configuration, enabling FreeRADIUS logging, choosing the Green Rocket Security OTP validation server, configuring the Synchronization service and deciding on the Key Storage Module to use.

To configure the Global Configuration options, please follow the steps below:

1) Click on the "Global Configuration" tab as highlighted in the image below:

2) The "Global Configuration" options are listed in the following image:

The "Global Configuration" options are explained as follows:

6.2.2.1 General

Click on General icon in Global Configuration tab.


1) Enable Auto-provisioning: Check the box to enable auto-provisioning. Auto-provisioning provides automatic YubiKey assignment to users. When auto-provisioning is enabled, the administrator can distribute the YubiKeys to end users without any additional work. With auto-provisioning enabled, end users are authenticated based on their username + password and a valid OTP on the first login attempt after receiving their YubiKey. After that successful authentication, the corresponding YubiKey ID is automatically associated with the username (i.e. automatic username-to-YubiKey binding). This method greatly simplifies the initial rollout process for administrators and end users.

Note that until a user's first successful login, any YubiKey whose OTP the validation server accepts will be bound to that account, so during that window the account is protected by the password alone. Keep the YubiKey distribution channel trusted, and disable auto-provisioning once rollout is complete.

2) Enable Auto-provisioning for multiple YubiKeys: If this option is enabled, a single user can be assigned multiple YubiKeys automatically through auto-provisioning. While users can have multiple YubiKeys assigned to a single username, a YubiKey can only be assigned to a single user, unless the "Enable Single YubiKey for multiple Users" option is selected. If that option is selected, a single YubiKey can be assigned to multiple users if and only if each user belongs to a different domain.

It is important to note that the global configuration for auto-provisioning overrides the domain-level configuration. This means that auto-provisioning must be globally enabled in order to enable it for a single domain; if global auto-provisioning is turned off, it is not possible to enable it at the domain level.

3) Enable Single YubiKey for multiple Users: When this option is selected, a single YubiKey can be assigned to multiple user accounts, provided that each user account belongs to a different domain. Even with this option enabled, a single YubiKey cannot be assigned to multiple users in the same domain.

4) On service fail, fall-back to single factor?: When this option is enabled and the OTP validation service is unavailable, or there is any problem validating OTPs with the OTP validation server, OTP validation is skipped and the GRVA falls back to traditional single-factor authentication based on username and password. During a service failure users are then validated using only their AD/LDAP password. This option can be used in environments where the internet service is unreliable and user availability is the highest priority (the option "On service fail, send email alert?" should also be enabled when this feature is used in this way). Be aware that this is a silent downgrade: while the validation service is unreachable, a stolen password alone is enough to log in. The recommended use of this function is for an administrator to enable it manually to aid during troubleshooting or similar situations, and to disable it again afterwards.

5) Append OTP to: This option lets the administrator decide whether the OTP is appended to the username or to the entered password in the authentication request. GreenRADIUS then separates the OTP from the end of that field.

6) Temporary token length: This option sets the number of characters in a temporary token provided to a user for a limited period of time. Currently the temporary token length is fixed at 8 characters.

7) YubiKey Public ID length (1-8 bytes): This option sets the number of characters in each OTP that make up the Public ID. By reducing the Public ID length, the OTPs generated by the YubiKey will likewise be shorter; each byte is represented by 2 modhex characters. However, the number of YubiKeys that GreenRADIUS can distinguish is also limited by the length of the Public ID. Finally, if the Public ID length is set to a value other than 6, GreenRADIUS will not work with YubiCloud validation.

When setting the YubiKey Public ID length to a value other than 6, every YubiKey to be used with GreenRADIUS must also be programmed with the same Public ID length.

8) Enable YubiApp Registration: The "YubiApp Registration" service allows users to generate soft-key tokens from their smartphone.

If "YubiApp Registration" is disabled in the global configuration, no user from any domain can access the "YubiApp Registration" service. If it is enabled in the global configuration, then the domain-level YubiApp configuration decides whether the corresponding users can access "YubiApp Registration".

Please refer to "Appendix 6: YubiApp Registration" for more information about YubiApp registration.

9) Enable Password Authentication through GreenRADIUS: When this option is selected, GreenRADIUS keeps track of the username during authentication, allowing the username and password to be requested in a separate dialog/screen from the YubiKey OTP request.

10) On service fail, send email alert?: By selecting this option, the GRVA server will send an email to the addresses specified in the "Email Addresses" field if the OTP validation service is unavailable. Administrators can enter multiple email addresses by separating them with commas.


Please note that to use this functionality the Exim4 email server installed on the GreenRADIUS Virtual Appliance must be configured, following your corporate policy, using the "dpkg-reconfigure exim4-config" command.
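The following is an added example, not code from this guide or from Green Rocket Security. It models two of the General options in working code: splitting a RADIUS field that carries "<password or username><OTP>" (the "Append OTP to" option, with the configurable Public ID length from option 7, where 6 bytes give the 12-character, 48-bit YubiKey ID of section 1.5), and the binding rules of options 1 to 3 (global setting overrides domain setting, multiple YubiKeys per user only when enabled, one YubiKey across domains only when enabled and never twice in one domain). The function and class names, and the sample credential, are illustrative assumptions, not GreenRADIUS APIs or real data.

```python
# Added example: credential splitting and auto-provisioning binding rules.
# Not GreenRADIUS code; names and sample values are illustrative.

MODHEX = "cbdefghijklnrtuv"   # YubiKey modhex alphabet: a char's index is its nibble value
OTP_BODY_CHARS = 32           # the encrypted part of every YubiKey OTP is 16 bytes = 32 chars


def modhex_to_hex(text: str) -> str:
    """Decode a modhex string to lowercase hex (2 modhex chars per byte)."""
    return "".join(format(MODHEX.index(ch), "x") for ch in text)


def split_credential(value: str, public_id_bytes: int = 6):
    """Split a field holding '<secret><OTP>' into (secret, public_id, otp).

    The OTP is the trailing 2*public_id_bytes + 32 modhex characters, so with the
    default 6-byte (48-bit) Public ID an OTP is 44 characters long.
    """
    if not 1 <= public_id_bytes <= 8:
        raise ValueError("Public ID length must be 1-8 bytes")
    otp_len = 2 * public_id_bytes + OTP_BODY_CHARS
    if len(value) < otp_len:
        raise ValueError("field too short to contain an OTP")
    secret, otp = value[:-otp_len], value[-otp_len:]
    if any(ch not in MODHEX for ch in otp):
        raise ValueError("trailing characters are not a modhex OTP")
    return secret, otp[: 2 * public_id_bytes], otp


class Provisioner:
    """Username-to-YubiKey binding table with the guide's three provisioning switches."""

    def __init__(self, global_auto=True, multi_key_per_user=False, share_across_domains=False):
        self.global_auto = global_auto
        self.multi_key_per_user = multi_key_per_user
        self.share_across_domains = share_across_domains
        self.domain_auto = {}      # domain -> bool: the per-domain auto-provisioning switch
        self.user_keys = {}        # (domain, user) -> set of Public IDs bound to that user
        self.key_owners = {}       # Public ID -> set of (domain, user) it is bound to

    def auto_enabled(self, domain: str) -> bool:
        # The global setting overrides the domain setting: both must be on.
        return self.global_auto and self.domain_auto.get(domain, False)

    def check(self, domain: str, user: str, public_id: str) -> str:
        """Decide what to do with a Public ID presented by user@domain after the
        password and the OTP itself were verified.
        Returns 'accept', 'provision' or 'reject: <reason>'."""
        owner = (domain, user)
        keys = self.user_keys.get(owner, set())
        if public_id in keys:
            return "accept"                        # already bound to this user
        if not self.auto_enabled(domain):
            return "reject: YubiKey not assigned and auto-provisioning is off"
        if keys and not self.multi_key_per_user:
            return "reject: user already has a YubiKey"
        for other_domain, _ in self.key_owners.get(public_id, ()):
            if other_domain == domain:
                return "reject: YubiKey already assigned in this domain"
            if not self.share_across_domains:
                return "reject: YubiKey assigned in another domain"
        # First successful login with this key: bind it (auto-provisioning).
        self.user_keys.setdefault(owner, set()).add(public_id)
        self.key_owners.setdefault(public_id, set()).add(owner)
        return "provision"


if __name__ == "__main__":
    # Constructed sample: password "hunter2" followed by a 44-char modhex OTP.
    sample_otp = "ccccccbcgdhv" + "cbdefghijklnrtuv" * 2
    password, public_id, otp = split_credential("hunter2" + sample_otp)
    print(password, public_id, modhex_to_hex(public_id))
    p = Provisioner()
    p.domain_auto["GreenRADIUS.com"] = True
    print(p.check("GreenRADIUS.com", "alice", public_id))   # provision
    print(p.check("GreenRADIUS.com", "alice", public_id))   # accept
    print(p.check("GreenRADIUS.com", "bob", public_id))     # reject: same domain
```

The check runs only after the password and the OTP have both been verified; the rejection reasons map one-to-one onto the three switches described above, which makes it easy to reason about what each checkbox permits.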

6.2.2.2 FreeRADIUS

Click on FreeRADIUS icon in Global Configuration tab.

Enable FreeRADIUS Logging: Enabling this option turns on debug logging in the FreeRADIUS server. The FreeRADIUS server must be restarted after enabling or disabling this option. It can be restarted using the highlighted button as shown in the screenshot below:

The FreeRADIUS log file can be viewed by clicking on System > System Logs in the left-hand menu, as highlighted in the image below:

Clicking on "View" next to the radius log link, as highlighted below, will display the log:


Please note that RADIUS debug logging should only be used for troubleshooting. Remember to turn it off once the troubleshooting session is over, as it quickly fills the disk with extensive logs, and debug output can include usernames and request details that you do not want retained on the appliance.


6.2.2.3 Validation Server

1) Set where the YubiKey OTP (provided as part of the user credentials) will be validated by selecting the appropriate option.

If "YubiCloud - Online Validation Service" is selected, OTPs are validated by sending a validation request to the YubiCloud online validation service. The YubiCloud validation servers provide redundancy and high availability for OTP validation. When selecting YubiCloud, note that YubiKeys ship with a credential already registered with YubiCloud, so they can be distributed directly to end users without any programming. For more information, please visit the link below:

https://www.yubico.com/support/documentation/

If "Local validation Server on GreenRADIUS VA" is selected, OTPs are validated using the OTP validation server installed locally on the GreenRADIUS VA.

Please note that when the "Local validation Server on GreenRADIUS VA" option is selected, the server must import the YubiKey information (YubiKey records) such as AES key, Private ID etc. before it can start validating OTPs. Please refer to section 6.2.5 (Importing YubiKeys to YKKSM database or YubiHSM) for more details on importing the YubiKey records. These records are the secrets that make the OTPs unforgeable, so the import file should be handled and disposed of accordingly.

If using another validation server elsewhere, set the Validation Server setting to the "Other" option and provide the OTP validation URL in the specified format.


2) Validation Server Client ID and API key:

The API ID/Client ID and API key must be entered for the selected validation server as explained below. The API key is the shared secret with which validation requests and responses are signed, so treat it like a password.

YubiCloud

If "YubiCloud - Online Validation Service" is selected in the previous field, enter the Client ID in the Client ID field. If a Client ID and API key for YubiCloud (the key is in base64 format) were not provided, please visit the following link to generate one:

https://upgrade.yubico.com/getapikey/

For example: if the administrator would like to use the YubiCloud with Client ID = 4233 and API key = "H9xX7BeTIbhYK3xCb/PSEeRVNvY=", which is an already registered API ID in the YubiCloud that can be used for quick setup, then he/she needs to enter 4233 in the Client ID input field and "H9xX7BeTIbhYK3xCb/PSEeRVNvY=" (without quotes) in the "API Key" field. Because this pair is published in this guide, use it only for evaluation and register your own Client ID/API key for production.

Local Validation Server

If "Local validation Server on GreenRADIUS VA" is selected in the previous field, it is not necessary to set up the Client ID. By default the Client ID is set to "1" for the local validation server. An API key still needs to be configured.

For the default (common) key enter "IXazp2MoffwFYj/pfcc+v20SMVc=" (without quotes) as the API Key.

To enable organizations to choose a custom key, the GreenRADIUS Virtual Appliance provides API key generation for the local validation server. This lets organizations use a new API key for their local validation server rather than the common one; since the common key is published, generating your own is recommended. Clicking the "Generate" button generates a new API key and populates the "API Key" field.

If the "Show API Key" checkbox is checked, the API key is displayed as text; otherwise it is displayed in masked password format (i.e. *****).

Other

If the "Other" option is selected in the previous field, the API ID/Client ID and API key pair registered on that OTP validation server must be known. Enter that Client ID and API key in the labelled fields. Refer to the installation document of the validation server for details on adding the Client ID and API key to the validation server.
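The following is an added example, not code from this guide, from Green Rocket Security or from Yubico. It shows what the Client ID and API key above are used for, following the signing scheme of the Yubico OTP validation protocol (used by YubiCloud and by the YKVAL server on the appliance): the client sorts its request parameters, joins them as name=value pairs with "&", computes HMAC-SHA1 under the base64-decoded API key, and sends the base64 signature as "h"; the server signs its reply the same way, and the client verifies that signature and checks that its own otp and nonce are echoed back before trusting status=OK. The values are the guide's local-server defaults (Client ID 1 and the common key); the server reply is constructed in the example, not captured from a real server, and the function names are illustrative.

```python
# Added example: signing a validation request and verifying the signed reply.
# Not GreenRADIUS or Yubico code; the server reply below is constructed.

import base64
import hashlib
import hmac
import secrets


def sign(params: dict, api_key_b64: str) -> str:
    """HMAC-SHA1 over 'name=value' pairs (all except 'h'), sorted by name, '&'-joined."""
    key = base64.b64decode(api_key_b64)
    message = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    digest = hmac.new(key, message.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def build_verify_request(client_id: int, api_key_b64: str, otp: str, nonce: str = "") -> dict:
    """Parameters for a verify call; a fresh random nonce ties the reply to this request."""
    params = {
        "id": str(client_id),
        "otp": otp,
        "nonce": nonce or secrets.token_hex(16),   # 32 alphanumeric characters
        "timestamp": "1",                          # ask for counter/timestamp info too
    }
    params["h"] = sign(params, api_key_b64)
    return params


def parse_response(text: str) -> dict:
    """The validation server answers with 'name=value' lines."""
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            fields[name.strip()] = value.strip()
    return fields


def verify_response(resp: dict, api_key_b64: str, request: dict):
    """Accept only a reply that is correctly signed, echoes our otp and nonce, and says OK."""
    expected = sign(resp, api_key_b64)
    if not hmac.compare_digest(expected, resp.get("h", "")):   # constant-time compare
        return False, "bad signature"
    if resp.get("otp") != request["otp"] or resp.get("nonce") != request["nonce"]:
        return False, "reply does not match request"
    if resp.get("status") != "OK":
        return False, f"status {resp.get('status', 'missing')}"
    return True, "OK"


def simulated_server_reply(request: dict, api_key_b64: str, status: str = "OK") -> str:
    """Constructed stand-in for the validation server: echoes otp/nonce and signs its reply."""
    fields = {
        "t": "2015-10-01T12:00:00Z0000",
        "otp": request["otp"],
        "nonce": request["nonce"],
        "sl": "100",
        "status": status,
    }
    fields["h"] = sign(fields, api_key_b64)
    return "\n".join(f"{k}={v}" for k, v in fields.items())


if __name__ == "__main__":
    KEY = "IXazp2MoffwFYj/pfcc+v20SMVc="                  # the guide's common local key
    OTP = "ccccccbcgdhv" + "cbdefghijklnrtuv" * 2        # constructed 44-char modhex OTP
    req = build_verify_request(1, KEY, OTP)
    reply = parse_response(simulated_server_reply(req, KEY))
    print(verify_response(reply, KEY, req))
```

Two points the code makes concrete: anyone holding the API key can forge an "OK" reply, which is why a published key is only suitable for evaluation, and the nonce check is what stops a captured OK reply from being replayed against a later request.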

6.2.2.4 Synchronization

It is possible to set up multiple GreenRADIUS Virtual Appliances (GRVA) to help avoid a single point of failure when the local on-board validation server is used. In this mode of deployment, a number of GRVA instances are configured with identical global, domain and user configurations and the same set of YubiKey secrets (AES keys) imported on all the instances. Thereafter, the following configuration parameters need to be set on each instance to enable synchronization of YubiKey assignment information (for users) and OTPs with the other GRVA instances in the group. This feature was introduced in GreenRADIUS.

Please note: when multiple instances of the GreenRADIUS Virtual Appliance are configured for synchronization, to avoid database conflicts administrators must restrict the use of the Webmin administration interface to a single GRVA instance at a time for managing users and YubiKey assignments.

1) Local Server (Secret) Configuration:

Server secret: This field takes the shared secret for the local server. This secret is used to encrypt the communication for synchronization of the username-to-YubiKey ID mapping. Each GRVA instance must be configured with the same shared secret as the other GRVA instances to allow synchronization.

The Local Server (Secret) can be comprised of any upper/lower case alphanumeric characters (A-Z and 0-9) and special characters (. ! # @ etc.). Since it protects the synchronization channel, choose a long random value rather than a memorable word.


2) Add Server: Provide the details of the other GRVA instances, i.e. the IP address and shared secret with which this GRVA instance should communicate for synchronization of OTP counters and the Username to YubiKey ID mapping.

To allow the GRVA instances to synchronize OTP counters and the Username-to-YubiKey ID mapping with each other, the Add Server section must be populated with the IP address (Server IP) and Shared Secret (Server Secret) of the other GRVA servers.

The Server Secret can be comprised of any upper/lower case alphanumeric (A-Z and 0-9) characters and special characters (. ! # @ etc.).

Please remember the following important points while setting up synchronization between two or more instances of GreenRADIUS Virtual Appliance:


a. The synchronization feature in GRVA synchronizes the OTP counters and the Username to YubiKey ID mapping information between the configured instances. Other static or seldom changed configurations need to be done manually, meaning that the same settings need to be entered in all the GRVA instances.

b. It is important to import users from the same LDAP/AD server with the same import settings, such as Filter, UserDN and BaseDN.

c. Import the same YubiKey import file into all the instances.

d. Configure the local server secret (shared encryption key) on each instance.

e. To enable synchronization between the GRVA instances, add all other GRVA instances in the ‘Add Server’ section.

For Example: If there are two instances of GreenRADIUS Virtual Appliance, defined as Instance 1 and Instance 2, follow the configuration steps below for each instance:

[Figure: optional synchronization between GreenRADIUS Instance 1 and GreenRADIUS Instance 2]

On GRVA Instance 1, define the local server secret as ‘test123’.

On GRVA Instance 2, define the local server secret as ‘test456’.

In the “Add Server” section of Instance 1, add the server address of Instance 2 and set Server Secret & Confirm Shared Secret to ‘test456’.

In the “Add Server” section of Instance 2, add the server address of Instance 1 and set Server Secret & Confirm Shared Secret to ‘test123’.

To test synchronization between both instances, enable Auto-provisioning in Global settings and for the domain, then assign a YubiKey to User14 in GreenRADIUS Instance 2.


After successful assignment, User14 should show the YubiKey as assigned.

Due to synchronization between the two instances, the same YubiKey assignment can also be seen in the other instance (as shown in the following screen):


6.2.2.5 Key Storage Module

GRVA supports the use of YK-KSM or YubiHSM to securely store the YubiKey seeds if the on-board validation server is used. This screen allows you to define the Key Storage Module to be used to store the YubiKey credentials.

1) Key Storage module: Use this option to select the YubiKey-KSM (YK-KSM) or YubiHSM module for storing YubiKey credentials.

2) If YubiHSM is selected, the key handle must be provided in either hexadecimal or decimal format. Enter the Passphrase (Master Key) that was used at the time of the initial YubiHSM configuration.

For Example: The key handle can be provided in hexadecimal format such as 0x8888 or in decimal format such as 34952.

The YubiHSM creates or receives secrets and encrypts them before they are transmitted to the authentication server for storage. With this approach, an unlimited number of secrets can be transmitted, stored and authenticated without risk of being compromised. In this mode, the YubiHSM can also decrypt the OTP received from provisioned YubiKeys and validate it with a validation server, e.g. YK-VAL.

If you plan to use a YubiHSM with the GreenRADIUS Virtual Appliance, the YubiHSM device must first be physically connected and then configured.

Please note that if a YubiHSM is used, the GreenRADIUS Virtual Appliance requires the YubiHSM to be configured in HSM mode.


Note: Settings made in the “Global configuration” affect all the domains.

6.2.3 Importing users to the domain

If upgrading from a previous version of GreenRADIUS, note that there have been significant changes to the user import function. Users are now organized under OUs/Groups. To view an imported user, first click on the OU/Group the user belongs to; all users in that OU/Group will then be displayed. Due to the new way of viewing users, importing users will take longer than before. Please refer to “Appendix 4: Importing Users from Active Directory/LDAP” for more information about what is new for user import.

To import users to the domain, please follow the steps below:

1) Click on the domain name as shown in the image below:

2) Click on the Users Import tab, as highlighted in the image below, to fetch the users from the AD/OpenLDAP server:


GreenRADIUS has simplified the basic User Import functionality. Administrators who require more flexibility while importing users, or who need to configure an SSL connection to the directory, may use the advanced section. However, it is recommended to use the simplified interface for the initial GreenRADIUS setup, and then proceed to the advanced section if additional configuration is required (such as setting up an SSL connection).

3) To set up GreenRADIUS, the following information will need to be provided:

a) Directory Type: The Directory type may be set to either ‘Active Directory’ or ‘OpenLDAP’; set the Directory type to the directory type the users will be imported from.

b) LDAP/AD Server Address or Host Name: Enter the IP Address/Fully Qualified Domain Name of the Active Directory/OpenLDAP server.

c) Admin User: Enter the User DN for binding with the Active Directory/OpenLDAP server, i.e. the administrator DN GreenRADIUS should use to authenticate with the AD/LDAP server when importing users. For Example: “cn=administrator, cn=users, dc=example, dc=com”. Most commonly this is an administrator or privileged account.

d) Password: Enter the password for the administrator/privileged account to be used when importing users from the Directory.

e) Advance: The ‘Advance’ button will display the advanced configuration UI. The advanced configuration UI includes tools to customize GreenRADIUS further, such as using a secure connection (LDAPS), applying filters while importing users from the directory, and the like.

f) Save: The Save button will save the entered settings for this page.

g) Import Users: The Import Users button will save the currently entered settings for this page and attempt to connect to the LDAP/AD server to import the users.

By clicking on the ‘Advance’ button, administrators can provide more parameters to import the users with more flexibility as required.

4) Please provide the following information:

a) Use Secure Connection?: Select ‘Yes’ to use LDAPS (encrypted secure connection) or ‘No’ to use regular unencrypted LDAP to connect to the directory server for importing and authenticating users.

b) Directory Type: Select the directory type, either ‘Active Directory’ or ‘OpenLDAP’; the Administrator must define the directory type from which the users are imported.

c) LDAP/AD Server Address or Host Name: Enter the IP Address/Fully Qualified Domain Name of the Active Directory/OpenLDAP server.


d) Backup LDAP/AD Server Address or Host Name (optional; for user authentication only): Enter the IP Address/Fully Qualified Domain Name of the backup Active Directory/OpenLDAP server. Please note that this AD/LDAP server is used only for validation purposes when the primary LDAP/AD Server is not reachable.

e) Port: Enter the port number on which the LDAP server is running. Leave this blank or set it to zero to use the default LDAP or LDAPS port, depending on the setting in step ‘a’ above.

f) LDAP Version: Select the version of the LDAP protocol to be used for importing the user information from your Directory Service.

g) Base DN: Enter the Base DN of the Active Directory/OpenLDAP server from which the users need to be fetched. The Base DN represents the starting point in the Directory (AD/LDAP) hierarchy under which the users are located. For Example: “ou=users, dc=example, dc=com”

h) User DN: Enter the User DN for binding with the Active Directory/OpenLDAP server, i.e. the administrator DN GreenRADIUS should use to authenticate with the AD/LDAP server when importing users. For Example: “cn=administrator, cn=users, dc=example, dc=com”. Most commonly this is a type of administrator or privileged account. Also see the related password below.

i) Password: Enter the password for the administrator/privileged account for use when importing users from your Directory.

j) Schedule: Select the appropriate schedule for fetching the users from the Active Directory/OpenLDAP server. Administrators can optionally schedule the automatic import of the users on an hourly, daily or weekly basis as shown in the image below:

If the “Hourly” option is selected, users will be imported once an hour. When the “Daily” option is selected, the users will be imported once every day, and when the “Weekly” option is selected, the users will be imported once a week. This is useful if you have a large number of users, with users frequently changing roles and moving from one OU to another.


k) Filter: Provide the filter value(s). For Example: In the case of an Active Directory server or OpenLDAP server, use “(objectClass=person)” to import all or specific users. Set an appropriate filter to import the users based on your needs. For more information, please see the examples provided in Appendix 4.

l) Login Name Identifier: Provide the Login Name Identifier to identify the unique attribute that should be used to authenticate users with the AD/LDAP server. (For Active Directory use “sAMAccountName” and for an OpenLDAP server use “uid”.)

The Save button will save the entered settings for this page.

The GreenRADIUS Virtual Appliance utilizes an optimized user import functionality. Thousands of users from LDAP/AD can be imported into the GreenRADIUS Virtual Appliance along with their hierarchical information in just a few minutes.

Please refer to “Appendix 4: Importing Users from Active Directory/LDAP” for more information about importing users from AD/LDAP.

The GreenRADIUS Virtual Appliance supports login names longer than 20 characters.

6.2.4 Defining User Group Hierarchy

In GreenRADIUS 3.6.0 and above, Administrators have greater control over which groups to return for each user. When returning a single group for a user, GreenRADIUS will respond with the highest priority group, as defined in the Groups tab in the Domain settings. If a group has its priority set to 0, it is never displayed for a user unless all groups are being returned.

The Groups listed in the Domain Configuration will be automatically populated upon importing users from the AD/LDAP server. By default all groups are set to 0.

Administrators can then assign a priority to each group by entering a number above 0. The higher the number assigned, the higher the priority in returning the group associated with the user. When importing new groups, their priority is automatically set to 0 and remains at that value until changed by an Administrator.

Once the priority of the groups has been assigned, click the Update button to save the priority for each group.

6.2.5 Importing YubiKeys to YKKSM database or YubiHSM

To use the locally installed OTP validation server, it is necessary to import the token (YubiKey) information, such as the AES Key, Private ID etc., for the YubiKeys into the locally installed YKKSM database or YubiHSM (depending on the selection in Global Configuration). This allows the OTPs emitted by these YubiKeys to be validated with the locally installed OTP validation server.

Use the “YubiKeys Import” tab to import the YubiKey related information into the YKKSM database/YubiHSM.


YubiKey secrets can be directly imported from log files generated by the Original Windows Personalization Tool or the Cross-platform Personalization Tool. Select the appropriate option depending on the source of your file.

A sample entry in the comma separated text file (generated by the Original Windows Personalization Tool) is as follows:

1,djecuclbjfjh,ebe845d88fa6,a23bf655215e0355e5ae9b08858def33,0,0,0

To upload the information, the path of the comma separated text file must be entered in the “File to upload” text box. Once the path is configured, clicking “Upload” will upload the YubiKey secrets.
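As an added example (not code from this manual or from GreenRADIUS), the following Python checks the entries of such a file before upload, using the field order of the sample line above: record number, public ID (12 modhex characters), private ID (12 hex characters) and AES key (32 hex characters). The three trailing columns are passed through uninterpreted, the modhex alphabet is the standard YubiKey one, and lines 2 to 4 of the embedded sample are constructed here to show the checks rejecting duplicate and malformed records.

```python
import csv
import io
import re

# YubiKey modhex alphabet: 'c' encodes 0x0 ... 'v' encodes 0xf.
MODHEX_ALPHABET = "cbdefghijklnrtuv"
HEX_RE = re.compile(r"^[0-9a-f]+$")

# Constructed sample file. Line 1 is the manual's own sample entry; lines
# 2-4 are constructed for this example: a duplicate public ID, a public ID
# that is not modhex, and a record with a bad public ID and a short AES key.
SAMPLE_IMPORT_FILE = """\
1,djecuclbjfjh,ebe845d88fa6,a23bf655215e0355e5ae9b08858def33,0,0,0
2,djecuclbjfjh,ebe845d88fa6,a23bf655215e0355e5ae9b08858def33,0,0,0
3,abcdefghijkl,ebe845d88fa6,a23bf655215e0355e5ae9b08858def33,0,0,0
4,djecuclbjfjx,ebe845d88fa6,a23bf655215e0355e5ae9b08,0,0,0
"""


def is_modhex(value):
    return all(ch in MODHEX_ALPHABET for ch in value)


def modhex_to_hex(modhex):
    """Translate a modhex string (the YubiKey public ID) to plain hex, nibble by nibble."""
    return "".join("0123456789abcdef"[MODHEX_ALPHABET.index(ch)] for ch in modhex)


def validate_record(row):
    """Return a list of problems with one CSV row; an empty list means well formed."""
    problems = []
    if len(row) < 4:
        return ["expected at least 4 columns, got %d" % len(row)]
    serial, public_id, private_id, aes_key = (col.strip().lower() for col in row[:4])
    if not serial.isdigit():
        problems.append("record number %r is not numeric" % serial)
    if len(public_id) != 12 or not is_modhex(public_id):
        problems.append("public ID %r is not 12 modhex characters" % public_id)
    if len(private_id) != 12 or not HEX_RE.match(private_id):
        problems.append("private ID %r is not 12 hex characters (6 bytes)" % private_id)
    if len(aes_key) != 32 or not HEX_RE.match(aes_key):
        problems.append("AES key %r is not 32 hex characters (16 bytes)" % aes_key)
    return problems


def parse_import_file(text):
    """Parse the comma separated import file.

    Returns (records, errors): records holds a dict per well-formed, non-duplicate
    entry; errors holds (line_number, message) pairs. A public ID that appears
    twice is rejected because one public ID can map to only one secret in the KSM.
    """
    records, errors, seen = [], [], set()
    for line_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue
        problems = validate_record(row)
        if problems:
            errors.extend((line_no, p) for p in problems)
            continue
        serial, public_id, private_id, aes_key = (col.strip().lower() for col in row[:4])
        if public_id in seen:
            errors.append((line_no, "duplicate public ID %r" % public_id))
            continue
        seen.add(public_id)
        records.append({
            "serial": int(serial),
            "public_id": public_id,
            "public_id_hex": modhex_to_hex(public_id),
            "private_id": private_id,
            "aes_key": aes_key,
            "extra": row[4:],  # trailing columns, passed through uninterpreted
        })
    return records, errors
```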

6.2.6 Enabling Auto-provisioning mode for the domain

It is possible to enable/disable the Auto-provisioning mode at the domain level as well. However, note that to enable Auto-provisioning mode at the domain level, it must also be enabled in the “Global configuration” settings. If Auto-provisioning in the “Global configuration” settings is disabled, then Auto-provisioning is not available for any domain even if the Auto-provisioning option is enabled at the domain level.

The same principle applies to the “Auto-provisioning for multiple YubiKeys” option.

To enable “Auto-provisioning” and “Auto-provisioning for multiple YubiKeys”, please follow the steps given below:

1) Click on the “Configuration” tab as highlighted in the image below:

2) Enable/disable “Auto-provisioning” and “Auto-provisioning for multiple YubiKeys” as per requirements in the section highlighted in the image below, then click on “Update”.


6.2.7 Enable Gradual Deployment

GreenRADIUS 3.6.0 and later support a Gradual Deployment feature, allowing users to continue to log in with just their AD/LDAP credentials until they are assigned a YubiKey. This feature requires Auto-Provisioning to be enabled to function correctly. When Gradual Deployment is enabled in the Configuration tab for a Domain, the Users/Groups interface will have some additional features:

a) Single Factor Flag: This reflects whether a user is currently allowed to use a single factor login with just their Username/Password credentials from AD/LDAP. A green check means that the user does not need to supply a YubiKey OTP, while a red x in this column means a YubiKey OTP is required. When a YubiKey is successfully assigned to a user, this flag is automatically disabled.

b) Enable Single Factor Option: By checking one or more users and clicking this option, the Single Factor Flag for the selected users is set to on, allowing those users to log in without the need of a YubiKey OTP. This can be used in conjunction with temporary tokens to assist users who have lost or misplaced their YubiKey.

c) Disable Single Factor Option: By checking one or more users and clicking this option, the Single Factor Flag for the selected users is set to off, requiring those users to log in with a YubiKey OTP.

6.2.8 Return user’s Group Membership information in RADIUS response

The GreenRADIUS Virtual Appliance provides the functionality to return the user’s group membership information in the RADIUS response.

1) Return user’s Group Membership information in RADIUS response: Administrators can enable the functionality by setting ‘Return user’s Group Membership information in RADIUS response’ to ‘yes’. In addition, Administrators can specify the format in which the user’s group membership information is to be returned.


2) Response Format: It consists of three parts:

a) First Textbox: This defines the prefix to be attached to the user’s group membership information.

b) Group name: This consists of the user’s group membership information.

c) Second Text box: This defines the postfix to be attached to the user’s group membership information.

3) Group return information: If Group DN is selected, then the entire group DN of the user is returned in the RADIUS response. If the ‘Only Group Name’ option is selected, then only the user’s group name will be returned in the RADIUS response.

For Example: If user1 belongs to the group named ‘people’, and we define the prefix as ‘ou=’ and the postfix as ‘;’, then the user’s group membership information returned in the RADIUS response will be:

Class = ou=people;

Please note that FreeRADIUS returns the user’s group information in the Class attribute.

In GreenRADIUS 3.6.0 and above, Administrators can choose which groups to return for each user by setting the Return All Groups option:

a. Yes: Every group a user belongs to is returned.

b. No: Only the highest ranking group, as determined by the configured Domain Group Ranking, will be returned.

In GreenRADIUS 3.6.0 and above, administrators are able to rank user groups by importance, allowing users to be identified by the highest ranking group each belongs to. When importing users from an AD/LDAP server, all the groups will also be imported. GreenRADIUS Administrators can sort them by priority.
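As an added example (not GreenRADIUS code), the following Python applies the group priority rules of 6.2.4 and the Response Format and Return All Groups rules of this section to a constructed set of one user's groups, and encodes each result as a RADIUS Class attribute (type 25, RFC 2865) so that the 253-byte value limit is checked rather than silently exceeded. The tie-breaking for equal priorities and the empty result when every group is left at priority 0 are assumptions not stated in the manual.

```python
RADIUS_ATTR_CLASS = 25  # RFC 2865 attribute type number for Class
MAX_AVP_VALUE_LEN = 253  # 255-byte attribute minus the 2-byte type/length header

# Constructed sample: the groups one user belongs to, as imported from the
# directory, with the priority an Administrator assigned in the Groups tab.
# Group DNs, names and priorities are made up for this example.
USER_GROUPS = [
    {"dn": "cn=people,ou=groups,dc=example,dc=com", "name": "people", "priority": 5},
    {"dn": "cn=vpn-users,ou=groups,dc=example,dc=com", "name": "vpn-users", "priority": 9},
    {"dn": "cn=staff,ou=groups,dc=example,dc=com", "name": "staff", "priority": 0},
]


def select_groups(groups, return_all):
    """Choose which of the user's groups are returned.

    return_all=True  (Return All Groups = Yes): every group, priority 0 included.
    return_all=False (Return All Groups = No): only the highest-priority group;
    groups left at priority 0 are never returned in this mode.
    Assumptions not stated in the manual: equal priorities resolve to the
    first listed group, and nothing is returned if no group ranks above 0.
    """
    if return_all:
        return list(groups)
    ranked = [g for g in groups if g["priority"] > 0]
    if not ranked:
        return []
    return [max(ranked, key=lambda g: g["priority"])]


def format_class_values(groups, prefix, postfix, group_dn):
    """Apply the Response Format: prefix + (group DN or group name) + postfix."""
    key = "dn" if group_dn else "name"
    return ["%s%s%s" % (prefix, g[key], postfix) for g in groups]


def radius_class_attributes(groups, return_all, prefix, postfix, group_dn):
    """Selection rules followed by formatting: the Class value(s) for the response."""
    return format_class_values(select_groups(groups, return_all), prefix, postfix, group_dn)


def encode_class_avp(value):
    """Encode one Class value as a RADIUS attribute: type byte, length byte, value.

    A long group DN plus prefix and postfix can exceed what a single attribute
    carries, so the length is checked instead of truncating the value.
    """
    data = value.encode("utf-8")
    if len(data) > MAX_AVP_VALUE_LEN:
        raise ValueError("Class value is %d bytes; the attribute limit is %d"
                         % (len(data), MAX_AVP_VALUE_LEN))
    return bytes([RADIUS_ATTR_CLASS, len(data) + 2]) + data
```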


6.2.9 Adding RADIUS clients to the Domain

The RADIUS client’s IP address and a shared secret must be added in the FreeRADIUS server so that the FreeRADIUS server accepts incoming RADIUS requests from the RADIUS client. To add the RADIUS client, please follow the steps given below:

1) Click on the “Configuration” tab as shown in the image below:

2) Provide the IP address of the Client and the Secret (encryption key) in the section highlighted in the image below and click on the “Add” button.

The GreenRADIUS Virtual Appliance supports configuration for network clients on a subnet only by configuring all clients on that subnet.

For Example: You can set the Client IP address as 192.168.1.0/24, which makes the GRVA accept requests from any terminal having an IP address from 192.168.1.0 to 192.168.1.255.

The GRVA is now ready for testing and evaluation.


7 Testing the configuration

To test RADIUS two-factor authentication with a YubiKey, YubiKey OTP validation, and the availability of a machine, users can visit the Troubleshoot tab.

7.1 RadTest:

To test RADIUS two-factor authentication with a YubiKey, use the “RadTest” utility in the section highlighted in the image below:


Examples:

We configured a GreenRADIUS Virtual Appliance as described above in this document. We added the “GreenRADIUS.com” domain and imported a couple of users from Active Directory. For demonstration purposes, we are using the “User1” user as highlighted in the image below:

The user is not assigned any YubiKey yet. We have enabled the Auto-provisioning option at the “Global configuration” level as well as at the domain level. We are using the online Green Rocket Security OTP validation server for testing.

Note that if you have created only one domain in the GRVA server, there is no need to add the domain name after the username at the time of authentication. In this example, if the username is User14, then at the time of authentication you need to provide just User14 as the username instead of [email protected]. However, with multiple domains, the domain name will need to be added after the username at the time of authentication.

The username is case-insensitive. The YubiKey OTP can be provided in all upper or lower case letters. The Password is case-sensitive and supports all upper & lower case alphanumeric (A-Z and 0-9) characters and special characters.

Please refer to the test examples below:

1) We tested the configuration using the “RadTest” utility as shown below:

We provided the correct password for the User14 user and the OTP from a YubiKey which was not yet assigned to anyone and whose OTP could be validated with the online Green Rocket Security OTP validation server.


We received the response “Successful!” from the RADIUS server since the username + Password + YubiKey OTP were validated successfully.

A username to YubiKey Public ID mapping was created as highlighted in the image below:

2) We executed the RadTest utility one more time, this time entering the same credentials along with the same OTP that was provided in the test above:

This time we received the response “Failed!” because the OTP had already been used.


7.2 Validate OTP:

To test the validation of a YubiKey OTP with the validation server defined in Global Configuration, use the “Validate OTP” utility in the section highlighted in the image below:

Please note that if the YubiKey is configured to add an Enter keystroke at the end of the OTP (the default programming), type the OTP into Notepad or a similar text editor first and then cut and paste it into the YubiKey OTP field.

The following example describes YubiKey OTP validation with the online YubiCloud service.


7.3 Ping:

The Ping utility is another test tool, used for checking the availability (network connectivity) of a machine or service.

The following image displays the ping functionality.


Here we are trying to check the availability of www.greenrocketsecurity.com.


8 Users and Token Management

Using the GreenRADIUS Virtual Appliance interface, it is possible to enable/disable the YubiKey associated with (assigned to) a user, unassign a YubiKey from a user, or delete a user from the GreenRADIUS database. These functions are explained in detail in the following sections:

8.1 Enable Token

The “Enable Token” button allows an Administrator to re-enable a YubiKey assigned to a user from the disabled state. Doing so will allow the YubiKey to be used for authentication again. To do so, first select the user from the “Users” tab and click on the “Enable Token” button. The YubiKey ID to username association will be enabled again and the YubiKey may be used once more by the user.

The Token status changes to enabled (tick mark sign) as highlighted below:


8.2 Disable Token

The “Disable Token” button allows an Administrator to disable a YubiKey assigned to a user from the enabled state. Doing so will prevent the YubiKey from being used for authentication. Select the user from the “Users” tab and click on the “Disable Token” button. The YubiKey ID to username association will be disabled and the user will not be able to use the YubiKey.

The Token status changes to disabled (cross sign) as highlighted below:

8.3 Unassign Token

The “Unassign Token” button allows an Administrator to unassign a YubiKey assigned to a user. Doing so will prevent the YubiKey from being used for authentication.


Select the user from the “Users” tab and click on the “Unassign Token” button. The YubiKey Public ID to username association will be deleted and the user will not be able to use the YubiKey.

The YubiKey gets unassigned as highlighted below:

8.4 Delete User

The “Delete” button allows an Administrator to delete a user from the GreenRADIUS Virtual Appliance.

To delete a user from the GreenRADIUS Virtual Appliance, click on the “Delete User” button. The user will be deleted only from the GreenRADIUS Virtual Appliance and not from the Active Directory or LDAP. Further, all the YubiKey ID to username associations for that user will be deleted and those YubiKeys will no longer be usable for authentication.


The user gets deleted as highlighted below:

Please note that if a user is deleted from the AD/LDAP, that user is not automatically removed from the GreenRADIUS Virtual Appliance’s domain. An Administrator has to manually delete that particular user from the GreenRADIUS Virtual Appliance’s domain.

If a user is renamed in the LDAP/AD, the new name is applied in the GreenRADIUS Virtual Appliance domain at the next user import.

8.5 Display Users/Group Hierarchy:

By default the GreenRADIUS Virtual Appliance displays all the users without organizing them into groups and sub-groups.


‘All Users’ button: By clicking the ‘All Users’ button, GreenRADIUS displays a list of all the users in the LDAP/AD, irrespective of their group hierarchy. After being clicked, the button toggles to the ‘Group Hierarchy’ button.

‘Group Hierarchy’ button: By clicking the ‘Group Hierarchy’ button, GreenRADIUS displays the users in their hierarchical group structure, using Groups and Sub-Groups imported from LDAP/AD.

8.6 Assign Temporary Token:

If a user has forgotten to bring their YubiKey, an Administrator can assign the user a temporary token, which will allow the user to authenticate without the use of a YubiKey for a specific number of authentications set by the administrator.


To assign a temporary token, an administrator can select the user and click on ‘Temporary token settings’ as highlighted in the above screenshot.

1) Enable Temporary Token: Select ‘yes’ to assign a temporary token.

2) Temporary Token: The temporary token can be manually entered as a fixed 8 character string, or randomly generated by clicking the Generate button.

3) Temporary Token Expires After: You can specify the expiry date for the temporary token. For example: If you specify the expiry date as ’21 March 2012’, then the user can use the temporary token from now through ’21 March 2012’ 11:59 P.M. (midnight). Any attempts to log in with the temporary token after this will be rejected by the server. Once the temporary token has expired, the user must use his/her assigned YubiKey for successful authentication.

4) If you specify an expiry date in the past, an error message will be shown asking you to “Please specify todays date or a future date”.

5) Maximum Authentication Allowed: This field is used to set the number of times the user is allowed to use the temporary token. This field value decreases after each successful validation of the user with a ‘Temporary Token’.

Once an Administrator has assigned a ‘Temporary Token’ to the user, the ‘Temporary Token Status’ column displays the enabled (green checkmark) status as shown in the screenshot below for user1:


The ‘Temporary Token Status’ is disabled automatically in the following cases:

a. On expiry of the configured ‘Temporary Token’ date.

b. When ‘Maximum Authentication Allowed’ reaches ‘0’ (zero).

c. When the user enters a valid YubiKey OTP in a validation request.

d. When the user enters an OTP from a new (unassigned) YubiKey in a validation request and auto-provisioning is enabled (at both the global and the domain level).

Please note (as described above) that the temporary token functionality will be automatically disabled once the user uses their valid YubiKey for the first time or uses their YubiKey again (if forgotten). The temporary token also supports all upper/lower case alphanumeric (A-Z and 0-9) characters and special characters.
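As an added example (not the appliance's own code), the following Python models the temporary token rules of this section: an expiry date that stays valid through 11:59 P.M., a Maximum Authentication Allowed count that decreases on each successful use and disables the token at zero, rejection of past expiry dates, and automatic disabling once a valid YubiKey OTP is accepted. The Generate alphabet, the constant-time comparison, and the explicit ISO-format `today`/`now` parameters are assumptions made for the example.

```python
import secrets
import string
from datetime import date, datetime, time, timedelta

# Assumed alphabet for the Generate button: alphanumeric plus a few of the
# special characters the manual lists. The manual fixes the length at 8.
TOKEN_ALPHABET = string.ascii_letters + string.digits + ".!#@"
TOKEN_LENGTH = 8


def generate_temporary_token():
    """Random 8-character token, standing in for the Generate button."""
    return "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(TOKEN_LENGTH))


class TemporaryToken:
    """Temporary token state for one user.

    Dates are ISO strings ('2012-03-21') and instants are ISO strings
    ('2012-03-20 12:00'), passed in explicitly so the rules can be exercised
    without depending on the real clock.
    """

    def __init__(self, token, expires_on, max_auth_allowed, today):
        expiry = date.fromisoformat(expires_on)
        if expiry < date.fromisoformat(today):
            # Same rule as the UI, which rejects expiry dates in the past.
            raise ValueError("Please specify todays date or a future date")
        if len(token) != TOKEN_LENGTH:
            raise ValueError("temporary token must be exactly %d characters" % TOKEN_LENGTH)
        self.token = token
        # Usable through 11:59 P.M. on the expiry date, so the cutoff is the
        # first instant of the following day.
        self.expiry_cutoff = datetime.combine(expiry + timedelta(days=1), time.min)
        self.remaining = max_auth_allowed  # Maximum Authentication Allowed
        self.enabled = True

    def status(self, now):
        """Temporary Token Status (True = green checkmark, False = disabled)."""
        if self.remaining <= 0 or datetime.fromisoformat(now) >= self.expiry_cutoff:
            self.enabled = False
        return self.enabled

    def authenticate(self, presented, now):
        """Validate a login that presents the temporary token instead of a YubiKey OTP."""
        if not self.status(now):
            return False
        if not secrets.compare_digest(presented.encode("utf-8"), self.token.encode("utf-8")):
            return False
        self.remaining -= 1  # the count decreases after each successful validation
        self.status(now)  # disables the token once the count reaches 0
        return True

    def yubikey_accepted(self):
        """A valid YubiKey OTP (assigned, or newly auto-provisioned) was accepted
        for this user, so the temporary token is disabled automatically."""
        self.enabled = False
```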


9 Reports

The GreenRADIUS Virtual Appliance can also generate reports. The reporting feature is available under the “Reports” tab and provides On-Demand Reports.

9.1 On-Demand Report

You can generate the following two types of On-Demand reports:

9.1.1 Token Assignment

The Token Assignment report will show the username to YubiKey assignments depending on the filter chosen. The report is generated in CSV format, which can be downloaded.

There are three filters available: All, Enabled and Disabled. The “All” filter will have the report show all the username to YubiKey ID mappings. The “Enabled” filter will have the report show only the currently enabled username to YubiKey ID mappings. The “Disabled” filter will have the report show only the currently disabled username to YubiKey ID mappings.

Also, for the “Token Assignment” On-Demand report, additional filters can select the particular date range for which to generate the reports.

9.1.2 Authentication Request

The Authentication Request report will show the result of the total authentication requests handled by the GreenRADIUS Virtual Appliance, depending on the filter chosen. The report is generated in CSV format, which can be downloaded.

There are three filters available: All, Success and Failed. The “All” filter will have the report show all the authentication requests handled by the virtual appliance, irrespective of whether they were successful or failed. The “Success” filter will have the report show only the successful authentication requests. The “Failed” filter will have the report show only the failed authentication requests.


For the “Authentication Request” On-Demand report, additional filters can select the particular date and time range for which to generate the reports.

All the reports will be saved in the “/usr/share/webmin/Green Rocket Security-RoP/reports” directory. Reports can be managed from this directory.

9.2 Sample report

For demonstration purposes, we will show how to generate an Authentication Request report using the “All” filter.

To generate the report, follow the steps below:

1) In the “Reports” tab, select Type as “Authentication Requests” and Options as “All” for “On-Demand Report”. Select the Time Range as From 1st Jan 2012 00:00 to 20th March 2012 00:00, as highlighted in the image below:

Click on the “Generate” button; the report will be generated and a message saying “Report generated successfully” is displayed. Click on ‘View’ under Action to view the report. Note that the message text will appear on the screen as highlighted in the image below.

2) Click on the “click here” link or the “View” button to view the report. A new tab will be opened automatically in your browser and the report will be generated in the following format:


3) You can also delete a generated report: select the report and click on the “Delete Selected” button.


10 List Tokens Tab

The “List Tokens” tab displays all the YubiKeys imported in the database along with their corresponding assigned usernames, including the domain name.

The List Tokens tab is designed to help administrators keep track of the YubiKeys that are imported into the database, as well as which are assigned to users and which are unassigned, so that an administrator can easily determine which YubiKeys are available to be assigned to new users.

The GreenRADIUS Virtual Appliance provides a built-in UI to the AEADs that are generated using the YubiHSM device and displays the YubiKeys imported using the YubiHSM device.

If an administrator configures the “Key Storage Module” as “YubiKey-KSM” in the “Global Configuration” tab, then only YubiKeys imported into the database are displayed in the “List Tokens” tab, with the corresponding username of the user.

Similarly, if an administrator configures the “Key Storage Module” as “YubiHSM”, then only YubiKeys imported using the YubiHSM are displayed in the “List Tokens” tab (irrespective of the selected key handle), with the corresponding username of the user.

The Administrator can search the imported YubiKey assignment and status details by searching for the Token ID or username.

Administrators can directly assign a YubiKey to a user by clicking on the ‘Assign a Token to User’ menu.

Please note that the List Tokens tab is available only with the local validation server and is disabled for the online (YubiCloud) validation service.


11 Appendix 1: Security Considerations

For security reasons, we strongly recommend changing the default passwords before setting up GreenRADIUS Virtual Appliance in your environment. At the very least, we recommend changing the passwords before taking GreenRADIUS into production.

GreenRADIUS Virtual Appliance is built on the standard Ubuntu 14.04.3 LTS operating system. Available OS patches were applied at the time of creation of the GRVA.

GreenRADIUS Virtual Appliance tries to limit automatically started services to only those needed for GreenRADIUS authentication. We highly recommend that users review and adjust the system configuration and security settings according to applicable corporate security policies and best practices.


12 Appendix 2: Using LDAPS

The GreenRADIUS Virtual Appliance supports LDAPS so that it can connect securely to directory servers for importing and authenticating users.

To use LDAPS, first set the “Use Secure Connection” option to ‘Yes’. Set the Port to ‘636’, the default port for LDAPS.

Ensure the other details are set as per your LDAPS configuration.

Setting the Port field to blank or zero will result in the GRVA using the default port for LDAP (389) or LDAPS (636), depending on whether “Use Secure Connection” is set to No or Yes.

12.1 Setting LDAPS for GreenRADIUS Virtual Appliance:

Administrators must add the CA certificate from the AD/LDAP server.

When the GRVA is configured to use LDAPS, it validates the directory server's certificate while communicating. The CA certificate must therefore be provided to the GRVA instance and configured in the ldap.conf file.

Quick Setup Steps:

1) Obtain the CA certificate used to sign the CSR for AD/LDAP

2) Copy it to /etc/ssl/certs on the GreenRADIUS host

3) Add the following lines to /etc/ldap/ldap.conf:

   # Define location of CA Cert
   TLS_CACERT /etc/ssl/certs/cacert.pem
   TLS_CACERTDIR /etc/ssl/certs
   #--end--


4) Enter the host name in the “user import” screen of GreenRADIUS instead of the IP address (make sure the host entry is present in the DNS server or in the /etc/hosts file)
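The following Python helpers are an added example and are not code from the GreenRADIUS guide or from Green Rocket Security. They carry out the offline parts of the quick setup steps above (checking that the CA file is PEM rather than a DER export, adding the TLS_CACERT and TLS_CACERTDIR directives to ldap.conf only if they are not already defined, and applying the blank-or-zero port rule) and then verify the directory server's certificate chain and host name the same way a TLS client does, which is why step 4 asks for the host name rather than the IP address. All file paths, the ldap.example.com host name and the placeholder PEM file are assumptions made for the example.

```python
"""Added example, not code from the GreenRADIUS guide: helpers for the
Appendix 2 LDAPS setup.  All paths and host names are assumptions."""
import os
import socket
import ssl
import tempfile


def is_pem_certificate(path):
    """True when the file holds at least one PEM certificate block.  A DER
    (.cer) export, a frequent cause of LDAPS failures, does not pass."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return False
    return (b"-----BEGIN CERTIFICATE-----" in data
            and b"-----END CERTIFICATE-----" in data)


def ensure_ldap_conf(conf_path, cacert_path, cacert_dir):
    """Append the two TLS directives from step 3 unless ldap.conf already
    defines them, so re-running the step never duplicates them.
    Returns the directives that were written (empty if nothing changed)."""
    lines = []
    if os.path.exists(conf_path):
        with open(conf_path, encoding="utf-8") as fh:
            lines = fh.read().splitlines()
    defined = {ln.split()[0].upper() for ln in lines
               if ln.strip() and not ln.lstrip().startswith("#")}
    wanted = [("TLS_CACERT", cacert_path), ("TLS_CACERTDIR", cacert_dir)]
    added = ["%s %s" % (key, val) for key, val in wanted if key not in defined]
    if added:
        with open(conf_path, "a", encoding="utf-8") as fh:
            fh.write("\n# Define location of CA Cert\n" + "\n".join(added) + "\n#--end--\n")
    return added


def effective_port(port_field, use_secure_connection):
    """The rule from Appendix 2: a blank or zero Port field means the protocol
    default, 636 for LDAPS and 389 for plain LDAP."""
    field = (port_field or "").strip()
    if field in ("", "0"):
        return 636 if use_secure_connection else 389
    return int(field)


def check_ldaps(host, cafile, port=636, timeout=5.0):
    """Open a TLS connection to host:port and verify the server certificate
    against the CA file with host name checking on.  The name used here must
    match the certificate, so use the directory server's host name, not its
    IP address.  Needs network access; returns (ok, reason)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
        return True, "verified chain for %s" % subject.get("commonName", host)
    except ssl.SSLCertVerificationError as exc:
        return False, "certificate verification failed: %s" % exc
    except (OSError, ssl.SSLError) as exc:
        return False, "connection failed: %s" % exc


def demo():
    """Run the offline checks against a throw-away ldap.conf and a constructed
    PEM-looking placeholder (not a real CA certificate); returns the results."""
    work = tempfile.mkdtemp()
    conf = os.path.join(work, "ldap.conf")
    with open(conf, "w", encoding="utf-8") as fh:
        fh.write("BASE dc=example,dc=com\nURI ldaps://ldap.example.com\n")
    fake_pem = os.path.join(work, "cacert.pem")
    with open(fake_pem, "w", encoding="utf-8") as fh:  # constructed placeholder
        fh.write("-----BEGIN CERTIFICATE-----\nPLACEHOLDER-NOT-A-REAL-CERTIFICATE\n"
                 "-----END CERTIFICATE-----\n")
    return {
        "pem_ok": is_pem_certificate(fake_pem),
        "first_run": ensure_ldap_conf(conf, "/etc/ssl/certs/cacert.pem", "/etc/ssl/certs"),
        "second_run": ensure_ldap_conf(conf, "/etc/ssl/certs/cacert.pem", "/etc/ssl/certs"),
        "ports": (effective_port("", True), effective_port("0", False),
                  effective_port("3269", True)),
    }


if __name__ == "__main__":
    print(demo())
    # Live check against the real directory server once the CA is in place:
    # print(check_ldaps("ldap.example.com", "/etc/ssl/certs/cacert.pem"))
```

Running check_ldaps against the directory host before saving the GreenRADIUS configuration separates the two failure modes that both show up as "cannot connect" in the UI: a chain that the CA file does not sign, and a certificate whose name does not match the host name entered in the user import screen.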


13 Appendix 3: Importing Users from Active Directory/OpenLDAP

13.1 Importing Users from Active Directory:

The organization in this example uses Active Directory (AD) to organize users. They have offices around the country, with one AD domain for all locations. Each office has its users organized in one or more Organizational Units (OUs). Initially (during a testing period), only a few users from each office will be given the privilege to log in remotely using YubiKey two-factor authentication.

We are assuming that the Active Directory domain is configured at IP address 192.168.1.48 in the domain GreenRADIUS.com, hence the Base DN is “DC=GreenRADIUS,DC=com”.

We want to import the users managed by the user ‘Administrator’, hence the User DN is “CN=Administrator,CN=Users,DC=GreenRADIUS,DC=com”.

We put the password of the AD Administrator account in the password field and set the filter as “(ObjectClass=person)” and the Login Name Identifier as “sAMAccountName”.

A sample configuration for Active Directory is shown in the image below:

Importing Users from OpenLDAP server on the GRVA instance:

For quick evaluation and testing, the GreenRADIUS Virtual Appliance comes preconfigured with an OpenLDAP server with 1 administrator and 5 users defined in an Organizational Unit. The user names are user1 to user5, and all users have the same password, “Green Rocket Security”.

The domain preconfigured for the OpenLDAP server is “example.com”, hence the Base DN is “DC=example,DC=com”.


We want to import all the users managed by the admin user, hence the User DN is “CN=admin,DC=example,DC=com”.

We put the LDAP admin user account password (Green Rocket Security) in the password field, the filter as “(ObjectClass=person)” and the Login Name Identifier as “uid”.

A sample configuration for OpenLDAP is shown in the image below:

Save the configuration by clicking the ‘Save’ button and then click the “Import Users” button to import the users. After successful communication with the OpenLDAP server, a message will be displayed indicating that the users have been imported successfully.

The users and groups will be displayed in the “Users/Groups” tab according to their hierarchy in the Active Directory, as shown in the image below:


In the above image, all the groups are displayed. If you click on a group, you can see the users belonging to that group.

For example: if you click on ‘Domain Users’, all the users belonging to the group ‘Domain Users’ will be displayed on the screen, as shown in the image below.

When importing users from LDAP, the “Users/Groups” tab shows the users and OUs according to their hierarchy in the LDAP directory.

For example: after importing the users from LDAP, as shown in the screen below, we have OUs (like groups and people) as well as users present directly inside the domain (like EXUser1).


If you click on ‘people’, all the users and OUs present in the OU ‘people’ are displayed. Here we get the ‘admin_users’ OU along with all the users that belong to the OU ‘people’.

If you click on the OU ‘admin_users’, you will get all the users and OUs belonging to the OU ‘admin_users’, and so on.

The special group “All Users” displays a list of all users in the LDAP or AD.

Sometimes it is easier to just view all users without worrying about which OU or group they are a member of. GreenRADIUS therefore automatically creates a special single group called ‘All Users’ that displays all the users present in the LDAP/AD.

When you click on ‘All Users’, all the users present in AD/LDAP are displayed in alphabetical order.

After importing the users along with their hierarchical information from LDAP/AD, any group which does not contain any (imported) users is not displayed in the Users/Groups tab.

13.2 Importing users with a specific group membership:

GreenRADIUS can be set up to import users from different OUs that have a specific group membership. The directory administrator can set up a new group in AD called “testing”. The group “testing” can then be added to the AD import filter criteria, so that only users in the “testing” group will be imported. See below for the steps to set it up:


1) We are assuming that the Active Directory domain is GreenRADIUS.com and that all the users who need to use YubiKeys have been made members of the group called “testing”. The complete distinguished name (DN) of the “testing” group is “CN=testing,CN=Users,DC=GreenRADIUS,DC=com”.

2) In order to import only the users belonging to this group, “testing” under OU “Users”, you need to provide the Filter in the “Users Import” field as follows:

   “memberOf=CN=testing,OU=Users,DC=GreenRADIUS,DC=com”

3) The rest of the parameters remain the same.

13.3 Importing users from multiple groups:

1) It is possible to import users belonging to multiple groups. See the example below.

2) In the domain GreenRADIUS.com you need to import the users belonging to the two groups “testing” and “marketing”.

3) The complete DN of the testing group is “CN=testing,CN=Users,DC=GreenRADIUS,DC=com”.

4) The complete DN of the marketing group is “CN=marketing,OU=test,DC=GreenRADIUS,DC=com”.

5) In order to import only the users belonging to either of these two groups, you need to apply the Filter in the “Users Import” field as follows:

   (|(memberOf=CN=testing,CN=Users,DC=GreenRADIUS,DC=com)(memberOf=CN=marketing,OU=test,DC=GreenRADIUS,DC=com))

6) The rest of the parameters remain the same.
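The Python block below is an added example, not code from the GreenRADIUS guide or the product: a small evaluator for the kind of LDAP search filter entered in the “Users Import” field in sections 13.1 to 13.3, run over a constructed set of directory entries so that the effect of a filter can be checked offline before a real import. It implements only what those filters use (equality, the “*” presence test, and the &, | and ! operators) and writes every filter in the standard parenthesised form. The evaluator compares the memberOf value with the group DN exactly as stored in the directory (case-insensitively, as LDAP does), so the DN in the filter must be the group's real DN; the example uses the CN=Users form given in step 1 of 13.2. Running the | filter next to an & filter also shows the difference between "member of either group" and "member of both groups". The user names, DNs and entries are made up for the example.

```python
"""Added example, not code from the GreenRADIUS guide: a minimal evaluator
for “Users Import” LDAP filters over constructed directory entries."""
from fnmatch import fnmatchcase


def parse_filter(text):
    """Parse an RFC 4515-style filter string into a nested tuple tree:
    ('=', attr, value), ('&' or '|', [subfilters]) or ('!', subfilter)."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("unexpected text after filter: %r" % text[pos:])
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    if s[i] in "&|":
        op, i, subs = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            sub, i = _parse(s, i)
            subs.append(sub)
        if not subs:
            raise ValueError("%s needs at least one subfilter" % op)
        return (op, subs), _close(s, i)
    if s[i] == "!":
        sub, i = _parse(s, i + 1)
        return ("!", sub), _close(s, i)
    # Simple equality item.  The first '=' separates attribute from value, so a
    # DN value such as CN=testing,CN=Users,... keeps its own '=' characters.
    eq = s.find("=", i)
    close = s.find(")", i)
    if eq < 0 or close < 0 or eq > close:
        raise ValueError("malformed item at offset %d" % i)
    return ("=", s[i:eq].strip(), s[eq + 1:close]), close + 1


def _close(s, i):
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return i + 1


def _norm(value):
    """Case-insensitive comparison with whitespace around DN commas ignored,
    an approximation of LDAP's distinguishedNameMatch / caseIgnoreMatch."""
    return ",".join(part.strip() for part in value.split(",")).lower()


def matches(node, entry):
    """True if the entry (dict of lower-case attribute name to list of string
    values) satisfies the parsed filter."""
    kind = node[0]
    if kind == "=":
        _, attr, value = node
        values = entry.get(attr.lower(), [])
        if value == "*":
            return bool(values)
        return any(fnmatchcase(_norm(v), _norm(value)) for v in values)
    if kind == "&":
        return all(matches(sub, entry) for sub in node[1])
    if kind == "|":
        return any(matches(sub, entry) for sub in node[1])
    return not matches(node[1], entry)


TESTING = "CN=testing,CN=Users,DC=GreenRADIUS,DC=com"
MARKETING = "CN=marketing,OU=test,DC=GreenRADIUS,DC=com"
DOMAIN_USERS = "CN=Domain Users,CN=Users,DC=GreenRADIUS,DC=com"

# Constructed sample directory: four people with different group memberships
# and one computer object that the (ObjectClass=person) filter must exclude.
DIRECTORY = [
    {"objectclass": ["top", "person", "user"], "samaccountname": ["alice"],
     "memberof": [TESTING, DOMAIN_USERS]},
    {"objectclass": ["top", "person", "user"], "samaccountname": ["bob"],
     "memberof": [MARKETING]},
    {"objectclass": ["top", "person", "user"], "samaccountname": ["carol"],
     "memberof": [TESTING, MARKETING, DOMAIN_USERS]},
    {"objectclass": ["top", "person", "user"], "samaccountname": ["dave"],
     "memberof": [DOMAIN_USERS]},
    {"objectclass": ["top", "computer"], "samaccountname": ["PRINTER01$"],
     "memberof": []},
]


def import_users(filter_text, login_attr="sAMAccountName", directory=DIRECTORY):
    """Return the sorted login names the filter would import, read from the
    attribute configured as the Login Name Identifier."""
    node = parse_filter(filter_text)
    return sorted(e[login_attr.lower()][0] for e in directory if matches(node, e))


if __name__ == "__main__":
    for flt in ("(ObjectClass=person)",
                "(memberOf=%s)" % TESTING,
                "(|(memberOf=%s)(memberOf=%s))" % (TESTING, MARKETING),
                "(&(memberOf=%s)(memberOf=%s))" % (TESTING, MARKETING)):
        print(flt, "->", import_users(flt))
```

Because GreenRADIUS only creates accounts for entries the filter returns, a filter that is too broad (for example one that also matches computer objects) silently enlarges the set of identities that can be assigned a YubiKey, while a DN typo in a memberOf clause imports nobody; checking the filter against a known sample like this before the import makes both mistakes visible.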

If a username is changed in AD/LDAP, then after importing the users again the new username is assigned to the respective uid, and all the YubiKey credentials are assigned to the new username.


14 Appendix 4: Web API

The YubiKey provides a secure additional authentication factor to web services and various other applications. The GreenRADIUS Validation Protocol is a Web API from the GreenRADIUS Virtual Appliance that can be used for implementing strong two-factor authentication using an existing enterprise directory. The Web API leverages existing GreenRADIUS capabilities to provide strong two-factor authentication.

The Web API verifies the username + password + OTP as per the configuration defined in the GreenRADIUS Virtual Appliance. The Web API validates the OTP first. After successful validation of the OTP, it verifies the username and password with LDAP or AD, and then it checks the mapping between the registered token and the provided OTP.

Please refer to GreenRADIUS_Web_API.pdf for more information about the Web API.


15 Appendix 5: GreenRADIUS Virtual Appliance Port Information

Sr. No   Protocol                              Port
1.       LDAP                                  389
2.       LDAPS                                 636
3.       Webmin                                443
4.       Validation Request to the YubiHSM     8002
5.       freeradius                            1812
6.       Web-API                               80
7.       ykval                                 80
8.       ykropval                              80
9.       Ykmap-sync                            80
10.      Ykval-sync                            80


16 Appendix 6: Restricting Access to Webmin

As a best practice for additional security, Green Rocket Security recommends updating the Webmin configuration to restrict access to the Webmin Console to specific whitelisted IP addresses or the local LAN only.

The steps to set this configuration are described below:

1. In the Webmin Console, navigate to the Webmin Configuration -> IP Access Control page and select the option “Only allow from listed addresses”.

   i. To restrict access to specific IP addresses, enter the list of IP addresses

   ii. To allow access from any address on the local network (LAN) only, click the option “Include local network in list”

2. Save the configuration changes

For additional information, refer to the images below.
