RADIUS authentication is a centralized authentication, authorization, and accounting management for users who connect and use a network service. Users authenticate with their two-factor tokens, and systems authenticate via a shared private key.


RADIUS Information

The Token Authentication service via RADIUS is divided into four servers, two at ML and two at NWSC. Of the two at each site, one is just a proxy provided so that external hosts can use the service, and the second is an actual authentication server. While client hosts can make requests of any of the four servers that are reachable to them for a user logon, most individual users can only be authenticated if the particular server they are homed to is up and functioning. This is due to the fact that tokens have state that is kept on the home server. There is no good way to replicate state information in real time between sites, therefore RADIUS is not a replicated service. However, users using Duo for authentication are homed to both sites. This is possible because the vendor resides in the cloud.

Generally, Boulder-based staff and visitors are homed at ML, while NWSC-based staff and collaborating remote (university) users who primarily have tokens to access supercomputing resources at NWSC, are homed at NWSC (there are a few exceptions, such as some Boulder staff that primarily work on NWSC-based systems).  So if we lose one site due to a power down or other outage, there will be some users who will be unable to authenticate because they are homed at the downed site. Again, as stated above this is not true for users using Duo.

RADIUS Service-Level Agreement (SLA)


RADIUS Servers

Name ServerIP AddressTypeLocation
radius.ucar.edu128.117.64.179InternalML
radius.nwsc.ucar.edu128.117.177.5InternalNWSC
xradius.ucar.edu192.43.244.190External ProxyML
xradiusn.nwsc.ucar.edu128.117.182.8External ProxyNWSC



Host Configuration

System configurations are mostly specific to CentOS, but other Linux flavors are similar. In order to authenticate, you need a couple things.


Staff need a two-factor token. This can be their cell phone, personal phone, office phone or something issued to them (Yubikey) via Duo and provided by CISL. Please see the Authentication and Security page for further information on tokens and obtaining them.

Currently on Linux systems staff/users who opted for Duo as their UCAS token will first authenticate against Active Directory using their CIT password and then they will use Duo. Currently Yubikey users only have to use a pin and then touch the Yubikey to authenticate.


Every system/server you want to utilize UCAS token auth needs the RADIUS module installed and needs to be configured to use it. Configuration includes creating the file /etc/raddb/server in /etc/raddb containing the RADIUS server:port, secret key and timeout value set to 59.

[root@host.ucar.edu ~]# cat /etc/raddb/server
radius.ucar.edu:1812 <secret_key> 59

The raddb directory and server file should have read permissions for root only. Nothing open to the world and it is not necessary for any group permissions to be set. Secret keys are requested via help tickets to cislhelp@ucar.edu. The secret will be emailed to you via encrypted email. The secret keys are IP specific so dynamic hosts will not work. When configuring the server file, currently each client is only authenticating against one of the four RADIUS servers. When making requests for secret keys, please indicate if the server is hosted in Boulder or Cheyenne and if it is on an internal or external network.


Compiling the pam_radius module and placing it in /lib64/security (or /lib/security on 32bit systems).

PAM Module Source Code

UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
PermitRootLogin no



Modifying /etc/pam.d/* files to include the PAM module along with your other authentication types.

Suggested config:

INTERNAL HOSTS:
auth required /lib64/security/pam_radius_auth.so debug  prompt=TokenResponse:
 
EXTERNAL HOSTS:
auth required /lib64/security/pam_radius_auth.so debug  realm=TOKEN prompt=TokenResponse: