Friday 15 July 2011

Yubikey Radius on Premise V3 setup guide

Yubico have just released version 3 of their excellent Radius on premise virtual appliance for authenticating users with a Yubikey as a dual factor authentication.  It now supports multiple Yubico validation servers so is more resilient, has better user management and logging as well as being available in OVF format which should make importing into virtual environments less VMWare specific.

This is a quick guide to how I got it working for my (SBS2003 & Netscreen SSG 140 firewall) VPN's.

Release notes and download links for the appliance and guide can be found here:  As usual with Yubico the guides are clear and take you through the setup step by step.

I downloaded the VMWare image file, extracted and then imported into VMWare using the VMWare Convertor program available from VMWare for importing backups.  Its a very small VM - 8GB hdd, 256MB Ram and 1 virtual CPU.  Imported to VMWare in 3 minutes.

When run the appliance gets an IP address via DHCP so I set this to static by logging on to the console of the VM (user yubikey, pass yubico) then opening a terminal and editing the /etc/network/interfaces file (root default password is also yubico).  Rebooted the machine and logged in from my desktop to the web interface, changed default passwords, logged in again to check.  I tried changing the IP from within Webmin at first but it did not seem to save correctly.

Now it is time to start setting up the Yubikey magic.  There is a seperate Webmin module for Yubikey under the System heading.  Enter your (authentication) domain name and click add.  Under global configuration I entered my API ID and key (generate yours here: You can also enable auto provisioning (so the first time a Yubikey is used its permanently assigned to that users account.  I don;t like doing this as when I import users I get the whole domain where I really only need a handful of people to be able to connect remotely.  If you only have a few users or want all of your users to be able to connect its a very nice feature to have.

Back on the domain tab I clicked on my domain name then users import.  This is where I had trouble when I set up the previous version of ROP as unless you use it a lot the LDAP syntax can be a bit confusing.
Host: IP address of domain controller
Port: should be 389
LDAP: change to version 3
BaseDN: Where are your users stored in active directory?  Mine looks like this: "OU=SBSUsers,OU=users,OU=MyBusiness,DC=mydomain,DC=com"
UserDN: User with access to connect to active directory (your user account?)  Mine looks like this: "CN=My Name,OU=local,OU=SBSUsers,OU=users,OU=MyBusiness,DC=mydomain,DC=com" - all users in this folder and all subfolders will be imported.
Password: password of the user account specified above
Schedule I left blank (one time import so it will not auto update usernames)
Filter: "(objectClass=person)" - only pull through user accounts
Notes: I left blank
Login Name Identifier: "sAMAccountName"

Hit "Import Users" and you should get a message reporting success.  Go back to the users tab and you should have a long list of peoples accounts from Active Directory.  From here you can manually add a yubikey to users accounts.

Next I need to tell the ROP server to accept queries from my firewall.  This is done on the configuration tab for the domain and just needs the firewalls IP address and shared secret.  One very nice new feature of ROP3 is the RadTest tab which lets you test an account is working.  Getting failures on the firewall can be a pain because its not always obvious where the issue lies - this lets you eliminate the ROP side of things easily and quickly as if it works here it must be the firewall with issues.  However there is one point that is important:   IN ORDER TO USE THE BUILT IN RadTest TAB YOU FIRST HAVE TO ADD THE LOCAL IP TO THE LIST OF ALLOWED CLIENTS UNDER THE DOMAIN->CONFIGURATION TAB!  I lost some hair trying to work out why it was not working - I assumed that the new feature to test if things were working would be allowed through by default.  My bad - very obvious mistake of mine with hindsight!  If the RadTest seems to do nothing keep waiting - its not too obvious it is doing something if it is hitting a timeout.

Once tested you should be able to point your systems at its IP address (Radius port 1812, accounting port 1813) and start authenticating your domain users with Yubikeys.  At some point I'll document how I setup the Netscreen SSG 140 side of this to give my users dual factor VPN access to my network.  If that would be handy to anyone drop me a comment and I'll move it up my list of things to post.

[UPDATE 12 March 2012: Done! Click here for my guide on setting up a dual factor VPN on Netscreen firewalls]

No comments:

Post a Comment