Configure Radius Clients
Use this window to define your RADIUS client’s IP Address, shared secret, default domain and any dictionary profile setting.
Supported RADIUS functions:
- Basic Password Authentication via the attribute "User-Password"
- Profiles that apply to all users
Unsupported RADIUS functions:
- Profiles that map to one or more users but not all of them
Note: If user profiles or accounting are required, it is recommended that an additional third party Radius server such as Funk’s Steel Belt RADIUS or Cisco’s ACS RADIUS server is used. See http://www.funk.com/ or http://www.cisco.com. Authenticating users via Steel Belt or Cisco’s Proxy Radius will pass RADIUS authentication requests to the Bomgar Verify RADIUS Server and allow you to manage accounting and user profiles within Steel Belt or Cisco ACS.
To Configure Radius Clients select the Radius Tab
NAS IP Address
This is the IP address of the RADIUS client that will be sending RADIUS authentication requests. It must be entered in the format xxx.xxx.xxx.xxx or as "default".
If "default" is used as the IP Address, all unknown Radius client IP Addresses will use these settings.
To create a new Radius client configuration select New and enter the required details. To copy an existing Radius Client, select the configuration to copy and click on Copy. To delete a Radius Client, select the Client to delete and click on Delete.
Note: If the security server has more than one network interface card, SecurEnvoy’s Radius service will start a listener on each of them.
Managed Shared Secret
This is a secret (password) that must be entered exactly the same at both the RADIUS client end and in this entry box.
If this secret is not entered the same at both ends, the Bomgar Verify Radius server will ignore the incoming network packet.
Note: Bomgar Verify supports the use of ASCII 127 characters for the shared secret; extended characters (ASCII 128), such as £ signs, are not supported. Also note that some RADIUS clients have limitations on the length of the shared secret.
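The following Python sketch is an added example, not Bomgar Verify code: it checks a candidate secret against the ASCII rule above and applies the standard RFC 2865 User-Password hiding, showing that a secret which differs at either end leaves the server with bytes that do not match what the user typed. The secrets, authenticator and password are constructed sample values.

```python
import hashlib

def check_shared_secret(secret: str) -> list:
    """Return problems with a candidate shared secret; an empty list means OK."""
    problems = []
    if not secret:
        problems.append("empty secret")
    extended = sorted({c for c in secret if ord(c) > 127})
    if extended:
        problems.append("extended characters not supported: " + " ".join(extended))
    return problems

def _pad16(data: bytes) -> bytes:
    # User-Password is null-padded to a multiple of 16 octets (minimum 16).
    return data.ljust(max(16, -(-len(data) // 16) * 16), b"\x00")

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: RFC 2865 section 5.2 hiding of User-Password."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    hidden, prev = b"", authenticator
    padded = _pad16(password)
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding with the server's own copy of the secret."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return clear.rstrip(b"\x00")

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    authenticator = bytes(range(16))       # Request Authenticator from the packet
    typed = b"CorrectHorse9!482913"        # password and passcode in one field
    wire = hide_password(typed, b"nas-secret-01", authenticator)
    print(recover_password(wire, b"nas-secret-01", authenticator))  # same secret
    print(recover_password(wire, b"nas-secret-02", authenticator))  # mismatched secret
    print(check_shared_secret("nas-secret-£1"))
```

Because the hiding depends only on the shared secret and the Request Authenticator, the secret should be long, random and unique per RADIUS client.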
Authenticate Passcode Only
If this check box is selected then only the 6 digit passcode will be authenticated. This option should only be used if the Radius client has already authenticated a password or PIN and only requires the second factor to be checked by this server.
Passcode prompt is on a separate dialogue box
This setting will instruct the Bomgar Verify Radius server to use challenge response for all authentications. The user will then log in with UserID and PIN/Password, after which they will be challenged for the passcode, irrespective of the mode in operation – Pre Load OTP, Daycode, TMP code.
Note: This option will only work if “Real time passcodes” are enabled within the section 4 Configuration.
If the UserID does not include a domain name then the selected domain name will be used. Alternatively you can select “search”; Bomgar Verify will then process each valid configured domain until a match is found for the UserID. This works well in environments that have network equipment that removes the domain portion of the UPN or domain NetBIOS logon.
Note: Selecting “Search” as the default domain MUST only be used for up to 5 domains as each domain may take up to 2 seconds to reply. The UserID must be unique across all domains being searched.
Allow These Domains
If this is set then users can only authenticate to the selected domain name(s). This is ideal for managed service providers that do not wish customers from one domain to cross over to other customer domains.
Only Allow Users that are in the LDAP group
Bomgar Verify can only authenticate users if they are a member of a specific LDAP group.
Click the “Change Group” button to select the desired group from the available LDAP domain groups.
Settings allow for a single selected LDAP group or any LDAP group membership.
Override Customer name in SMS message
Enter the text that you wish to supply within the passcode message. Leave blank for default message.
Passback data to Radius client in Attribute
Configure single sign-on and group membership via RADIUS attribute 25 (Default port); please see your network vendor documentation for use of this RADIUS attribute.
- No information passed back
- Password is passed back
- LDAP group members are passed back, this can be the FQDN or the short NetBIOS naming convention.
- User UPN can be passed back, this allows user to application mapping.
Declare trusted networks that do not require a 2FA logon experience, as space-separated IPs (Example: 10.* 22.214.171.124). The NAS must send the IP address in attribute 31.
Declare blocked networks that are not allowed to authenticate against the Bomgar Verify RADIUS server; this could be due to a brute force attack or DoS attack against RADIUS. Any request from these networks is dropped and not processed. Enter space-separated IPs (Example: 10.* 126.96.36.199). The NAS must send the IP address in attribute 31.
Attributes (Not displayed by default)
To Display Attribute setting, select Config from the menu and Check "Radius Attributes" in the Admin GUI section.
The RADIUS standard uses lists of agreed settings called dictionaries; Bomgar Verify is installed with a list of the main dictionaries. This can be viewed by selecting the link radius.dct.
The main file is RADIUS.dct. Also included are most manufacturers published extensions.
See the following examples for details of how to enter Attributes.
There are a number of options that can be used. From the traditional response of a:
- IP Address
To a completely dynamic read of DATA in any LDAP attribute. Support is included for:
- LDAP String
- LDAP IP Address
- LDAP Number
Trusted Group (no 2FA required)
Version 1.1 now has the ability to trust AD groups per Radius Client. This means that members of the selected AD group will not require 2FA when authenticating to a Radius Client with trusted groups enabled.
Trusted Groups also supports nested groups, but selecting nested groups may reduce performance. The Trusted Groups option is not available in the Radius tab by default. To enable this option, ensure that “Authenticate passcode only” is ticked and click on Update.
If Oneswipe Push is enabled, then the Radius Client timeout should be set to 29 seconds.
To add a Trusted Group click on Change Group, search for the required group by entering the first few characters of the AD group’s name and then select it.
If required, AD groups can also be deleted from Trusted Groups by selecting them and clicking on the Delete Group button.
Example 1
You wish to add the standard Attribute “Framed-Protocol” and set it to “PPP”.
For 32 bit installations:
Open the file Program Files\Bomgar\Security Server\Data\RADIUS\DICT\RADIUS.dct
For 64 bit installations:
Open the file Program Files (x86)\Bomgar\Security Server\Data\RADIUS\DICT\RADIUS.dct
Locate the line that contains Framed-Protocol. This line defines the Number (7) and Type (number).
Below this line are the values that can be set; PPP has a VALUE of 1.
In the GUI admin window enter the following:
At the column Number enter 7. Ignore the column VendorID.
At the column Type select Number.
At the column Value enter 1.
Example 2
You wish to add a Cisco vendor Attribute “3076-26” to define an IP address and Netmask per user. In addition, you need to provide a string for additional authorisation parameters.
Select the RADIUS profile you wish to edit.
At the column Number enter 8 (IP Address), enter 3076-26 in Column VendorID.
At the column Type select LDAP IP Address.
At the column Value enter the LDAP attribute that contains this information. In this example LDAP attribute “company” was used.
Complete this task for the netmask setting:
At the column Number enter 9 (IP Address), enter 3076-26 in Column VendorID.
At the column Type select LDAP IP Address.
At the column Value enter the LDAP attribute that contains this information. In this example LDAP attribute “department” was used.
Finally, add the “string” settings:
At the column Number enter 25 (string), leave Column VendorID blank.
At the column Type select LDAP string.
At the column Value enter the LDAP attribute that contains this information. In this example LDAP attribute “PostalCode” was used.
The RADIUS response shows what is returned to the Cisco device. These settings are all user specific.
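As an added illustration (not part of the product or its documentation), the Python below encodes the Framed-Protocol row and the three LDAP-driven rows above into RADIUS attribute bytes as defined by RFC 2865, which is useful when comparing the GUI settings against a packet capture. It assumes that “3076-26” means vendor ID 3076 carried inside attribute 26 (Vendor-Specific); the LDAP values are constructed.

```python
import ipaddress
import struct

VENDOR_SPECIFIC = 26  # RFC 2865 attribute type that wraps vendor extensions

def encode_value(kind: str, value) -> bytes:
    """Encode one value using the RFC 2865 data type behind the GUI's Type column."""
    if kind == "number":
        return struct.pack("!I", int(value))         # 32-bit big-endian integer
    if kind == "ip address":
        return ipaddress.IPv4Address(value).packed   # 4 octets
    if kind == "string":
        return str(value).encode("utf-8")
    raise ValueError(f"unknown type {kind!r}")

def encode_row(number, vendor_col, gui_type, value, ldap_user) -> bytes:
    """Encode one GUI row (Number, VendorID, Type, Value) as a RADIUS attribute."""
    kind = gui_type.lower()
    if kind.startswith("ldap "):
        # For LDAP types the Value column names the LDAP attribute to read.
        kind, value = kind[5:], ldap_user[value]
    data = encode_value(kind, value)
    if vendor_col:
        # Assumption: "3076-26" means vendor ID 3076 inside attribute 26.
        vendor_id = int(vendor_col.split("-")[0])
        body = struct.pack("!IBB", vendor_id, number, len(data) + 2) + data
        attr_type = VENDOR_SPECIFIC
    else:
        body, attr_type = data, number
    if len(body) + 2 > 255:
        raise ValueError("attribute exceeds the 255-octet limit")
    return struct.pack("!BB", attr_type, len(body) + 2) + body

# Constructed LDAP entry: attribute names follow the page, values are made up.
SAMPLE_USER = {"company": "192.0.2.10", "department": "255.255.255.0",
               "PostalCode": "OU=Sales"}
ROWS = [
    (7, "", "Number", 1),                             # Framed-Protocol = PPP
    (8, "3076-26", "LDAP IP Address", "company"),     # per-user IP address
    (9, "3076-26", "LDAP IP Address", "department"),  # per-user netmask
    (25, "", "LDAP string", "PostalCode"),            # authorisation string
]

def build_reply_attributes(rows=ROWS, user=SAMPLE_USER) -> bytes:
    """Concatenate the encoded rows in the order they are configured."""
    return b"".join(encode_row(*row, user) for row in rows)

if __name__ == "__main__":
    print(build_reply_attributes().hex(" "))
```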
Example 3 Configuration of Routing and Remote Access - RRAS
Windows 2003 server SP1 - IPSec VPN
1. Install Routing and remote access service if not already installed
2. Launch Routing and remote access MMC, select server and click “configure and enable Routing and remote access”
3. Follow wizard and setup for VPN access, set up for IPSec VPN. Start RRAS service
4. Select the server within RRAS MMC, go to properties
5. Select Security, select Radius for Authentication provider, select configure. Populate with Radius information. Timeout should be at least 10 seconds.
6. Select Authentication methods, deselect all, and only enable PAP protocol.
7. Restart RRAS service.
Client Windows XP SP2
1. Create new network connection wizard, select VPN
2. Go to properties, select Security tab, select Advanced, and go to settings.
3. Change Data encryption to “Optional encryption”, and only select PAP for protocols.
4. Enter Pre shared key for IPSec settings.
Configuration of Bomgar Verify
To help facilitate an easy to use environment, Bomgar Verify can utilise the existing Microsoft password as the PIN. This allows the users to only remember their Domain password. Bomgar Verify supplies the second factor of authentication, a dynamic one time passcode (OTP) which is sent to the user’s mobile phone.
Launch the Bomgar Verify admin interface, by executing the Local Security Server Administration link on the Bomgar Verify Security Server.
Click “Config”. Select “Windows – Microsoft Password is the PIN” under PIN Management.
This will now use the user’s existing password as the PIN. Click “Update” to confirm the changes.
Click the “Radius” Button
Enter IP address and Shared secret for each Server that has Routing and Remote Access installed and wishes to use Bomgar Verify Two-Factor authentication.
Click “Update” to confirm settings.
Click “Logout” when finished. This will log out of the Administrative session.
Enter the UserID in the Username field.
Enter password and passcode in the password field.