2FA VPN – Radius

Configure the VPN concentrator to authorize users against Radius server. Test it and if everything works as it should add Notakey in between to provide second factor.

Create an VPN application in the Notakey authentication server if you don’t have it done already. More …

Copy access ID , you will need it later.

On-premise version setup

You have to configure built in auth-proxy service. Here you can find reference to all possible configuration settings: Authentication Proxy

Point your concentrator to NAA instead of Radius server.

repare configuration json, change “vpn_access_id” (Application access ID in the Notakey appliance dashboard, see picture above) and “vpn_radius_address” (Your real Radius server IP).

{
"vpn_port_in": "1812",
"vpn_port_out": "1812",
"vpn_radius_address": "10.0.1.23",
"vpn_secret_in": "secret_from_concentrator",
"vpn_secret_out": "secret_to_radius_server",
"vpn_access_id": "c468f008-485b-b11c-aad9672fbae1",
"vpn_message_ttl": "30",
"message_title": ""Proceed with login to VPN as {0}? 😎"",
"message_description": ""Allow {0} login?""
}

Feed configuration keys with command:

ntk cfg set :ap '{
"vpn_port_in": "1812",
"vpn_port_out": "1812",
"vpn_radius_address": "10.0.1.23",
"vpn_secret_in": "secret_from_concentrator",
"vpn_secret_out": "secret_to_radius_server",
"vpn_access_id": "c468f008-485b-b11c-aad9672fbae1",
"vpn_message_ttl": "30",
"message_title": ""Proceed with login to VPN as {0}? 😎"",
"message_description": ""Allow {0} login?""
}' --json-input

and restart auth-proxy:

ntk ap restart

We are using “:” before the ap key, so this setup is stored globally in the cluster. If you have many VM you just need to restart ap service on each of them.

User name should be the same in the Notakay appliance and in the Radius

Cloud version setup

You have to use dockerized auth-proxy service in your local network as a proxy to the radius server. Communication in between auth-proxy and Notakey appliance is encrypted and safe to be used outside LAN. Example:

docker run --name auth-proxy \
-e NOTAKEY_HOST="https://2fa.your_company.com/api" \
-e NOTAKEY_ACCESS_ID="c468f008-485b-b11c-aad9672fbae1" \
-p 1812:1812/udp \
-e LISTEN_ADDRESS=0.0.0.0 \
-e ADDRESS_SECRET_IN=0.0.0.0:secret_in \
-e DOWNSTREAM_ADDRESS=10.0.1.23 \
-e SECRET_OUT=secret_out \
notakey/authproxy:latest

You can configure more than one concentrator with different secrets by adding more -e ADDRESS_SECRET_IN=0.0.0.0:secret_in variables.

Leave a Comment