The Radius plugin is based on a modified freeradius container.
The default configuration, if no env parameters are provided, is:
- SECRET =
Notakey - PASSWORD =
notakey21
It means that all users with the given password will be accepted by the Radius server and there is no need to configure them separately. The main authentication happens on the user’s smartphone. The smartphone onboarding process remains the same: you can define users in the NAA or you can use an external db, like LDAP or Active Directory, or combined.
Plugin configuration:
# Define image to load for this plugin
$ ntk cfg setc :plugins.radius.image "notakey/radius-all:latest"
Additionally you can define these environment values:
- SECRET: value you have to define in Authentication Proxy as
vpn_secret_out - PASSWORD: global password
- U_PASSW: default is true; if set to false then the global password will be disabled
- USERn: n>0, you can define USER1, USER2 etc.; for those users PASSW1, PASSW2 should be defined as well
- PASSWn: n>0, password for added users. The global password, even if enabled, will not work for manually added users.
Example of how to manually add two users:
# You can add as many users as you want, username should be the same as
# onboarded in the NAA. Onboarding password is different from this. You can
# leave it as is if you want to use here any username with psw "notakey21"
$ ntk cfg setc :plugins.radius.env.USER1 "John"
$ ntk cfg setc :plugins.radius.env.PASSW1 "Doe12"
$ ntk cfg setc :plugins.radius.env.USER2 "Bob"
$ ntk cfg setc :plugins.radius.env.PASSW2 "graCe3"
How to start the plugin:
# First you have to download the image
$ ntk plugins update
==> Updating plugin radius
image: notakey/radius-all:latest pull finished
# Now you can start it
$ ntk plugins start
==> Validating plugin radius configuration
Checking software image...
required: notakey/radius-all:latest
==> Starting plugin radius instance
image: notakey/radius-all:latest
started fedf2243c5bf
If the plugin launches successfully, add configuration to the authentication proxy:
# Authentication proxy will recognize Radius server by container's name
$ ntk cfg set :ap.vpn_radius_address "radius"
# Set your secret (Default is Notakey. In and out secret should be the same)
$ ntk cfg set :ap.vpn_secret_out "Notakey"
$ ntk cfg set :ap.vpn_secret_in "Notakey"
# Set Application Access ID as seen on Dashboard Application settings page
$ ntk cfg set :ap.vpn_access_id "c468f008-485b-b11c-aad9672fbae1"
Configure the authentication proxy for incoming requests and you are all set. See the appliance documentation and the step-by-step guide VPN 2FA with RADIUS.