RadSec Clients & Proxied RADIUS Clients

This user guide provides step-by-step instructions for setting up RadSec clients and Proxied RADIUS clients in MetaDefender IT Access (MDITA).

"RadSec Clients" enables you to configure secure communication between RADIUS clients (e.g. switches, wireless controllers, or APs) that support RadSec protocol, and the MDITA RADIUS server.

"Proxied RADIUS Clients" allows you to configure communications between RADIUS clients that don't support RadSec protocol, and a "proxy" can relay RADIUS messages to the MDITA RADIUS server securely using RadSec.

This user guide covers two main workflows:

1. Creating MDITA-side configuration for clients that support the RadSec protocol
2. Creating MDITA-side configuration for clients that do not support the RadSec protocol

Create RadSec Clients

RadSec Clients are devices or systems that connect to a RadSec Proxy for secure communication with a RADIUS server. There are several options and configurations required for each type of RadSec Clients.

Create RadSec Client that auto detect the RadSec Client vendor

1. Log into the MetaDefender IT Access console as an administrator

2. Navigate to Secure Access and then RADIUS NAC

3. Click on RadSec Clients tab

4. Click Add RadSec Client button

   • Provide a name for the RadSec Client
   • By default, Automatically detect the RadSec Client vendor is checked
   • Enter a Passphrase used to encrypt the private key associated with the client certificate that will be generated for this RadSec client
   • Click on Add

5. Upon successfully creation, a message popup should appears reminding user to download the associate certificate.

Create RadSec Client with a specific Vendor

1. Log into the MetaDefender IT Access console as an administrator

2. Navigate to Secure Access and then RADIUS NAC

3. Click on RadSec Clients tab

4. Click Add RadSec Client button

   • Provide a name for the RadSec Client
   • Uncheck Automatically detect the RadSec Client vendor
   • Select a specific Vendor(*)
   • Input the Passphrase
   • Click on Add

5. Upon successfully creation, a message popup should appears reminding user to download the associate certificate.(**)

(Current supported Vendors: Aruba, Cisco. For any other Vendors that does not exists in the list will be grouped under Other. For OPSWAT Proxy, this configuration is used for clients that do not support the native Radsec protocol but must go through a Radsec Proxy. No IP address is required as MetaDefender IT Access will automatically identify the clients and its vendor attribute.

Create Proxied RADIUS Clients

1. Click "Add Proxied RADIUS Client" on the "Proxied RADIUS Clients" tab.
2. Fill in a "Client Name". This can be anything you wish.
3. Select the vendor of your client from the "Vendor" drop down (e.g. Cisco). If the correct vendor isn't present, select "Other".
4. Fill in the IP address from which the proxy should expect to see RADIUS traffic from your client.

Download RadSec Clients Certificate

In this step, you will download the certificate specific to the mode chosen for the RadSec Client (Non-Behind Proxy). The certificate ensures the authenticity and encryption of the communication between the RadSec Client and the RadSec Proxy.

To download the certificate,

1. Log into the MetaDefender IT Access console as an administrator
2. Navigate to Secure Access and then RADIUS NAC
3. Click on RadSec Clients tab
4. Click on the three dots icon
5. Select Download Certificate (This option will not available if the selected item is created with Behind Proxy mode)

A sample Certificate folder should looks like:

Import RadSec Clients Certificate to RadSec Proxy

To import the Certificate to RadSec Proxy server:

1. Connect to your Proxy server
2. Locate your raddb folder, by default the path should be radsec-proxy/raddb/ Copy the downloaded files to /certs folder

An example:

.radsec-proxy  

|-raddb

  |-- certs

  |   |-- ca.pem

  |   |-- Client.crt

  |   |-- Client.csr

  |   |-- Client.key 

  |   |-- Client.p12

  |   |-- Client.pem

  |-- clients.yml

  |-- servers.yml

.radsec-proxy  

|-raddb

  |-- certs

  |   |-- ca.pem

  |   |-- Client.crt

  |   |-- Client.csr

  |   |-- Client.key 

  |   |-- Client.p12

  |   |-- Client.pem

  |-- clients.yml

  |-- servers.yml

Define the RARIUS Client information

cat raddb/clients.yml

​

# -*- text -*-

##

## clients.yml -- client configuration directives

##

#######################################################################

#

#  Define RADIUS clients (usually a NAS, Access Point, etc.).

​

#

#  Defines a RADIUS client.

#

#  '127.0.0.1' is another name for 'localhost'.  It is enabled by default,

#  to allow testing of the server after an initial installation.  If you

#  are not going to be permitting RADIUS queries from localhost, we suggest

#  that you delete, or comment out, this entry.

#

clients:

  #  Each client has a "short name" that is used to distinguish it from

  #  other clients.

  #

  localhost:

    #  host will accept IPv4

    #

    host: 172.21.0.1

    #key - a secret shared between NAS & RadSec proxy

    key: radsec

  aruba:

    host: 10.40.176.34

    key: radsec

  cisco-wireless:

    host: 10.40.176.37

    key: radsec

  cisco-wired:

    host: 10.40.176.45

    key: radsec

  unifi:

    host: 10.40.180.243

    key: radsec

3. Define the RadSec Server configuration

cat raddb/servers.yml

​

# -*- text -*-

##

## server.yml -- server configuration directives

##

#######################################################################

#

#  Define RadSec servers that radsec-proxy will forward requests to.

#

server:

  ipv4_addr: 13.215.2.253

  port: 2083

  ca_file: /etc/raddb/certs/ca.pem

  radsec_cert_file: /etc/raddb/certs/RadSec-Client-179-179.pem

  private_key_passphrase: P@ssw0rd@123456 # if does not set, you have to convert pkcs8 priv key to pkcs1 using openssl

  radsec_key_file: /etc/raddb/certs/RadSec-Client-179-179.key

  timeout_in_seconds: 30 # if does not set, default is 30

4. Bring up RadSec-Proxy

Up radsec-proxy with this command:

#RADSEC_INGRESS_HOST is public IP of the RADIUS NAC

docker run -d -v /root/radsec-proxy/raddb:/etc/raddb -p 1812-1813:1812-1813/udp public.ecr.aws/s3n8e8z8/radsec-proxy:latest

Managing RadSec Clients

1. Log into the MetaDefender IT Access console as an administrator
2. Navigate to Secure Access and then RADIUS NAC
3. Click on RadSec Clients tab
4. To edit a Client:

• Click on a specific RadSec Client
• Change to the new expected value
• Click on Save

5. To delete a Client:

• Click on three dots icon
• Click on Remove button

Connection indicator

Provides a status of network connection in real-time. If the icon is displayed in green this mean the connection between RadSec Client & RadSec Server has been established successfully. Otherwise the icon will displayed as grey, indicates that the connection is experiencing issue.

Last Connected

Indicates the last time a connection establish successfully