OTP / Radius setup

M-Pin SSO allows you to configure one or more RADIUS hosts for which One-Time Passwords (OTPs) generated by M-Pin SSO may be used to authenticate. The basic idea is that you go to e.g. http://mympinsso.com/otp and, when you log in with the PinPad, you are presented with a One-Time Password which is valid for 100 seconds by default. You can then use this password to log in to your RADIUS-configured application.


Below you will find a tutorial on how to configure an Ubuntu machine as a RADIUS host, so that a user can log into it over SSH with an OTP generated by M-Pin SSO. (In RADIUS terms the Ubuntu machine is the client, or NAS, and M-Pin SSO is the RADIUS server that answers its authentication requests; this page calls the Ubuntu machine the RADIUS host.)

Any other RADIUS client can make use of the instructions below on how to configure RADIUS on M-Pin SSO, so that your M-Pin SSO server is set up to generate OTPs for that client. To learn how to configure other RADIUS clients to communicate with your M-Pin SSO server, please refer to their own documentation.

This section gives a basic overview of authenticating to a VPN server using M-Pin SSO, where the VPN server and the SSO communicate via the RADIUS protocol.

The steps for the authentication are given below:

  1. You authenticate with the M-Pin PinPad and are given a One Time Password (OTP) valid for 100 seconds, generated by the SSO server.
  2. You then use the OTP generated from the SSO as a password, and the M-Pin identity (the email address) as a username.
  3. The VPN Server forwards the username and OTP to the SSO in a RADIUS Access-Request; the SSO verifies the OTP, answers with an Access-Accept, and the VPN Server logs you in.

The overview is shown in the VPN OTP diagram.

We will now take you through setting up a basic RADIUS host and configuring both it and your M-Pin SSO instance to communicate, so that you can use e.g. http://mympinsso/otp to generate One-Time Passwords that grant SSH access to that host.

We will be using a Linux machine with PAM RADIUS authentication.

  • Users must have the same user names in their user accounts on the Ubuntu RADIUS host and in M-Pin SSO. For example, if a user is registered on your M-Pin SSO server as john.smith@miracl.com, they must also exist as john.smith@miracl.com on your RADIUS host. This will be illustrated below.

  • UDP port 1812 must be open on the M-Pin SSO server and reachable from the RADIUS host. This is the standard RADIUS authentication port, on which M-Pin SSO listens for RADIUS authentication requests; restrict the firewall rule to the RADIUS host's address rather than opening the port to the world. This will also be illustrated below.

Go to your M-Pin SSO instance and log in as an administrator. In the M-Pin SSO admin interface, One-Time Password is controlled in two sections:

  1. OTP is turned on or off in Global Settings > RADIUS Settings:


    It is not necessary to make any adjustments here: the default settings mean that it is turned on and ready to work. You should, however, consider turning on 'Delete OTP after first use', which means that an OTP cannot be used more than once even within its expiration time (100 seconds by default). Without it, anyone who observes an OTP (over your shoulder, or by recovering it from a captured RADIUS request when the shared secret is guessable) can replay it until it expires.

  2. The RADIUS server details are configured by going to OTP > Radius Hosts and selecting 'Add Radius Hosts':


    Name: the name of your RADIUS Host profile - this can be anything, but it makes sense to name it after the RADIUS service you are connecting to (e.g. SSH)

    Host: the public host name or IP address of your RADIUS host. Note that, if using an IP address, the format is xx.xx.xx.xx -- i.e. with no 'http://' prefix.

    Secret: an arbitrary string that you assign and must enter both here (on the M-Pin SSO server) and on the RADIUS host, as will be seen below. Choose it with care: RADIUS hides the OTP in the Access-Request only by XORing it with MD5(secret || request authenticator), so anyone who captures the UDP packet and can guess the secret offline recovers the OTP while it is still valid. The examples below use 'm*ccqdsX0__l17' for illustration; in production prefer a longer random value (at least 16 characters, e.g. the output of openssl rand -base64 24).

    Append domain name (Conditional): leave this empty unless the RADIUS host employs a domain-based naming convention for User Names, i.e. it is configured to add a specific domain name to each User Name. For example, if the RADIUS host adds the domain example.com, and a user's M-Pin SSO Username is john.smith@miracl.com, then the resulting User Name in the RADIUS authentication request would be john.smith@miracl.com@example.com. In this case you must enter 'example.com' in the Append domain name field.

    LDAP Profile (Optional): if you have any LDAP profiles configured on your M-Pin SSO, select the required one from the drop-down list. For more information on configuring LDAP profiles, see Configuring LDAP.

These instructions are based on a clean install of Ubuntu 14.04.

  • Install SSH Server:
    sudo apt-get install openssh-server

  • Install the PAM RADIUS authentication module:
    sudo apt-get install libpam-radius-auth

  • Configure SSHD for RADIUS authentication by editing /etc/pam.d/sshd and adding the following line as the second line of the file (directly after the leading comment line):
    auth required pam_radius_auth.so
    Refer to the module by its bare name so that PAM loads it from its default module directory. On multiarch Ubuntu releases the package installs it under /lib/<arch-triplet>/security/ (e.g. /lib/x86_64-linux-gnu/security/), so a hard-coded /lib/security/pam_radius_auth.so path fails to load.

  • Also comment out the following line, so that pam_radius_auth is the only auth module in the stack. Because the RADIUS entry is marked 'required', leaving common-auth in place would mean a user must present both a valid OTP and their local Unix password; with it removed, the local password is never consulted for SSH logins:
    #@include common-auth

  • Edit the file /etc/pam_radius_auth.conf and under the line:
    127.0.0.1 secret 1

  • Add the line:
    IP_address(:port) shared_secret timeout
    Where IP_address is the IP address of your M-Pin SSO server (add :port only if using a RADIUS port other than the one defined in /etc/services, 1812), shared_secret is the string that matches the value entered in the M-Pin SSO admin console, as explained above, and timeout is how long, in seconds, to wait for a reply. Keep this file readable by root only (chmod 600 /etc/pam_radius_auth.conf), since it holds the shared secret in clear text. The module tries the listed servers in order, so you may also delete the placeholder 127.0.0.1 line; otherwise every login first waits on a server that is not there.
    The three lines in your file should now look something like:

    # server[:port] shared_secret      timeout (s)
    127.0.0.1       secret                1
    52.206.84.194   m*ccqdsX0__l17        3
  • It may be necessary, particularly if you are using an AWS image (which ships with password authentication disabled), to edit the SSH daemon configuration:

    sudo vi /etc/ssh/sshd_config

    Then allow password authentication, and check that UsePAM is also set to yes (the Ubuntu default): sshd only runs the PAM stack, and therefore pam_radius_auth, when it is:

    PasswordAuthentication yes

  • Restart the SSH service by running:

    sudo service ssh restart

  • Now add yourself as a user:

    sudo adduser --force-badname john.smith@miracl.com

    The --force-badname parameter is necessary because an email address does not match the username pattern that adduser normally enforces.

    Enter a Unix password when prompted (and accept the blank defaults for the other user fields). With common-auth removed from the SSH stack this password is never used for SSH logins; it only matters for local console logins or su.

That completes the setup of your RADIUS host.
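The Ubuntu-side steps above, collected into an added shell script. This is example code written for this page, not part of M-Pin SSO or its original documentation; the script name, the SSO address and the use of --disabled-password (the page sets a Unix password, which the SSH stack built here never consults) are its own assumptions. Each function takes the file it edits as an argument, so the logic can be exercised on copies before it is applied to /etc. It refers to the PAM module by bare name, drops the placeholder 127.0.0.1 entry, refuses short or single-class shared secrets and locks the secret file down to root.

```shell
#!/bin/bash
# Added example: the Ubuntu-side steps on this page as re-runnable functions.
# Not part of M-Pin SSO or of the original page. The SSO address, the user
# and the secret handling are assumptions. Each function takes the file it
# edits as an argument, so it can be tried on a copy before touching /etc.
set -eu

# Bare module name: PAM resolves it from its own module directory, which on
# multiarch Ubuntu is /lib/<arch-triplet>/security/, not /lib/security/.
PAM_MODULE_LINE='auth required pam_radius_auth.so'

# Put the RADIUS line second in a pam.d/sshd file and disable common-auth so
# the local Unix password is no longer part of the SSH stack. Idempotent.
configure_pam_sshd() {
    local f="$1"
    if ! grep -qF 'pam_radius_auth.so' "$f"; then
        awk -v line="$PAM_MODULE_LINE" 'NR == 1 { print; print line; next } { print }' \
            "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    fi
    sed 's/^\(@include common-auth\)/#\1/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Print "ok" when the RADIUS line is line 2 and common-auth is inactive.
verify_pam_sshd() {
    local f="$1"
    [ "$(sed -n '2p' "$f")" = "$PAM_MODULE_LINE" ] || { echo "radius line is not line 2"; return 1; }
    if grep -qE '^[[:space:]]*@include common-auth' "$f"; then
        echo "common-auth is still active"; return 1
    fi
    echo ok
}

# 24 random bytes, base64-encoded: a 32-character shared secret.
gen_secret() { head -c 24 /dev/urandom | base64 | tr -d '\n'; }

# The secret is the only thing hiding the OTP inside a RADIUS Access-Request,
# so reject anything short or single-class that could be guessed offline.
check_secret() {
    local s="$1" classes=0
    [ "${#s}" -ge 16 ] || { echo "secret too short: ${#s} chars, want >= 16" >&2; return 1; }
    case "$s" in *[a-z]*) classes=$((classes + 1)) ;; esac
    case "$s" in *[A-Z]*) classes=$((classes + 1)) ;; esac
    case "$s" in *[0-9]*) classes=$((classes + 1)) ;; esac
    case "$s" in *[!A-Za-z0-9]*) classes=$((classes + 1)) ;; esac
    [ "$classes" -ge 2 ] || { echo "secret needs at least two character classes" >&2; return 1; }
}

# Append "server secret timeout" to a pam_radius_auth.conf-style file, drop the
# package's 127.0.0.1 placeholder (every login would otherwise wait on it first)
# and make the file root-only, since the secret is stored in clear text.
add_radius_server() {
    local f="$1" server="$2" secret="$3" timeout="${4:-3}"
    check_secret "$secret"
    awk '!($1 == "127.0.0.1" && $2 == "secret")' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    if ! awk -v s="$server" '$1 == s { found = 1 } END { exit !found }' "$f"; then
        printf '%s\t%s\t%s\n' "$server" "$secret" "$timeout" >> "$f"
    fi
    chmod 600 "$f"
}

# sshd only runs the PAM stack (and so pam_radius_auth) with UsePAM on, and
# only asks for a password with PasswordAuthentication on; AWS images ship
# with the latter off. Rewrites an existing (even commented) directive or appends.
enable_pam_password_auth() {
    local f="$1" key
    for key in PasswordAuthentication UsePAM; do
        if grep -qE "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$f"; then
            sed "s/^[[:space:]]*#\{0,1\}[[:space:]]*$key[[:space:]].*/$key yes/" "$f" > "$f.tmp" \
                && mv "$f.tmp" "$f"
        else
            echo "$key yes" >> "$f"
        fi
    done
}

# Usage (as root on the Ubuntu host): ./mpin-radius-client.sh apply <sso-ip> <mpin-identity>
if [ "${1:-}" = "apply" ]; then
    SSO_IP="$2"; OTP_USER="$3"; SECRET="$(gen_secret)"
    apt-get install -y openssh-server libpam-radius-auth
    configure_pam_sshd /etc/pam.d/sshd
    add_radius_server /etc/pam_radius_auth.conf "$SSO_IP" "$SECRET" 3
    enable_pam_password_auth /etc/ssh/sshd_config
    service ssh restart
    # Account name must equal the M-Pin identity; no local password is set
    # because the SSH stack configured above never consults one.
    adduser --force-badname --disabled-password --gecos '' "$OTP_USER"
    echo "Enter this shared secret under OTP > Radius Hosts on the SSO: $SECRET"
fi
```

Before trying SSH, the RADIUS leg can be exercised on its own with radtest from the freeradius-utils package (radtest john.smith@miracl.com <otp> <sso-ip> 0 <secret>, using a freshly generated OTP). An Access-Accept there but a failed SSH login points at the PAM or sshd configuration rather than at the SSO or the firewall.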

To enable the M-Pin SSO server and the RADIUS host to communicate it is necessary to allow UDP port 1812 between them, restricted to each other's IP address rather than open to the world.

So, on AWS, you would add an inbound rule to the SSO server's security group allowing UDP port 1812 from 52.xxx.xx.xx, where 52.xxx.xx.xx is the IP address of the RADIUS host.

And, on the RADIUS host, you would add an inbound rule allowing UDP port 1812 from 53.xxx.xx.xx, where 53.xxx.xx.xx is the IP address of the SSO server. (AWS security groups are stateful, so the SSO's reply to a request the host sent is permitted automatically; a stateless filter such as a network ACL would need to admit the reply from the SSO address explicitly.)

Log out of your RADIUS host and attempt to SSH back in as the user you have just added:

ssh john.smith@miracl.com@xx.xx.xx.xx

When prompted, enter the Unix password you created with the adduser command. Authentication should be denied: the only auth module left in /etc/pam.d/sshd is pam_radius_auth, which forwards whatever you type to M-Pin SSO, and the SSO accepts only a current OTP. (If the Unix password is accepted, the pam_radius_auth line was not added and common-auth is still active; check /var/log/auth.log for what sshd and PAM reported.)

To actually log in, obtain your One-Time Password by going to http://mympinsso.com/otp in your browser, then register and log in with the PinPad. You will be given an OTP, which you enter at the ssh password prompt within its validity period (100 seconds by default) to gain access to the RADIUS host.