KB Article #180793

RADIUS Authentication plugin for SecureTransport - installation and configuration

This article provides guidance and an example of a basic setup for the RADIUS Authentication plugin for SecureTransport.

Table of contents

  1. Introduction
  2. Installation
  3. Configuration
  4. Test the setup
  5. Known issues and Limitations



Introduction

The RADIUS Authentication plugin enables SecureTransport (ST) to support Basic Authentication against a RADIUS server source for user and administrator accounts. The plugin can be deployed on either ST Edge or BackEnd Server. It is not included in the core ST product and can be downloaded from the Axway Marketplace free of charge.


Installation

Download

The RADIUS Authentication plugin can be downloaded from the Axway Marketplace from this link.


Prerequisites

Before proceeding further, check the Prerequisites section of the README.md file, which is available in the plugin zip archive.


Remove previous deployments (if any)

Make sure that there are no files or folders left from previous versions of the RADIUS Authentication plugin. To do so, check the <FILEDRIVEHOME>/plugins/authentication/ folder and remove everything related to the previous version of this plugin (if any exists). Refer to the README.md for a complete list of files and folders.


Unzip the package

Extract the zip archive with the RADIUS Authentication plugin axway-securetransport-plugins-authentication-radius*.zip into <FILEDRIVEHOME>/plugins/authentication/.


Add a logger

You need to add a dedicated Transaction Manager (TM) logger for the newly deployed RADIUS Authentication plugin, so that events related to the Connector are available in the Server Log. Follow the steps below.


Take a backup copy of the <FILEDRIVEHOME>/conf/tm-log4j.xml file;


Open the <FILEDRIVEHOME>/conf/tm-log4j.xml file for editing;


Add the following loggers at the beginning of the loggers section of the file, with the desired logging level:


<logger name="com.axway.st.plugins.authentication" additivity="false">
    <level value="info" />
    <appender-ref ref="ServerLog" />
</logger>
<logger name="org.tinyradius" additivity="false">
    <level value="info" />
    <appender-ref ref="ServerLog" />
</logger>


To enable debug logging, set the level value to debug. However, change the value with caution. It is recommended to switch to levels other than INFO only temporarily, e.g. during troubleshooting sessions.


Save the file
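To confirm the edit before restarting, the check below parses tm-log4j.xml and reports whether both loggers are present at the recommended level. It is an added example, not part of the plugin or its README; the function name and the embedded sample file are constructed, and it assumes the file is well-formed log4j 1.x XML as in the snippet above.

```python
import sys
import xml.etree.ElementTree as ET

# Logger names taken from the article's snippet.
REQUIRED = ("com.axway.st.plugins.authentication", "org.tinyradius")

def check_radius_loggers(xml_text):
    """Return a list of findings; an empty list means both loggers match the article."""
    root = ET.fromstring(xml_text)
    loggers = {el.get("name"): el for el in root.iter("logger")}
    findings = []
    for name in REQUIRED:
        el = loggers.get(name)
        if el is None:
            findings.append(f"{name}: logger missing")
            continue
        level = el.find("level")
        value = (level.get("value", "") if level is not None else "").lower()
        if value != "info":
            # The article recommends levels other than INFO only temporarily.
            findings.append(f"{name}: level is '{value or 'unset'}', not info")
        if "ServerLog" not in [r.get("ref") for r in el.findall("appender-ref")]:
            findings.append(f"{name}: no appender-ref to ServerLog")
        if el.get("additivity") != "false":
            findings.append(f"{name}: additivity is not false")
    return findings

# Constructed sample: one logger left at debug, the other one forgotten.
SAMPLE = """<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="ServerLog" class="example.ConstructedAppender"/>
  <logger name="com.axway.st.plugins.authentication" additivity="false">
    <level value="debug" />
    <appender-ref ref="ServerLog" />
  </logger>
  <root><level value="info" /></root>
</log4j:configuration>"""

if __name__ == "__main__":
    # Pass the path to <FILEDRIVEHOME>/conf/tm-log4j.xml, or run without
    # arguments to check the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for finding in check_radius_loggers(text) or ["both loggers configured as in the article"]:
        print(finding)
```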


Restart ST's services

<FILEDRIVEHOME>/bin/stop_all


<FILEDRIVEHOME>/bin/start_all


Verify the installation

Go to the Admin UI → Operations → Server Configuration page and search for the Plugins.Authentication.Admin.Registry and Plugins.Authentication.EndUser.Registry configuration options.


Enable the RADIUS Authentication plugin

Important: Before enabling the external authentication plugin, make sure its sources are configured and that there is at least one ST administrator account with local credentials that does not exist in the external authentication sources.


Administrator accounts

To enable the plugin and authenticate ST administrator accounts, set the value of the Server Configuration parameter Plugins.Authentication.Admin.Registry to radius-authentication.


User accounts

To enable the plugin and authenticate ST end user accounts, set the value of the Server Configuration parameter Plugins.Authentication.EndUser.Registry to radius-authentication.



Configuration

To configure the RADIUS Authentication plugin, set the following options with appropriate values on the Server Configuration page.


All of the below values should be provided by the RADIUS Administrator.


Primary RADIUS server options

Plugins.Authentication.radius-authentication.primaryHostName: Primary RADIUS server IP or FQDN.


Plugins.Authentication.radius-authentication.primaryPort: Primary RADIUS server port.


Plugins.Authentication.radius-authentication.primaryProtocol: Primary RADIUS server authentication protocol; pap or chap are supported.


Plugins.Authentication.radius-authentication.primarySharedSecret: Primary RADIUS server shared secret, exchanged between the RADIUS server and SecureTransport.



Example of all primary RADIUS server configuration parameters


Secondary RADIUS server options

If you have more than one RADIUS server (a fall-back server, for example), you can configure SecureTransport with a secondary RADIUS server for redundancy. Authentication is redirected to the secondary server when the primary RADIUS server is not available.


Plugins.Authentication.radius-authentication.secondaryHostName: Secondary RADIUS server IP or FQDN.


Plugins.Authentication.radius-authentication.secondaryPort: Secondary RADIUS server port.


Plugins.Authentication.radius-authentication.secondaryProtocol: Secondary RADIUS server authentication protocol; pap or chap are supported.


Plugins.Authentication.radius-authentication.secondarySharedSecret: Secondary RADIUS server shared secret, exchanged between the RADIUS server and SecureTransport.
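What the protocol and shared secret options above mean on the wire, following RFC 2865 sections 5.2 (PAP User-Password) and 5.3 (CHAP-Password). This is an added illustration, not code from the plugin; the function names and sample values are constructed.

```python
import hashlib
import hmac

def pap_hide(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Client side (RFC 2865, 5.2): mask User-Password in 16-octet blocks."""
    if len(request_auth) != 16 or not 1 <= len(password) <= 128:
        raise ValueError("need a 16-octet authenticator and a 1..128 octet password")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()  # keyed only by the shared secret
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden

def pap_recover(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: the same shared secret removes the mask again."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Client side (RFC 2865, 5.3): one-way MD5 over id, password and challenge."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def chap_verify(chap_id: int, response: bytes, stored_password: bytes,
                challenge: bytes) -> bool:
    """Server side: recompute from the stored clear-text password and compare."""
    expected = chap_response(chap_id, stored_password, challenge)
    return hmac.compare_digest(response, expected)

# Constructed sample values, not taken from any real deployment.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
PASSWORD = b"constructed-user-password"  # 25 octets, padded to 32 for PAP

if __name__ == "__main__":
    hidden = pap_hide(PASSWORD, SECRET, REQUEST_AUTH)
    print("PAP attribute:", hidden.hex())
    print("server recovers:", pap_recover(hidden, SECRET, REQUEST_AUTH))
    resp = chap_response(1, PASSWORD, REQUEST_AUTH)
    print("CHAP accepted:", chap_verify(1, resp, PASSWORD, REQUEST_AUTH))
```

With pap, the password is protected in transit only by the shared secret, so that value should be long, random and different for each RADIUS client. With chap, the password itself is never sent, but the RADIUS server must hold it in recoverable form to recompute the response.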



Test the setup

Test the end user account authentication

Navigate to Admin UI → Accounts → User Accounts → New Account and create an end user account. Make sure that the "Password is stored locally (not in external directory)" checkbox is left unchecked.



New account configuration. Notice the unchecked "Password is stored locally (not in external directory)" checkbox.


Try to log in to ST with the new account. If the authentication is successful, you should see the below message in the Server Log:



Successful end user authentication via RADIUS


Test the administrator authentication

Navigate to Admin UI → Accounts → Administrators → New Administrator and create an administrator account. Make sure that the "Password is stored locally (not in external directory)" checkbox is left unchecked.



New administrator configuration. Notice the unchecked "Password is stored locally (not in external directory)" checkbox.


Try to log in to ST with the new administrator account. If the authentication is successful, you should see the below message in the Server Log:



Successful administrator authentication via RADIUS



Known issues and Limitations

Administrators or end users with an externally stored password cannot use ST dual authentication.