
4. How to install the WiKID Strong Authentication Server - Enterprise Edition - Page 4

How to install the Enterprise Version of WiKID's two-factor authentication server from networking to adding a user: Supported protocols and network clients.

Enabling a Protocol Module

Protocol modules enable the WiKID Strong Authentication Server to provide authentication services to various types of network clients. The server currently provides support for wAuth, RADIUS, LDAP and TACACS+; wAuth, RADIUS and LDAP are covered on this page.

The wAuth protocol is the native interface to the WiKID Strong Authentication Server. This protocol uses SSL with certificate authentication of the client, so that distributed (or local) network clients can exchange authentication data with the server over an untrusted network. The demonstration registration system (/opt/WiKID/tomcat/webapps/WiKIDAdmin/example.jsp, or https://servername/WiKIDAdmin/example.jsp) uses a Java bean (wClient) to verify user authentication information. See this document on editing this file.

Select the [Protocol Modules] header option to begin the initialization. You will see a list of protocol modules available on this server, as in Figure 16.

Figure 16 – Un-initialized Protocols

Note: The wAuth protocol is enabled automatically as no other protocol will operate without it.

Configuring RADIUS

As with the wAuth protocol, RADIUS is supported through the use of a protocol module. You must initialize and enable RADIUS for RADIUS-based devices to communicate with the WAS.

Select the RADIUS protocol to view the initialization parameters in Figure 17.

Figure 17 - Radius Configuration Screen

The required parameters for the RADIUS module are:

Host Name – A descriptive label for this protocol module on this host.

IP Address – The IP address where this module will be accessible.

Port – The UDP port number this protocol will bind to (RADIUS runs over UDP; the standard authentication port is 1812).

Multihomed – Select if this module should listen for connections on every network interface rather than only the IP address given above.

Debug Level - The debug level for logging events for this protocol.

Use Accounting – Indicates whether RADIUS accounting will be turned on.

Accounting Port – If RADIUS accounting is to be used, the port that the RADIUS accounting listener will run on (standard is 1813).

Restrict Network Clients – Deprecated. Network clients MUST be restricted; a request from an unknown or unregistered network client is unsupported. This value is not used and will be removed in a future version of the server.

Password Encoding – the encoding type for passwords passed by a network client.

Secret Encoding – the encoding type for the shared secret passed by the network client when the network client communicates with the RADIUS protocol module.

In general, you do not want to change any of these choices unless you really know what you are doing.

Enable the RADIUS protocol by clicking on the “Enable” link.

Note: You must stop and start the WiKID server after enabling the RADIUS protocol. Log in to the authentication server as root and type “stop”. This will shut down the WAS services. Once the services are stopped, type “start” at the command prompt. You will be prompted for the wAuth passphrase. This is the passphrase you created in step 1 for the intermediate certificate. Entering the correct passphrase will allow the server to begin using the new certificate for client authentication.

When using RADIUS, you must enter the shared secret in the protocol-specific section of the configuration when you create the network client later in the setup process. Unless the same shared secret is configured for the network client on the WAS AND on the network client device itself, RADIUS communication will not function properly: the secret is used to hide the password in the request and to authenticate the reply, so a mismatch on either side means every authentication fails.

You may also include specific return parameters in the form in the Return Parameters text area. To support multiple parameters, put each on a separate line. For example, if you want to specify an idle timeout of 1 minute for the session, you may include the parameter as follows:

Idle-Timeout=60

This text area accepts all standard RADIUS attributes as detailed in RFC 2865, in Attribute=Value form, one per line. Through this text area you can return, for example, the Framed-AppleTalk attributes needed to support AppleTalk and other protocols. Future releases of the WAS will make this task easier for common parameters. IMPORTANT: This text area is NOT required. If nothing is included in this text area, TCP/IP will be supported by default.

NOTE: the RADIUS protocol module accepts the following password encoding types from network clients: PAP, CHAP, MSCHAP and MSCHAPV2.
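As an added illustration (not WiKID code), the following Python script walks through one PAP Access-Request / Access-Accept exchange built directly from RFC 2865 with only the standard library. It shows what the shared secret does on both ends: the network client hides the one-time password with it, the server recovers the password, checks it, and signs its reply with a Response Authenticator computed over the secret, and the client discards any reply that does not verify. It also shows the server silently dropping a request from an address that is not a registered network client, and it returns the Idle-Timeout=60 attribute from the text. The client table, addresses, user name and one-time password values are constructed for the example.

```python
import hashlib
import os
import struct

# RFC 2865 packet codes and the attribute types used below
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, IDLE_TIMEOUT = 1, 2, 28

# Constructed network-client table: source IP -> shared secret. A request from an
# address that is not registered here is silently discarded (RFC 2865 section 3).
CLIENTS = {"10.0.0.5": b"s3cret"}


def attr(atype, value):
    """Encode one attribute as Type(1) Length(1) Value; Length counts the header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(blob):
    """Decode a run of TLV attributes into {type: value}."""
    out, pos = {}, 0
    while pos < len(blob):
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("malformed attribute")
        out[atype] = blob[pos + 2:pos + alen]
        pos += alen
    return out


def pap_xor(data, secret, req_auth, hiding):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous
    block), the first 'previous block' being the Request Authenticator. The
    chain runs over the hidden blocks, so unhiding feeds the received block back."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        xored = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += xored
        prev = xored if hiding else block
    return out


def build_access_request(ident, username, password, secret):
    """Network client side: fresh random Request Authenticator, PAP-hidden User-Password."""
    req_auth = os.urandom(16)
    padded = password + b"\x00" * (-len(password) % 16)
    attrs = attr(USER_NAME, username) + attr(
        USER_PASSWORD, pap_xor(padded, secret, req_auth, hiding=True))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def server_handle(request, src_ip, expected_otp, clients=CLIENTS, idle_timeout=60):
    """Server side: look up this client's secret, unhide the password with it,
    compare to the expected one-time password, then sign the reply with
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    secret = clients.get(src_ip)
    if secret is None:
        return None  # unregistered network client: no reply at all
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    password = pap_xor(attrs[USER_PASSWORD], secret, req_auth, hiding=False).rstrip(b"\x00")
    if code == ACCESS_REQUEST and password == expected_otp:
        reply_code, reply_attrs = ACCESS_ACCEPT, attr(IDLE_TIMEOUT, struct.pack("!I", idle_timeout))
    else:
        reply_code, reply_attrs = ACCESS_REJECT, b""
    header = struct.pack("!BBH", reply_code, ident, 20 + len(reply_attrs))
    resp_auth = hashlib.md5(header + req_auth + reply_attrs + secret).digest()
    return header + resp_auth + reply_attrs


def client_check_reply(reply, req_auth, secret):
    """Network client side: refuse any reply whose Response Authenticator does
    not verify under the client's own secret, then decode the returned attributes."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    resp_auth, attrs = reply[4:20], reply[20:length]
    if hashlib.md5(reply[:4] + req_auth + attrs + secret).digest() != resp_auth:
        raise ValueError("Response Authenticator mismatch: shared secrets differ")
    return code, parse_attrs(attrs)


def exchange(client_secret, src_ip="10.0.0.5", otp=b"482913", typed=b"482913"):
    """One request/reply round trip; returns (reply code, Idle-Timeout or None)."""
    req, req_auth = build_access_request(7, b"alice", typed, client_secret)
    reply = server_handle(req, src_ip, expected_otp=otp)
    if reply is None:
        return None, None  # a real network client would simply time out here
    code, attrs = client_check_reply(reply, req_auth, client_secret)
    timeout = struct.unpack("!I", attrs[IDLE_TIMEOUT])[0] if IDLE_TIMEOUT in attrs else None
    return code, timeout


if __name__ == "__main__":
    print(exchange(b"s3cret"))                      # (2, 60): accepted, Idle-Timeout=60
    print(exchange(b"s3cret", typed=b"000000"))     # (3, None): wrong OTP, Access-Reject
    print(exchange(b"s3cret", src_ip="10.9.9.9"))   # (None, None): unregistered client
    try:
        exchange(b"wrong")                          # secret differs from the server's copy
    except ValueError as err:
        print("reply discarded:", err)
```

The transport is left out so the packet logic can be run offline; in a deployment these packets travel over UDP port 1812 to the address and port configured above. Note that the RFC 2865 password hiding is MD5-based obfuscation keyed by the shared secret, not encryption, which is one reason to keep RADIUS traffic between the network client and the WAS on a trusted network segment and to use a long, random shared secret.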

RADIUS network clients vary greatly from vendor implementation to vendor implementation. Please refer to your vendor’s documentation for configuring your network client to use RADIUS.

Enabling the LDAP Protocol

Click on the LDAP protocol on the Enable Protocols page to bring up the Enable LDAP page. The required parameters for the LDAP module are:

LDAP_wauth_host – IP address of the WiKID Server that will validate LDAP bind requests (always 127.0.0.1)

LDAP_wauth_kfile – Location of the Network Client cert for LDAP access to the WiKID Server (usually /opt/WiKID/private/localhost.p12)

LDAP_wauth_pass – Passphrase for the Network Client cert above.

LDAP_wauth_port – Port the WiKID server is listening on (usually 8388). NB: the LDAP module itself will listen on port 10389.

LDAP_wauth_server – 12-digit code for the domain LDAP will check bind requests against

Once complete, click Update.
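To check the LDAP module from a network client once it is enabled, here is an added Python example (not WiKID code) that hand-encodes an LDAPv3 simple bind and decodes the BindResponse, so the exact bytes on the wire and the server's result code are visible without an LDAP library. The DN form used (uid=<user>,ou=users) is a placeholder assumption: this page does not state how the WiKID LDAP module maps user names to DNs, so take the real DN from WiKID's LDAP documentation. The host name is also an assumption; the port 10389 is the one given above.

```python
import socket
import struct


def ber(tag, payload):
    """Wrap payload in a BER TLV, using the short or the two-byte/three-byte long length form."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + struct.pack("!H", n)
    return bytes([tag]) + length + payload


def ber_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, pos = first, pos + 2
    else:
        k = first & 0x7F
        n, pos = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), pos + 2 + k
    return tag, buf[pos:pos + n], pos + n


def bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }.
    msg_id is assumed < 128 so the INTEGER fits in one byte."""
    version = ber(0x02, b"\x03")
    name = ber(0x04, dn.encode())
    simple = ber(0x80, password.encode())  # AuthenticationChoice.simple, context tag [0]
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x60, version + name + simple))


def parse_bind_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    tag, body, _ = ber_read(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = ber_read(body)
    tag, op, _ = ber_read(body, pos)
    if tag != 0x61:
        raise ValueError(f"expected BindResponse (0x61), got 0x{tag:02x}")
    _, code, pos = ber_read(op)          # resultCode ENUMERATED: 0 success, 49 invalidCredentials
    _, _matched, pos = ber_read(op, pos)  # matchedDN
    _, diag, _ = ber_read(op, pos)        # diagnosticMessage
    return msg_id[0], code[0], diag.decode(errors="replace")


def bind_response(msg_id, result_code, diag=""):
    """Build a BindResponse the way a server would; used to exercise the parser offline."""
    op = ber(0x0A, bytes([result_code])) + ber(0x04, b"") + ber(0x04, diag.encode())
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x61, op))


def otp_bind(host, dn, otp, port=10389, timeout=5.0):
    """Attempt one simple bind with a one-time password against the LDAP module.
    Returns (messageID, resultCode, diagnosticMessage); resultCode 0 means the OTP validated."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bind_request(1, dn, otp))
        data = s.recv(4096)  # a BindResponse is small; one read is enough for this check
    return parse_bind_response(data)


if __name__ == "__main__":
    # Assumed host name and DN form; replace both with your own values.
    print(otp_bind("wikid.example.com", "uid=alice,ou=users", "482913"))
```

Bind with a freshly generated one-time password; a second bind with the same value should return resultCode 49 (invalidCredentials), which is a quick way to confirm the module is validating through wAuth rather than accepting static passwords. Use a TLS-wrapped socket or a trusted segment for this traffic in production, since a plain LDAP simple bind sends the OTP in the clear.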

Creating Network Clients

Network clients are systems that request one-time password validation from a WiKID Strong Authentication Server. These systems act in a proxy capacity, accepting as-yet-unverified credentials from users and communicating with the WiKID Strong Authentication Server for validation. Network clients utilize one of the installed protocol modules. The protocol module must be installed, initialized and enabled before you can add a network client for it.

Each network client must be configured on the WiKID Strong Authentication Server before it will allow the client to request validation. For wAuth clients, this will require the generation of a certificate for the network client. The exception is the localhost client that is pre-installed by default. You may (and should) regenerate this certificate, as well as any remote client certificates, on a periodic basis. Figure 18 shows the initial network client screen.

Figure 18 - Initial Network Client Screen

Select – Create new Network Client - to begin adding a network client. You will be presented with a screen similar to Figure 19 below.

Figure 19 - Network Client Properties Screen

These are the general network client properties. These values are required for each network client configured, regardless of the protocol selected. Property definitions are:

Name – The descriptive name of the server. This will be the primary display name in the administrative system and in system logs and reports. It is recommended that you use a combination of hostname and WiKID domain for clarity.

IP Address – The IP address of the network client.

Protocol – The communications protocol used by this network client. Only protocols previously enabled will be available. The protocol selection will dictate the additional properties that must be defined for this client.

Domain – This is the WiKID authentication domain in which this client will request credential validation.

If you are creating a wAuth network client, you will need to create a certificate for the network client. Complete the required information as shown in Figure 20. Note that the network client does not require a routable fully qualified domain name. It is acceptable to use a computer name or a nickname such as “www” or “extranet” rather than “vpn.wikidsystems.com” or “extranet.wikidsystems.com”.

Figure 20 – Creating a Certificate for a wAuth Network Client

If you are creating a RADIUS network client, you will need to enter the shared secret, which must match the one configured on the RADIUS device itself. You may also enter additional return parameters as discussed above.

Figure 21 - Creating a Radius Network Client - Page 2 - Setting the shared secret.

We have now configured a two-factor domain, enabled authentication protocols and created network clients. All that remains is to enable users for two-factor authentication and test.