How to set up PhenixID MFA Server as an MS CHAPv2 proxy

This document describes how PhenixID MFA Server is set up as a proxy in front of an MS CHAPv2 Radius server.

Overview

PhenixID MFA Server supports MS CHAPv2 over Radius:

  • Username and password followed by PhenixID One Touch is currently the only supported authentication combination
  • PhenixID MFA Server works as a Radius proxy between a Radius client and a backend MS CHAPv2 Radius server, such as Microsoft NPS, which performs the password validation
  • MS CHAPv2 on its own gives only weak protection of the password (a captured challenge/response can be brute-forced offline), so keep the Radius traffic between client, proxy and backend on a trusted network segment or inside an encrypted tunnel; the One Touch step is what provides the second factor

Schematic overview

1. The Radius client sends an Access-Request containing the end user's user ID and the MS CHAPv2 challenge/response attributes (the password itself is never sent on the wire; the response is derived from it)

2. PhenixID MFA Server, acting as a proxy, forwards the request to the backend MS CHAPv2 Radius server

3. The backend MS CHAPv2 Radius server validates the response against the user's password and returns the result to PhenixID MFA Server

4. PhenixID MFA Server checks the result from the backend MS CHAPv2 Radius server:

  • Access-Reject -> returned to the client as-is, see 5
  • Access-Accept -> performs an additional One Touch challenge for the user (the One Touch profile bound to the user ID) and returns the outcome of that challenge, see 5

5. PhenixID MFA Server returns the final result to the Radius client.
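
The exchange in step 1, as an added example that is not part of this guide or of PhenixID's own code: a Python script that builds the Access-Request a Radius client sends for MS CHAPv2 (RFC 2865 attributes, the Microsoft vendor attributes from RFC 2548 and a Message-Authenticator per RFC 2869), then decodes and verifies it the way the proxy would on receipt. The shared secret, user name, NAS identifier and the challenge and response bytes are constructed placeholders; a real client derives the 24-byte response from the NT hash as described in RFC 2759. Note that the packet carries no User-Password attribute, which is why the proxy cannot validate the password itself and must forward the request to the MS CHAPv2 backend.

```python
"""Build and decode the RADIUS Access-Request a client sends for MS-CHAPv2 (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_VENDOR_SPECIFIC = 26
ATTR_NAS_IDENTIFIER = 32
ATTR_MESSAGE_AUTHENTICATOR = 80
VENDOR_MICROSOFT = 311   # RFC 2548 vendor id
MS_CHAP_CHALLENGE = 11   # vendor type: 16-octet authenticator challenge
MS_CHAP2_RESPONSE = 25   # vendor type: 50-octet MS-CHAPv2 response


def attr(atype, value):
    """Encode one RFC 2865 attribute as type, length, value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def ms_vsa(vtype, value):
    """Wrap a Microsoft vendor attribute in a Vendor-Specific (26) attribute."""
    inner = struct.pack("!BB", vtype, len(value) + 2) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_MICROSOFT) + inner)


def build_access_request(secret, ident, username, auth_challenge, peer_challenge, nt_response, nas_id="vpn-gw"):
    """Return an Access-Request carrying MS-CHAPv2 attributes and a valid Message-Authenticator."""
    if len(auth_challenge) != 16 or len(peer_challenge) != 16 or len(nt_response) != 24:
        raise ValueError("MS-CHAPv2 challenge/response lengths are fixed by RFC 2759")
    # Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) Response(24), RFC 2548 section 2.3.2
    ms_resp = bytes([ident, 0]) + peer_challenge + bytes(8) + nt_response
    attrs = (
        attr(ATTR_USER_NAME, username.encode())
        + attr(ATTR_NAS_IDENTIFIER, nas_id.encode())
        + ms_vsa(MS_CHAP_CHALLENGE, auth_challenge)
        + ms_vsa(MS_CHAP2_RESPONSE, ms_resp)
        + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # placeholder, filled in below
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + os.urandom(16)
    packet = header + attrs
    # RFC 2869 section 5.14: HMAC-MD5 over the whole packet with the attribute value zeroed
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def parse_attributes(packet):
    """Decode attributes into a dict keyed by type, or by (vendor, vendor_type) for VSAs."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            attrs[(vendor, vtype)] = value[6:4 + vlen]
        else:
            attrs[atype] = value
        pos += alen
    return code, ident, attrs


def verify_message_authenticator(secret, packet):
    """Recompute Message-Authenticator; False means a wrong secret or a packet altered in transit."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False


# Constructed sample values; a real client derives nt_response from the NT hash per RFC 2759.
SECRET = b"constructed-shared-secret"
AUTH_CHALLENGE = bytes(range(16))
PEER_CHALLENGE = bytes(range(16, 32))
NT_RESPONSE = bytes(range(24))

if __name__ == "__main__":
    pkt = build_access_request(SECRET, 7, "alice", AUTH_CHALLENGE, PEER_CHALLENGE, NT_RESPONSE)
    code, ident, attrs = parse_attributes(pkt)
    print("code", code, "id", ident, "user", attrs[ATTR_USER_NAME],
          "User-Password present:", ATTR_USER_PASSWORD in attrs)
    print("Message-Authenticator valid:", verify_message_authenticator(SECRET, pkt))
```

Run it as a script to see the decoded attributes. When a proxy setup fails, a Message-Authenticator mismatch on the receiving side usually means the shared secret the proxy uses toward the backend differs from the one the backend expects.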


System requirements

  • PhenixID MFA v3.0 or later
  • MS CHAPv2 Radius server, such as Microsoft NPS, configured as the backend Radius server

Configuration

Load Radius proxy module

  • Login to Configuration Manager
  • Click on the pen to the right of Modules
  • Add Radius proxy module:
	{
		"id":"mschap-radius-proxy-module",
		"name":"com.phenixidentity~phenix-radius-proxy",
		"enabled":"true",
		"config":
		{
		}
	}

- Click Stage changes and Commit changes

- Click on the pen to the right of NODE_GROUPS

- Add the newly added module to the list of modules:

"module_refs": "mschap-radius-proxy-module,X,Y,Z..."

- Click Stage changes and Commit changes

- The next step is to set up the proxy connection. This is a Radius listener on a specific local port that forwards the calls to another Radius server, specified by host and port.

id - The id of this connection

port - The local port, i.e. the port on which PhenixID MFA Server listens for Radius requests from the client (1812 is the standard Radius authentication port)

server_host - The backend MS CHAPv2 Radius server host

server_port - The port on which the backend MS CHAPv2 Radius server accepts authentication requests. Microsoft NPS listens for authentication on 1812 (and 1645) by default; 1813 and 1646 are the accounting ports, so check the value in the sample below against your backend.

- Click on the pen to the right of Radius Proxy Connections and add this configuration:

	{
		"id":"mschap-radius-connection",
		"description":"Proxy connection",
		"config":
		{
			"port":"1812",
			"server_host":"192.168.98.165",
			"server_port":"1813"
		}
	}

- Click Stage changes and Commit changes

- The next step is to add a Radius proxy authenticator. Currently, PhenixID One Touch (OneTouchAuthenticator) is the only supported authentication mechanism.

id - The id of the authenticator

name - Must be OneTouchAuthenticator for now

radius_proxy_config - The id of the proxy connection configured in the previous step

pipeID - Id of a pipe that verifies the user before the One Touch challenge. The pipe only performs verification; any data fetched in the pipe will NOT be added to the Radius response.

selector - (Optional) Used to separate requests arriving from different sources

- Click on the pen to the right of Authentication - Radius Proxy and add this configuration. Change the selector option to suit your environment.

	{
		"id":"auth-radius-proxy",
		"name":"OneTouchAuthenticator",
		"description":"Radius proxy authenticator",
		"config":
		{
			"radius_proxy_config":"mschap-radius-connection",
			"pipeID":"UserLookupWithLDAP",
			"selector":"44=onetouch"
		}
	}

- Click Stage changes and Commit changes

- Click on the pen to the right of Pipes and add this configuration. Change it to suit your environment (i.e. a different user source, other LDAP settings, or no user store validation at all):

{
  "id": "UserLookupWithLDAP",
  "description": "Verify that user exists in LDAP",
  "valves": [
    {
      "name": "LDAPSearchValve",
      "config": {
        "connection_ref": "e379a2be-86be-4194-a53d-462bde7b6eeb",
        "base_dn": "dc=example,dc=local",
        "scope": "SUB",
        "size_limit": "0",
        "filter_template": "uid={{request.username}}"
      }
    }
  ]
}

- Click Stage changes and Commit changes
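
As an added example that is not part of this guide or of PhenixID (the fragments below are a constructed copy of the ones above, not an exported configuration), a Python check that cross-references the four fragments before you commit them: the proxy module must be enabled and listed in module_refs, the authenticator's radius_proxy_config and pipeID must point at an existing connection and pipe, every port must be valid, no two connections may listen on the same port, and a server_port on a conventional accounting port (1813 or 1646) is flagged as a warning. The severity names and messages are the example's own.

```python
"""Cross-check the PhenixID configuration fragments used for the MS-CHAPv2 proxy (added example)."""
import json

RADIUS_PROXY_MODULE = "com.phenixidentity~phenix-radius-proxy"
ACCOUNTING_PORTS = {"1813", "1646"}   # conventional RADIUS accounting ports (RFC 2866 / legacy)

# Constructed copies of the fragments in this guide, not an exported PhenixID configuration.
MODULES = json.loads("""[
  {"id": "mschap-radius-proxy-module", "name": "com.phenixidentity~phenix-radius-proxy",
   "enabled": "true", "config": {}}
]""")
MODULE_REFS = "mschap-radius-proxy-module,X,Y,Z"
CONNECTIONS = json.loads("""[
  {"id": "mschap-radius-connection", "description": "Proxy connection",
   "config": {"port": "1812", "server_host": "192.168.98.165", "server_port": "1813"}}
]""")
AUTHENTICATORS = json.loads("""[
  {"id": "auth-radius-proxy", "name": "OneTouchAuthenticator",
   "description": "Radius proxy authenticator",
   "config": {"radius_proxy_config": "mschap-radius-connection",
              "pipeID": "UserLookupWithLDAP", "selector": "44=onetouch"}}
]""")
PIPES = json.loads("""[
  {"id": "UserLookupWithLDAP", "description": "Verify that user exists in LDAP",
   "valves": [{"name": "LDAPSearchValve",
               "config": {"filter_template": "uid={{request.username}}"}}]}
]""")


def _valid_port(value):
    return value.isdigit() and 1 <= int(value) <= 65535


def check_config(modules, module_refs, connections, authenticators, pipes):
    """Return a list of (severity, message); an empty list means the fragments are consistent."""
    findings = []
    refs = {r.strip() for r in module_refs.split(",")}
    proxy_modules = [m for m in modules if m.get("name") == RADIUS_PROXY_MODULE]
    if not proxy_modules:
        findings.append(("error", "no module with name %s is loaded" % RADIUS_PROXY_MODULE))
    for m in proxy_modules:
        if str(m.get("enabled")).lower() != "true":
            findings.append(("error", "module %s is not enabled" % m["id"]))
        if m["id"] not in refs:
            findings.append(("error", "module %s is missing from NODE_GROUPS module_refs" % m["id"]))

    conn_ids, seen_ports = set(), {}
    for c in connections:
        cfg = c.get("config", {})
        conn_ids.add(c["id"])
        for key in ("port", "server_port"):
            if not _valid_port(str(cfg.get(key, ""))):
                findings.append(("error", "connection %s: %s is not a valid port" % (c["id"], key)))
        if str(cfg.get("server_port")) in ACCOUNTING_PORTS:
            findings.append(("warning", "connection %s: server_port %s is a conventional RADIUS accounting "
                             "port; the backend normally accepts authentication on 1812"
                             % (c["id"], cfg["server_port"])))
        port = cfg.get("port")
        if port in seen_ports:
            findings.append(("error", "connections %s and %s both listen on port %s"
                             % (seen_ports[port], c["id"], port)))
        seen_ports[port] = c["id"]

    pipe_ids = {p["id"] for p in pipes}
    for a in authenticators:
        cfg = a.get("config", {})
        if a.get("name") != "OneTouchAuthenticator":
            findings.append(("error", "authenticator %s: name must be OneTouchAuthenticator" % a["id"]))
        if cfg.get("radius_proxy_config") not in conn_ids:
            findings.append(("error", "authenticator %s: radius_proxy_config %r matches no proxy connection"
                             % (a["id"], cfg.get("radius_proxy_config"))))
        if cfg.get("pipeID") not in pipe_ids:
            findings.append(("error", "authenticator %s: pipeID %r matches no pipe"
                             % (a["id"], cfg.get("pipeID"))))
    return findings


def errors(findings):
    """Only the findings that would make the proxy setup non-functional."""
    return [msg for sev, msg in findings if sev == "error"]


if __name__ == "__main__":
    for sev, msg in check_config(MODULES, MODULE_REFS, CONNECTIONS, AUTHENTICATORS, PIPES):
        print(sev.upper(), msg)
```

Run against the fragments as given, the check reports no errors but one warning, for the server_port of 1813; replace the embedded fragments with your own values to check a real configuration before committing it.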

Test

- Use a Radius client test tool, such as EAPTest, to test your configuration.

If needed, enable debug mode on PhenixID MFA to perform error tracing and debugging.