VMware NSX Network Detection and Response RADIUS Integration

Integration with an external RADIUS server provides authentication and authorization services for the User Portal running on On-Premises appliances.

About RADIUS Integration

RADIUS servers provide centralized Authentication, Authorization, and Accounting management. VMware supports the integration of the Analyst, Manager, and/or All-In-One in an On-Premises environment with an external RADIUS server.

Terminology

The following terms are used in this documentation:

FreeRADIUS

An open-source, high-performance RADIUS suite that supports all common authentication protocols. The VMware NSX Network Detection and Response integration has been tested with the FreeRADIUS server implementation.

RADIUS Dictionary

The dictionary file contains a list of RADIUS attributes and values. These attributes and values are then used to map between descriptive names and on-the-wire-data. The names have no meaning outside of the RADIUS server itself, and are never exchanged between server and clients. The dictionary is specific to each RADIUS server.

Network Access Server

A Network Access Server (NAS) is a single point of access to a remote resource. In this integration, the On-Premises Analyst, Manager, or All-In-One is the NAS.

Limitations

The following are the limitations of the RADIUS integration:

  • RADIUS is used for authentication only.

    Note: This does not apply if the attribute provision_users=true.
  • The user account must already exist on the On-Premises Analyst, Manager, and/or All-In-One appliance.

    Note: This does not apply if the attribute provision_users=true. When this attribute is set to true, user accounts and roles are automatically created based on the responses received from the RADIUS server.
  • Password Authentication Protocol (PAP) is the only supported authentication type.

  • The FreeRADIUS dictionary and the vmware_nsx dictionary have been tested and are supported configurations. Other dictionaries may be configured. See Configure a custom dictionary for custom dictionary configuration or contact VMware Support.

Architecture

When using the VMware NSX Network Detection and Response/RADIUS integration, the On-Premises Analyst, Manager, or All-In-One can be configured to send RADIUS Authentication requests to a configured RADIUS server. Users then have the option to choose whether they want to authenticate using the default On-Premises Analyst, Manager, or All-In-One authentication or through the RADIUS Server.

The current implementation of RADIUS authentication uses PAP authentication with a shared secret known to both the NAS and the RADIUS server. The protocol conceals the actual password using the following implementation.
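The password-hiding scheme this paragraph refers to is the User-Password procedure of RFC 2865 section 5.2, which is what a PAP NAS applies before an Access-Request leaves the appliance. The code below is an added example, not appliance or FreeRADIUS code; it implements both the NAS side (hide) and the server side (reveal) so the role of the shared secret and the 16-byte Request Authenticator is visible. The secret value reuses the page's example secret; the authenticator and password are constructed sample values.

```python
import hashlib
import os

# Added example (not product code): RFC 2865 section 5.2 User-Password hiding.
# The shared secret S and the Request Authenticator RA are the only inputs.
BLOCK = 16
MAX_PASSWORD = 128  # RFC 2865 upper bound for the User-Password attribute


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Return the User-Password attribute value a PAP NAS puts in an Access-Request."""
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= MAX_PASSWORD:
        raise ValueError("password must be between 1 and 128 bytes")
    if not secret:
        raise ValueError("shared secret must not be empty")
    # Pad with NUL bytes to a multiple of 16 (p1, p2, ... in the RFC).
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden = bytearray()
    prev = request_authenticator            # b1 = MD5(S + RA)
    for i in range(0, len(padded), BLOCK):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], b))
        hidden += c
        prev = c                             # b(i) = MD5(S + c(i-1)): blocks are chained
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse operation, as the RADIUS server performs it before checking the password."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    plain = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), BLOCK):
        c = hidden[i:i + BLOCK]
        b = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ k for x, k in zip(c, b))
        prev = c
    # Strip the NUL padding; a real password never ends in NUL bytes.
    return bytes(plain).rstrip(b"\x00")


if __name__ == "__main__":
    # Constructed sample values; a real NAS draws the authenticator from a CSPRNG.
    secret = b"mysupersharedradiussecret"      # the page's example secret
    ra = os.urandom(BLOCK)
    password = b"correct horse battery staple"  # constructed sample password
    hidden = hide_password(password, secret, ra)
    print("on-the-wire value:", hidden.hex())
    print("server recovers:  ", reveal_password(hidden, secret, ra))
```

Two practical consequences follow from the construction. First, the only thing protecting the password on the wire is the strength of the shared secret and the unpredictability of the Request Authenticator, which is why the secret should be long and random and the RADIUS server should accept requests only from the appliance's address. Second, a mismatched secret does not produce an error: the server simply recovers garbage and answers Access-Reject, so a "wrong password" symptom during troubleshooting can equally mean the secret in the /papi/radius/configure call does not match the server.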

Upon a successful authentication response from the RADIUS Server, the On-Premises Analyst, Manager, or All-In-One will authenticate the user to the User Portal. The authentication will only work if the user account already exists on the User Portal and its mapping is correct (see RADIUS mapping). These conditions do not apply if the attribute provision_users=true.

After the RADIUS authentication has completed and is validated, the user will be logged into the On-Premises Analyst, Manager, or All-In-One.

Requirements

The following are required for RADIUS integration:

  • VMware NSX Network Detection and Response On-Premises 7.3 or higher.

  • FreeRADIUS version 2.1.12 is fully tested and supported. The FreeRADIUS dictionary will work with some other RADIUS servers, including Windows Server 2016 Network Policy Server.

    The vmware_nsx dictionary is fully tested with the ClearPass RADIUS server and supported.

    Other RADIUS servers may work by configuring custom dictionaries (see Configure a custom dictionary). Contact VMware Support if there is a compatibility issue with the RADIUS server.

  • RADIUS mapping uses the presence of the User-Name attribute to map user identities. In order for the On-Premises Analyst, Manager, or All-In-One to authenticate the user based on the response from the RADIUS server, one of the following two conditions must be met:

    User-Name attribute in response

    If the User-Name attribute is present in the authentication response, its value is used to authenticate to the On-Premises Analyst, Manager, or All-In-One. For example, if DOMAIN\jdoe is the username of the original authentication request, the response from the RADIUS server must map it to the correct username on the On-Premises Analyst, Manager, or All-In-One, such as jdoe@DOMAIN.com.

    No User-Name in response

    If there is no User-Name in the authentication response, then the username of the request is used. For example, if a valid authentication response is returned for jdoe@DOMAIN.com, then this is used to authenticate to the On-Premises Analyst, Manager, or All-In-One.

  • A valid dictionary must be presented to the RADIUS client. If the server_type parameter for the configuration is freeradius (the default), then the dictionary of FreeRADIUS version 2.1.12 will be used.

RADIUS Configuration

Configure the VMware NSX Network Detection and Response Appliance

To configure a RADIUS server to be used for authentication for the On-Premises Analyst, Manager, or All-In-One, refer to the Lastline RADIUS API documentation. Specifically, refer to the /papi/radius/configure method, which is used to configure an appliance to perform authentication through a RADIUS server.

Authentication

Account-based authentication is the only supported authentication method for RADIUS configuration. Use the following curl command to authenticate a user:

curl -X POST "https://<FQDN>/papi/login" -d "username=USERNAME&password=PASSWORD" -c COOKIENAME

In the above example:

  • FQDN The fully qualified domain name of the On-Premises Analyst, Manager, or All-In-One.

  • USERNAME The VMware NSX Network Detection and Response portal account username.

  • PASSWORD The VMware NSX Network Detection and Response portal account password.

  • COOKIENAME The name that you enter for the cookie.

After the user is authenticated, you can use the following curl command as a test:

curl -X POST "https://<FQDN>/papi/ping" -b COOKIENAME

Configure a dictionary

The following dictionary is an example of a valid RADIUS configuration:

{
  "appliance_uuid": "0a1b2c3d4e5f6e7d8c9b9a8b7c6d5e4f",
  "enabled": true,
  "server_type": "freeradius",
  "server": "freeradius.example.com",
  "auth_port": 1812,
  "secret": "mysupersharedradiussecret",
  "nas_identifier": "LL Manager"
}

This configuration can be performed using a curl command, such as the following:

$ curl --data "appliance_uuid=0a1b2c3d4e5f6e7d8c9b9a8b7c6d5e4f" \
       --data "enabled=true" \
       --data "server_type=freeradius" \
       --data "server=freeradius.example.com" \
       --data "auth_port=1812" \
       --data "secret=mysupersharedradiussecret" \
       --data "nas_identifier=LLManager" \
       --cookie COOKIENAME \
       --request POST "https://<FQDN>/papi/radius/configure"

In the above example:

  • FQDN The fully qualified domain name of the On-Premises Analyst, Manager, or All-In-One.

Configure a custom dictionary

The VMware NSX Network Detection and Response/RADIUS integration has been tested with the FreeRADIUS server implementation. If you use a different type of RADIUS server (not compatible with FreeRADIUS), or the default dictionary provided with the installation does not work, you can provide a custom dictionary. This custom dictionary must be placed in the following directory: /var/lib/pyrad/dicts/other/dictionary. The server_type for configuration MUST be set to other.

The allowed values for server_type are freeradius, vmware_nsx, or other.
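A custom dictionary for server_type=other has to be in the text format that pyrad reads, which is the FreeRADIUS dictionary format (VENDOR, BEGIN-VENDOR, ATTRIBUTE, END-VENDOR lines). The script below is an added example, not VMware, pyrad or ClearPass code: it converts the ClearPass dictionary XML from the ClearPass procedure later on this page into that format, so the same VMware-NSX-Auth-Role attribute can be served as a custom dictionary. The namespace, vendor id and attribute come from the page's XML; the type mapping covers only the ClearPass types String and Integer and rejects anything else rather than guessing.

```python
import xml.etree.ElementTree as ET

# Added example (not vendor code): ClearPass dictionary XML -> FreeRADIUS/pyrad text format.
TIPS_NS = {"tips": "http://www.avendasys.com/tipsapiDefs/1.0"}

# ClearPass attribute types with an unambiguous FreeRADIUS equivalent.
TYPE_MAP = {"String": "string", "Integer": "integer"}

# The dictionary XML shown in this page's ClearPass procedure (not constructed).
CLEARPASS_DICT = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
<TipsHeader version="6.9"/>
<Dictionaries>
    <Vendor vendorEnabled="true" prefix="VMware" name="Radius:VMware" id="6876">
    <RadiusAttributes>
        <Attribute profile="in out" type="String" name="VMware-NSX-Auth-Role" id="1"/>
    </RadiusAttributes>
    </Vendor>
</Dictionaries>
</TipsContents>
"""


def clearpass_xml_to_freeradius(xml_text: str) -> str:
    """Render every vendor in a ClearPass dictionary export as FreeRADIUS dictionary lines."""
    data = xml_text.strip().encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    vendors = root.findall(".//tips:Vendor", TIPS_NS)
    if not vendors:
        raise ValueError("no <Vendor> element found in ClearPass dictionary")
    lines = ["# generated from a ClearPass dictionary export"]
    for vendor in vendors:
        prefix = vendor.get("prefix")
        vendor_id = int(vendor.get("id", "0"))
        if not prefix or not 1 <= vendor_id <= 0xFFFFFFFF:
            raise ValueError("vendor needs a prefix and a valid IANA enterprise number")
        lines.append(f"VENDOR\t\t{prefix}\t{vendor_id}")
        lines.append(f"BEGIN-VENDOR\t{prefix}")
        attrs = vendor.findall("tips:RadiusAttributes/tips:Attribute", TIPS_NS)
        if not attrs:
            raise ValueError(f"vendor {prefix} defines no attributes")
        seen = set()
        for attr in attrs:
            name = attr.get("name", "")
            attr_id = int(attr.get("id", "0"))
            cp_type = attr.get("type", "")
            if not name or any(ch.isspace() for ch in name) or not 1 <= attr_id <= 255:
                raise ValueError(f"attribute {name!r} needs a whitespace-free name and an id in 1..255")
            if cp_type not in TYPE_MAP:
                raise ValueError(f"unsupported ClearPass type {cp_type!r} for {name}")
            if name in seen:
                raise ValueError(f"duplicate attribute name {name}")
            seen.add(name)
            lines.append(f"ATTRIBUTE\t{name}\t{attr_id}\t{TYPE_MAP[cp_type]}")
        lines.append(f"END-VENDOR\t{prefix}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Print the result; write it to /var/lib/pyrad/dicts/other/dictionary to use it.
    print(clearpass_xml_to_freeradius(CLEARPASS_DICT), end="")
```

The generated file is only the vendor-specific part; the standard attributes (User-Name, User-Password, NAS-Identifier and so on) still have to come from a base dictionary, so check how the appliance's default dictionary is assembled before replacing it wholesale with server_type=other.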

Successful configuration

After a successful POST to the configuration API, the On-Premises Analyst, Manager, or All-In-One executes a retrigger configuration operation. This may take a few minutes. After it completes, the User Portal login page will have a RADIUS Sign On prompt:

Portal login page with RADIUS Sign On

If the RADIUS Sign On checkbox is selected, the user authenticates through the configured RADIUS server. If the checkbox is not selected, then authentication is performed through the User Portal on the On-Premises Analyst, Manager, or All-In-One.

If this login page is not displayed, then there was either an error in the configuration or the configuration process is still pending. To view this information, visit the appliance action logs page, located on the Admin > Appliances > Logs > Action Logs tab on the User Portal. Refer to the Action logs tab help page.

RADIUS Integration with ClearPass

Use this procedure to configure RADIUS integration with ClearPass.

  1. In your ClearPass setup, define a dictionary. You can use the following XML to add it:
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
    <TipsHeader version="6.9"/>
    <Dictionaries>
        <Vendor vendorEnabled="true" prefix="VMware" name="Radius:VMware" id="6876">
        <RadiusAttributes>
            <Attribute profile="in out" type="String" name="VMware-NSX-Auth-Role" id="1"/>
        </RadiusAttributes>
        </Vendor>
    </Dictionaries>
    </TipsContents>
  2. In your ClearPass setup, define the VMware NSX Network Detection and Response user roles that are supported. The following are the supported user roles:
    • administrator
    • analyst
    • read_only
    Important: The role names must be entered exactly as shown. For example, entering Administrator will not work.
  3. Configure ClearPass to use the provided dictionary to return a user role as a value for VMware-NSX-Auth-Role in its response.
    Note: Dictionaries can be imported in the Administration section of the ClearPass UI.
  4. Map the roles to the ClearPass roles.
    Note:
    • It is a best practice to create role mappings with logical names. For example, the ClearPass database has a user with the role NSX_Admin, which maps to the administrator role when ClearPass sends its response.
    • Custom roles are supported but must be prepended with the word custom. For example, custom:Trusted Associate.
  5. Add the information about the VMware NSX Network Detection and Response appliance to the Devices section in ClearPass. The following information is required:
    • The IP address that the appliance's RADIUS requests come from.
    • Secret token for RADIUS to use.
  6. In ClearPass, create a new Service to handle the authentication/authorization for the appliance.
    1. Set Type to RADIUS Enforcement (Generic).
    2. Enable Authorization.
    3. Configure Service Rule to capture any requests from the appliance.
      For example, a rule that matches requests whose NAS-Identifier is NSXManager. NAS-Identifier is a custom value that can be specified when configuring the appliance's RADIUS integration. This is not the only rule that will work, though, and it is recommended to create a rule that works best for you.
    4. Set Authentication Method to [SSO].
    5. Configure Authentication and Authentication Sources to point to wherever user information is being held.
      If your users are in the ClearPass database, you should select [Local User Repository] [Local SQL DB]. But it is recommended to select sources that work best for your environment.
  7. Configure the appliance for RADIUS.
    You can do this by following the procedure in Configure the VMware NSX Network Detection and Response Appliance, with the following exceptions:
    • The server_type value should be vmware_nsx instead of freeradius.
    • The attribute provision_users should be set to true, for example, provision_users=true. It currently defaults to false.
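The identity and role rules spread over this page (User-Name mapping under Requirements, the supported role names and the custom: prefix in the ClearPass steps, and the effect of provision_users) fit in one decision function. The code below is an added example, not appliance code: it takes the attributes of an Access-Accept plus the appliance's local account table and returns who logs in with which role. The attribute names come from the page's dictionaries; the function and class names and the account table are hypothetical.

```python
from dataclasses import dataclass
from typing import Mapping

# Added example (not appliance code): apply this page's identity and role rules
# to the attributes of an Access-Accept.
ROLE_ATTRIBUTE = "VMware-NSX-Auth-Role"
SUPPORTED_ROLES = frozenset({"administrator", "analyst", "read_only"})
CUSTOM_ROLE_PREFIX = "custom:"


@dataclass(frozen=True)
class PortalIdentity:
    username: str
    role: str
    provisioned: bool  # True when account and role came from the RADIUS response


def resolve_username(request_username: str, accept_attrs: Mapping[str, str]) -> str:
    """User-Name in the response wins; otherwise the requested username is used."""
    name = accept_attrs.get("User-Name")
    return name if name else request_username


def is_supported_role(raw: str) -> bool:
    """Exact match only: 'Administrator' is rejected, 'custom:Trusted Associate' accepted."""
    if raw in SUPPORTED_ROLES:
        return True
    return raw.startswith(CUSTOM_ROLE_PREFIX) and bool(raw[len(CUSTOM_ROLE_PREFIX):].strip())


def resolve_role(accept_attrs: Mapping[str, str]) -> str:
    """Read and validate VMware-NSX-Auth-Role from an Access-Accept."""
    raw = accept_attrs.get(ROLE_ATTRIBUTE)
    if raw is None:
        raise ValueError(f"{ROLE_ATTRIBUTE} missing from Access-Accept")
    if not is_supported_role(raw):
        raise ValueError(f"unsupported role {raw!r}; expected one of "
                         f"{sorted(SUPPORTED_ROLES)} or '{CUSTOM_ROLE_PREFIX}<name>'")
    return raw


def map_access_accept(request_username: str, accept_attrs: Mapping[str, str],
                      local_accounts: Mapping[str, str],
                      provision_users: bool = False) -> PortalIdentity:
    """Decide who logs in. local_accounts maps portal usernames to their local role."""
    username = resolve_username(request_username, accept_attrs)
    if provision_users:
        # provision_users=true: the account and its role come from the response.
        return PortalIdentity(username, resolve_role(accept_attrs), provisioned=True)
    # Default: RADIUS is authentication only; the account must already exist
    # on the appliance and keeps whatever role is configured locally.
    if username not in local_accounts:
        raise PermissionError(f"no portal account named {username!r}")
    return PortalIdentity(username, local_accounts[username], provisioned=False)


if __name__ == "__main__":
    # Constructed sample data: one pre-existing portal account.
    accounts = {"jdoe@DOMAIN.com": "analyst"}
    print(map_access_accept("DOMAIN\\jdoe", {"User-Name": "jdoe@DOMAIN.com"}, accounts))
    print(map_access_accept("DOMAIN\\jdoe",
                            {"User-Name": "jdoe@DOMAIN.com", ROLE_ATTRIBUTE: "administrator"},
                            {}, provision_users=True))
```

The two branches make the operational difference explicit: with the default provision_users=false a RADIUS Access-Accept for an unknown name is still a login failure, while with provision_users=true a misspelt or differently cased role value in ClearPass is what blocks the login, which is the case to check first when a ClearPass-backed login is rejected although authentication succeeded.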