OpenRDX

RADIUS Server

The OpenRDX RADIUS server is implemented in Rust and provides high-performance authentication and accounting services.

Features

• Authentication methods:
  • PAP (Password Authentication Protocol)
  • CHAP (Challenge Handshake Authentication Protocol)
  • MS-CHAP (Microsoft Challenge Handshake Authentication Protocol)
  • MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol v2) with improved error messages
  • EAP (Extensible Authentication Protocol)
    • EAP-TLS
    • EAP-TTLS
    • EAP-PEAP
    • EAP-SIM
    • EAP-AKA
    • EAP-AKA’
• NAS Device Matching:
  • Primary matching by NAS-Identifier (RADIUS attribute 32)
  • Fallback to IP-based secret lookup
  • Automatic NAS device identification from RADIUS packets
  • Support for multiple NAS devices with unique identifiers
• Accounting support
  • Start/Stop records
  • Interim updates
  • Session tracking
  • MongoDB storage
• RadSec (RADIUS over TLS) support via RadSec Proxy
  • Secure RADIUS communication
  • TLS 1.2/1.3 support
  • Certificate-based authentication
  • Client and server modes

Configuration

Core Service

The RADIUS server is configured through environment variables:

# RADIUS settings
RADIUS_AUTH_PORT=1812
RADIUS_ACCT_PORT=1813
RADIUS_SECRET=your_shared_secret

# Database settings
DB_HOST=postgres
DB_PORT=5432
DB_NAME=openrdx
DB_USER=postgres
DB_PASSWORD=postgres

# MongoDB settings
MONGODB_URI=mongodb://mongodb:27017/radius_accounting

# Logging
LOG_LEVEL=info

RadSec Proxy

The RadSec proxy is configured through environment variables:

# RadSec settings
RADSEC_LISTEN_PORT=2083
RADSEC_TLS_CERT=/etc/radsecproxy/certs/server.crt
RADSEC_TLS_KEY=/etc/radsecproxy/certs/server.key
RADSEC_TLS_CA=/etc/radsecproxy/certs/ca.crt

Usage

Standard RADIUS

For standard RADIUS communication, clients should connect to UDP ports 1812 (authentication) and 1813 (accounting).

RadSec

For secure RADIUS communication over TLS:

1. Configure your RADIUS client to use RadSec:

   radsec {
     server radsec.example.com:2083 {
       secret your_shared_secret
       tls {
         ca_file /path/to/ca.crt
         cert_file /path/to/client.crt
         key_file /path/to/client.key
       }
     }
   }
   

2. The RadSec proxy will handle the TLS connection and forward requests to the core service.

Security Considerations

• Always use strong shared secrets
• Keep certificates and private keys secure
• Use TLS 1.2 or higher for RadSec
• Regularly rotate certificates
• Monitor for suspicious activity
• Use proper firewall rules to restrict access

Monitoring

The RADIUS server provides detailed logging for:

• Authentication attempts
• Accounting records
• TLS handshakes
• Error conditions

Logs are stored in MongoDB for analysis and auditing.

NAS Device Configuration

NAS-Identifier Matching

The RADIUS server matches NAS devices primarily by NAS-Identifier (RADIUS attribute 32) extracted from authentication requests. This provides more reliable identification than IP-based matching alone.

Configuration:

1. Each NAS device must have a unique nas_identifier configured in the database
2. The NAS device sends its identifier in the NAS-Identifier attribute (32) in RADIUS requests
3. The server matches the identifier to find the corresponding NAS device and secret

Benefits:

• More reliable than IP-based matching (works with NAT, load balancers)
• Supports multiple NAS devices behind the same IP
• Better for dynamic IP environments
• Clearer identification in logs and accounting records

Fallback:

• If NAS-Identifier is not present in the request, the server falls back to IP-based secret lookup
• IP-based matching uses subnet-based secret configuration

Troubleshooting

Common issues and solutions:

1. Authentication failures:
   • Check shared secrets
   • Verify user credentials
   • Check certificate validity for EAP methods
   • For MS-CHAPv2: Check error messages for specific failure reasons
     • “Password incorrect or NT-Response validation failed” - Password mismatch
     • “Invalid NT-Response length” - Protocol error
     • “Missing peer-challenge” - Missing required MS-CHAPv2 attributes
2. NAS matching issues:
   • Verify NAS-Identifier is configured in NAS device settings
   • Check that NAS device sends NAS-Identifier attribute (32) in requests
   • Verify NAS device is active in the database
   • Check logs for NAS matching details
3. RadSec connection issues:
   • Verify TLS certificates
   • Check firewall rules
   • Ensure proper TLS version support
4. Accounting problems:
   • Check MongoDB connection
   • Verify accounting port access
   • Check for duplicate session IDs
5. MS-CHAPv2 specific issues:
   • Check that password is stored correctly (plain text for MS-CHAPv2)
   • Verify challenge/response lengths match expected values
   • Review debug logs for detailed authentication flow
   • Ensure MikroTik or other NAS device is configured to send MS-CHAPv2-Response correctly

This site is open source. Improve this page.