Documentation

RADIUS integration

Introduction

This page covers the integration of SFTPPlus with a RADIUS server to authenticate accounts (file transfer users).

Authentication of Web Manager administrator accounts is not yet supported, and we are working to support this use case. Contact us if you need to use RADIUS to authenticate administrators.

Check the RADIUS configuration documentation to find all the available RADIUS authentication configuration options.

The implementation follows the RFC 2865 standard.

It supports multiple Filter-ID attributes, although this usage is discouraged by RFC 5080.

Limitations

Below is a list of known limitations of the SFTPPlus RADIUS integration. If you require any of the missing features, please contact our support team:

  • Only the UDP transport protocol is supported.

  • PAP, CHAP, MS-CHAP-V1 and MS-CHAP-V2 are supported for sending the initial username and password request. When the RADIUS server requires a challenge, the challenge is sent using PAP.

  • Only IPv4 RADIUS servers are supported.

A maximum of 255 concurrent login attempts is supported. This is a limitation of the RADIUS protocol, which only supports 255 parallel communication channels between the RADIUS server and any RADIUS client. SFTPPlus acts as a RADIUS client. You can have more than 255 concurrent active SFTPPlus file transfer sessions, as long as they don't trigger the login step at the same time. Once a user is authenticated, the communication channel to the RADIUS server is released and the same channel can be used to authenticate another user. When more than 255 concurrent logins are requested, SFTPPlus will delay some of the requests.

Security considerations

Only use RADIUS over internal networks. The communication between SFTPPlus and the RADIUS server is protected using extremely weak methods.

RADIUS relies on MD5 and is not FIPS compliant.

Group membership

Most RADIUS-based servers are configured to provide only the authentication service, without providing any information that can be used for file access authorization.

By using the base_groups configuration option you can automatically associate users authenticated via RADIUS with the configured list of groups. The user is then authorized for any files configured for those groups, and any permissions configured for those groups are enforced.

Some RADIUS servers can return a set of attributes as part of the access-accept response. SFTPPlus can use the information provided by these attributes to decide how to associate authenticated users with one or more groups.

Any attribute is supported, including Reply-Message or Filter-ID.

Associating a group based on the response attributes is configured via the group_mapping option, which has the following syntax:

group_mapping =
    radius-attribute-name, MATCHING_EXPRESSION, PRIMARY-GROUP-UUID, OPTIONAL-SECONDARY-GROUP-UUID

Each line is a comma-separated list of 3 or more elements:

  • The first element is the name of the RADIUS attribute.

  • The second element is the value to match against the attribute. It can be matched as a strict value (case-insensitive), a glob pattern, or a regular expression.

  • The remaining elements are the UUIDs of the SFTPPlus groups which should be associated on a match. The first in the list is the primary group for the authenticated account.

Below is an example:

[authentications/d87d-4a3c-d732]
type = radius
name = Internal RADIUS
base_groups = 987d-54da-db3c, 8623-d321-acd8

group_mapping =
    Filter-ID, *-sales, 54ae-987d-09ff, 987d-88de-4213, 8fde-54da-00aa
    Filter-ID, *-support, 5b9f-2600-ebd6
    Reply-Message , m/sales-force-[1-3]/, 8fde-54da-00aa

When the RADIUS server returns an access-accept message with a Filter-ID attribute of uk-support, the account will be associated with the group with UUID 5b9f-2600-ebd6.

When no match is found, the account will be associated with the groups defined by base_groups.
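The following is an added illustration, not SFTPPlus code, of how the group_mapping rules above resolve an access-accept response to groups. It assumes the first matching rule wins, that m/.../ is searched as a Python regular expression, and that glob matching is case-insensitive; the rule text and UUIDs are copied from the example above.

```python
import fnmatch
import re

# Constructed input: the base_groups and group_mapping values from the example.
BASE_GROUPS = ["987d-54da-db3c", "8623-d321-acd8"]
GROUP_MAPPING = """
    Filter-ID, *-sales, 54ae-987d-09ff, 987d-88de-4213, 8fde-54da-00aa
    Filter-ID, *-support, 5b9f-2600-ebd6
    Reply-Message , m/sales-force-[1-3]/, 8fde-54da-00aa
"""


def parse_group_mapping(text):
    """Parse group_mapping lines into (attribute, expression, [group UUIDs])."""
    rules = []
    for raw in text.strip().splitlines():
        parts = [p.strip() for p in raw.split(",")]
        if len(parts) < 3:
            raise ValueError("group_mapping line needs 3 or more elements: %r" % raw)
        rules.append((parts[0], parts[1], parts[2:]))
    return rules


def value_matches(expression, value):
    """Strict (case-insensitive), glob, or m/.../ regular-expression match."""
    if expression.startswith("m/") and expression.endswith("/"):
        # Assumption: the body of m/.../ is searched anywhere in the value.
        return re.search(expression[2:-1], value) is not None
    if any(c in expression for c in "*?["):
        # Assumption: glob matching ignores case, like the strict match.
        return fnmatch.fnmatchcase(value.lower(), expression.lower())
    return expression.lower() == value.lower()


def groups_for_response(attributes, rules, base_groups):
    """Return (primary_group, all_groups) for an access-accept's attributes.

    `attributes` maps attribute name -> list of values, so several Filter-ID
    attributes in one response are all checked. Falls back to base_groups.
    """
    for attr_name, expression, groups in rules:
        for value in attributes.get(attr_name, []):
            if value_matches(expression, value):
                return groups[0], list(groups)
    return base_groups[0], list(base_groups)
```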

RADIUS as first factor for another authentication method

You can configure SFTPPlus to use RADIUS as the first factor for another authentication method. This is done by setting the continue_on_access_accept = Yes option.

RADIUS as second factor for another authentication method

FIXME: Add docs in separate PR.

RADIUS with MFA as wrapper for password based authentication

Some RADIUS servers, like Cisco Duo Authentication Proxy or newer versions of RSA SecurID Authentication Manager, can validate both the username and password and a second factor like a one-time code, mobile push notification or SMS code.

Most RADIUS servers only return an accept response, without providing additional authentication information about the authenticated user.

If your RADIUS server returns extra attributes in the accept response, you can use the group_mapping configuration option to define different authentication levels based on the returned attributes. Check the information in the previous section about how to use the group_mapping configuration option.

The information in this section assumes that your RADIUS server does not return any attributes that can be used to associate an authenticated user with an SFTPPlus group.

Check the separate documentation section for the case in which your RADIUS server only validates a single factor, like a one-time code, and should be used as the second factor in addition to another password-based authentication method.

For the scenario from this section, the RADIUS server does the full credentials validation, both first factor and second factor, using the RADIUS Access-Challenge request.

The first factor is always username and password.

The second factor can be a one-time code, an action code, or even a secondary password. The second factor can also be formed by a series of one-time codes sent as separate requests.

Many legacy authentication methods, like operating system local or domain accounts or Active Directory or LDAP accounts, only support username and password credentials, without support for multi-factor authentication.

A RADIUS server can be used to enhance the security of these systems. Products like Cisco Duo Authentication Proxy, RSA SecurID IAM, or Microsoft Network Policy Server (NPS) can be used on top of existing authentication to provide MFA support.

This works in the following way:

  • SFTPPlus prompts the end user for username and password credentials (first factor).

  • If the credentials are valid, the RADIUS server sends a challenge request.

  • SFTPPlus prompts the end user for additional input (second factor).

  • If the second factor is accepted, the user is authenticated.

  • The RADIUS server might ask for more challenges as part of the second factor authentication process, and SFTPPlus will prompt the end user to enter additional input.

This is done by setting the on_access_accept = continue-to-authorization option.

SFTPPlus can perform a full authentication against the RADIUS server, including the MFA challenge code or token, and on success continue to authenticate with the same username and password against another, non-MFA authentication method. In this case, RADIUS guards and protects access to SFTPPlus via MFA, and once RADIUS has accepted the user, the login can continue with a legacy authentication method.

Assuming that we have the following configuration options for an SFTP server:

[authentications/755d0786]
name = Radius Failover
type = radius
address = 10.12.23.1
nas_port = 42
authentication_type = MS-chap-V2
continue_on_access_accept = True
continue_on_access_reject = False

[authentications/9d588f08]
name = Windows Users
type = os

[service/67d2e02c-31a3-11f1-b687-0fa1a87bb3b3]
name = SFTP internal
authentications = 755d0786, 9d588f08

SFTPPlus will first try to authenticate the provided username and password using the RADIUS server. If the RADIUS server asks for a token, one-time code or push notification confirmation, SFTPPlus will proceed to complete the challenge and send the required response to the RADIUS server.

Once the RADIUS server has accepted the authentication, SFTPPlus will forward the initial username and password to the Windows operating system authentication process. This starts a new full login request with the Windows operating system. The login attempt will be included in any Windows logs and any Windows-specific security policies will be applied.

You can use SFTPPlus to combine RADIUS with any other authentication method that supports username and password credentials.

Note

Make sure the RADIUS method is configured first in the list of authentication methods for a service.

The next authentication method will receive the username and password provided during the initial RADIUS access request. If the RADIUS server requires an access-challenge response, the value used for the challenge is ignored. The value provided for a challenge is usually a single-use token or access code and is not designed to be used with other authentication methods.

Single step access-challenge login

Some RADIUS servers will accept the initial username and password credentials and then ask the client to provide an additional challenge response which can be a one time code or some sort of option to select the MFA method.

This is a 2 step login process. The file transfer clients will send the username and password and then the RADIUS server will ask for another password.

Not all file transfer clients support this 2-step login process; some only support sending the username and password as a single step. If the password is not accepted in the single login step, the whole authentication process is considered failed.

SFTPPlus allows providing both the password and the additional RADIUS challenge value as part of the initial password value.

This is done by setting extract_mfa_from_password = Yes.

File transfer clients then provide both the password and the challenge value, concatenated as a comma-separated value, as the initial password. The format is PASSWORD,SECOND_CODE.

For example, if user JohnD tries to authenticate with password mySecret1 and RADIUS requires a one-time token that currently has the value 621821, the file transfer client will use these values during the login process:

  • username: JohnD

  • password: mySecret1,621821

This also works when SFTPPlus is configured to continue the authentication process after a successful RADIUS response. In this case SFTPPlus will continue the authentication process and will use only the actual password value mySecret1, without the MFA value.
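The following added model, which is not SFTPPlus or RADIUS library code, walks through the message sequence described in the MFA wrapper section and the extract_mfa_from_password behaviour above: the first Access-Request, the Access-Challenge with its State attribute, the second request carrying the one-time code, and the password that is handed to the next authentication method on Access-Accept. The server class is a constructed stand-in that validates the JohnD credentials from the example, and splitting on the first comma is an assumption.

```python
# Constructed stand-in for a RADIUS server that validates both factors.
# It models only the message sequence, not the UDP packet format.
class FakeMfaRadiusServer:
    def __init__(self, password, otp):
        self._password = password
        self._otp = otp
        self._states = set()  # outstanding State attributes

    def access_request(self, username, password, state=None):
        """Return (code, state) where code is one of
        'Access-Accept', 'Access-Challenge' or 'Access-Reject'."""
        if state is None:
            if password != self._password:
                return "Access-Reject", None
            # First factor accepted: ask for the second factor and hand out an
            # opaque State attribute that the client must echo back.
            token = "state-%d" % len(self._states)
            self._states.add(token)
            return "Access-Challenge", token
        if state in self._states and password == self._otp:
            self._states.discard(state)
            return "Access-Accept", None
        return "Access-Reject", None


def split_mfa_password(raw, extract_mfa_from_password):
    """Apply extract_mfa_from_password: 'PASSWORD,SECOND_CODE' -> (password, code)."""
    if extract_mfa_from_password and "," in raw:
        password, code = raw.split(",", 1)  # assumption: split on the first comma
        return password, code
    return raw, None


def radius_login(server, username, raw_password, extract_mfa_from_password=True):
    """Run the Access-Request / Access-Challenge exchange.

    Returns (accepted, password_for_next_method). On success only the real
    password is forwarded to the next authentication method; the challenge
    value is a single-use code and is never reused (see the Note above).
    """
    password, code = split_mfa_password(raw_password, extract_mfa_from_password)
    result, state = server.access_request(username, password)
    if result == "Access-Challenge":
        if code is None:
            return False, None  # single-step client cannot answer the challenge
        result, _ = server.access_request(username, code, state=state)
    accepted = result == "Access-Accept"
    return accepted, (password if accepted else None)
```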

Optional RADIUS authentication

You can configure SFTPPlus to use RADIUS as an optional authentication method. This is done by setting the continue_on_access_reject = Yes option.

SFTPPlus supports using multiple authentication methods at the same time, and the list and order of these methods is defined for each file transfer service via the service's authentications option.

Assuming that we have the following configuration options for an SFTP server:

[authentications/755d0786]
name = Radius Failover
type = radius
address = 10.12.23.1
nas_port = 42
authentication_type = MS-chap-V2
continue_on_access_reject = True

[authentications/DEFAULT-AUTHENTICATION]
name = SFTPlus embedded accounts
type = application

[service/67d2e02c-31a3-11f1-b687-0fa1a87bb3b3]
name = SFTP internal
authentications = 755d0786, DEFAULT-AUTHENTICATION

SFTPPlus will first try to authenticate the provided username and password using the RADIUS server. If the RADIUS server rejects the credentials, SFTPPlus will continue and try to authenticate the connection against the users defined inside SFTPPlus's own user management system.