Configure ThreatGrid RADIUS over DTLS Authentication for Console and OPadmin Portal

Introduction

This document describes Remote Authentication Dial In User Service (RADIUS) authentication feature which was introduced in the ThreatGrid (TG) version 2.10. It allows users to log in to the Admin portal as well as Console portal with credentials stored in the Authentication, Authorization and Accounting (AAA) server.

In this document you find necessary steps to configure the feature.

Prerequisites

Requirements

• ThreatGrid version 2.10 or higher
• AAA server that supports RADIUS over DTLS authentication (draft-ietf-radext-dtls-04)

Components Used

• ThreatGrid Appliance 2.10
• Identity Services Engine (ISE) 2.7

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Configure

This section provides detailed instructions on how to configure ThreatGrid Appliance and ISE for RADIUS Authentication feature.

Note: In order to configure the authentication, ensure that communication on port UDP 2083 is allowed between ThreatGrid Clean interface and ISE Policy Service Node (PSN).

Configuration

Step 1. Prepare ThreatGrid certificate for authentication.

RADIUS over DTLS uses mutual certificate authentication which means that the Certificate Authority (CA) certificate from ISE is needed. First check what CA signed RADIUS DTLS certificate:

Step 2. Export the CA certificate from ISE.

Navigate to Administration > System > Certificates > Certificate Management > Trusted Certificates, locate the CA, select Export as shown in the image, and save the certificate to the disk for later:

Step 3. Add ThreatGrid as Network Access Device.

Navigate to Administration > Network Resources > Network Devices > Add to create a new entry for TG and enter the Name, IP address of the Clean interface and select DTLS Required as shown in the image. Click Save at the bottom:

Step 4. Create an Authorization Profile for Authorization Policy.

Navigate to Policy > Policy elements > Results > Authorization > Authorization Profiles and click Add. Enter Name and select Advanced Attributes Settings as shown in the image and click Save:

Step 5. Create an authentication policy.

Navigate to Policy > Policy Sets and click "+". Enter Policy Set Name and set the condition to NAD IP Address, assigned to TG's clean interface, click Save as shown in the image:

Step 6. Create an authorization policy.

Click on the ">" to go to the authorization policy, expand the Authorization Policy, click "+" and configure as shown in the image, after you finish click Save:

Tip: You can create one authorization rule for all your users that match both conditions, Admin and UI.

Step 7. Create an identity certificate for ThreatGrid.

ThreatGrid's client certificate must be based on Elliptic Curve key:

openssl ecparam -name secp521r1 -genkey -out private-ec-key.pem

It has to be signed by the CA which ISE trusts. Check Import the Root Certificates to the Trusted Certificate Store page for more information of how to add CA certificate to ISE Trusted Certificate Store.

Step 8. Configure ThreatGrid to use RADIUS.

Log in to admin portal, navigate to Configuration>RADIUS. In RADIUS CA Certificate paste the content of the PEM file collected from ISE, in Client Certificate paste PEM formatted certificate received from CA and in Client Key paste content of private-ec-key.pem file from the previous step as shown in the image. Click Save:

Note: You must reconfigure TG appliance after you save RADIUS settings.

Step 9. Add RADIUS Username to console users.

In order to log in to console portal, you must add the RADIUS Username attribute to the respective user as shown in the image:

Step 10. Enable RADIUS only authentication.

After successful log in to the admin portal, a new option appears, which completely disables local system authentication and leaves the only RADIUS-based one.

Verify

After TG has been reconfigured, log off and now the log in pages look like in the images, admin and console portal respectively:

Troubleshoot

There are three components that could cause problems: ISE, network connectivity and ThreatGrid.

• In ISE, ensure that it returns ServiceType=Administrative to ThreatGrid's authentication requests. Navigate to Operations>RADIUS>Live Logs on ISE and check details:

• If you don't see these requests, do a packet capture on ISE. Navigate to Operations>Troubleshoot>Diagnostic Tools>TCP Dump, provide the IP in Filter field of the TG's clean interface, click Start and try to log in on ThreatGrid:

You must see that number of bytes increased. Open pcap file in Wireshark for more information.

• If you see the error "We're sorry, but something went wrong" after you click Save in ThreatGrid and the page looks like this:

That means that you most probably used RSA key for the client certificate. You must use ECC key with the parameters specified in step 7.