<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Chapter 13. RADIUS Authentication</title><link rel="stylesheet" type="text/css" href="gug.css" /><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot" /><link rel="home" href="index.html" title="Guacamole Manual" /><link rel="up" href="users-guide.html" title="Part I. User's Guide" /><link rel="prev" href="openid-auth.html" title="Chapter 12. OpenID Connect Authentication" /><link rel="next" href="adhoc-connections.html" title="Chapter 14. Ad-hoc Connections" />
            <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0, user-scalable=no, target-densitydpi=device-dpi"/>
        </head><body>
            <!-- CONTENT -->

            <div id="page"><div id="content">
        <div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 13. RADIUS Authentication</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="openid-auth.html">Prev</a> </td><th width="60%" align="center">Part I. User's Guide</th><td width="20%" align="right"> <a accesskey="n" href="adhoc-connections.html">Next</a></td></tr></table><hr /></div><div xml:lang="en" class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="radius-auth"></a>Chapter 13. RADIUS Authentication</h2></div></div></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="radius-auth.html#radius-downloading">Downloading the RADIUS authentication extension</a></span></dt><dt><span class="section"><a href="radius-auth.html#installing-radius-auth">Installing RADIUS authentication</a></span></dt><dt><span class="section"><a href="radius-auth.html#guac-radius-config">Configuring Guacamole for RADIUS authentication</a></span></dt><dt><span class="section"><a href="radius-auth.html#completing-radius-install">Completing the installation</a></span></dt></dl></div><a id="idm46248439943488" class="indexterm"></a><p>Guacamole supports delegating authentication to a RADIUS service, such as FreeRADIUS, to
        validate username and password combinations, and to support multi-factor authentication.  This
        authentication method must be layered on top of some other authentication extension, such as
        those available from the main project website, in order to provide access to actual
        connections.</p><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="radius-downloading"></a>Downloading the RADIUS authentication extension</h2></div></div></div><p>The RADIUS extension depends on software that is covered by a LGPL license, which is
            incompatible with the Apache 2.0 license under which Guacamole is licensed.  Due to this
            dependency, the Guacamole project cannot distribute binary versions of the RADIUS extension.
            If you want to use this extension you will need to build the code - or at least the RADIUS
            extension yourself.  Build instructions can be found in the section
            <a class="xref" href="installing-guacamole.html" title="Chapter 2. Installing Guacamole natively">Chapter 2, <em>Installing Guacamole natively</em></a>.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="installing-radius-auth"></a>Installing RADIUS authentication</h2></div></div></div><p>The RADIUS extension must be explicitly enabled during build time in order to generate
            the binaries and resulting JAR file.  This is done by adding the flag <code class="option">-Plgpl-extensions</code>
            to the Maven command line during the build, and should result in the output below:</p><div class="informalexample"><pre class="screen"><code class="prompt">$</code> <strong class="userinput"><code>mvn clean package -Plgpl-extensions</code></strong>
<code class="computeroutput">[INFO] --- maven-assembly-plugin:2.5.3:single (make-source-archive) @ guacamole-client ---
[INFO] Reading assembly descriptor: project-assembly.xml
[INFO] Building tar: /home/guac/guacamole-client/target/guacamole-client-1.0.0.tar.gz
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary:
[INFO] 
[INFO] guacamole-common .................................. SUCCESS [6.037s]
[INFO] guacamole-ext ..................................... SUCCESS [5.382s]
[INFO] guacamole-common-js ............................... SUCCESS [0.751s]
[INFO] guacamole ......................................... SUCCESS [9.767s]
[INFO] guacamole-auth-cas ................................ SUCCESS [2.811s]
[INFO] guacamole-auth-duo ................................ SUCCESS [2.441s]
[INFO] guacamole-auth-header ............................. SUCCESS [1.875s]
[INFO] guacamole-auth-jdbc ............................... SUCCESS [0.277s]
[INFO] guacamole-auth-jdbc-base .......................... SUCCESS [2.144s]
[INFO] guacamole-auth-jdbc-mysql ......................... SUCCESS [5.637s]
[INFO] guacamole-auth-jdbc-postgresql .................... SUCCESS [5.465s]
[INFO] guacamole-auth-jdbc-sqlserver ..................... SUCCESS [5.398s]
[INFO] guacamole-auth-jdbc-dist .......................... SUCCESS [0.824s]
[INFO] guacamole-auth-ldap ............................... SUCCESS [2.743s]
[INFO] guacamole-auth-noauth ............................. SUCCESS [0.964s]
[INFO] guacamole-auth-openid ............................. SUCCESS [2.533s]
[INFO] guacamole-example ................................. SUCCESS [0.888s]
[INFO] guacamole-playback-example ........................ SUCCESS [0.628s]
[INFO] guacamole-auth-radius ............................. SUCCESS [17.729s]
[INFO] guacamole-client .................................. SUCCESS [5.645s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1:20.134s
[INFO] Finished at: Wed Jan 31 09:45:41 EST 2018
[INFO] Final Memory: 47M/749M
[INFO] ------------------------------------------------------------------------</code>
<code class="prompt">$</code></pre></div><p>After the build completes successfully, the extension will be in the
            <code class="filename">extensions/guacamole-auth-radius/target/</code> directory, and will be
            called guacamole-auth-radius-1.0.0.jar.  This extension file can be copied to
            the <code class="filename">GUACAMOLE_HOME/extensions</code> directory.
            <span class="emphasis"><em>If you are unsure where <code class="varname">GUACAMOLE_HOME</code> is located on
            your system, please consult <a class="xref" href="configuring-guacamole.html" title="Chapter 5. Configuring Guacamole">Chapter 5, <em>Configuring Guacamole</em></a> before
            proceeding.</em></span></p><p>Extensions are loaded in alphabetical order, and authentication is performed
            in the order in which the extensions were loaded.  If you are stacking the
            RADIUS extension with another extension, like the JDBC extension, in order to
            store connection information, you may need to change the name of the RADIUS
            extension such that it is evaluated prior to the JDBC extension - otherwise
            an authentication failure in one of the previous modules may block the RADIUS
            module from ever being evaluated.</p><p>To install the RADIUS authentication extension, you must:</p><div class="procedure"><ol class="procedure" type="1"><li class="step"><p>Create the <code class="filename">GUACAMOLE_HOME/extensions</code> directory, if it
                    does not already exist.</p></li><li class="step"><p>Copy <code class="filename">guacamole-auth-radius-1.0.0.jar</code> into
                        <code class="filename">GUACAMOLE_HOME/extensions</code>.</p></li><li class="step"><p>Configure Guacamole to use RADIUS authentication, as described
                    below.</p></li></ol></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="guac-radius-config"></a>Configuring Guacamole for RADIUS authentication</h2></div></div></div><a id="idm46248438908272" class="indexterm"></a><a id="idm46248438861168" class="indexterm"></a><p>This extension provides several configuration properties in order 
            to communicate properly with the RADIUS server to which it needs to authenticate.  It is 
            important that you know several key pieces of information about the RADIUS server - 
            at a minimum, the server name or IP, the authentication port, the authentication 
            protocol in use by the server, and the shared secret for the RADIUS client.  If you 
            are responsible for the RADIUS server, you'll need to properly configure these items 
            to get Guacamole to authenticate properly.  If you're not responsible for the RADIUS 
            server you will need to work with the administrator to get all of the necessary 
            configuration items for the server.  These items will need to be configured in the 
            <a class="link" href="configuring-guacamole.html#initial-setup" title="guacamole.properties"><code class="filename">guacamole.properties</code></a> 
            file.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><span class="property">radius-hostname</span></span></dt><dd><p>The RADIUS server to authenticate against.  If not specified, 
                        localhost will be used.</p></dd><dt><span class="term"><span class="property">radius-auth-port</span></span></dt><dd><p>The RADIUS authentication port on which the RADIUS service is
                        is listening.  If not specified, the default of 1812 will be
                        used.</p></dd><dt><span class="term"><span class="property">radius-shared-secret</span></span></dt><dd><p>The shared secret to use when talking to the RADIUS server.  This
                        parameter is required and the extension will not load if this is not
                        specified.
                        </p></dd><dt><span class="term"><span class="property">radius-auth-protocol</span></span></dt><dd><p>The authentication protocol to use when talking to the RADIUS server.
                        This parameter is required for the extension to operate.  Supported
                        values are: pap, chap, mschapv1, mschapv2, eap-md5, eap-tls, and eap-ttls.
                        Support for PEAP is implemented inside the extension, but, due to a regression
                        in the JRadius implementation, it is currently broken.  Also, if you specify
                        eap-ttls you will also need to specify the
                        <span class="property">radius-eap-ttls-inner-protocol</span> parameter in order to
                        properly configure the protocol used inside the EAP TTLS tunnel.</p></dd><dt><span class="term"><span class="property">radius-key-file</span></span></dt><dd><p>The combination certificate and private key pair to use for TLS-based
                        RADIUS protocols that require a client-side certificate.  This parameter
                        should specify the absolute path to the file.  By default the extension
                        will look for a file called radius.key in the GUACAMOLE_HOME directory.
                        </p></dd><dt><span class="term"><span class="property">radius-key-type</span></span></dt><dd><p>The file type of the keystore specified by the <span class="property">radius-key-file</span> 
                        parameter.  Valid keystore types are pem, jceks, jks, and pkcs12.
                        If not specified, this defaults to pkcs12, the default used by 
                        the JRadius library.</p></dd><dt><span class="term"><span class="property">radius-key-password</span></span></dt><dd><p>The password of the private key specified in the 
                        <span class="property">radius-key-file</span> parameter.  By default the extension   
                        will not use any password when trying to open the key file.</p></dd><dt><span class="term"><span class="property">radius-ca-file</span></span></dt><dd><p>The absolute path to the file that stores the certificate authority
                        certificates for encrypted connections to the RADIUS server.  By default
                        a file with the name ca.crt in the GUACAMOLE_HOME directory will be used.
                        </p></dd><dt><span class="term"><span class="property">radius-ca-type</span></span></dt><dd><p>The file type of keystore used for the certificate authority.  Valid formats are
                        pem, jceks, jks, and pkcs12.  If not specified this defaults to pem.</p></dd><dt><span class="term"><span class="property">radius-ca-password</span></span></dt><dd><p>The password used to protect the certificate authority store, if
                        any.  If unspecified the extension will attempt to read the CA
                        store without any password.</p></dd><dt><span class="term"><span class="property">radius-trust-all</span></span></dt><dd><p>This parameter controls whether or not the RADIUS extension
                    should trust all certificates or verify them against known good
                    certificate authorities.  Set to true to allow the RADIUS server
                    to connect without validating certificates.  The default is false,
                    which causes certificates to be validated.</p></dd><dt><span class="term"><span class="property">radius-retries</span></span></dt><dd><p>The number of times the client will retry the connection to the 
                        RADIUS server and not receive a response before giving up.  By default
                        the client will try the connection at most 5 times.</p></dd><dt><span class="term"><span class="property">radius-timeout</span></span></dt><dd><p>The timeout for a RADIUS connection in seconds.  By default the client
                        will wait for a response from the server for at most 60 seconds.</p></dd><dt><span class="term"><span class="property">radius-eap-ttls-inner-protocol</span></span></dt><dd><p>When EAP-TTLS is used, this parameter specifies the inner (tunneled)
                        protocol to use talking to the RADIUS server.  It is required when the
                        <span class="property">radius-auth-protocol</span> parameter is set to eap-ttls.
                        If the <span class="property">radius-auth-protocol</span> value is set to something
                        other than eap-ttls, this parameter has no effect and will be ignored. Valid
                        options for this are any of the values for
                        <span class="property">radius-auth-protocol</span>, except for eap-ttls.</p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="completing-radius-install"></a>Completing the installation</h2></div></div></div><p>Guacamole will only reread <code class="filename">guacamole.properties</code> and load
            newly-installed extensions during startup, so your servlet container will need to be
            restarted before HTTP header authentication can be used. <span class="emphasis"><em>Doing this will
            disconnect all active users, so be sure that it is safe to do so prior to
            attempting installation.</em></span> When ready, restart your servlet container
            and give the new authentication a try.</p></div></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="openid-auth.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="users-guide.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="adhoc-connections.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 12. OpenID Connect Authentication </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 14. Ad-hoc Connections</td></tr></table></div>

            </div></div>
        <!-- Google Analytics -->
        <script type="text/javascript">
          (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
          (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
          m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
          })(window,document,'script','//www.google-analytics.com/analytics.js','ga');

          ga('create', 'UA-75289145-1', 'auto');
          ga('send', 'pageview');
        </script>
        </body></html>