Crestron - RADIUS Configuration – RSA Ready Implementation
This section describes how to integrate Crestron with RSA Authentication Manager using RADIUS.
Configure RSA Authentication Manager
RSA Authentication Manager for Both Authentication and Authorization
Perform these steps to configure RSA Authentication Manager.
Procedure
1. Vendor-specific RADIUS attributes (VSAs) are needed to send authorization information back to Crestron. To add them, use the following steps:
- Log in to the operations console and navigate to Deployment Configuration > RADIUS Servers.
- Click the server, and then click Manage Server Files.
- Obtain a copy of the Crestron RADIUS dictionary and rename the file to 'dictionary.crestron'.
- On the Dictionary Files tab, click Add New.
- Select the Crestron dictionary file and click Submit.
- On the Configuration Files tab, edit the vendor.ini file.
- Add the details as shown in the following figure.
- Click Save.
- On the Configuration Files tab, edit the dictionary file and add the line as shown in the following figure.
- Click Save and restart the RADIUS server. If it was running previously but fails to start now, examine the changes you just made and ensure that they are correct.
2. Add the RADIUS client by using the following steps:
- Log in to the Security Console (SC) and navigate to RADIUS Clients > Add New.
- Enter a name for the client; for example, 'DMNVX-350-001'.
- Enter the IP address of the Crestron device.
- Set the Make/Model to 'Crestron' since the Crestron device and the Authentication Manager are exchanging Crestron-specific RADIUS attributes (for authorization).
- Configure a shared secret that will also be used on the Crestron device.
- Click Save and Create Associated Agent.
- Set the agent-specific attributes, but for this example, retain the default values.
- Click Save.
3. A new user attribute (Identity Attribute) needs to be added to the RSA Authentication Manager internal database. This attribute is used to set the user's access level on a Crestron device. The attribute will be mapped to a RADIUS attribute that Authentication Manager sends back when user authentication is successful. To add this identity attribute, use the following steps:
- In the Security Console, navigate to Identity > Identity Attribute Definitions, and click Add New.
- Retain category as 'Attributes'. This new attribute can be mandatory or optional. Mandatory attributes must be set for any users added after they have been defined.
- Set the data type format to 'String'.
- Add the values 'administrator', 'programmer', 'operator', 'user', and 'connect' to the predefined list entries. Retain the default values for the remaining options.
4. The user attribute (Identity Attribute) must be mapped to a RADIUS attribute that Authentication Manager sends back when user authentication is successful. A RADIUS profile also uses RADIUS attributes. To add the RADIUS attribute, follow these steps:
- Navigate to RADIUS > RADIUS User Attribute Definitions > Custom Attributes and click Add New Custom Attribute.
- For the access level attribute, set the attribute number as 64.
- Set the attribute name to 'Crestron-Access-Level'. This name must match the attribute with the same number in the Crestron RADIUS dictionary.
- Click Yes for the Map to an Identity Attribute option and select the new Access Level attribute from the list.
- Click Save.
5. You can configure a RADIUS profile on the Authentication Manager that uses RADIUS attributes. The profile can be assigned to a set of users. If you need to change a RADIUS attribute, you can change it in one place instead of changing it for each user.
- Navigate to RADIUS > Profiles and click Add New.
- Name the profile 'Crestron-Administrator'.
- In Return List Attributes, select Crestron-Access-Level.
- Unlike a RADIUS User Attribute, a RADIUS Attribute added to a profile cannot be mapped to an Identity Attribute. Provide the attribute value on this page. Enter 'administrator' for the value.
- Click Add, and then click Save.
You can associate a RADIUS profile with a RADIUS client agent, trusted users, or users. To associate it, click the drop-down menu beside the RADIUS profile you created and select Associated Users, Associated Trusted Users, or Associated Agents.
6. When using Windows Active Directory as the identity source, proceed with the following steps:
- Add the Active directory:
- Log in to the Operations Console.
- Click Identity Sources > Add New.
- Provide a name for the identity source; for example, 'WindowsAD'.
- The Directory URL has the format 'ldap://<FQDN of Windows AD server>'.
- The Directory User ID is the ID of a Windows user that RSA will use to access LDAP information. This can be an existing user, or you can create a new user dedicated to this purpose. Enter the full directory pathname for the user. For example, the user "rsauser" in the domain "mydomain.com" would be entered as "cn=rsauser,CN=Users,dc=mydomain,dc=com".
- Enter the Windows password for the Directory User ID as the Directory Password.
- To verify the connection, click Test Connection.
- Click Next to proceed to the identity source mapping screen.
- Set the User Base DN to the point in the organizational hierarchy that represents the set of users you want to add to RSA Authentication Manager. For example, to add all users in the domain "mydomain.com", set this value to "dc=mydomain,dc=com".
- Set the User Group Base DN similarly. In this example, it can be set to the same value as the User Base DN to import all user groups.
- Clear the Directory is an Active Directory Global Catalog check box and select Authenticate users to this identity source.
- Retain the default values for the remaining fields and click Save and Finish.
- Link the identity source. Before linking the new identity source, you must log out of the security console and log back in.
- Navigate to Setup > Identity Sources and click Link Identity Source to System. The Windows AD source appears in the Available box.
- Select it and click the arrow to move it to the Linked box.
- Click Save.
- To see the Windows users, navigate to Identity > Users > Manage Existing and select the Windows AD identity source from the list.
- Click Search.
7. Assign an access level. When a user is configured in the RSA Authentication Manager local database, the attribute is set to assign an access level to the user. When users are added from an external identity source like Windows AD, this attribute must be set manually for each user. You can map the attribute to a Windows attribute also. Navigate to the details of the user who logs in from the device, and then define the attribute.
- Navigate to Identity > Users > Manage Existing.
- Select the Windows identity source, and then click Search to display the list of Windows users.
- Click the desired user and click Edit.
- Scroll down and select the appropriate access level from the list. Users will have this access level after logging in to a Crestron device.
- Click Save.
Notes:
- Users' Windows passwords are imported by RSA and can be used for logging in to the RSA Self-Service Console. The Windows password cannot be used for authenticating to a Crestron device. For RSA to authenticate users, they must have a fixed passcode, a SecurID token, or both assigned.
- The RADIUS server sends RADIUS user attributes along with the profile return list attributes to a RADIUS client. These assigned RADIUS user attributes override the attributes assigned to the user or trusted user through profiles.
- If a RADIUS profile is to be used, first add the dictionary file and make the configuration file changes, then create the RADIUS client with the Crestron dictionary selected in the Make/Model option, and only then create the profile.
RSA Authentication Manager for Authentication and Windows Network Policy Server for Authorization
You can use RSA Authentication Manager to perform user authentication and Windows Network Policy Server (NPS) to perform authorization. This can be done whether users on Authentication Manager are local or have been added from a Windows identity source. The approach works either way as long as usernames on both Windows and Authentication Manager are the same. RADIUS requests from Crestron devices will first go to NPS and then will be forwarded to RSA Authentication Manager.
Procedure
- To make NPS and Authentication Manager communication work, add Authentication Manager as a remote RADIUS server group to NPS and create a connection request policy. Perform the following steps:
- In the NPS console, right-click RADIUS Clients and Servers.
- Click Remote RADIUS Server Groups and click New.
- Provide a name for the group and enter the details for the RSA Authentication Manager server, and then click OK. The shared secret entered here must match the one configured when NPS is added as a RADIUS client on RSA Authentication Manager.
- Set up a connection request policy on NPS to forward RADIUS requests to RSA. In the NPS console, right-click Policies > Connection Request Policies, and click New.
- Enter a name for the policy; for example, 'Forward to RSA'.
- On the Conditions tab, click Add and add any conditions. For example, add a user match condition.
- Click Next.
- In the next window, select Forward Requests and use the server group name configured.
- Click Next.
- In the Configure Settings window, select Vendor Specific, and then click Add.
- In the Vendor list, select Custom, and then click Remote-RADIUS-To-Windows-User-Mapping.
- Click Add.
- In the next window, select True and click Ok.
- Click Close.
- Click Next, and then click Finish.
If you already have other connection request policies in NPS, they are listed in the order of precedence. NPS uses the first policy that matches with the incoming RADIUS access request.
- The network policy will match a user or users who belong to an existing Windows group, either directly or through a group hierarchy. The administrator group created in the previous section (for example, "Crestron_Administrators") is used here. Perform the following steps to add a network policy to NPS for user authorization.
- Right-click Policies and click Network Policies.
- Click New.
- Provide a name for the policy (for example, 'Connections from Crestron Administrators') and click Next.
- In the Conditions window, click Add.
- Select User Groups and click Add.
- Add each group that should have administrator access. In this example, only one group is needed ("Crestron_Administrators") if all administrators were added to it.
- Click Next.
- Select Access Granted and click Next.
- On the Authentication Methods screen, select MS-CHAP and Unencrypted authentication. Note that Windows may show a warning for selecting an insecure method.
- Click Next.
- On the Configure Settings screen, select Vendor Specific under RADIUS Attributes, and then click Add.
- In the Vendor list, select Custom.
- In the Attributes list, select Vendor-Specific and click Add.
- In the Attribute Information window, click Add.
- Select Enter Vendor Code and enter '3212', Crestron's IANA-assigned vendor ID, in the box.
- Select Yes and click Configure Attribute.
- Enter '64', the attribute number for Crestron-Access-Level, in the vendor-assigned attribute number box.
- In the attribute format list, select String, and in the Attribute value box, enter 'administrator'.
- Click Ok on the screens and click Close. A vendor-specific attribute appears in the policy Attributes area.
- Click Next and click Finish.
The network policies are listed in the order of precedence. NPS uses the first matching policy.
- Both NPS and Authentication Manager must know a shared secret for communication. Configure NPS as a RADIUS client in Authentication Manager by performing the following steps:
- In the security console, navigate to RADIUS Clients and click Add New.
- Provide a name for the client; for example, 'Windows NPS'.
- Enter the IP address of the Windows server.
- Set the Make/Model to 'Standard Radius'. NPS will append Crestron VSAs to the RADIUS responses that are sent to the Crestron device.
- Configure the same shared secret that was configured for the NPS Remote RADIUS Server Group in the previous section.
- Click Save and Create Associated Agent.
- Set the agent-specific attributes. For this example, retain the default values.
- Click Save.
- Add an NPS authentication domain to the device. The domain login requests that use the configured domain name will be sent from the device to NPS. Use the ADDAUTHDOMAIN command on the device to add a RADIUS-type authentication domain with the Windows NPS server as the host.
Note:
If Authentication Manager is configured to send authorization data back to the Crestron device in a Crestron VSA, it can conflict with a VSA added by NPS. The Crestron device will use the first Crestron-Access-Level VSA in a RADIUS Access-Accept message. This may cause a problem if Authentication Manager and NPS differ on the authorization level, resulting in a user being granted an unexpected access level.
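The note above, together with the vendor ID 3212 and attribute number 64 used for Crestron-Access-Level earlier in this section, can be checked against a captured Access-Accept. The following Python is an added example, not Crestron or RSA code: it encodes and decodes the Crestron VSA in standard RADIUS Vendor-Specific (type 26) format, applies the first-VSA-wins rule the note describes, and flags a conflicting second VSA. The attribute list is constructed inline, not taken from a real capture.

```python
import struct

CRESTRON_VENDOR_ID = 3212      # Crestron's IANA-assigned vendor ID (from this guide)
CRESTRON_ACCESS_LEVEL = 64     # vendor attribute number for Crestron-Access-Level
ATTR_VENDOR_SPECIFIC = 26      # standard RADIUS Vendor-Specific attribute type
ATTR_REPLY_MESSAGE = 18


def build_attr(attr_type: int, data: bytes) -> bytes:
    """Encode one RADIUS attribute: Type, Length (incl. header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def build_crestron_vsa(level: str) -> bytes:
    """Encode a Vendor-Specific attribute carrying Crestron-Access-Level."""
    data = level.encode("ascii")
    sub = struct.pack("!BB", CRESTRON_ACCESS_LEVEL, 2 + len(data)) + data
    return build_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CRESTRON_VENDOR_ID) + sub)


def iter_attrs(payload: bytes):
    """Yield (type, value) pairs from an attribute list; reject bad lengths."""
    i = 0
    while i + 2 <= len(payload):
        t, ln = payload[i], payload[i + 1]
        if ln < 2 or i + ln > len(payload):
            raise ValueError("malformed attribute length")
        yield t, payload[i + 2:i + ln]
        i += ln


def crestron_access_levels(payload: bytes) -> list:
    """Return every Crestron-Access-Level value in the order it appears."""
    levels = []
    for t, value in iter_attrs(payload):
        if t != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CRESTRON_VENDOR_ID:
            continue
        for vt, vdata in iter_attrs(value[4:]):
            if vt == CRESTRON_ACCESS_LEVEL:
                levels.append(vdata.decode("ascii", "replace"))
    return levels


def effective_access_level(payload: bytes):
    """Device rule from the note: the first Crestron-Access-Level VSA wins.
    Returns (level, conflict); conflict is True if a later VSA disagrees."""
    levels = crestron_access_levels(payload)
    if not levels:
        return None, False
    return levels[0], any(lvl != levels[0] for lvl in levels[1:])


# Constructed sample: Authentication Manager returned 'operator' and NPS
# appended 'administrator', the conflict the note warns about.
SAMPLE_CONFLICT = (build_attr(ATTR_REPLY_MESSAGE, b"Welcome")
                   + build_crestron_vsa("operator")
                   + build_crestron_vsa("administrator"))
```

Run `effective_access_level` over the attribute bytes of a real Access-Accept to confirm which source is actually winning before enabling VSAs on both servers.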
Configure Crestron
Using Toolbox
- Configure the device with RSA server details using the ADDAUTHDOMAIN console command.
addauthdomain -n:domain_name -h:host [-t:{AD | RADIUS}] {-p:shared_secret} | {-d:device_account [-k:keytab_filename] [-r:realm_name]} [-v]
-n:domain_name - Specifies the name of the authentication domain to configure.
-h:host - Specifies either an IP address (v4 or v6) or server name that will authenticate/authorize users logging in to this device.
-t:domain_type - Indicates the authentication/authorization protocol to use for network logins with this domain (defaults to AD if not provided).
For RADIUS domains:
-p:shared_secret - The password used to authenticate this device to a domain-side server.
For AD domains:
-d:device_account - The domain-side computer account associated with this device.
-k:keytab_filename - The name of the keytab file to use when authenticating to the domain. The keytab file must be uploaded to the /SYS/ folder on the device, and will use a default name if not specified.
-r:realm_name - The name of the authentication realm (defaults if not specified).
-V - Attempts to validate the configuration with the domain.
Example: addauthdomain -n:radius.crestron.com -h:10.20.30.40 -t:radius -p:password
- Launch Crestron Toolbox and run the TESTLOGIN commands as shown in the following figure. Log in to the device using the username with the name of the authentication domain associated with RSA Authentication Manager. When prompted for a password, use the fixed passcode, which has been set during the user creation/authentication configuration process.
Using SSH
- Launch an SSH client and authenticate using SSH console as shown in the following figure. Log in to the device using the username with the name of the authentication domain associated with RSA Authentication Manager. When prompted for a password, use the fixed passcode, which has been set during the user creation/authentication configuration process.
Using WebUI
- Launch WebUI interface and log in using the username with the name of the authentication domain associated with RSA Authentication Manager. As the password, use the fixed passcode that has been set during the user creation/authentication configuration process.
Note:
Fixed passcodes are not the recommended authentication method. RSA also provides the option of using SecurID soft tokens (RSA Authenticator app) and SecurID 700 hardware tokens. In both cases, users will have the option to use PIN+Token or PIN alone when asked for a password, depending on the token policy configured in RSA Authentication Manager.
The configuration is complete.
Return to Crestron - RSA Ready Implementation Guide.