Skip to content

Commit c0ed0c7

Browse files
committed
docs: update RADIUS Gateway Guide with missing features and fixes
- Update feature list with all features from releases v1.2 through v1.7.1 - Remove incorrect X-MSS-MSISDN VSA claim (not implemented in code) - Add RADIUS client retry recommendation to NAS Requirements - Add ldapsearch debugging command for LDAP troubleshooting - Add Amazon ECR pull command and fix Docker Hub/ECR links - Add RIG-specific radclient test examples to annexes
1 parent 9f7948e commit c0ed0c7

3 files changed

Lines changed: 59 additions & 6 deletions

File tree

docs/radius-interface-gateway-guide/annexes.md

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -49,6 +49,31 @@ echo "User-Name=test,User-Password=mypass,Framed-Protocol=PPP" | \
4949
echo "Message-Authenticator = 0x00" | /usr/local/bin/radclient localhost:1812 auth s3cr3t
5050
```
5151

52+
#### Testing a RIG Instance
53+
54+
The following examples show how to use `radclient` to test a running RIG instance specifically.
55+
56+
**Without LDAP** — the MSISDN is provided as part of the User-Name:
57+
58+
```bash
59+
echo "User-Name=<MyMobileNumber>@<mycompany.com>,NAS-Identifier=<ch_mycompany>" | \
60+
radclient -c 1 -r 1 -x -t 30 <server-ip> auth <shared-secret>
61+
```
62+
63+
**With LDAP** — the RIG service retrieves the user's mobile number via LDAP:
64+
65+
```bash
66+
echo "User-Name=<username>,User-Password=<user-password>,NAS-Identifier=<ch_mycompany>" | \
67+
radclient -c 1 -r 1 -x -t 30 <server-ip> auth <shared-secret>
68+
```
69+
70+
**OTP (SMS) challenge-response** — if the authentication falls back to OTP via SMS, you will receive an `Access-Challenge` response that includes a `State` value. You must respond with another `Access-Request` that includes the OTP as `User-Password` and the retrieved `State` value:
71+
72+
```bash
73+
echo "User-Name=<MyMobileNumber>@<mycompany.com>,User-Password=<otp>,State=<state>,NAS-Identifier=<ch_mycompany>" | \
74+
radclient -c 1 -r 1 -x -t 30 <server-ip> auth <shared-secret>
75+
```
76+
5277
### RADIUS Online Test
5378

5479
The idBlender company provides a free online web application that functions as a RADIUS client. It uses a backend service to perform the actual RADIUS request (so it is not the browser that sends the RADIUS requests, but a backend service) and can be used to test publicly available RADIUS servers.

docs/radius-interface-gateway-guide/deployment.md

Lines changed: 19 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -28,6 +28,7 @@ The following points must be considered before you proceed with the deployment.
2828

2929
- The NAS RADIUS Access-Request packet contains either a **unique NAS-Identifier attribute** or it has a **unique and static source IP address/range**. RIG will pick the configuration based on this info.
3030
- The RADIUS client timeout shall be set to **60 seconds**. This ensures enough time for the user to respond to the Mobile ID authentication request.
31+
- The RADIUS client retry shall be set to no more than **1**. The client should not retry because there might still be a Mobile ID authentication session ongoing.
3132

3233
### Connectivity Requirements
3334

@@ -45,6 +46,16 @@ You can verify the LDAP connectivity using the following command on the node whe
4546
ldapwhoami -x -w <passwd> -D "cn=<tbd>,ou=<tbd>,dc=<tbd>,dc=<tbd>" -H ldap://<ldap.myserver.com>:389
4647
```
4748

49+
When troubleshooting LDAP configuration issues, you can use `ldapsearch` to query user attributes directly:
50+
51+
```bash
52+
ldapsearch -LLL -H ldap://<ldap.myserver.com>:389 \
53+
-b "ou=<tbd>,dc=<tbd>,dc=<tbd>" \
54+
-D "cn=<admin>,dc=<tbd>,dc=<tbd>" \
55+
-w <passwd> \
56+
-s sub "(&(objectclass=inetOrgPerson)(uid=<user>))"
57+
```
58+
4859
You can verify the Mobile ID API connectivity using the following command on the node where the RIG container application is running:
4960

5061
```bash
@@ -61,11 +72,11 @@ Here is an I18N Error Message JSON configuration example. Add the JSON content e
6172

6273
## Docker Run
6374

64-
You can pull the Docker images from [Docker Hub](https://hub.docker.com/) (or alternatively from Amazon ECR).
75+
You can pull the Docker images from [Docker Hub](https://hub.docker.com/repository/docker/mobileidch/mid-radius-rig) or from [Amazon ECR](https://gallery.ecr.aws/mobileidch/mid-radius-rig).
6576

6677
For high availability, you will need the following components, running at least two instances each:
6778

68-
- **Mobile ID RADIUS Interface Gateway application**[Docker Hub](https://hub.docker.com/) or Amazon ECR
79+
- **Mobile ID RADIUS Interface Gateway application**[Docker Hub](https://hub.docker.com/repository/docker/mobileidch/mid-radius-rig) or [Amazon ECR](https://gallery.ecr.aws/mobileidch/mid-radius-rig)
6980
- **Redis database** using `redis` (requires 3 nodes for HA; alternatively, `keydb` may be used)
7081
- **Redis web management tool** using `redis-commander` to manage the Redis database content
7182
- **UDP network load balancer** using `nginx` with a custom `nginx.conf` configuration
@@ -76,6 +87,12 @@ How to pull an image from Docker Hub:
7687
docker pull mobileidch/mid-radius-rig
7788
```
7889

90+
How to pull an image from Amazon ECR:
91+
92+
```bash
93+
docker pull public.ecr.aws/mobileidch/mid-radius-rig
94+
```
95+
7996
How to run a Docker application:
8097

8198
```bash

docs/radius-interface-gateway-guide/introduction.md

Lines changed: 15 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -10,11 +10,10 @@ During authentication via RADIUS, an extra step requires users to confirm the ac
1010

1111
Some clients might decide to move from 1FA (one-factor authentication) to 2FA: username + password and Mobile ID. Other clients might decide to stick with 2FA but replace the existing combination of username + password and security device challenge with username + password plus Mobile ID as additional MFA.
1212

13-
RADIUS users are typically defined in the format `user@domain`. However, Mobile ID requires the phone number (MSISDN) of the user. Therefore, the phone number of the target user should be provided with one of the following options (RIG supports all three):
13+
RADIUS users are typically defined in the format `user@domain`. However, Mobile ID requires the phone number (MSISDN) of the user. Therefore, the phone number of the target user should be provided with one of the following options:
1414

1515
- RIG connects to a customer's **Directory Service (LDAP)** to retrieve user attributes such as phone number (MSISDN) or other optional attributes such as User-Language, MobileID serial number, or the user's preferred authentication method.
1616
- The RADIUS client provides the **MSISDN as part of the User-Name** (e.g. `4179xxxxxxx@mydomain.com`).
17-
- The RADIUS client provides the **MSISDN via Vendor Specific Attribute** (`X-MSS-MSISDN`).
1817

1918
## RIG Feature List
2019

@@ -23,12 +22,24 @@ RADIUS users are typically defined in the format `user@domain`. However, Mobile
2322
- Multitenancy
2423
- Cloud-native microservice architecture (horizontal scalability)
2524
- Authentication: Mobile ID SIM, Mobile ID App, OTP Text SMS
26-
- Geofencing
27-
- LDAP lookup (`userPassword`, `mobile`, `preferredLanguage`, `midSerial`, `preferredMFA`)
25+
- Automatic authentication fallback with configurable priority
26+
- MFA method selection via LDAP group membership (`memberOf`)
27+
- MFA method "None" (temporarily disable MFA per user or group)
28+
- Geofencing (whitelist/blacklist configuration, AD group-based, configurable confidence scores)
29+
- LDAP(S) integration (`userPassword`, `mobile`, `preferredLanguage`, `midSerial`, `preferredMFA`)
30+
- LDAP search scope and referral configuration
31+
- Flexible LDAP search filters with multiple username placeholders
32+
- LDAP authentication without admin/service user
33+
- User Account Control attribute support
2834
- Mobile ID user's serial number validation (optional)
35+
- RADIUS Accounting
36+
- RADIUS Class attribute in Access-Accept
2937
- Custom RADIUS Reply Messages for Access-Reject
3038
- Custom Text SMS notification for specific error events
39+
- Accounting Webhook (forward accounting traffic to external systems)
3140
- Supports Fortinet Vendor Specific Attributes (VSA)
41+
- Support for Docker secrets via `_FILE` environment variables
42+
- BlastRADIUS mitigation — Message-Authenticator support (CVE-2024-3596)
3243

3344
### Features Planned
3445

0 commit comments

Comments
 (0)