Configuring PhenixID MFA Server as an MS-CHAPv2 Proxy

Overview

PhenixID Authentication Service (PAS) can be configured to function as a RADIUS proxy server for MS-CHAPv2 (Microsoft Challenge-Handshake Authentication Protocol version 2). This configuration is widely used to enhance the security of VPN authentications by introducing multi-factor authentication (MFA) capabilities. The setup leverages PhenixID MFA Server to act as an intermediary, forwarding authentication requests from RADIUS clients (e.g., VPN endpoints) to a backend MS-CHAPv2-compliant RADIUS server, such as Microsoft Network Policy Server (NPS).

In this proxy scenario:

  • PhenixID MFA Server facilitates secure communication between the client and backend server.
  • The backend RADIUS MS-CHAPv2 server handles password validation, while PhenixID MFA Server manages additional authentication layers, such as One Touch.

This architecture provides a seamless way to introduce MFA into environments where password validation must remain with an existing backend RADIUS server.

Why Use PhenixID as a Proxy?

  1. Enhanced Security: Adds a second authentication layer (e.g., PhenixID One Touch) without altering existing password validation systems.
  2. Compatibility: Works with a wide range of RADIUS clients and backend RADIUS servers, ensuring smooth integration.
  3. Centralized Control: Allows administrators to manage authentication policies and MFA configurations from a single point.

Limitations

While the setup enhances security and maintains compatibility, there are some limitations:

  • Limited Authentication Methods: Only supports Username/Password and PhenixID One Touch mechanisms, as PAS cannot inject additional data into the flow.
  • Dependency on Backend Validation: Password validation is entirely handled by the backend MS-CHAPv2 server. Any issues with the backend server affect the overall authentication process.

By understanding these capabilities and limitations, administrators can determine if this proxy setup aligns with their organizational needs for securing VPN and RADIUS-based authentications.


Flow Overview

The authentication flow proceeds as follows (Mermaid sequence diagram):

sequenceDiagram
    participant RADIUSClient as RADIUS Client
    participant PhenixID as PhenixID MFA Server (Proxy)
    participant BackendRADIUS as Backend RADIUS MS-CHAPv2 Server

    RADIUSClient ->> PhenixID: Access-Request (Username, Password)
    PhenixID ->> BackendRADIUS: Forward Access-Request
    BackendRADIUS ->> PhenixID: Validation Response (Accept/Reject)

    alt Access-Reject
        PhenixID ->> RADIUSClient: Access-Reject
    else Access-Accept
        PhenixID ->> PhenixID: Perform One Touch Challenge
        PhenixID ->> RADIUSClient: Final Response (Accept)
    end

Explanation

  • The flow starts with the RADIUS Client sending an Access-Request with the user's credentials to the PhenixID MFA Server.
  • The PhenixID MFA Server forwards this request to the Backend RADIUS MS-CHAPv2 Server for validation.
  • Depending on the validation result:
    • If the backend server responds with a rejection (Access-Reject), the PhenixID MFA Server immediately relays this response to the RADIUS Client.
    • If the backend server responds with an acceptance (Access-Accept), the PhenixID MFA Server performs an additional One Touch challenge (if configured).
  • Finally, the PhenixID MFA Server sends the result (accept or reject) back to the RADIUS Client.
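To make the decision logic in the diagram concrete, the following is an added Python simulation; it is not PhenixID code and does not reproduce the product's internals. It frames packets the way RFC 2865 does (code, identifier, length, authenticator, type/length/value attributes), forwards the Access-Request to a constructed stand-in backend, verifies the backend's Response Authenticator under the backend shared secret before trusting it, and only then runs the second factor. The secrets, user list and MS-CHAPv2 vendor-specific payload are constructed placeholders.

```python
"""Simulated RADIUS proxy decision flow using RFC 2865 packet framing.
Added example, not PhenixID code; secrets and user list below are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1          # RFC 2865 User-Name
ATTR_VENDOR_SPECIFIC = 26   # MS-CHAPv2 challenge/response travel inside Vendor-Specific attributes

BACKEND_SECRET = b"backend-shared-secret"   # constructed: proxy <-> backend MS-CHAPv2 server
CLIENT_SECRET = b"client-shared-secret"     # constructed: VPN endpoint <-> proxy


def _encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_request(ident, attrs):
    """Access-Request: the 16-byte Request Authenticator is random."""
    body = _encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + os.urandom(16) + body


def build_response(code, ident, request_auth, attrs, secret):
    """Access-Accept/Reject: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = _encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def parse_packet(raw):
    """Return (code, ident, authenticator, [(type, value), ...]); reject malformed lengths."""
    if len(raw) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = raw[pos], raw[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute length")
        attrs.append((t, raw[pos + 2:pos + l]))
        pos += l
    return code, ident, raw[4:20], attrs


def response_is_authentic(raw_response, request_auth, secret):
    """Recompute the Response Authenticator under the given shared secret and compare in constant time."""
    code, ident, got, attrs = parse_packet(raw_response)
    expected = build_response(code, ident, request_auth, attrs, secret)[4:20]
    return hmac.compare_digest(got, expected)


def user_name(attrs):
    return next((v.decode("utf-8", "replace") for t, v in attrs if t == ATTR_USER_NAME), "")


def proxy_access_request(raw_request, backend, second_factor):
    """Decision logic of the proxy: the backend validates the password, One Touch runs only after an Accept."""
    code, ident, request_auth, attrs = parse_packet(raw_request)
    if code != ACCESS_REQUEST:
        raise ValueError("proxy only handles Access-Request")
    reject = build_response(ACCESS_REJECT, ident, request_auth, [], CLIENT_SECRET)

    # The proxy holds no password hashes, so the MS-CHAPv2 attributes are forwarded untouched.
    raw_backend = backend(raw_request)
    # A backend reply whose Response Authenticator does not verify under BACKEND_SECRET is treated
    # as a Reject: an unauthenticated Accept must never trigger the second factor or succeed.
    if not response_is_authentic(raw_backend, request_auth, BACKEND_SECRET):
        return reject
    if parse_packet(raw_backend)[0] != ACCESS_ACCEPT:
        return reject                         # Access-Reject relayed at once, no One Touch prompt
    if not second_factor(user_name(attrs)):
        return reject                         # password correct but One Touch denied or timed out
    return build_response(ACCESS_ACCEPT, ident, request_auth, [], CLIENT_SECRET)


def fake_backend(raw_request, accepted_users=("alice",), secret=BACKEND_SECRET):
    """Constructed stand-in for the MS-CHAPv2 RADIUS server: accepts listed users, rejects the rest."""
    code, ident, request_auth, attrs = parse_packet(raw_request)
    outcome = ACCESS_ACCEPT if user_name(attrs) in accepted_users else ACCESS_REJECT
    return build_response(outcome, ident, request_auth, [], secret)


def run_scenario(username, one_touch_approves, backend=fake_backend):
    """Drive one request through the proxy; returns (final code, reply verifies under CLIENT_SECRET)."""
    vsa = b"\x00\x00\x01\x37" + b"constructed-mschapv2-placeholder"   # vendor id 311 (Microsoft), dummy payload
    req = build_request(7, [(ATTR_USER_NAME, username.encode()), (ATTR_VENDOR_SPECIFIC, vsa)])
    resp = proxy_access_request(req, backend, lambda user: one_touch_approves)
    return parse_packet(resp)[0], response_is_authentic(resp, req[4:20], CLIENT_SECRET)


if __name__ == "__main__":
    for user, approved in (("alice", True), ("alice", False), ("bob", True)):
        print(user, approved, run_scenario(user, approved))
```

The ordering matters for the two outcomes the explanation lists: a backend Access-Reject is answered immediately and the user never receives a One Touch prompt, while a backend Access-Accept is only turned into a final Accept after the second factor approves. The authenticator check on the backend reply is the defensive detail worth keeping in mind when the proxy and backend share a network segment.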

Configuration

Step 1: Load the RADIUS Proxy Module

  1. Log in to the Configuration Manager.

  2. Navigate to Modules and click the pencil icon to edit.

  3. Add the following RADIUS proxy module configuration:

    {
        "id": "mschap-radius-proxy-module",
        "name": "com.phenixidentity~phenix-radius-proxy",
        "enabled": "true",
        "config": {}
    }
    
  4. Click Stage Changes and then Commit Changes.

  5. Navigate to NODE_GROUPS and click the pencil icon to edit.

  6. Add the new module to the module_refs list:

    "module_refs": "mschap-radius-proxy-module,X,Y,Z..."
    
  7. Click Stage Changes and then Commit Changes.


Step 2: Set Up the Proxy Connection

This connection specifies the backend MS-CHAPv2 RADIUS server that PhenixID MFA Server will forward requests to.

  1. Navigate to Radius Proxy Connections and click the pencil icon to edit.

  2. Add the following configuration:

    {
        "id": "mschap-radius-connection",
        "description": "Proxy connection",
        "config": {
            "port": "1812",
            "server_host": "192.168.98.165",
            "server_port": "1813"
        }
    }
    
    • port: The local port PhenixID MFA Server will listen on.
    • server_host: Hostname or IP address of the backend RADIUS server.
    • server_port: Port on the backend RADIUS server for receiving requests.
  3. Click Stage Changes and then Commit Changes.


Step 3: Add a RADIUS Proxy Authenticator

The authenticator defines how requests are forwarded and optionally integrates PhenixID's One Touch challenge.

  1. Navigate to Authentication - Radius Proxy and click the pencil icon to edit.

  2. Add the following configuration:

    {
        "id": "auth-radius-proxy",
        "name": "OneTouchAuthenticator",
        "description": "Radius proxy authenticator",
        "config": {
            "radius_proxy_config": "mschap-radius-connection",
            "pipeID": "UserLookupWithLDAP"
        }
    }
    
    • radius_proxy_config: References the proxy connection created earlier.
    • pipeID: References a pipe for user validation.
    • selector: (Optional) Filters connections based on attributes.
  3. Click Stage Changes and then Commit Changes.


Step 4: Add a Validation Pipe

The validation pipe ensures the user exists in the directory and performs any additional checks required.

  1. Navigate to Pipes and click the pencil icon to edit.
  2. Add the following pipe configuration:

    The following pipe searches LDAP for the user and adds a FlowFailValve that fails the flow when flow.isEmpty(), i.e. when the search returned no entry:

    {
      "id": "UserLookupWithLDAP",
      "description": "Verify that user exists in LDAP",
      "valves": [
        {
          "name": "LDAPSearchValve",
          "config": {
            "connection_ref": "e379a2be-86be-4194-a53d-462bde7b6eeb",
            "base_dn": "dc=example,dc=local",
            "scope": "SUB",
            "size_limit": "0",
            "filter_template": "uid={{request.User-Name}}"
          }
        },
        {
          "name": "FlowFailValve",
          "config": {
            "reason": "User not found in LDAP",
            "exec_if_expr": "flow.isEmpty()"
          }
        }
      ]
    }

Explanation:

  1. LDAPSearchValve:

    • Searches for the user in the LDAP directory using the provided uid filter.
    • If the user exists, their details are added to the flow.
  2. FlowFailValve:

    • Triggers if the flow.isEmpty() expression evaluates to true, meaning no user details were found in the LDAP search.
    • Returns a failure response with the specified reason: "User not found in LDAP".

This ensures the flow gracefully handles cases where the user does not exist in LDAP, providing clear feedback for debugging or logging purposes.

  3. Click Stage Changes and then Commit Changes.
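To make the two valves of the pipe concrete, here is an added Python simulation; it is not PhenixID's code and does not reproduce the product's valve implementation. It renders the filter_template above from the RADIUS request's User-Name, runs the resulting equality filter against a constructed in-memory directory, and applies the FlowFailValve rule (fail when the flow is empty). It also escapes the substituted value as RFC 4515 prescribes, because a value taken straight from a RADIUS request could otherwise change the filter's meaning; whether the product escapes template values itself is not stated on the page, and the escape=False mode and the directory entries are constructed only to show what the escaping prevents.

```python
"""Simulated validation pipe: an LDAPSearchValve-style lookup followed by a FlowFailValve.
Added example, not PhenixID code; the directory entries are constructed."""
import re

# Constructed stand-in for the entries under dc=example,dc=local.
DIRECTORY = [
    {"dn": "uid=alice,ou=people,dc=example,dc=local", "uid": "alice", "mail": "alice@example.local"},
    {"dn": "uid=bob,ou=people,dc=example,dc=local", "uid": "bob", "mail": "bob@example.local"},
]

FILTER_TEMPLATE = "uid={{request.User-Name}}"   # the filter_template from the pipe configuration
PLACEHOLDER = re.compile(r"\{\{request\.([A-Za-z0-9-]+)\}\}")


def escape_filter_value(value):
    """RFC 4515 escaping: characters with meaning inside a filter become \\xx hex escapes."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def render_filter(template, request, escape=True):
    """Substitute {{request.<Attribute>}} placeholders from the RADIUS request attributes.
    escape=False is a hypothetical raw substitution, kept only to show what escaping prevents."""
    def substitute(match):
        value = request.get(match.group(1), "")
        return escape_filter_value(value) if escape else value
    return PLACEHOLDER.sub(substitute, template)


def _assertion_to_regex(value):
    """Unescaped '*' is a wildcard; \\xx escapes and everything else match literally."""
    tokens = re.findall(r"\\[0-9a-fA-F]{2}|\*|[^*\\]+|\\", value)
    parts = []
    for tok in tokens:
        if tok == "*":
            parts.append(".*")
        elif len(tok) == 3 and tok[0] == "\\":
            parts.append(re.escape(chr(int(tok[1:], 16))))
        else:
            parts.append(re.escape(tok))
    return "".join(parts)


def ldap_search(filter_str, directory=DIRECTORY):
    """Tiny evaluator for the single equality filter form the page uses (attr=value)."""
    m = re.fullmatch(r"([A-Za-z][A-Za-z0-9-]*)=(.*)", filter_str, re.DOTALL)
    if not m:
        raise ValueError("unsupported filter: %r" % filter_str)
    attr, pattern = m.group(1), re.compile(_assertion_to_regex(m.group(2)), re.IGNORECASE)
    return [entry for entry in directory if attr in entry and pattern.fullmatch(entry[attr])]


def run_pipe(request, escape=True):
    """LDAPSearchValve fills the flow with matching entries; FlowFailValve fires when flow.isEmpty()."""
    flow = ldap_search(render_filter(FILTER_TEMPLATE, request, escape))
    if not flow:                                   # exec_if_expr: flow.isEmpty()
        return {"ok": False, "reason": "User not found in LDAP"}
    return {"ok": True, "items": flow}


if __name__ == "__main__":
    print(run_pipe({"User-Name": "alice"}))
    print(run_pipe({"User-Name": "carol"}))
    print(run_pipe({"User-Name": "*"}))                 # escaped: no user is literally named '*'
    print(run_pipe({"User-Name": "*"}, escape=False))   # raw: the wildcard matches every entry
```

The last two calls show why the FlowFailValve alone is not a complete check: with raw substitution a User-Name of "*" yields a non-empty flow although no such user exists, whereas the escaped filter correctly fails with "User not found in LDAP". When reviewing a deployment, confirm how the product treats template values, and keep the size_limit and the exact-match filter form as they are on the page.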

Testing

  1. Use a RADIUS client testing tool, such as EAPTest, to validate your configuration. (Note: EAPTest is available only on Linux.)
  2. Test the setup with your preferred VPN client.
  3. If issues occur, enable debug mode on PhenixID MFA Server for error tracing and troubleshooting.

Summary

By following this guide, you can configure PhenixID MFA Server to act as an MS-CHAPv2 RADIUS proxy, enabling secure VPN authentication with optional MFA challenges. This setup integrates with backend RADIUS servers, such as Microsoft NPS, to validate credentials while providing additional layers of security with PhenixID's One Touch authentication.