Lantronix Control Center and Local Manager 2FA with Okta¶
This document describes the configuration of a Lantronix Control Center (CC) to use Okta Two Factor Authentication (2FA) for user authentication.
Overview¶
Configuring a Lantronix Control Center to use Okta for 2FA requires several steps. Administrators will configure their Okta RADIUS Application within the Okta security portal, then install the Okta RADIUS Client on the Control Center, and then configure the Control Center to perform user authentication using the Okta RADIUS 2FA service.
Step 1 - Configuring the RADIUS Application in Okta’s Portal¶
This guide is for installing and configuring a RADIUS application within Okta for use by a Lantronix Control Center and Local Managers.
Note: This guide contains screen captures of a third-party application which may be updated at any time. The application UI may differ from the examples shown here.
Login to Okta with an account with appropriate privileges to build a RADIUS application.
Under the Applications menu click Applications.
Click Browse App Catalog.
Within the search bar type RADIUS, then click on RADIUS Application.
Click Add Integration.
Under General Settings add a descriptive name for the application and click Next.
Under Sign-On Options make sure the following are selected. Click Done when complete.
| Authentication | Okta Performs primary authentication | Note |
|---|---|---|
| UDP Port | User Defined (Typically 1812) | Must match RADIUS settings on Control Center and Local Managers |
| Secret Key | User Defined | Must match RADIUS settings on Control Center and Local Managers |
| Application username format | User Defined | This is the format the user will use when logging into the CC/LM |
Under Assignments add the users and/or the groups affiliated with the application.
Note: These user and group names will need to match the user and group names in the Lantronix Control Center.
Click Assign to add the user/group. Add all that are required.
You should now see all the users/groups on the Assignments page.
Click the Sign On tab and then under Advanced RADIUS Settings click Edit to make additional configurations.
Under Client IP, enable the Report Client IP option with the following setting:
| Setting | Value |
|---|---|
| RADIUS end-user IP attribute | 31 Calling-Station-id |
Under Groups Response, enable the Include groups in RADIUS response option with the following settings:
| Setting | Value |
|---|---|
| Radius attribute | 26 Vendor-Specific |
| 10243 | |
| 3 | |
| Group memberships to return | Add all groups affiliated with the application |
| Response format | Delimited list |
| Delimiter | , (comma) |
| Group name format | ${group.name} |
Under Authentication, enable the following options:
- Accept password and security token in the same login request
- Permit Automatic Push for Okta Verify Enrolled Users
- Single-line MFA prompt
Scroll to the Sign On Policy.
Depending on your policy you may need to add the IP address on the CC to the list of gateway IPs under Security > Networks.
Click Save when done.
RADIUS Application configuration is now complete.
Step 2 - Installing the Okta RADIUS Agent¶
Login to your Okta account.
Navigate to Settings > Downloads.
Scroll to Okta RADIUS Server Agents and click Download Latest for Okta RADIUS Server Agent (RPM).
Import the RPM to the Control Center home directory (/home/emsadmin) using SCP or other transfer protocol (you must know the emsadmin password).
Note: The current version number may differ from the example.
scp OktaRadiusAgentSetup-2.20.0.rpm emsadmin@<Your CC IP Address>:/home/emsadmin/
Open a CLI session to the Control Center and login as emsadmin and run the following commands.
Note: The current version number may differ from the example.
sudo su - (changes to root user, use emsadmin password)
cd /home/emsadmin - (changes directory to where rpm is located)
sha512sum /home/emsadmin/OktaRadiusAgentSetup-2.20.0.rpm - (prints checksum, verify they match)
rpm -Uvh OktaRadiusAgentSetup-2.20.0.rpm - (installs the rpm)
Enter the base URL for your Okta organization and hit enter. Typically it’s https://YourOrganization.okta.com.
Note: If you have admin in the URL it is incorrect.
You will see lots of messages. Wait until you see a unique URL to copy and paste to your web browser.
This URL will redirect you to an Okta login screen. Login with the account that will be used as the Radius Service account.
Note: This account must have application admin privileges.
Make sure you see Okta RADIUS Agent, then click Allow Access.
On the next screen, click Continue.
Once you click Continue, go back to the Control Center CLI and you should see more messages. If your account permissions are valid, you will see Registering Agent Successful, at which point the installation is complete.
Note: You must have a RADIUS application built on Okta to accept/deny the incoming RADIUS AAA packets. If you see a failure message make sure the account you are using has appropriate privileges.
Okta Radius Agent installation is now complete.
Step 3 - Configuring Control Center to use Okta 2FA¶
Login to the Control Center.
Navigate to the Administration > AAA Settings page.
Make the following changes to the AAA Settings.
| Field | Value | Description |
|---|---|---|
| Authentication Type | RADIUS | - |
| Authentication Method | PAP | - |
| Authentication timeout | 45 | Authentication Timeout is the number of seconds before the next RADIUS server or Fail Over to Local is tried. SSH to a Local Manager times out after 60 seconds, so it is best to keep this timeout short. When in doubt, leave this at 12 seconds. |
| Use Remote Authorization | User Determined | Some AAA servers support returning group names that can be used to assign privileges to users. To use this feature enable Use Remote Authorization. |
| Create Users | User Determined | On successful authentication, if Use Remote Authorization is enabled and Create Users is enabled, the user is created to the local user database if they do not already exist. |
| Cache Passwords | User Determined | Enable Cache Passwords to save the password on successful authentication. |
| Fail Over to Local | User Determined | Enable Fail Over to Local to allow authentication of users against their stored password when no configured authentication server is available. |
Make the following changes to the Authentication Server Settings.
| Setting | Value | Note |
|---|---|---|
| IP | 127.0.0.1 | You must use CC’s local loopback IP |
| Port | User Defined | Must match the port number used in the Okta RADIUS application |
| Secret | User Defined | Must match the secret used in the Okta RADIUS application |
Click Save.
Local Managers RADIUS / Control Center Authentication Configuration¶
Login to the Control Center.
Navigate to the Inventory page and click on the Root Group (the default is Your Company).
Open the Security menu and click on Authentication.
For Authentication Type select Control Center. Check the box Force Update on children and then click Save.
Note: This will tunnel all RADIUS AAA packets through the Control Center using TLS 1.3.
Control Center and Local Manager RADIUS configuration for Okta RADIUS agent is now complete.