Configuring CC to use 2FA via RADIUS¶
Lantronix Control Centers (CC) and Local Managers (LMs) can be configured to authenticate against two-factor authentication (2FA) systems. In most cases this is accomplished by setting the CC to send authentication requests to the RADIUS interface of the 2FA service or client software. Details of the client software configuration vary by service – see this guide for configuring the Okta 2FA service as an example.
To configure the CC to use LDAP or LDAPS to connect to a 2FA server, see this guide.
Step 1 - Configure Control Center Authentication AAA Settings¶
Login to the Control Center.
Navigate to the Administration > AAA Settings page.
Make the following changes to the AAA Settings. Settings may vary based on the 2FA service being used.
| Setting | Value | Description |
|---|---|---|
| Authentication Type | RADIUS | - |
| Authentication Method | PAP | - |
| Authentication Timeout | 45 | Authentication Timeout is the number of seconds before the next RADIUS server or Fail Over to Local is tried. SSH to a Local Manager times out after 60 seconds, so it is best to keep this timeout short. When in doubt, leave this at 12 seconds. |
| User Remote Authorization | User determined | Some AAA servers support returning group names that can be used to assign privileges to users. To use this feature enable Use Remote Authorization. |
| Create Users | User determined | On successful authentication, if Use Remote Authorization is enabled and Create Users is enabled, the user is created to the local user database if they do not already exist. |
| Cache Passwords | User determined | Enable Cache Passwords to save the password on successful authentication. |
| Fail Over to Local | User determined | Enable Fail Over to Local to allow authentication of users against their stored password when no configured authentication server is available. |
Make the following changes to the Authentication Server Settings.
| Setting | Value | Description |
|---|---|---|
| IP | X.X.X.X | The IP address of the 2FA service or client. Clients installed on the CC such as Okta or Google Authenticator will use 127.0.0.1 for the IP address. |
| Port | User defined | Must match the port number used in the Okta RADIUS application. |
| Secret | User defined | Must match the secret used in the Okta RADIUS application. |
Click Save.
Step 2 - Configure Local Managers Authentication Settings¶
Login to the Control Center.
Navigate to the Inventory page and click on the Root Group (the default is Your Company).
Open the Security menu and click on Authentication.
For Authentication Type select Control Center. Check the box Force Update on children and then click Save.
Note: This will tunnel all RADIUS AAA packets through the Control Center using TLS 1.3.
Control Center and Local Manager RADIUS configuration for Okta RADIUS agent is now complete.