Closed uprightech closed 5 years ago
Nice design. Can we use wildcards for IP address? It might be hard for a RADIUS client to know its IP address. Ideally, admins would be able to use a subnet mask. Also, the RADIUS config should be hidden if the RADIUS server is not installed as part of setup.
The usage of wildcards is totally possible. May need a few modifications at the level of gluu radius, but we should be fine. I'll copy/steal a couple of IP configuration patterns from existing radius software. Thanks for that suggestion!
Design A User Interface and a REST API in oxTrust for Gluu Radius Server
The objective here is to design a user interface and a REST API for Gluu Radius Server. The items we would like to be configurable are the following:
1 - Data Structures Description
The LDIF file containing the data description can be found here. From now on, "data structure" is just a way of talking about an LDIF entry. There are two data structures which are of interest:
1.1 oxRadiusServerConfiguration
This is the main radius server configuration. It has the following attributes:
oxRadiusListenInterface
This is a string containing the interface (IP address) the radius server listens on. This attribute (for now) isn't configurable. Its default value is 0.0.0.0.
oxRadiusAuthenticationPort
This is an integer containing the authentication port the radius server listens on. Its default value is 1812.
oxRadiusAccountingPort
This is an integer containing the accounting port the radius server listens on. Its default value is 1813.
oxRadiusOpenIdBaseUrl
This is a string containing the base URL of the oxAuth server, e.g. https://dc.gluu.org.
oxRadiusOpenIdUsername
This attribute merits an additional explanation. In order to authenticate users (via the /token endpoint), the radius server needs an OpenID client, which is created for this purpose. This is that client's username.
oxRadiusOpenIdPassword
This attribute contains the OpenID password corresponding to the OpenID username. The password is two-pass encoded (not plaintext).
oxRadiusAcrValue
This attribute is a string containing the name of the script (Resource Owner Password Grant) which will be executed during authentication.
oxRadiusAuthScope
This attribute is a string containing the DN of a scope used during authentication. This attribute can have more than one value (more than one scope).
oxRadiusAuthenticationTimeout
This attribute is an integer containing the timeout (in milliseconds) for an authentication request.
1.2 oxRadiusClient
This is the configuration for a Radius client. Each radius client connecting to the radius server for authentication uses a client secret, and the server checks that the source IP address of the connecting client matches the client's configured IP address. The data structure has the following attributes:
oxRadiusClientName
This attribute is a string containing the radius client's name.
oxRadiusClientIpAddress
This attribute is a string containing the radius client's IP address.
oxRadiusClientSecret
This attribute is a string containing the radius client's secret. The secret is two-pass encoded.
inum
A unique ID for the client (generated).
2 - UI Mockups
Below are the UI mockups and the actions in which they come into play.
2.1 Side Nav Item For Gluu Radius
A sidebar nav item will be created for Gluu Radius, with the following subnav items:
2.2 Server Configuration Tab
The user gets here by clicking on the Configuration sub-nav and selecting the Server Configuration tab if it's not selected. There are just two entries here, for the server's listen ports.
2.3 OpenID Config Tab
The user gets here by clicking on the Configuration sub-nav and selecting the OpenID Config tab if it's not selected. Here, a couple of items are configurable.
2.4 Radius Clients Page
The user gets here by clicking on the Radius Clients sub-nav. This displays a searchable list of Radius Clients and also contains action HTML elements to add a new client, view/edit an existing client's configuration, or delete a client.
2.5 Add Radius Client Page
The user gets here by clicking on Add Radius Client on the Radius Clients page. This displays a form which can be used to add a radius client.
2.6 Edit Radius Client Page
The user gets here by clicking on a Radius Client on the Radius Clients page. This displays a form with at least the client's ID filled in and the other fields editable.
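As an added example (not code from this issue or from oxTrust/Gluu Radius), here are the checks the configuration tabs, the Add/Edit Radius Client forms and the REST API would apply to the two data structures from section 1: a minimal LDIF parser run over a constructed oxRadiusServerConfiguration entry, validation of its attributes, and the client IP check from section 1.2, extended to accept a CIDR subnet as suggested in the comment thread. The DN, inum and scope values in the sample are made up.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample oxRadiusServerConfiguration entry (section 1.1); values are made up.
SERVER_LDIF = """dn: ou=oxradius,o=gluu
objectClass: oxRadiusServerConfiguration
oxRadiusListenInterface: 0.0.0.0
oxRadiusAuthenticationPort: 1812
oxRadiusAccountingPort: 1813
oxRadiusOpenIdBaseUrl: https://dc.gluu.org
oxRadiusOpenIdUsername: @!0000.radius
oxRadiusAuthScope: inum=F0C4,ou=scopes,o=gluu
oxRadiusAuthScope: inum=10B2,ou=scopes,o=gluu
oxRadiusAuthenticationTimeout: 5000
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}; multi-valued attributes such as oxRadiusAuthScope keep every value."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def validate_server_config(entry):
    """Return the problems the config tabs or the REST API should reject."""
    problems = []
    for attr in ("oxRadiusAuthenticationPort", "oxRadiusAccountingPort"):
        value = entry.get(attr, [""])[0]
        if not (value.isdigit() and 1 <= int(value) <= 65535):
            problems.append(f"{attr} must be a port number between 1 and 65535")
    url = urlparse(entry.get("oxRadiusOpenIdBaseUrl", [""])[0])
    if url.scheme != "https" or not url.netloc:
        problems.append("oxRadiusOpenIdBaseUrl must be an https URL")
    timeout = entry.get("oxRadiusAuthenticationTimeout", [""])[0]
    if not (timeout.isdigit() and int(timeout) > 0):
        problems.append("oxRadiusAuthenticationTimeout must be a positive integer (ms)")
    if not entry.get("oxRadiusAuthScope"):
        problems.append("at least one oxRadiusAuthScope DN is required")
    return problems

def client_ip_matches(configured, source_ip):
    """Compare a request's source address with oxRadiusClientIpAddress. Accepts a single
    address or (assumed extension from the comment thread) a CIDR subnet; unparseable
    configuration never matches."""
    try:
        return ipaddress.ip_address(source_ip) in ipaddress.ip_network(configured, strict=False)
    except ValueError:
        return False
```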