To authenticate against usernames and passwords stored in a remote database table, MOVEit DMZ can use the MOVEit RADIUS/ODBC Authentication service. This service accepts RADIUS requests from MOVEit DMZ and then looks up the attempted username and password from a local ODBC source.
Almost any database can be supported with this mechanism, as the service uses an arbitrary ODBC connection string and generic SQL queries. (MySQL and SQL Server examples are provided.)
The most secure way to run this service is to install it on the same machine as the database server; in this case all usernames and passwords are protected by the encrypted RADIUS channel. A less secure way is to install this service on a different internal machine; in this case the username and password are encrypted between MOVEit DMZ and the machine running the MOVEit RADIUS/ODBC Authentication service, but are probably not encrypted between the MOVEit RADIUS/ODBC server and the database server. The least secure way is to install this service on the MOVEit DMZ system itself; in this case the username and password are sent in the clear between MOVEit DMZ and an internal database server.
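The exchange the three deployment options protect, as an added example that is not MOVEit's or Ipswitch's own code: a PAP Access-Request carrying a username and a password hidden under the shared secret (RFC 2865), a service that reveals the password and looks the user up in a "userlookup" table, and a client-side check of the reply. An in-memory SQLite table, the user "alice" and the secret are constructed stand-ins for the real ODBC source and configured values; the hiding is an MD5 keystream derived from the shared secret, which is why a strong secret matters on the hop the page calls "encrypted".

```python
import hashlib, hmac, os, sqlite3, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes (RFC 2865)
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                # attribute types

def pap_xor(data, secret, auth, hiding):
    """RFC 2865 5.2 User-Password: XOR 16-byte blocks with MD5(secret + previous cipher block)."""
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hiding else data[i:i + 16])
    return out

def make_userlookup_db():
    """Constructed stand-in for the ODBC source: a 'userlookup' table with one test row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userlookup (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO userlookup VALUES ('alice', 'Wonderl4nd!')")
    return conn

def build_access_request(ident, username, password, secret):
    """What the RADIUS client (MOVEit DMZ) sends: header, random authenticator, TLV attributes."""
    auth = os.urandom(16)
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in (
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, pap_xor(password.encode(), secret, auth, True))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def handle_access_request(packet, secret, conn):
    """What the RADIUS/ODBC service does: decode, look the user up, answer Accept or Reject."""
    _, ident, length = struct.unpack("!BBH", packet[:4])
    auth, attrs, found = packet[4:20], packet[20:length], {}
    while len(attrs) >= 2 and attrs[1] >= 2:   # stop on truncated or malformed TLVs
        kind, ln = attrs[0], attrs[1]
        found[kind], attrs = attrs[2:ln], attrs[ln:]
    user = found.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = pap_xor(found.get(ATTR_USER_PASSWORD, b""), secret, auth, False).rstrip(b"\x00")
    # Parameterised query: the username arrives off the wire, so never interpolate it into SQL.
    row = conn.execute("SELECT password FROM userlookup WHERE username = ?", (user,)).fetchone()
    ok = row is not None and hmac.compare_digest(row[0].encode(), password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)
    return header + hashlib.md5(header + auth + secret).digest()

def reply_status(reply, request, secret):
    """Client-side check: distrust any reply whose authenticator does not verify under the secret."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(reply[4:20], expected):
        return "bad authenticator"
    return "accept" if reply[0] == ACCESS_ACCEPT else "reject"
```

A server configured with a different shared secret than MOVEit DMZ reveals the password to garbage and signs its reply with the wrong key, so the client reports "bad authenticator" rather than a plain rejection.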
To install the MOVEit RADIUS/ODBC Authentication service, you need to download and install two packages:
The MOVEit RADIUS-ODBC Authentication SERVER installs as a Microsoft Windows service, so you can start and stop it with the Services control panel or with a "net stop/start moveitradius" command from the command prompt. Unlike some other MOVEit services, the MOVEit RADIUS-ODBC service itself has no user interface. Serious errors encountered by the service are logged in the Application event log under the source MOVEitRADIUS.
There is also a GUI configuration CLIENT installed with the MOVEit RADIUS-ODBC Authentication package. This client can be started from the START menu via "Programs | MOVEit DMZ | Configure MOVEit RADIUS".
For the purposes of illustration, assume a system called "dotnet.corp.stdnet.com" is running MOVEit DMZ. A second system called "jglshuttle.corp.stdnet.com" hosts both the username/password database service and the MOVEit ODBC-RADIUS Authentication service.
The usernames and passwords are stored in a (MySQL) database called "radiustest" in a table called "userlookup".
On MOVEit DMZ, an administrator sets up a remote RADIUS authentication source to point to "jglshuttle.corp.stdnet.com" and enters the shared secret.
Finally, to configure the MOVEit RADIUS-ODBC service, an administrator opens the "Configure MOVEit Radius" utility and enters the following values:
The values on this dialog are used in the following way by the MOVEit RADIUS-ODBC service.
Make sure to fill in ALL values, otherwise the MOVEit RADIUS-ODBC service will likely NOT work.
All values set using this configuration dialog are saved to the "HKLM\SOFTWARE\Standard Networks\MOVEitRadius" registry entry. The values of the Shared Secret and the Database Password are encrypted here, and can only be set through this dialog. To use new settings, the MOVEit RADIUS service must be restarted.
One way to test the operation of the configured MOVEit RADIUS-ODBC service is to simply try signing on with registered users from a properly configured MOVEit DMZ session. RADIUS messages and errors will appear in the MOVEit DMZ debug log when the debug level is set to DEBUG ALL.
An alternate way to test the operation of this (or any) RADIUS service is to download and run the "MOVEitRADIUSTestClient" (available in the Distribution \ MOVEit \ DMZ \ Extras folder on the MOVEit support site, https://moveitsupport.ipswitch.com).
WARNING: Do NOT install the MOVEit RADIUS Test Client on your MOVEit DMZ machine. The interaction of some underlying libraries used by both the test client and MOVEit DMZ could cause MOVEit DMZ to NOT authenticate RADIUS users.
Installation
Like MOVEit DMZ itself, the RADIUS test client requires the use of the .NET Framework. Install the framework before proceeding. Installation of the RADIUS test client simply involves extracting the contents of a ZIP file into a single folder on your test machine. (MOVEit Wizard can, of course, unzip this file if another ZIP utility is not available.) Make sure to install the test client on the machine you intend to test from. Running the client from a remote file server may cause permissions problems which could keep the client from running correctly. If you see the error "The .Net framework did not grant the permission....", this is most likely the cause.
Operation
The MOVEit RADIUS test client is a graphical utility named MOVEitExtAuthTest.exe. Run it by double-clicking on the file. Then, fill in the appropriate information for the RADIUS server you wish to test, and click the Authenticate button.
Diagnosing RADIUS
The following screenshots show the MOVEit RADIUS test client in action as it encounters one successful signon and three different common problems.
Connected OK, Authenticated OK:
Connected OK, Bad Username or Password:
Failed to Connect - Invalid Host:
Failed to Connect - RADIUS Service Not Listening (Wrong Server?):