Airwalk Reply is helping a client to set up their digital infrastructure in a hybrid cloud environment (Azure Cloud and on-premise) including managing network devices like routers and switches. Conventionally, authentication of network devices access is done by setting up user accounts and credentials in configuration of authentication servers. However, this is not free of problems. The shared password could be leaked in the traffic between the device and the authentication server. As security is always our utmost concern, we decided to develop a more robust mechanism for authentication for network device access using modern cloud facilities.
The must-have requirements are:
Integration with Active Directory so that no new user accounts need to be provisioned
One-Time-Password challenge must be adopted to prevent the use of leaked passwords
The other nice-to-have requirements are:
A web client to retrieve the OTP challenge to avoid software installation
The backend should be serverless to minimise the administration overhead
This article outlines the high level design of workflow and architecture. We will also discuss the choice of technology stack.
Technology Stack
Since we are building on the Azure cloud platform, after some studies, the following Azure technologies are proposed:
Flow of authenticating and acquiring One-Time-Password
The user clicks a login link of a web portal. An Azure AD login page shows up and asks for targeted AD account to authenticate.
After successful authentication, the AD server returns an authorisation code, in the form of a Javascript Web Token (JWT) in the user session.
The user clicks a request link and the One-Time-Password request is sent with the token and API subscription key to Azure API Management endpoint.
After validating the token and the API subscription key, Azure API Management service forwards the request to the Azure Functions service.
The Functions service generates an OTP code and stores it with the AD user email address into a Cosmos DB.
The Functions service also returns the OTP code to the user.
Flow Diagram of Authenticating and Acquiring One-Time-Password
Flow of Network Device Access Authentication
The user enters the AD email address as the user name and the OTP code as the password to gain access to a network device.
The network device forwards the credentials to the RADIUS server via a load balancer endpoint for authentication.
The RADIUS server routes the credentials with a REST request to the Azure Functions service.
The Functions service validates the OTP code from the CosmosDB with the AD user email address.
Upon successful validation, the Functions service returns an OK status code to the RADIUS server.
The RADIUS server responds to the network device with Access-Accept status.
Flow Diagram of Network Device Access Authentication
Cloud Architect Diagram
Introduction of Technology Stack
HashiCorp Terraform
HashiCorp Terraform is a cloud agnostic tool to help adopting the practice of Infrastructure As Code (IaC). It can help to provision and manage infrastructure resources on different cloud vendors with its corresponding cloud provider plug-ins.
HashiCorp Packer
HashiCorp Packer is an open source tool to facilitate the creating of virtual machine images on various cloud vendors in an automatic way. Machine images can be configured, e.g. with chosen OS, instance type, in a builder template in JSON format and different actions (e.g. copy files, run shell scripts) can be applied by various provisioners.
FreeRADIUS
FreeRADIUS is a free server suite supporting RADIUS network protocol to provide centralized Authentication, Authorization and Accounting. It is modular and one module is rlm_rest. It enables the server to send RESTFul requests to other services. In our use case, it sends RESTFul requests to the Azure Functions service.
Azure Active Directory
Azure Active Directory is the Azure cloud-based identity and access management service which controls access of external and internal resources. This use case makes use of the features of single sign-on and multi-factor authentication.
Microsoft Authentication Library (MSAL) for JS
Microsoft has published a javascript implementation here that allows the app to sign in the user, maintain session, and get tokens to other web APIs, all within the client JavaScript code. Use of implicit grant flow allows the app to get tokens without performing a back-end server credential exchange.
Azure API Management Service
Azure API Management Service provides an API gateway for backend services, which is the Azure Functions service in our use case. API policies can be added and configured to implement validation and transformation without a single line of code.
Azure Functions
One-Time-Password generation and validation logic can be run in the Azure Functions service, which is serverless and saves the hassle of provisioning and managing the application servers.
Azure Cosmos DB
Azure Cosmos DB is an Azure serverless database service which supports semi-structured data. It bills for provisioned throughput and consumed storage by the hour. Combining both features make it a good candidate for data storage in our use case.
Virtual Machine Scale Set and Azure Load Balancer
The freeRADIUS service needs to be run on a virtual machine and high availability is a required feature in case of system outage. Virtual Machine Scale Set serves our purpose by running multiple VM instances across Availability Zones. It also supports auto-scaling based on host metrics like CPU usage. It integrates with Azure Load Balancer which serves a single endpoint for external resources to connect and distribute the requests.
