Configuration guide

Introduction

This guide describes how to configure the Mideye Server. For installation of the Mideye Server, see Windows installation guide and Linux installation guide.

Database Connection

Refer to Pre install checklist for software and hardware requirements regarding the database.

Configure the Database

After a new installation of the Mideye Server, a popup window with the text “Database Connection not properly set up” will be shown when opening Mideye Configuration Tool.

Installing or upgrading a Mideye Server requires a database account with rights to ALTER, CREATE and DELETE tables in the Mideye database.

Configure the following to complete the database connection:

Database Type: Select SQL Server or MySQL*.
Database address: Enter the database hostname or IP.
TCP-port: The default TCP port for SQL Server is 1433. For MySQL it is 3306. This can be modified if needed.
Connection idle time: Default value is 10 minutes. This parameter is rarely changed.

User: Enter the username of the database user. This user must have alter, create and delete permissions.
Password: Enter the password of the database user.
Database name: Enter the database name. Be advised that Mideye requires a pre-configured empty database. Refer to Microsoft or CentOS documentation on how to create an empty database.
Domain (optional): Enter domain name if the database is part of a domain.
Instance (optional): If instances are used, enter the instance name. Be advised that Mideye Server will automatically use port udp/1434 when searching for databases inside an instance.

Configure database connection

* Note: On Windows, to connect to a MySQL database, the JDBC driver must be installed manually. This operation is done after installing the Mideye Server. Close the Mideye Configuration Tool (if open), and do the following:

  • Download mysql-connector.jar from the Mideye downloads portal (user credentials are provided by Mideye Support).
  • Copy mysql-connector.jar to MideyeServer\lib.
  • Copy mysql-connector.jar to MideyeServer\webserver\lib.
  • Copy mysql-connector.jar to MideyeServer\webserver\webapps\ROOT\WEB-INF\lib.

Open the Mideye Configuration Tool. It should now be possible to select and use a MySQL database.

Troubleshooting the Database Connection

Microsoft SQL Server Express

Note: If the Express edition is used, TCP/IP is not enabled by default. It can be enabled from “SQL Server Configuration Manager”, submenu “SQL Server Network Configuration”. Once enabled, open the properties for TCP/IP and enter 1433 in “TCP Port” at the bottom of the window (IPAll).

SQL Server Configuration Manager

Error message: Cannot Connect to Database

Mideye Configuration Tool will not start if a connection to the database cannot be established. If the connection appears to hang, close Mideye Configuration Tool, take a backup of \Mideye Server\config\DbConnection.properties, delete the file, and start Mideye Configuration Tool again.

General configuration

Connection to Mideye Switch

Mideye helpdesk will assign each customer a unique TCP port to be used for communicating with Mideye's central service. This port can only be reached from predefined IP addresses.

To configure the TCP port, do the following:

  • Contact Mideye Support at support@mideye.com or phone +46854514750 to obtain a unique TCP port. Include the public IP-address(es) that the Mideye-server originates from.
  • In Mideye Configuration Tool, tab ‘General’, enter the TCP port in the “Switch port:” field.
Specify the Switch port.

  • Click “Save” and “Close” to restart the services.

Verify connectivity

Make sure that both 217.151.192.84 and 79.136.112.54 are reachable from the Mideye Server on the assigned TCP port. This can be verified with Telnet from a Windows Command Prompt or a Linux terminal. A successful connection shows a blank screen; an unsuccessful one shows the error message “Connecting to 79.136.112.54…Could not open connection to the host, on port XXXXX: Connect failed”.

Note that Mideye Support first opens for traffic in the backup switch (79.136.112.54). The opening in the primary switch (217.151.192.84) will only be done after volume traffic has been detected in the backup switch. It is safe to proceed with the configuration while waiting for the opening in the primary switch.

Telnet to 79.136.112.54 on the customer-specific TCP port

Successfully connected to 79.136.112.54

Connection to 79.136.112.54 failed

Troubleshooting

Connection failed

If the connection fails to both IP-addresses, check if there is any firewall blocking the TCP connection. If the problem persists, contact Mideye Support for real-time firewall logging.

Change of public IP address

If the Mideye server is moved and/or originates from a new public IP address, Mideye Support must be informed about the new IP.

Mideye Web Admin

The following sections describe how to configure the Mideye Web Admin.

Login with local database accounts

When using the Mideye Web Admin for the first time, a root account can be used to create administrator and operator accounts. The root account can be temporarily enabled and should be disabled when not in use.

  • Open Mideye Configuration Tool, tab “General” and select “Web” in the menu to the left.
  • Unmark the checkbox “Lock ROOT User” and specify a password.
  • Click “Save” followed by “Close” to restart the services.
Enable the root account

  • Mideye Web Admin can be reached directly from a browser using https://serverIP:8443/webadmin/login.xhtml. On Windows, it can also be reached from the Start menu, under ‘Mideye Server’.
  • Log in using the root account, with the password specified above.
Login using root account

  • Select “Create a Mideye user”.
  • Specify a username, password and phone number for the administrator and select User Type ‘Web Administrator’. Choose Authentication Type and click “Create”.
Create a web administrator

A Web Administrator account has full access to the Mideye Web Admin, with permissions to add, delete and modify any account, as well as access to all authentication and accounting logs.

A Web Operator account has limited access, and is used for viewing authentication and accounting logs.

Log in using the administrator created above. If successful, disable the ROOT account in Configuration Tool and restart the services.

LDAP login (optional)

As an alternative to local database accounts, existing LDAP (e.g. Active Directory) accounts can be used for Web Admin login.

Prerequisite

To enable LDAP login for Mideye Web Admin, an existing LDAP Server must be configured. See section LDAP Server Configuration for details on how to set up an LDAP Server in Mideye Configuration Tool.

Configuration

  • Open Configuration Tool, navigate to the LDAP Server tab and choose to modify an existing LDAP profile.
  • Navigate to “LDAP-RADIUS” tab, mark the “LDAP-RADIUS Translation” checkbox and specify the attribute name “memberOf”. This restricts access to Web Admin based on group membership.
LDAP-RADIUS Translation Configuration

  • Configuration Tool -> General, select ‘Web’ in the left menu. Specify the group memberships required for Administrator and Operator accounts. Group names can be specified using wildcards/Java regular expressions, e.g. CN=Mideye-administrators.*
DN for Mideye Administrators and Operators

  • Configuration Tool -> RADIUS Clients: select the pre-configured RADIUS client for Mideye Web Admin.
Radius Client for Mideye Web Admin

  • Select ‘Modify’. In the LDAP Servers tab, assign the previously configured LDAP profile to this client.
Assign the LDAP-server(s) to the RADIUS-client

Generate a new self-signed certificate

Mideye is pre-configured with a self-signed certificate for https access to the Web Admin. To generate a new self-signed certificate, execute the following command from the Mideye Server bin-directory:

MideyeWebConfig configure server

Note: This command will replace the file /opt/mideyeserver/certificates/webserver_https.keystore and reset the web server configuration. If client certificate validation has been previously enabled, generating a new server certificate will restore the default settings, i.e. viewing Mideye Web Admin will no longer require a client certificate.

The service ‘Apache TomEE’ must be restarted for the changes to take effect.

Optional: replace the self-signed certificate with a custom certificate

Two alternatives for replacing the self-signed certificate are presented below, either using PFX/PKCS12 or using JKS/JCEKS formats.

Alternative 1: Use PFX (PKCS12) format

PFX certificates can easily be generated using IIS on a CA server. Open Internet Information Services (IIS), navigate to the root and open “Server Certificates”.

Open Server Certificates

In the right action bar, click “Create Domain Certificate”.

Common name: the FQDN of the URL that will be used to access the web admin.

Fill in the rest of the required fields and click Next.

Create a domain certificate

Select the CA and give the certificate a friendly name. Click Finish.

Select the Certificate Authority

Right-click the created certificate and choose export. Save the certificate and set a password. This password will be re-entered in the server.xml file further down in the guide.

Copy the exported certificate to C:\Program Files (x86)\Mideye Server\certificates\filename.pfx

Before editing the server.xml file located in C:\Program Files (x86)\Mideye Server\webserver\conf\, make sure to take a backup.

Open server.xml as an administrator with a text editor.

At the end of the XML file, in the <Connector port="8443" ...> element, replace:

truststorePass="hN+JeFqq5hSsNaw" sslEnabledProtocols="TLSv1.2" keystoreFile="C:\Program Files (x86)\Mideye Server\certificates\webserver_https.keystore" truststoreFile="C:\Program Files (x86)\Mideye Server\certificates\webserver_https.keystore" keystorePass="hN+JeFqq5hSsNaw" maxThreads="150" useServerCipherSuitesOrder="true" clientAuth="false">

with:

sslEnabledProtocols="TLSv1.2" keystoreFile="C:\Program Files (x86)\Mideye Server\certificates\FQDN.pfx" keystoreType="PKCS12" keystorePass="password" maxThreads="150" useServerCipherSuitesOrder="true" clientAuth="false">

The result should look something like:

<Connector port="8443" scheme="https" enableLookups="false" acceptCount="100" secure="true" minSpareThreads="25" maxSpareThreads="75" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true" maxHttpHeaderSize="8192" disableUploadTimeout="true" ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" sslEnabledProtocols="TLSv1.2" keystoreFile="C:\Program Files (x86)\Mideye Server\certificates\name.pfx" keystoreType="PKCS12" keystorePass="password" maxThreads="150" useServerCipherSuitesOrder="true" clientAuth="false"></Connector>

The service ‘Apache TomEE’ must be restarted for the changes to take effect. 

Alternative 2: Use JKS / JCEKS format

  • Take a backup and delete the self-signed certificate \Mideye Server\certificates\webserver_https.keystore.
  • Name the new custom certificate ‘webserver_https.keystore’ and place it in the same directory as the old, deleted webserver_https.keystore
  • In Mideye Server\webserver\conf\server.xml, find <Connector port="8443" ...> (at the end of the file) and modify the truststorePass and keystorePass with the password set for the new certificate.

The service ‘Apache TomEE’ must be restarted for the changes to take effect. 
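To check a server.xml after either edit, here is an added Python script (not part of Mideye or this guide) that locates the port-8443 Connector and flags the usual slips: a legacy TLS version, a keystoreType that does not match the keystore file, the placeholder or factory-default store password quoted in the snippets above, and truststore attributes left over from the self-signed setup while clientAuth is off. The embedded server.xml is a constructed sample; pass the real path as the first argument to audit an installation.

```python
"""Audit the HTTPS Connector of a Tomcat/TomEE server.xml.

Added example, not Mideye code. The sample below is a constructed
server.xml modelled on the Connector shown in this guide, with two
typical slips left in deliberately: the literal placeholder password
and truststore attributes left over from the self-signed setup.
"""
import sys
import xml.etree.ElementTree as ET

SAMPLE_SERVER_XML = r"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               protocol="org.apache.coyote.http11.Http11Protocol"
               sslEnabledProtocols="TLSv1.2"
               keystoreFile="C:\Program Files (x86)\Mideye Server\certificates\FQDN.pfx"
               keystoreType="PKCS12" keystorePass="password"
               truststoreFile="C:\Program Files (x86)\Mideye Server\certificates\webserver_https.keystore"
               truststorePass="hN+JeFqq5hSsNaw"
               useServerCipherSuitesOrder="true" clientAuth="false" />
  </Service>
</Server>
"""

ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
FACTORY_STORE_PASS = "hN+JeFqq5hSsNaw"   # shipped default quoted in the guide
PLACEHOLDER_PASS = "password"            # placeholder used in the guide's example
PKCS12_SUFFIXES = (".pfx", ".p12")


def find_https_connector(xml_text, port="8443"):
    """Return the attribute dict of the Connector listening on `port`, or None."""
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if conn.get("port") == port:
            return dict(conn.attrib)
    return None


def audit_https_connector(attrs):
    """Return human-readable findings; an empty list means the Connector
    matches the end state the guide describes."""
    findings = []

    protocols = {p.strip() for p in attrs.get("sslEnabledProtocols", "").split(",") if p.strip()}
    if not protocols:
        findings.append("sslEnabledProtocols missing: the JVM defaults decide which TLS versions are offered")
    elif protocols - ACCEPTED_PROTOCOLS:
        findings.append("legacy TLS versions enabled: " + ", ".join(sorted(protocols - ACCEPTED_PROTOCOLS)))

    keystore = attrs.get("keystoreFile", "")
    store_type = attrs.get("keystoreType", "").upper()
    if not keystore:
        findings.append("keystoreFile missing: the Connector has no server certificate")
    elif keystore.lower().endswith(PKCS12_SUFFIXES) and store_type != "PKCS12":
        findings.append("keystoreFile is a PFX/P12 file but keystoreType is not PKCS12")
    elif not keystore.lower().endswith(PKCS12_SUFFIXES) and store_type == "PKCS12":
        findings.append("keystoreType is PKCS12 but keystoreFile does not look like a PFX/P12 file")

    for name in ("keystorePass", "truststorePass"):
        value = attrs.get(name)
        if value == FACTORY_STORE_PASS:
            findings.append(f"{name} is still the factory default from the shipped configuration")
        elif value == PLACEHOLDER_PASS:
            findings.append(f"{name} is the literal placeholder 'password' from the guide")

    client_auth = attrs.get("clientAuth", "false").lower() == "true"
    has_truststore = "truststoreFile" in attrs or "truststorePass" in attrs
    if store_type == "PKCS12" and has_truststore and not client_auth:
        findings.append("truststoreFile/truststorePass left over from the self-signed setup; the PFX edit drops them")
    if client_auth and not has_truststore:
        # Tomcat then validates client certificates against the JVM default trust store.
        findings.append("clientAuth=true without truststoreFile: client certificates are checked against the JVM default trust store, not the Mideye keystore")
    return findings


def main(path=None):
    text = open(path, encoding="utf-8").read() if path else SAMPLE_SERVER_XML
    attrs = find_https_connector(text)
    if attrs is None:
        print("no Connector on port 8443 found")
        return 2
    findings = audit_https_connector(attrs)
    for line in findings:
        print("FINDING:", line)
    print("OK" if not findings else f"{len(findings)} finding(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```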

Optional: enable client certificate authentication

By default, access to the Mideye Web Admin is protected with https using a self-signed certificate generated during the installation. This certificate secures the communication between client and server.

In order to require client validation when accessing Mideye Web Admin, a client certificate needs to be generated and signed with the server certificate:

  • Open the command prompt and cd to the Mideye Server installation directory.
  • Execute the command:
    MideyeWebConfig configure client

This will create a client certificate in:

Mideye Server\certificates\client.p12

It contains the client’s private key and certificate, signed by the server certificate.

The private key is protected by a random password generated during the creation of the certificate and displayed in the command prompt. After a restart of the “Apache TomEE” service, each browser that requests access to the Mideye Web Admin will need to import the client certificate.

Repeating the command generates a new client certificate, with a new password.

The service ‘Apache TomEE’ must be restarted for the changes to take effect.

Troubleshooting the Mideye Web Admin

If the Mideye Web Admin site cannot be reached, make sure that the service TomEE is running, or try a service restart.

If the problem persists, open Mideye Configuration Tool -> Database Connection, click “Save” and “Close” and restart the Mideye services. Refresh your browser and try logging in again.

Verify that the server is listening on the expected port (i.e. 8443). In Windows, the command is:

netstat -aon | find /i "listening"

In Linux, the corresponding command is:

netstat -tnlp

If the server is not listening to the expected port after an upgrade of the Mideye Server, try to generate a new self-signed certificate.

LDAP server configuration

To integrate RADIUS clients with LDAP repositories such as Active Directory, open “Configuration Tool” from Mideye Server. Navigate to “LDAP Servers” and select “New”. Mideye currently supports preconfigured settings for the following repositories:

  • Active Directory
  • eDirectory
  • Sun Directory Server
  • Lotus Domino
  • OpenLDAP

Complete the following steps to configure Mideye Server to read from a directory:

  1. Choose the kind of directory to integrate from the dropdown list. In this guide, Active Directory will be configured.
  2. Name: Give the LDAP server a friendly name.
  3. Address: Enter the IP address or hostname of the Domain Controller.
  4. Port: The default port for unencrypted bindings is tcp/389. If a Certificate Authority is installed on the Domain Controller, port tcp/636 can be used to encrypt the connection between the Mideye Server and the Domain Controller. Make sure to check “LDAP over SSL” and import the certificate from the Certificate Authority when using an encrypted connection. This can be done by clicking the “Get Certificate” button.
    The default validity period of the certificate used for encrypted traffic between the Mideye Server and the Domain Controller is one year. When this certificate expires, the new certificate must be fetched manually using the “Get Certificate” button. Be advised that once the old certificate has expired and the new certificate has not yet been added, all authentication using the LDAP server will fail. See section Extend certificate validation time for LDAPS on how to increase the time from 1 year.
  5. Distinguished Name & Password: Mideye Server needs a service account and password from the directory to be able to read LDAP data. This account needs the “Domain User” permission. Enter the username in DN or UPN format. Add the password. Remember to check the flag “Password never expires”.
  6. Test Connection: Click the Test connection button to verify that the connection is properly set up.
Configure LDAP Server

Extend certificate validation time for LDAPS

This guide offers two different ways to extend the validity period of the Kerberos authentication certificate used to encrypt the LDAP traffic.

Add the CA-certificate to Mideye Server keystore

From the Domain Controller, export the Domain CA by executing mmc.exe from the Start menu. Click “Add/Remove snap-in” from the File menu, select the Certificates snap-in followed by “Computer Account”. Select “Local Computer” (or where the CA is located) and click “OK”.

Open certificate snap-in

Expand Certificates –> Personal –> Certificates, right-click the CA certificate and select All Tasks –> Export. Choose not to export the private key.

Select Base-64 encoded X.509 (.CER)

Save the CA-certificate and complete the export.

Import certificate in Windows

Copy the exported certificate to C:\Program Files (x86)\Mideye Server\config on the Mideye Server.

Execute cmd.exe as an administrator and navigate to C:\Program Files (x86)\Mideye Server\jre\bin.

Type:

keytool -import -trustcacerts -file ca.cer -keystore "c:\Program Files (x86)\Mideye Server\config\GipsKey.jceks" -storetype jceks -alias DomainCA

When prompted, enter the password that can be found in C:\Program Files (x86)\Mideye Server\config\DBconnection.properties. Answer “Yes” to trust the certificate.

Import certificate in Linux

Copy the exported certificate to /opt/mideyeserver/config on the Mideye Server.

Navigate to /opt/mideyeserver/jre/bin.

Type:

keytool -import -trustcacerts -file ca.cer -keystore /opt/mideyeserver/config/GipsKey.jceks -storetype jceks -alias DomainCA

When prompted, enter the password that can be found in /opt/mideyeserver/config/DBconnection.properties. Answer “Yes” to trust the certificate.

Create new Kerberos authentication certificate with longer validation time

The first step is to allow the Certificate Authority to issue certificates with a validity period longer than 2 years. From the Certificate Authority server, open cmd.exe as an administrator. Type:

certutil -setreg ca\ValidityPeriodUnits X

where X is the desired number of validity units that should be allowed. Be advised that this value cannot exceed the validity period of the CA certificate.

Type:

certutil -setreg ca\ValidityPeriod "Years"

Restart the Certificate Authority with the commands:

net stop certsvc
net start certsvc

From the Certificate Authority console, right-click “Certificate Templates” and click “Manage”. Right-click the Kerberos Authentication template and select “Duplicate Template”. Click the “General” tab, give the template a friendly name and change the Validity period to the desired length. Be advised that the certificate cannot have a validity period longer than the CA certificate.

Change the validity time of the new template

Select the “Security” tab and add the computer account of the Domain Controller. Click “OK” and close the “Certificate Templates Console”.

Again, from the “Certificate Authority” console, right-click “Certificate Templates” and select “New” followed by “Certificate Template to Issue”.

Issue a new template

Select the created template and click “OK”. Restart the Certificate Authority service.

From the Domain Controller, execute mmc.exe from the Start menu. Click “Add/Remove snap-in” from the File menu, select the Certificates snap-in followed by “Computer Account”. Select “Local Computer” and click “OK”. Expand Certificates –> Personal and right-click “Certificates” –> “All Tasks” –> “Request New Certificate”. Select the certificate template created above and click “Enroll”.

The last step is to update the certificate in the Mideye Server. Navigate to LDAP Servers and click modify on the LDAP server. Click “Get Certificate” and import the new certificate with a longer validity time.

Import the new Kerberos authentication certificate

Restart Mideye Server services by clicking “OK” followed by “Save” and “Close”.

User settings

Search Base: When the configuration of the “Connection” tab is completed, “Search Base” on the “User” tab is automatically populated with the root of the domain. This can be customised to narrow down which OUs are searched for users and groups. The “Search Base” must be specified in DN format.
Object Class: The default value for Active Directory is “person” and should not be changed.
User Identity: The attribute populated by default is sAMAccountName. More attributes can be added, for example userPrincipalName. Separate each attribute with a semicolon.
Mobile Phone Number: Attribute used to find the user's phone number. The default value is mobile, but this can be customised to any other attribute. Two or more attributes can also be specified, in which case Mideye Server starts searching for data in the first attribute and continues with the next if the field is empty. Separate each attribute with a comma, e.g. otherMobile,Mobile.
Token Number: Attribute used to find the user's token number. The default value is ipPhone, but this can be customised to any other attribute.
Auto-correction of mobile numbers: All phone numbers must be in international format, e.g. +4673508455 (Sweden) or +1123456789 (US). If they are not, auto-correction can be used to automatically add the prefix configured in “Default International Prefix”.

Example of user configuration.
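Before switching on a multi-attribute lookup or auto-correction, it is worth checking which accounts would currently fail the international-format requirement. The following Python script is an added example (not Mideye code): it walks a comma-separated attribute list in the order described for the Mobile Phone Number setting and reports each user's number as ok, invalid or missing. The LDAP entries are constructed, and the auto-correction shown is an assumed normalisation (strip separators, turn a leading 00 into +, drop a single trunk 0 and prepend the default international prefix), not Mideye's documented algorithm.

```python
"""Pre-flight check of mobile-number attributes (added example, not Mideye code)."""
import re

# International format: '+' followed by a country code and at most 15 digits in total.
E164 = re.compile(r"^\+[1-9]\d{6,14}$")

# Constructed LDAP entries; real ones would come from a directory search.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "otherMobile": "+46700000001", "mobile": "+46700000099"},
    {"sAMAccountName": "bob", "otherMobile": "", "mobile": "070-000 00 02"},
    {"sAMAccountName": "carol", "mobile": "0046 70 000 00 03"},
    {"sAMAccountName": "dave", "ipPhone": "12345"},
]


def pick_attribute(entry, attribute_list):
    """Return (attribute, value) of the first non-empty attribute in the
    comma-separated list, in list order, e.g. "otherMobile,mobile"."""
    for attr in (a.strip() for a in attribute_list.split(",")):
        value = (entry.get(attr) or "").strip()
        if attr and value:
            return attr, value
    return None, ""


def normalise(number, default_prefix):
    """Assumed auto-correction, not Mideye's documented behaviour: strip
    separators, treat a leading 00 as '+', otherwise drop one trunk '0'
    and prepend the configured default international prefix."""
    digits = re.sub(r"[\s\-()]", "", number)
    if digits.startswith("+"):
        return digits
    if digits.startswith("00"):
        return "+" + digits[2:]
    if digits.startswith("0"):
        digits = digits[1:]
    return default_prefix + digits


def audit_users(entries, attribute_list="otherMobile,mobile", default_prefix="+46", autocorrect=False):
    """Map each account name to (status, number): status is 'ok', 'invalid'
    (not in international format) or 'missing' (no populated attribute)."""
    report = {}
    for entry in entries:
        name = entry["sAMAccountName"]
        attr, raw = pick_attribute(entry, attribute_list)
        if not raw:
            report[name] = ("missing", None)
            continue
        number = normalise(raw, default_prefix) if autocorrect else raw
        report[name] = ("ok" if E164.match(number) else "invalid", number)
    return report


if __name__ == "__main__":
    for flag in (False, True):
        print(f"auto-correction {'on' if flag else 'off'}:")
        for name, (status, number) in audit_users(SAMPLE_USERS, autocorrect=flag).items():
            print(f"  {name:6} {status:8} {number}")
```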

Group Settings

To further control permissions, a group check can be configured that controls which users are able to access the resource protected with Mideye. This is done by adding a group in Active Directory and adding the DN of that group in the “Group(s):” field. Starting from Mideye Server release 4.2.5, distinguished names can also be specified with wildcards/Java regular expressions, e.g. CN=Mideye-administrators.*

To add more than one group, separate each with a semicolon.

If the group specified contains groups inside, make sure to enable “Search nested groups” in the Active Directory tab.

Add a group containing users allowed to authenticate with Mideye Server.
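A regular-expression group DN, whether in the Group(s) field here or in the Web Admin Administrator/Operator groups, deserves a dry run before it is saved: a trailing .* also accepts look-alike groups, and an RDN value may itself contain regex metacharacters. The following Python check is an added example (not Mideye code) that runs a candidate pattern over a user's memberOf values; Python's re stands in for java.util.regex for these simple patterns, and because the guide does not say whether Mideye applies the pattern as a full match or a search, both modes are shown. The memberOf values are constructed.

```python
"""Dry-run a group pattern against memberOf values (added example, not Mideye code)."""
import re

# Constructed memberOf values of one test user. The second group is a
# look-alike that an over-broad pattern would also accept.
MEMBER_OF = [
    "CN=Mideye-administrators,OU=Groups,DC=example,DC=com",
    "CN=Mideye-administrators-readonly,OU=Groups,DC=example,DC=com",
    "CN=VPN-users,OU=Groups,DC=example,DC=com",
]


def matching_groups(pattern, member_of, full_match=True):
    """Return the DNs that `pattern` accepts. full_match=True mirrors
    java.util.regex.Matcher.matches(); False mirrors find(), which accepts
    a DN as soon as the pattern occurs anywhere inside it."""
    regex = re.compile(pattern)
    test = regex.fullmatch if full_match else regex.search
    return [dn for dn in member_of if test(dn)]


def exact_dn_pattern(dn):
    """Escape a DN so it is matched literally; RDN values may contain regex
    metacharacters such as '(' or '+', and this also pins the OU path."""
    return re.escape(dn)


def explain(pattern, member_of):
    """Print, for both modes, which groups a pattern would grant."""
    for mode in (True, False):
        hits = matching_groups(pattern, member_of, full_match=mode)
        print(f"{pattern!r} ({'matches' if mode else 'find'}): {hits}")


if __name__ == "__main__":
    explain(r"CN=Mideye-administrators.*", MEMBER_OF)   # pattern from the guide; also grants the look-alike
    explain(r"CN=Mideye-administrators,.*", MEMBER_OF)  # stops at the RDN separator, still ignores the OU path
    explain(exact_dn_pattern(MEMBER_OF[0]), MEMBER_OF)  # literal DN, no wildcard at all
```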

NPS Configuration

Mideye Server users in Active Directory can change their expired passwords during the logon process in the RADIUS dialogue. A password can expire because the flag “User must change password at next logon” is set, or because its expiration date is before the actual login.

Requirements:

  • The authentication must use the MS-CHAP v2 protocol.
  • A configured Network Policy Server (NPS) pointing to the Active Directory repository.

Configure address, port and shared secret for the NPS. In order for the password change to work, it is important that:

  • The NPS points to the same LDAP server as configured for the Mideye Server.
  • The IP or hostname of Mideye Server is present among the NPS’s RADIUS clients (in order to be able to accept RADIUS requests).
  • The NPS policies are correctly configured.
Configure Network Policy Server to enable password change.

For a detailed installation guide of the NPS role, see Windows Server – NPS.

MS-CHAP-V2

In order to perform a password change, the RADIUS client (or aggregator, e.g. Citrix Netscaler or Cisco ASA) must initiate the authentication using the MS-CHAP v2 protocol. Mideye Server will automatically detect the authentication protocol. When MS-CHAP v2 is used, Mideye Server will use the configured NPS to validate the credentials.

Authentication

Default authentication type: Mideye Server comes predefined with authentication type 2 (Mobile). This can be customised to any of the authentication types 1-8 as specified here.

Default OTP Presentation: Default value is Popup, but can be changed to Inbox SMS.
Default Network: This field should never be changed from the value “Default”.

Read optional attribute: If a group of users should have a different authentication type than the default, read optional attribute can be used. When this option is enabled, an LDAP attribute can be configured in the field “Authentication type attribute”. Once enabled, that LDAP field controls which authentication type is used. For example, if attribute “pager” is set as the “Authentication type attribute” and the number 3 is set for the user, authentication type “Token” will be used according to the list above. See example below:

Configuration of authentication types

Example of read optional attribute.

OTP Presentation Attribute: OTP presentation can be customised using an LDAP attribute. The number in that attribute decides which OTP presentation is used:

0 (Zero): Popup SMS
1: Inbox SMS

Department attribute: If the department of the user should be visible in accounting, the default value should be the attribute “Department”.

Password override: See document “Password Comparison” for detailed information and configuration example.

Activate LDAP user blocking: If enabled, the user is temporarily locked out after the defined number of failed attempts, for the configured number of minutes. 0 means permanently blocked. Users can be unblocked from Mideye Web Admin.

Active Directory

The following options will only function for LDAP users and will not work with database users.

Check remote flag: If checked, access is only granted if the “Dial-in” property is set to “Allow remote access”.
Allow password reset (PAP): If checked, access is granted if the password is correct but needs to be reset. This option is only used for PAP authentication when allowing a secondary authentication using LDAP.
Allow password expired (PAP): If checked, access is granted if the password is correct, but has expired. This option is only used for PAP authentication when allowing a secondary authentication using LDAP.
Search nested groups: If checked, Mideye Server will search for users in groups that are nested in the group specified.
Use Framed IP Addresses: If checked, Mideye Server will read the “Assign static IP Addresses” from LDAP and pass the IP address along as attribute 8 with a successful login.

Active Directory settings

LDAP-RADIUS

If LDAP-RADIUS Translation is checked, Mideye Server will translate LDAP attributes to RADIUS attributes. Refer to section LDAP-RADIUS Translation for detailed instructions.

When all the tabs have been configured, save the configuration and click “Close” to restart the services.

Verify LDAP-server

Navigate to LDAP Servers and click “Modify” on the selected LDAP Server. Click “User Search” and search for a user that should be within the configured Search Base.

Troubleshoot LDAP-server

If a user can not be found, verify the following:

  • Make sure that the user has the correct format in the attribute configured for the phone number. It must be in international format, e.g. +46735084555, or auto-correction of mobile numbers must be enabled.
  • Make sure that the user is part of the search base configured in the “User” tab.
  • (Optional) Make sure that the user is a member of the group specified in the “Group” tab.
  • If a group check is enabled, and the user is part of a group inside the group specified, make sure that “Search nested groups” is enabled in the “Active Directory” tab.
  • Make sure that the format of the search is specified in the “User” tab. By default, only sAMAccountName is specified. Add ;userPrincipalName if user@domain.xx should be enabled.

RADIUS Clients Configuration

To create a new RADIUS Client, open “Configuration Tool” and navigate to RADIUS clients. Click “New”.

Client properties

Give the RADIUS client a friendly name and enter the IP address or the hostname of the RADIUS client. Enter the shared secret twice. The shared secret must match the one configured on the RADIUS client (VPN concentrator, access portal etc.).

RADIUS client configuration

LDAP Servers

Navigate to LDAP Servers and select the LDAP server that should be in use and move it to “Assigned Servers”. Multiple LDAP servers can be assigned, and Mideye Server will search them from top to bottom. The search stops at the first LDAP server where the user is found; if two servers are assigned and the user is found in the first, the second is not consulted.

Select LDAP server

RADIUS client configuration

OTP Length: The default OTP length is 6, but it can be customised to a minimum of 4 and a maximum of 12.
OTP Type: By default all OTPs are numeric, but this can be customised to numeric, alphabetic or alphanumeric.
RADIUS Server: Select which RADIUS server the client should use.
Encoding: Assign the appropriate encoding for the RADIUS client. The default value is UTF-8.

Check Static Password: Enabled by default, but can be disabled if Mideye should ignore the password sent by the end user. If ignored, be advised that only the correct username is needed for a successful authentication.
Search Database: In addition to LDAP, Mideye Server can search its own database. When enabled, Mideye Server will always start searching for users in the database before moving on to LDAP.
Allow user suffix: Enable if Mideye should allow user-selected authentication types.
Token-coupled Plus login: Enable to only accept login with token-coupled Mideye+ apps or token cards.

Client configuration

User name filtering

Mideye can filter part of the username sent from the RADIUS client. Choose filter method and add a filter separator. Username filtering will only function with authentication type PAP.

In this example, everything before \ will be removed by Mideye Server

Verify RADIUS client

In order to verify that the created RADIUS client is working, perform an authentication attempt from the RADIUS client using Mideye two-factor authentication.

Troubleshooting RADIUS client

RADIUS timeout

Mideye Server requires a RADIUS timeout of at least 35 seconds to function correctly. The timeout can be verified in two ways:

  1. Install and activate Mideye+ using Touch Accept. When logging in, wait to press the “Accept” button until only 1-2 seconds remain. Make sure the login is successful.
  2. Create a test-user and add the phone number +46763361379 to the user. OTP deliveries are delayed for this number, and the OTP prompt should appear after approximately 28-30 seconds. If the OTP prompt is displayed, it is verified that the RADIUS timeout is sufficient to handle mobile network problems and compatibility with Mideye+. If no OTP prompt is displayed, troubleshoot the timeout of the RADIUS-client.

No response from Mideye Server

Make sure that no firewall is blocking udp/1812 (default). If Mideye Server is installed on a windows plattform with the builtin firewall enabled, create a firewall rule allowing incoming RADIUS traffic.

Invalid user or password

If all authentication attempts result in an “Invalid user or password” message, the shared secret between the Mideye Server and the RADIUS client most likely differs. Make sure that the shared secret is exactly the same on both the RADIUS server and the RADIUS client.

Check radius-messages.log

The radius-messages.log file can be viewed from Mideye Web Admin or from the log directory of the Mideye installation. This file logs all authentication attempts to the Mideye Server.

RADIUS Servers

Mideye comes preinstalled with two RADIUS servers, StandardRadius and WebAdminRadius. More RADIUS servers can be added that will listen on other UDP ports.

StandardRadius: This RADIUS server is automatically assigned to all created RADIUS clients. The default port is udp/1812, but it can be changed if necessary.

WebAdminRadius: RADIUS server used by Mideye Web Admin; it should never be altered.

Modify StandardRadius Server

Open Configuration Tool and navigate to RADIUS Servers. Select StandardRadius and click “Modify”.

Server Configuration

Server name: Friendly name of the RADIUS Server.
RADIUS Port: Default value is udp/1812 but can be changed if necessary.
Max failed user attempts: Number of failed authentication attempts before the database user account is locked. Default value is 5.
Max pending requests: Number of pending requests before Mideye Server drops all requests that exceed the configured value. Once the number of pending requests falls below the value, all requests are handled again. Default value is 20.
Max user deliveries per minute: Maximum number of deliveries per minute from one unique user before Mideye Server drops further requests. Default value is 5.
Max user deliveries per hour: Maximum number of deliveries per hour from one unique user before Mideye Server drops further requests. Default value is 30.

Suppress multiple clicks: This feature suppresses multiple-click logins in RADIUS clients. It is enabled by default and can be configured via Mideye Configuration Tool, tab Radius Servers. Having this feature enabled prevents users from receiving numerous consecutive OTPs if they mistakenly keep pressing the login button in the client.
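As an added illustration of how the two per-user delivery limits above interact (example code, not Mideye's implementation), assuming a simple sliding window per user and the default values 5 per minute and 30 per hour:

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class DeliveryLimiter:
    """Per-user OTP delivery limiter modelled on the StandardRadius settings
    (hypothetical code; the real server's bookkeeping is not documented here)."""
    per_minute: int = 5
    per_hour: int = 30
    _history: dict = field(default_factory=dict)  # user -> deque of delivery times

    def allow_delivery(self, user: str, now: float) -> bool:
        """Return True if an OTP delivery for `user` at time `now` (seconds)
        stays within both windows and record it; otherwise drop the request."""
        times = self._history.setdefault(user, deque())
        # Deliveries older than the hour window no longer count in either window.
        while times and now - times[0] >= 3600:
            times.popleft()
        last_minute = sum(1 for t in times if now - t < 60)
        if last_minute >= self.per_minute or len(times) >= self.per_hour:
            return False  # request dropped, no OTP is sent
        times.append(now)
        return True


def simulate_burst(limiter: DeliveryLimiter, user: str, count: int,
                   start: float = 0.0, spacing: float = 1.0) -> int:
    """Send `count` requests `spacing` seconds apart; return how many were delivered."""
    return sum(limiter.allow_delivery(user, start + i * spacing) for i in range(count))


if __name__ == "__main__":
    limiter = DeliveryLimiter()
    # A user hammering the login button once a second gets only 5 OTPs.
    print(simulate_burst(limiter, "bob", 10))          # 5
    # One request every 10 s for an hour is capped by the hourly limit.
    print(simulate_burst(DeliveryLimiter(), "carol", 360, spacing=10.0))  # 30
```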

Modify StandardRadius Server

General Messages & Error Messages

By default, all messages sent from Mideye Server are shown in English. In the drop-down menu, Swedish, Norwegian and Finnish are also supported languages. To further customise the messages, click “Edit”.

Customise messages sent by Mideye Server

LDAP RADIUS Translation

To further extend the functionality of RADIUS, LDAP-RADIUS Translation can be used to assign specific users or groups permissions from LDAP when logging in through a VPN concentrator.

On Mideye Server, open Configuration Tool, navigate to LDAP Servers and modify the selected LDAP server. In the tab “LDAP-RADIUS”, enable “LDAP-RADIUS Translation” and enter the LDAP attribute name that contains group membership information. For Active Directory, the attribute name is memberOf.

Enable LDAP RADIUS Translation

Create LDAP-RADIUS Translation rules

In Configuration Tool, navigate to the “LDAP-RADIUS Translation” tab. Press “New” and define a new rule corresponding to a specific group name attribute in the LDAP repository (see screenshot below). In the field “LDAP Attribute Value”, enter the full Distinguished Name of the group. Note that the exact group name must be specified: the translation is both case and blank-space sensitive.

To make sure the correct DN is entered, open the attribute editor of the group in ADUC, copy the value and paste it into the “LDAP Attribute Value” field in Mideye Server.

Starting from Mideye Server release 4.2.3, LDAP-RADIUS Translation can also be used with wildcards/Java Regular Expressions, e.g. CN=Mideye-administrators.*

DN of the group

In the attribute list, select the desired attribute, add a suitable string for the group and click “OK”. To find out which attribute should be used and how to configure it, consult the manufacturer of the VPN concentrator.

Adding a string to a class-attribute.

A complete guide for RADIUS Translation for Cisco ASA can be found here.

To save the configuration click “OK” followed by “Close” to restart the services.
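The matching behaviour described in the steps above, as an added example that is not Mideye's code: exact rules compare the full DN case and whitespace sensitively, and regex rules (release 4.2.3 and later) are assumed here to behave like a Java full match, so Python's re.fullmatch stands in for the Java engine. The group DNs, rule values and the Class attribute are constructed sample values.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TranslationRule:
    """One LDAP-RADIUS Translation rule (hypothetical structure)."""
    ldap_attribute_value: str   # full group DN, or a regex when is_regex is set
    radius_attribute: str       # e.g. "Class", whichever the VPN concentrator expects
    radius_value: str           # the string the concentrator maps to a policy
    is_regex: bool = False      # assumed flag: treat the value as a Java-style regex


def translate(member_of: list[str], rules: list[TranslationRule]) -> list[tuple[str, str]]:
    """Return (RADIUS attribute, value) pairs for every rule matched by one of the
    user's memberOf values. Exact rules are case- and blank-space sensitive, as the
    guide states; regex rules must match the whole DN (re.fullmatch)."""
    result = []
    for rule in rules:
        for dn in member_of:
            if rule.is_regex:
                matched = re.fullmatch(rule.ldap_attribute_value, dn) is not None
            else:
                matched = dn == rule.ldap_attribute_value
            if matched:
                result.append((rule.radius_attribute, rule.radius_value))
                break  # one hit per rule is enough
    return result


# Constructed sample directory data and rules (not from a real environment).
SAMPLE_MEMBER_OF = [
    "CN=VPN-Users,OU=Groups,DC=example,DC=com",
    "CN=Mideye-administrators-stockholm,OU=Groups,DC=example,DC=com",
]
SAMPLE_RULES = [
    TranslationRule("CN=VPN-Users,OU=Groups,DC=example,DC=com", "Class", "vpn-standard"),
    # Same group typed in lower case: never matches, which is the usual misconfiguration.
    TranslationRule("cn=vpn-users,ou=groups,dc=example,dc=com", "Class", "never-applied"),
    TranslationRule(r"CN=Mideye-administrators.*", "Class", "vpn-admin", is_regex=True),
]

if __name__ == "__main__":
    print(translate(SAMPLE_MEMBER_OF, SAMPLE_RULES))
    # [('Class', 'vpn-standard'), ('Class', 'vpn-admin')]
```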

Log Configuration

Mideye Server offers a variety of logging options. These options do not require any restart of the Mideye services when enabled.

Log File

The default location for RADIUS messages is \log\radius-messages.log. The logging level is set to info but can be customised.

Syslog

To enable syslog, check the “Enable” button and specify the IP address to the syslog server.

Event Viewer

If Mideye Server is installed on a Windows platform, Event Viewer logging can be enabled. This will log all error messages.

SNMP

To enable SNMP, check the “SNMP” button and specify the host, port and community of the SNMP server.

Start Trace

In the bottom left corner of the window, a “Start Trace” button is available; it is used to troubleshoot various problems with the Mideye Server. When this button is clicked, all information is written to a file named trace.log until the trace is stopped. This log file (RADIUSTrace.log) is located in the log folder.

The trace will not affect production traffic, but be advised that these files quickly grow large.

Starting a RADIUS trace