Using RADIUS with AD FS MFA

Active Directory Federation Services (AD FS) is the de facto identity provider in a Microsoft environment. Many organizations use it to authenticate Office 365 users against an on-premises Active Directory. Support among cloud service providers is growing, allowing you to authenticate not just O365 users but users of a variety of business applications.

In certain circumstances, you may want to require multi-factor authentication (MFA). Out of the box, AD FS only provides support for X.509 certificates. Thankfully, there’s the concept of Authentication Adapters, allowing you to develop your own MFA plug-in. I’ve developed a quick RADIUS plugin that prompts users to enter a one-time PIN and sends the response to a RADIUS server, along with the account’s userPrincipalName, for validation.

RADIUS Authentication Adapter

The software is open source, licensed under the GPL, and relies on the excellent Radius.Net library.

Download

I strongly recommend compiling your own version rather than downloading a DLL and installing it onto your AD FS servers. If you’re comfortable with the risks of installing a prebuilt binary, you can download it from the links below.

Download Source Code (C#, 4.5)
Download Binaries (Version 1.0)

Installation

The instructions below cover installation into AD FS and make no attempt to document any RADIUS/NPS configuration.

  1. Extract the zip file to a convenient location and open install.ps1 in your favorite editor.
  2. Amend the variables in install.ps1 to match your RADIUS server, shared key and any ports needed.
  3. From an elevated PowerShell prompt, run install.ps1.
  4. Restart the AD FS service to complete registration.
  5. If you have multiple AD FS servers in your farm, repeat the process on each, but press CTRL-C when prompted to register the authentication adapter.

Open-Source PHP Class for working with Hikvision cameras

Earlier today I released an open-source (GPL 2) PHP class for interacting with Hikvision IP cameras; you can find the code on GitHub.

The PHP class works with Hikvision’s IP camera index files, which are created whenever video footage is stored on SD, SMB/CIFS or NFS. It’s needed because Hikvision stores multiple recordings (known as segments) inside a number of MP4 (H.264 – MPEG4-AVC) files.

The class allows you to read the index file (usually named “index00.bin”) and extract information about the files that have been created, along with the recording segments they contain. You can then extract the video and thumbnails you’re interested in.

A sample application is included that allows you to search recordings and extract footage.

Cisco Device Info now open source

Cisco Device Info, my popular SNMP application for getting information from Cisco network devices, has now been released as free software. It is now free to use at home and in commercial environments. Further to that change, I have licensed the software under the LGPL 2.1, allowing developers to contribute to the code and make changes of their own.

The source code is hosted on GitHub and is available from its public repository.