LDAP and Google-authentication in VPN with qr-code showing


Herman Cuppens
Jun 19, 2015, 8:54:08 AM
to priva...@googlegroups.com
Hello,

we would like our users to access a VPN with 2FA: LDAP and TOTP (Google Authenticator).
The VPN device will probably be a Cisco, and I myself am only familiar with the Cisco VPN desktop client.

I am trying to imagine how we can present to the user a form where he/she can enter the LDAP credentials (AD) and the QR code for Google Authenticator.
Is there somewhere a step-by-step guide or demo that shows how this practically gets presented to the end user?

Currently I have privacyIDEA and FreeRADIUS installed, but I cannot find documentation that explains how to configure a Cisco client for 2FA (challenge-response mode)?

kind regards,
Herman

Cornelius Kölbel
Jun 19, 2015, 9:58:44 AM
to Herman Cuppens, priva...@googlegroups.com
See this


For how to test your radius setup.

Kind regards
cornelius

Cornelius Kölbel
+49 151 2960 1417

NetKnights GmbH
Landgraf-Karl-Str. 19, 34131 Kassel, Germany

Amtsgericht Kassel, HRB 16405
Managing director: Cornelius Kölbel


-------- Original message --------
From: Herman Cuppens <cup...@gmail.com>
Date: 19.06.2015 14:54 (GMT+01:00)
To: priva...@googlegroups.com
Subject: LDAP and Google-authentication in VPN with qr-code showing
--
You received this message because you are subscribed to the Google Groups "privacyidea" group.
To unsubscribe from this group and stop receiving emails from it, send an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/0d7d36fb-1b4f-4af7-b9e7-f49eefa64be8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Cornelius Kölbel
Jun 19, 2015, 9:59:17 AM
to privacyidea

Cornelius Kölbel
+49 151 2960 1417

NetKnights GmbH
Landgraf-Karl-Str. 19, 34131 Kassel, Germany

Amtsgericht Kassel, HRB 16405
Managing director: Cornelius Kölbel


-------- Original message --------
From: Cornelius Kölbel <corneliu...@netknights.it>
Date: 19.06.2015 15:56 (GMT+01:00)
To: Herman Cuppens <cup...@gmail.com>
Subject: Re: LDAP and Google-authentication in VPN with qr-code showing

Hello Herman,
you only need the QR code when initializing the Google Authenticator.
Once it is enrolled, the Google Authenticator generates a one-time password just by a button press.

Then the user needs to enter <username> and <password+otp>.

I.e. the vpn client sends these credentials to the backend - usually via the radius protocol.
So you "just" need to configure radius PAP.

Kind regards
Cornelius
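To make the `<username>` / `<password+otp>` flow above concrete, here is an added example of what the backend side of a RADIUS PAP login has to do once the concatenated string arrives. It is not code from this thread, from privacyIDEA or from FreeRADIUS: the TOTP arithmetic follows RFC 6238 (the RFC's reference seed is used as a constructed demo secret), the directory bind is replaced by a constructed in-memory user table, and the `DEMO_*` names, `split_pap_value`, `match_totp` and `authenticate` are all assumptions of this example. It also shows two things the paragraph does not: a tolerance window for phone clock skew, and tracking of the last accepted counter so a captured OTP cannot be reused inside that window.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 6238 reference seed (ASCII "12345678901234567890").
# In a real privacyIDEA deployment the seed lives in the token database and is shown
# to the user exactly once, as the enrollment QR code (base32 form below).
DEMO_SEED = b"12345678901234567890"
DEMO_SEED_BASE32 = base64.b32encode(DEMO_SEED).decode()

# Constructed stand-in for the AD/LDAP bind (assumption: a real backend binds to the directory).
# One shared demo seed for all users is a simplification for the example only.
DEMO_USERS = {"herman": "Example-Pass-2015"}

# Highest TOTP counter already accepted per user, so a sniffed OTP cannot be replayed
# inside the clock-skew acceptance window.
_last_counter = {}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the Unix-time step counter (what the phone app computes)."""
    return hotp(secret, at // step, digits)


def split_pap_value(pap_value: str, digits: int = 6):
    """Split the concatenated <password+otp> string the VPN client sends over RADIUS PAP.

    The OTP is the fixed-length numeric suffix; everything before it is the LDAP
    password. Returns None when there is no plausible OTP suffix.
    """
    if len(pap_value) <= digits:
        return None
    password, otp = pap_value[:-digits], pap_value[-digits:]
    if not all(ch in "0123456789" for ch in otp):
        return None
    return password, otp


def check_ldap_password(username: str, password: str) -> bool:
    """Constructed stand-in for the directory bind; constant-time compare avoids timing leaks."""
    expected = DEMO_USERS.get(username)
    return expected is not None and hmac.compare_digest(password.encode(), expected.encode())


def match_totp(secret: bytes, otp: str, at: int, window: int = 1,
               step: int = 30, digits: int = 6):
    """Return the counter whose code equals `otp`, tolerating +/-window steps of clock skew."""
    base = at // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if hmac.compare_digest(hotp(secret, counter, digits), otp):
            return counter
    return None


def authenticate(username: str, pap_value: str, at: int = None) -> bool:
    """Backend check of one RADIUS PAP login: LDAP password AND TOTP, with replay rejection."""
    at = int(time.time()) if at is None else at
    parts = split_pap_value(pap_value)
    if parts is None:
        return False
    password, otp = parts
    # Evaluate both factors before deciding, so response timing does not reveal which one failed.
    ldap_ok = check_ldap_password(username, password)
    counter = match_totp(DEMO_SEED, otp, at)
    if not ldap_ok or counter is None:
        return False
    if counter <= _last_counter.get(username, -1):
        return False  # this OTP (or an older one) was already accepted: replay
    _last_counter[username] = counter
    return True


if __name__ == "__main__":
    now = int(time.time())
    login = DEMO_USERS["herman"] + totp(DEMO_SEED, now)
    print("QR code would encode:", DEMO_SEED_BASE32)
    print("first login  :", authenticate("herman", login, now))
    print("replayed OTP :", authenticate("herman", login, now))
```

The split relies on the OTP being a fixed number of digits at the end of the PAP string, which is exactly why the concatenation convention works without any change to the VPN client: the client only ever sees one "password" field. Whatever product does this check in production (privacyIDEA in this thread), the same three properties are worth confirming in its configuration: a bounded skew window, rejection of an already-used counter, and that the LDAP bind is attempted with the password portion only.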

Herman Cuppens
Jun 22, 2015, 4:39:54 AM
to priva...@googlegroups.com, cup...@gmail.com
Thanks for your info,

I see this note at http://privacyidea.readthedocs.org/en/latest/application_plugins/index.html#index-0,

"Note

The perl module is not thread safe, so you need to start FreeRADIUS with the -t switch.

You can test the RADIUS setup using a command like this:

"

but I am afraid I do not understand the possible impact:
does this mean we are "limited" to a single thread, and
what about a clustered setup for HA, for example: is this possible with privacyIDEA and the token DB, FreeRADIUS on a 2-node cluster, using this perl_module?

kind regards,
Herman

Cornelius Kölbel
Jun 22, 2015, 5:48:53 AM
to priva...@googlegroups.com
Hello Herman,

thanks for the hint to get this clean.
Indeed this was a problem due to a Perl module that was used. (Unfortunately at
the moment I do not remember which one.)

This is not valid anymore for a system running ubuntu 14.04 or systems
"with similar module versions".

I just ran a test with three parallel scripts issuing RADIUS requests
continuously. I ended up with 5 requests per second on my local machine
and experienced no problems anymore.
So you may also omit the -t switch.

(I will have to adapt the documentation)

The HA setup will use a common database. Two privacyIDEA systems will
connect to the same database (or DB cluster). Each RADIUS server will
connect to a privacyIDEA server.
Your RADIUS client can do a round robin on the two RADIUS servers.

Kind regards
Cornelius
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it