Proxy a RADIUS request with privacyidea
89 views
Skip to first unread message
George D.
Nov 25, 2015, 1:58:13 AM11/25/15
to privacyidea
Hi Cornelius,
I was looking for a solution that could proxy a RADIUS authentication request coming from a VPN user and display it on a web page.
In order for a human operator to be able to view the request and deny/permit the VPN connection based on some information displayed on that page (username, date, etc).
This would be a implementation of "4 eyes principle" different from the one that exists in privacyidea.
Can privacyidea accommodate such request ?
Thanks a lot,
George
I was looking for a solution that could proxy a RADIUS authentication request coming from a VPN user and display it on a web page.
In order for a human operator to be able to view the request and deny/permit the VPN connection based on some information displayed on that page (username, date, etc).
This would be a implementation of "4 eyes principle" different from the one that exists in privacyidea.
Can privacyidea accommodate such request ?
Thanks a lot,
George
Cornelius Kölbel
Nov 25, 2015, 3:59:21 AM11/25/15
to priva...@googlegroups.com
Hello George,
so let me see if I get this right:
A "user A" tries to login to a VPN. The VPN is connected to a RADIUS
server, so the VPN sends a RADIUS Access-Request to the RADIUS server.
Instead of processing the Access-Request the RADIUS server should put
this request on the Web Page, where an "operator B" may decide if the
user is allowed to login?
You realize that the Radius Access-Request will run into a timeout,
since the operator will not decide within seconds?!
So the "user A" will fail to login anyway.
What are you trying to achieve?
Don't you think it might make more sense to define rules?
If you are involving a human being for decision making, you will always
have a timeout problem.
Kind regards
Cornelius
> --
> You received this message because you are subscribed to the Google
> Groups "privacyidea" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to privacyidea...@googlegroups.com.
> To post to this group, send email to priva...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/privacyidea/41238f3d-9627-4b3c-84c5-3284ff0aea5d%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
so let me see if I get this right:
A "user A" tries to login to a VPN. The VPN is connected to a RADIUS
server, so the VPN sends a RADIUS Access-Request to the RADIUS server.
Instead of processing the Access-Request the RADIUS server should put
this request on the Web Page, where an "operator B" may decide if the
user is allowed to login?
You realize that the Radius Access-Request will run into a timeout,
since the operator will not decide within seconds?!
So the "user A" will fail to login anyway.
What are you trying to achieve?
Don't you think it might make more sense to define rules?
If you are involving a human being for decision making, you will always
have a timeout problem.
Kind regards
Cornelius
> You received this message because you are subscribed to the Google
> Groups "privacyidea" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to privacyidea...@googlegroups.com.
> To post to this group, send email to priva...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/privacyidea/41238f3d-9627-4b3c-84c5-3284ff0aea5d%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
George D.
Nov 25, 2015, 4:37:17 AM11/25/15
to privacyidea
Hi,
You described the process correctly. You can set the time-out to 60-120 seconds or more.
Let's say that "user A" calls in before and informs "operator B" that he will initiate a VPN connection.
"Operator B" will open the screen and allow the connection.
If "user A" wants to connect to the VPN without informing "operator B" then his request will be timed-out, which is why we need to confirm manually (Allow) the connection.
Maybe "operator B" could also get an email with a link for approval ... just an idea.
So the idea is that no VPN connection will be established without human intervention by "operator B".
I'm afraid you can't automate this as "operator B" needs to be part of the process.
Hope this explains better the process.
Can privacyidea accommodate this scenario ?
Thanks,
George
You described the process correctly. You can set the time-out to 60-120 seconds or more.
Let's say that "user A" calls in before and informs "operator B" that he will initiate a VPN connection.
"Operator B" will open the screen and allow the connection.
If "user A" wants to connect to the VPN without informing "operator B" then his request will be timed-out, which is why we need to confirm manually (Allow) the connection.
Maybe "operator B" could also get an email with a link for approval ... just an idea.
So the idea is that no VPN connection will be established without human intervention by "operator B".
I'm afraid you can't automate this as "operator B" needs to be part of the process.
Hope this explains better the process.
Can privacyidea accommodate this scenario ?
Thanks,
George
Cornelius Kölbel
Nov 25, 2015, 5:06:37 AM11/25/15
to priva...@googlegroups.com
Hi George,
At the moment it does not do this out of the box.
But this could be very well/easily implemented with pending requests and
add a view to display these pending requests and let the "operator B"
approve these.
Need to look into pending HTTP requests and timeouts, but this can work.
But instead of using all the timeout stuff, we could also see if this
would work with challenge response. Today you can use challenge
response, i.e. you give an OTP PIN and then the server sends a challenge
and expects the response. This also works with the RADIUS protocol, but
the RADIUS Client (in this case the VPN) must support the RADIUS
Access-Challenge package.
Using Challenge Response, the operator could approve the Challenge and
this way we would not run into this timeout stuff!
So you should check if your VPN supports Access-Challenge.
Kind regards
Cornelius
> https://groups.google.com/d/msgid/privacyidea/d4aa9d90-e88e-47f9-9103-136728ce0456%40googlegroups.com.
At the moment it does not do this out of the box.
But this could be very well/easily implemented with pending requests and
add a view to display these pending requests and let the "operator B"
approve these.
Need to look into pending HTTP requests and timeouts, but this can work.
But instead of using all the timeout stuff, we could also see if this
would work with challenge response. Today you can use challenge
response, i.e. you give an OTP PIN and then the server sends a challenge
and expects the response. This also works with the RADIUS protocol, but
the RADIUS Client (in this case the VPN) must support the RADIUS
Access-Challenge package.
Using Challenge Response, the operator could approve the Challenge and
this way we would not run into this timeout stuff!
So you should check if your VPN supports Access-Challenge.
Kind regards
Cornelius
George D.
Nov 25, 2015, 7:06:30 AM11/25/15
to privacyidea
Hi,
The VPN client used in this case is Cisco AnyConnect.
I'm sorry but I couldn't find clear documentation regarding the support for Access-Challenge in AnyConnect.
There are some references which makes me think it's supported. Maybe you know better.
Anyway at the moment for authentication I wanted to use user&password.
Thanks,
George
The VPN client used in this case is Cisco AnyConnect.
I'm sorry but I couldn't find clear documentation regarding the support for Access-Challenge in AnyConnect.
There are some references which makes me think it's supported. Maybe you know better.
Anyway at the moment for authentication I wanted to use user&password.
Thanks,
George
Cornelius Kölbel
Nov 25, 2015, 7:21:28 AM11/25/15
to priva...@googlegroups.com
Hi George,
it looks like anyConnect basically supports RADIUS chal resp.
But there also seem to be problems every now and then.
Nevertheless I would recommend to test this.
If you do not want to use a 2nd factor like OTP but only
* username
* password
* operator interaction,
then you could do it like this:
1. user enters username
2. user enters 1st part of password.
3. A challenge is triggered
4. ...and the user is presented with the second login
5. the operator needs to approve the challenge
6. The use may enter the 2nd part of the password.
If the user performs 6 before 5, he will not be able to login.
Kind regards
Cornelius
> https://groups.google.com/d/msgid/privacyidea/636a8380-0415-494f-88bb-8d89a33c26c9%40googlegroups.com.
it looks like anyConnect basically supports RADIUS chal resp.
But there also seem to be problems every now and then.
Nevertheless I would recommend to test this.
If you do not want to use a 2nd factor like OTP but only
* username
* password
* operator interaction,
then you could do it like this:
1. user enters username
2. user enters 1st part of password.
3. A challenge is triggered
4. ...and the user is presented with the second login
5. the operator needs to approve the challenge
6. The use may enter the 2nd part of the password.
If the user performs 6 before 5, he will not be able to login.
Kind regards
Cornelius
Reply all
Reply to author
Forward
0 new messages