RADIUS integration question


Brian Candler

Dec 29, 2016, 1:10:31 PM12/29/16
to privacyidea
I am going through the privacyidea documentation trying to work out what the behaviour of FreeRADIUS + privacyidea is.

I have read:


but neither of these says what privacyidea actually *does* in response to an incoming RADIUS request.

Such a request will normally contain a User-Name and a User-Password. And let's assume I have configured privacyidea with an existing username+password database, say in LDAP or SQL.

Does privacyidea split the User-Password into <password> and <otp response> parts, i.e. the user is supposed to concatenate them?  Or does it respond with an Access-Challenge asking for the OTP? Or does it validate only the token response and not the password? Or something else?

I have looked in the code for privacyidea_radius.pm and it seems to call the /validate/check endpoint, which in turn is documented at
and I *think* this REST endpoint takes a concatenation of the password plus OTP (although it talks about "OTP pin" rather than "password")

But then looking in the module code, further on it seems to generate an Access-Challenge.

Hence I'm pretty confused. A simple description of the behaviour when responding to an incoming RADIUS request would be great.  This in turn will help me understand if it can be used in certain RADIUS scenarios, e.g. EAP-TTLS + PAP/GTC.

Thanks,

Brian.

Cornelius Kölbel

Dec 30, 2016, 2:13:35 AM12/30/16
to privacyidea
Hi Brian,

the RADIUS module privacyidea_radius.pm is pretty dumb. It simply forwards the data the user entered, which was sent to the RADIUS server in User-Name and User-Password, to the /validate/check endpoint.
Everything else is determined by the privacyIDEA server.

The default behaviour is that the user passes

   OTP-PIN + OTP value

This can be changed to

   LDAP-Password + OTP value

Under certain conditions this can also be a challenge response. In most cases challenge response is not necessary (only for SMS and Email).
In the challenge-response case the /validate/check endpoint first takes the static password. If it is correct, it then expects the OTP value.
This is the case even without any RADIUS involved.

If RADIUS is involved, it will return an Access-Challenge. Roughly speaking, privacyidea_radius.pm is just a protocol translator.

Kind regards
Cornelius
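The "protocol translator" behaviour described above, as an added illustration that is not the privacyidea_radius.pm module itself: the RADIUS attributes are handed to /validate/check unsplit, and the JSON answer is mapped back to Access-Accept, Access-Reject or Access-Challenge. The response shape (result.status / result.value, detail.transaction_id, detail.message) follows privacyIDEA's /validate/check API; the sample server, its credentials and the use of the RADIUS State attribute to carry the transaction_id on the second leg are assumptions of this example.

```python
"""Toy model of a RADIUS front-end for privacyIDEA's /validate/check.

Not the project's own code.  The fake endpoint, user credentials and
transaction_id below are constructed for the example.
"""
import hmac


def build_check_request(attrs, state=None):
    """Map RADIUS attributes to the /validate/check form fields.

    User-Password is passed through unsplit: whether it is PIN+OTP,
    LDAP password+OTP or the OTP answering a challenge is decided by
    the server and its policies, not by the RADIUS module.  On the
    second leg of a challenge-response the RADIUS State attribute is
    assumed to carry the transaction_id back to the server.
    """
    body = {"user": attrs["User-Name"], "pass": attrs["User-Password"]}
    if state:
        body["transaction_id"] = state
    return body


def radius_reply(check_response):
    """Translate a /validate/check JSON body into (packet_type, attributes)."""
    result = check_response.get("result", {})
    detail = check_response.get("detail", {})
    if not result.get("status", False):
        # status=false means the server itself failed (bad resolver, etc.);
        # fail closed instead of accepting.
        return "Access-Reject", {"Reply-Message": "privacyIDEA server error"}
    if result.get("value") is True:
        return "Access-Accept", {"Reply-Message": "privacyIDEA access granted"}
    if detail.get("transaction_id"):
        # value=false together with a transaction_id is a challenge, not a failure
        return "Access-Challenge", {
            "Reply-Message": detail.get("message", "Enter OTP"),
            "State": detail["transaction_id"],
        }
    return "Access-Reject", {"Reply-Message": "privacyIDEA access denied"}


class FakeValidateEndpoint:
    """Constructed stand-in for /validate/check for one SMS-style user.

    First leg: static password -> challenge with a transaction_id.
    Second leg: transaction_id + OTP -> accept, and the challenge is closed.
    """

    def __init__(self):
        self.password = "S3cretLdapPw"   # static factor (made up)
        self.otp = "482910"               # OTP "sent" by SMS (made up)
        self.open_tx = {}                 # transaction_id -> user

    def check(self, body):
        user, passwd = body["user"], body["pass"]
        tx = body.get("transaction_id")
        if tx and self.open_tx.pop(tx, None) == user:
            ok = hmac.compare_digest(passwd, self.otp)
            msg = "found matching challenge" if ok else "wrong otp value"
            return {"result": {"status": True, "value": ok},
                    "detail": {"message": msg}}
        if hmac.compare_digest(passwd, self.password):
            tx = "01234567890123456789"
            self.open_tx[tx] = user
            return {"result": {"status": True, "value": False},
                    "detail": {"message": "Enter the OTP from the SMS:",
                               "transaction_id": tx}}
        return {"result": {"status": True, "value": False},
                "detail": {"message": "wrong otp pin"}}


def challenge_flow(server, user, password, otp):
    """Two RADIUS round trips: password -> Access-Challenge, OTP -> Accept/Reject.

    Returns the list of (packet_type, attributes) replies the NAS would see.
    """
    first = radius_reply(server.check(build_check_request(
        {"User-Name": user, "User-Password": password})))
    if first[0] != "Access-Challenge":
        return [first]
    second = radius_reply(server.check(build_check_request(
        {"User-Name": user, "User-Password": otp}, state=first[1]["State"])))
    return [first, second]


if __name__ == "__main__":
    srv = FakeValidateEndpoint()
    for pkt, attrs in challenge_flow(srv, "alice", "S3cretLdapPw", "482910"):
        print(pkt, attrs)
```

The point to take from the model: the module never inspects User-Password, so a NAS that cannot handle Access-Challenge (for example some EAP inner methods) only works with token types that do not need a challenge; the policies on the server decide what the static part of the password is compared against.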

Mark Steyn

Jan 13, 2017, 6:23:11 PM1/13/17
to privacyidea
Hi,

Sorry dumb question but stuck on this for a while and can't find solution in docs....

How do I change the behaviour to
LDAP-Password + OTP value?

My setup works with
OTP_PIN + OTP_value
Furthermore, my LDAP resolver works against my Active Directory.

Now stuck at getting radius interface to use
LDAP-Password + OTP value

Help or suggestions gladly received.

Thanks
Mark

cornelius.koelbel

Jan 13, 2017, 6:40:43 PM1/13/17
to Mark Steyn, privacyidea
Hi Mark,

You need to define a policy.


Where and how did you search?
Maybe we can improve the docs.

Kind regards 
Cornelius 

Cornelius Kölbel 
+49 151 2960 1417

-------- Original message --------
From: Mark Steyn <mar...@gmail.com>
Date: 14.01.17 00:23 (GMT+01:00)
To: privacyidea <priva...@googlegroups.com>
Subject: [privacyidea] Re: RADIUS integration question


Mark Steyn

Jan 13, 2017, 6:49:37 PM1/13/17
to privacyidea, mar...@gmail.com
Thanks for prompt reply.

I have defined a policy and set passthru for authentication but my test still passes with using only OTP_PIN + OTP_value.
I must be missing something silly.

for example

$ echo "User-Name=otp1", "Password=1111136975" | radclient -sx 127.0.0.1 auth testing123
Sending Access-Request of id 211 to 127.0.0.1 port 1812
        User-Name = "otp1"
        Password = "1111136975"
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=211, length=48
        Reply-Message = "privacyIDEA access granted"

cornelius.koelbel

Jan 13, 2017, 6:56:32 PM1/13/17
to Mark Steyn, privacyidea
Indeed!

Who said you should use passthru?
Use otppin=userstore!

Kind regards 
Cornelius 



Cornelius Kölbel 
+49 151 2960 1417

-------- Original message --------
From: Mark Steyn <mar...@gmail.com>
Date: 14.01.17 00:49 (GMT+01:00)
To: privacyidea <priva...@googlegroups.com>
Subject: Re: [privacyidea] Re: RADIUS integration question
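Why passthru did not change the outcome of the radclient test above while otppin=userstore does, as an added toy model (not privacyIDEA's code): the server splits User-Password by OTP length into a static part and the OTP, and the otppin policy decides whether the static part is compared with the token PIN (tokenpin), the user store password (userstore) or must be empty (none). passthru, per the privacyIDEA policy documentation, only applies to users who have no token at all. The user store, token PIN, OTP list and user names below are constructed for the example.

```python
"""Toy model of the otppin / passthru authentication policies.

Not privacyIDEA's code.  Users, passwords, PINs and OTP values are
constructed for the example.
"""
import hmac

OTP_LEN = 6  # HOTP/TOTP default; the static part is whatever precedes the OTP

# What the LDAP/AD resolver would verify (constructed)
USERSTORE = {"otp1": "S3cretLdapPw", "notoken": "AnotherPw"}
# PIN stored on the token and the OTP values the token would currently produce (constructed)
TOKENS = {"otp1": {"pin": "1111", "otps": {"136975", "522810"}}}
# OTP values already consumed, so a replayed User-Password is rejected
USED = set()


def split_pin_pass(password, otp_len=OTP_LEN):
    """Return (static_part, otp) or (None, None) if the password is too short."""
    if len(password) < otp_len:
        return None, None
    return password[:-otp_len], password[-otp_len:]


def validate_check(user, password, policies):
    """Mimic /validate/check: return (accepted, message).

    policies is a dict such as {"otppin": "userstore"} or {"passthru": True}.
    """
    otppin = policies.get("otppin", "tokenpin")   # tokenpin is the default
    token = TOKENS.get(user)

    if token is None:
        # passthru only matters for users WITHOUT a token: they are checked
        # against the user store alone.  A user who has a token never takes
        # this path, so setting passthru alone changes nothing for otp1.
        stored = USERSTORE.get(user, "")
        if policies.get("passthru") and hmac.compare_digest(password, stored):
            return True, "user has no token, passthru"
        return False, "user has no token"

    pin, otp = split_pin_pass(password)
    if otp is None:
        return False, "password too short"

    if otppin == "tokenpin":
        pin_ok = hmac.compare_digest(pin, token["pin"])
    elif otppin == "userstore":
        pin_ok = hmac.compare_digest(pin, USERSTORE.get(user, ""))
    elif otppin == "none":
        pin_ok = pin == ""
    else:
        raise ValueError(f"unknown otppin policy value {otppin!r}")

    if not pin_ok:
        return False, "wrong otp pin"
    if otp not in token["otps"] or (user, otp) in USED:
        return False, "wrong otp value"
    USED.add((user, otp))
    return True, "matching 1 tokens"


if __name__ == "__main__":
    for policy in ({"otppin": "tokenpin"}, {"passthru": True}, {"otppin": "userstore"}):
        USED.clear()
        print(policy,
              "PIN+OTP ->", validate_check("otp1", "1111136975", policy)[0],
              "LDAP-pw+OTP ->", validate_check("otp1", "S3cretLdapPw136975", policy)[0])
```

With the default (tokenpin) and with passthru alone, "1111136975" is accepted and "S3cretLdapPw136975" is not; with otppin=userstore it is the other way round, which is the behaviour Mark was after.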

Mark Steyn

Jan 13, 2017, 7:00:24 PM1/13/17
to privacyidea, mar...@gmail.com
Doh. Thank you so much!!!

it works. Now to move past the baby steps.