PrivacyIdea and FreeRADIUS with vendor specific radius return code?


Thorsten Steiner

Feb 26, 2016, 2:56:54 AM2/26/16
to privacyidea
Hi there!
I have a running privacyidea server with a freeradius in front of it. Our Active Directory is configured as a user resolver, authentication works fine.
But to use privacyidea as a replacement for our safenet/gemalto token solution, I need a configuration that returns the group name as a vendor specific radius code if the user is a member of this group.
Has anyone an idea, how to do this?

Thorsten 

Cornelius Kölbel

Feb 27, 2016, 11:46:08 AM2/27/16
to privacyidea
Hi Thorsten,

great to hear this.
So what are you migrating from?
SAM or SAMx a.k.a. Safeword 2008?
...and which kind of tokens are you using - etoken pass or ng otp?

This kind of stuff is usually handled by the radius server itself.
Many customers are running a scenario with the freeradius server.

However, privacyIDEA can return additional attributes. So this could be added to the freeradius module.
If you are interested in an enhancement just drop us a note.

Kind regards
Cornelius

Thorsten Steiner

Feb 27, 2016, 1:37:45 PM2/27/16
to privacyidea
Hi Cornelius,

we want to migrate from SAM. Since it is not Safeword2xxx and not really Active Directory integrated (PlugIn) anymore, the software is -in my eyes- a piece of junk. And -thanks to your presentation at OpenRheinRuhr last year- PrivacyIdea seems to be one candidate to migrate to. At the moment we use etoken pass tokens, not the ng. But if PrivacyIdea wins the competition, I think we will use other tokens. The Smartdisplayer cards you showed in Oberhausen looked really nice and some guys would love to use their smartphones as token generators...

But back to the topic: You wrote that freeradius could do this, so I think I have to learn more about it!  ;) If you have a hint, you are always welcome!

Kind Regards,
Thorsten

Cornelius Kölbel

Feb 27, 2016, 4:33:35 PM2/27/16
to privacyidea
Hint: LDAP, unlang, update-control

We could add such functionality to privacyIDEA rather straightforwardly.
PI returns such values in the authentication request. The privacyIDEA freeradius plugin could add it to the RADIUS Response.

Kind regards
Cornelius

Thorsten Steiner

Feb 27, 2016, 4:48:22 PM2/27/16
to privacyidea
Thanks for the hints! I'm going down for weekend now! ;) So will see how far your hints will bring me next week...

Having a function that, if a user is a member of a special LDAP group, returns the group name in the RADIUS response of privacyIDEA would be great. That would keep the configuration of the Radius server very simple and the admin would have all the configuration in one place. It doesn't have to be the exact group name for me. A function "if user is member of group XY, return radius vendor specific code nmopq with value bla" would be good for me.

Kind Regards,
Thorsten

Cornelius Kölbel

Feb 28, 2016, 10:26:41 AM2/28/16
to privacyidea
On Saturday, 27 February 2016 22:48:22 UTC+1, Thorsten Steiner wrote:
Thanks for the hints! I'm going down for weekend now! ;) So will see how far your hints will bring me next week...

Having a function that, if a user is a member of a special LDAP group, returns the group name in the RADIUS response of privacyIDEA would be great. That would keep the configuration of the Radius server very simple and the admin would have all the configuration in one place. It doesn't have to be the exact group name for me. A function "if user is member of group XY, return radius vendor specific code nmopq with value bla" would be good for me.

Implementing such a function in privacyIDEA and the privacyIDEA FreeRADIUS plugin can be quite straightforward.
The resolver can specify additional attributes in the resolver attribute mapping.
Then we need to add these attributes to the authentication response.
Finally the privacyIDEA FreeRADIUS plugin needs a mapping to map these attributes to RADIUS response values.

If you drop me your company's address, you can get a quote for this.

Kind regards
Cornelius
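For readers who want to follow the "LDAP, unlang, update-control" hint on the FreeRADIUS side rather than wait for the privacyIDEA enhancement, here is an added example of what such a site fragment looks like in FreeRADIUS 3. It is not configuration from this thread or from the privacyIDEA project, and it assumes an ldap module instance named `ldap` pointed at the AD with a group section configured, the privacyIDEA perl module set up as Auth-Type Perl according to its own README, and a placeholder group DN plus `Fortinet-Group-Name` (from the stock FreeRADIUS dictionaries) standing in for whatever vendor attribute the NAS actually expects.

```unlang
# Added example, not from the thread. Site fragment for FreeRADIUS 3.
# Assumptions: an ldap module instance named "ldap" that points at the AD and
# has a group { } section (membership_attribute = "memberOf" for AD), and the
# privacyIDEA perl module configured as Auth-Type Perl per its README.

authorize {
    preprocess
    # Look the user up in AD first; this also lets the LDAP-Group
    # comparison in post-auth resolve against the cached entry.
    ldap
    # Hand OTP validation to privacyIDEA.
    update control {
        Auth-Type := Perl
    }
}

authenticate {
    Auth-Type Perl {
        perl
    }
}

post-auth {
    # Reached only after privacyIDEA accepted the OTP. Add the vendor
    # attribute solely for members of the AD group; everyone else gets a
    # plain Access-Accept without it. Group DN and attribute value are
    # placeholders for your environment.
    if (LDAP-Group == "CN=VPN-Users,OU=Groups,DC=example,DC=com") {
        update reply {
            Fortinet-Group-Name := "VPN-Users"
        }
    }
}
```

If the NAS grants access purely on the presence of that attribute, either verify that it rejects an Access-Accept without it or add an `else { reject }` branch in post-auth so the decision is enforced in one place.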