Re: Re: Re: RADIUS integration question

Indeed!
Who said you should use passthru? Use otppin=userstore!
Kind regards Cornelius

Cornelius Kölbel +49 151 2960 1417
NetKnights GmbH
http://NetKnights.it
+49 561 3166 797

-------- Original Message --------
From: Mark Steyn marks7g@gmail.com
Date: 14.01.17 00:49 (GMT+01:00)
To: privacyidea privacyidea@googlegroups.com
Cc: marks7g@gmail.com
Subject: Re: [privacyidea] Re: RADIUS integration question
Thanks for prompt reply.

I have defined a policy and set passthru for authentication, but my test still passes using only OTP_PIN + OTP_value.
I must be missing something silly.

for example

$ echo "User-Name=otp1", "Password=1111136975" | radclient -sx 127.0.0.1 auth testing123
Sending Access-Request of id 211 to 127.0.0.1 port 1812
User-Name = "otp1"
Password = "1111136975"
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=211, length=48
Reply-Message = "privacyIDEA access granted"

On Friday, January 13, 2017 at 11:40:43 PM UTC, Cornelius Kölbel wrote:
Hi Mark,
You need to define a policy.
http://privacyidea.readthedocs.io/en/latest/policies/authentication.html#otppin
Where and how did you search? Maybe we can improve the docs.
Kind regards Cornelius
Cornelius Kölbel +49 151 2960 1417
NetKnights GmbH
http://NetKnights.it
+49 561 3166 797

-------- Original Message --------
From: Mark Steyn mar...@gmail.com
Date: 14.01.17 00:23 (GMT+01:00)
To: privacyidea priva...@googlegroups.com
Subject: [privacyidea] Re: RADIUS integration question
Hi,

Sorry, dumb question, but I have been stuck on this for a while and can't find a solution in the docs…

How do I change to the behaviour
LDAP-Password + OTP value

My setup works with
OTP_PIN + OTP_value
Furthermore, my LDAP resolver works against my Active Directory.

Now I am stuck at getting the RADIUS interface to use
LDAP-Password + OTP value

Help or suggestions gladly received.

Thanks
Mark

On Friday, December 30, 2016 at 7:13:35 AM UTC, Cornelius Kölbel wrote:
Hi Brian,
the RADIUS module privacyidea_radius.pm is pretty dumb. It simply forwards the data the user entered and which was sent to the RADIUS server in User-Name and User-Password to the /validate/check endpoint. Everything else is determined by the privacyIDEA server.
The default behaviour is that the user passes
OTP-PIN + OTP value
This can be changed to
LDAP-Password + OTP value
Under certain conditions this can also be a challenge response. In most cases challenge response is not necessary (only for SMS and Email). In the challenge response case the /validate/check endpoint first takes the static password. If it is correct it then expects the OTP value. This is the case even without any RADIUS involved.
If RADIUS is involved, it will return an Access-Challenge. Roughly speaking, privacyidea_radius.pm is just a protocol translator.
Kind regards
Cornelius
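The protocol-translator role described above, as an added example that is not code from the privacyidea_radius.pm module: it maps the RADIUS User-Name/User-Password pair onto a /validate/check request and maps the JSON reply onto Access-Accept, Access-Challenge or Access-Reject. The reply layouts are constructed samples modelled on the privacyIDEA validate API (result.status, result.value, detail.transaction_id); whether "pass" means OTP-PIN + OTP or LDAP-password + OTP is decided only by the server-side otppin policy, which this client never sees.

```python
import json
import urllib.parse
import urllib.request

# Constructed sample replies, modelled on the /validate/check JSON layout
# (assumption: field names as documented in the privacyIDEA validate API).
ACCEPT_REPLY = {"result": {"status": True, "value": True},
                "detail": {"message": "matching 1 tokens"}}
CHALLENGE_REPLY = {"result": {"status": True, "value": False},
                   "detail": {"message": "Enter the OTP from the SMS:",
                              "transaction_id": "01234567890123456789"}}
REJECT_REPLY = {"result": {"status": True, "value": False},
                "detail": {"message": "wrong otp pin"}}


def build_validate_request(user_name, user_password, state=None):
    """Map RADIUS User-Name/User-Password to the /validate/check form body.
    The client does not split 'pass'; the server's otppin policy decides
    whether the static part is the OTP PIN or the LDAP/userstore password.
    A RADIUS State attribute (second round of a challenge) is forwarded
    as transaction_id so the server can match the pending challenge."""
    body = {"user": user_name, "pass": user_password}
    if state:
        body["transaction_id"] = state
    return body


def send_validate_check(base_url, body, timeout=5):
    """POST the form body to <base_url>/validate/check and decode the JSON.
    Not called by the offline sample below; base_url is an assumed value."""
    data = urllib.parse.urlencode(body).encode()
    with urllib.request.urlopen(base_url + "/validate/check", data,
                                timeout=timeout) as resp:
        return json.load(resp)


def translate_reply(reply):
    """Map a /validate/check reply to (RADIUS code, reply attributes).
    result.status False  -> server-side error, treated as a reject
    result.value  True   -> Access-Accept
    transaction_id set   -> Access-Challenge carrying it in State
    otherwise            -> Access-Reject (wrong PIN/password or OTP)"""
    result = reply.get("result", {})
    detail = reply.get("detail", {})
    if not result.get("status"):
        return "Access-Reject", {"Reply-Message": "privacyIDEA error"}
    if result.get("value"):
        return "Access-Accept", {"Reply-Message": "privacyIDEA access granted"}
    if "transaction_id" in detail:
        return "Access-Challenge", {"State": detail["transaction_id"],
                                    "Reply-Message": detail.get("message", "")}
    return "Access-Reject", {"Reply-Message": "privacyIDEA access denied"}
```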

On Thursday, 29 December 2016 19:10:31 UTC+1, Brian Candler wrote:
I am going through the privacyidea documentation trying to work out what the behaviour of FreeRADIUS + privacyidea is.
I have read:
http://privacyidea.readthedocs.io/en/latest/application_plugins/index.html#freeradius-plugin
http://privacyidea.readthedocs.io/en/latest/application_plugins/radius.html

but neither of these says what privacyidea actually does in response to an incoming RADIUS request.
Such a request will normally contain a User-Name and a User-Password. And let’s assume I have configured privacyidea with an existing username+password database, say in LDAP or SQL.
Does privacyidea split the User-Password into and parts, i.e. the user is supposed to concatenate them? Or does it respond with an Access-Challenge asking for the OTP? Or does it validate only the token response and not the password? Or something else?
I have looked in the code for privacyidea_radius.pm and it seems to call the /validate/check endpoint, which in turn is documented at http://privacyidea.readthedocs.io/en/latest/modules/api/validate.html
and I think this REST endpoint takes a concatenation of the password plus OTP (although it talks about “OTP pin” rather than “password”)
But then looking in the module code, further on it seems to generate an Access-Challenge.
Hence I’m pretty confused. A simple description of the behaviour when responding to an incoming RADIUS request would be great. This in turn will help me understand if it can be used in certain RADIUS scenarios, e.g. EAP-TTLS + PAP/GTC.
Thanks,
Brian.

Please read the blog post about getting help

https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor authentication please visit

https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT which suites your needs for SECURITY, AVAILABILITY and LIABILITY:

https://netknights.it/en/leistungen/service-level-agreements/


You received this message because you are subscribed to a topic in the Google Groups “privacyidea” group.

To unsubscribe from this topic, visit https://groups.google.com/d/topic/privacyidea/Mv4fcIzHwKM/unsubscribe.

To unsubscribe from this group and all its topics, send an email to privacyidea...@googlegroups.com.

To post to this group, send email to priva...@googlegroups.com.

Visit this group at https://groups.google.com/group/privacyidea.

To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/40e05be4-4543-442f-aea5-1ac798bc6dbd%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.
