LDAP and Google-authentication in VPN with qr-code showing

Hello,

we would like our users to access a VPN with 2FA: LDAP and TOTP
(Google-authentication).
The VPN device will probably be a Cisco and I am only familiar myself with
the cisco-vpn desktop client.

I am trying to imagine how we can present to the user a form where he/she
can enter the LDAP-credentials (AD) and the qr-code for
google-authenticator.
Is there somewhere a step by step guide or demo to show how this
practically gets presented to the end user?

Currently I have privacyIdea and Freeradius installed, but I cannot find
doc that explains how to configure a Cisco-client for 2fa (challenge
response mode)?

kind regards,
Herman

Thanks for your info,

I see this note at
http://privacyidea.readthedocs.org/en/latest/application_plugins/index.html#index-0,

"Note

The perl module is not thread safe, so you need to start FreeRADIUS with
the -t switch.

You can test the RADIUS setup using a command like this:
"

but I am afraid I do not understand the possible impact:
does this mean we are “limited” to a single thread and
what about a clustered setup for HA for example - is this possible with
privacyIdea and tokendb, FreeRadius on 2 node cluster, using this
perl_module?

kind regards,
Herman

On Friday, June 19, 2015 at 3:58:44 PM UTC+2, Cornelius Kölbel wrote:

See this

http://privacyidea.readthedocs.org/en/latest/application_plugins/radius.html?highlight=radius

For how to test your radius setup.

Kind regards
cornelius

Cornelius Kölbel
Corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel

-------- Original message --------
From: Herman Cuppens <cup...@gmail.com>
Date: 19.06.2015 14:54 (GMT+01:00)
To: priva...@googlegroups.com
Subject: LDAP and Google-authentication in VPN with qr-code showing


Hello Herman,

thanks for the hint to get this clean.
Indeed this was a problem due to a perl module used. (Unfortunately at
the moment I do not remember which one).

This is not valid anymore for a system running Ubuntu 14.04 or systems
“with similar module versions”.

I just ran a test with three parallel scripts issuing RADIUS requests
continuously. I ended up with 5 requests per second on my local machine
and experienced no problems anymore.
So you may also omit the -t switch.

(I will have to adapt the documentation)

The HA setup will use a common database. Two privacyIDEA systems will
connect to the same database (or DB cluster). Each RADIUS server will
connect to a privacyIDEA server.
Your RADIUS client can do a round robin on the two radius servers.

Kind regards
Cornelius

On Monday, 22.06.2015, 01:39 -0700, Herman Cuppens wrote:


Cornelius Kölbel
@cornelinux
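
A sketch of the client side of the HA setup described in the reply above, added here as an example and not taken from privacyIDEA or FreeRADIUS: a RADIUS PAP test client (RFC 2865) that alternates between two RADIUS servers, falls back to the other one when a server does not answer, and accepts only replies whose Response Authenticator matches the shared secret. The class name `RoundRobinClient` and all function names are hypothetical; server addresses, shared secret and credentials are supplied by the caller.

```python
import hashlib, hmac, itertools, os, socket, struct

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR each 16-byte block with an MD5 chain."""
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_access_request(ident, user, password, secret, authenticator=None):
    """Return (packet, request_authenticator) for an Access-Request (code 1)."""
    authenticator = authenticator or os.urandom(16)
    hidden = hide_password(password, secret, authenticator)
    # Attribute 1 = User-Name, attribute 2 = User-Password (type, length, value)
    attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def verify_response(reply, ident, request_auth, secret):
    """Check identifier and MD5(code+id+length+request_auth+attrs+secret)."""
    if len(reply) < 20 or reply[1] != ident:
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

class RoundRobinClient:
    """Hypothetical helper: rotate over (host, port) pairs, one try per server."""
    def __init__(self, servers, secret):
        self.count, self.servers, self.secret = len(servers), itertools.cycle(servers), secret

    def authenticate(self, user, password, timeout=2.0):
        ident = os.urandom(1)[0]
        packet, req_auth = build_access_request(ident, user, password, self.secret)
        for _ in range(self.count):
            server = next(self.servers)  # rotation continues across calls
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
                sock.settimeout(timeout)
                try:
                    sock.sendto(packet, server)
                    reply, _ = sock.recvfrom(4096)
                except OSError:  # timeout or unreachable: try the next server
                    continue
            if verify_response(reply, ident, req_auth, self.secret):
                return server, reply[0]  # 2 = Accept, 3 = Reject, 11 = Challenge
        return None, None
```

Calling `RoundRobinClient([(host1, 1812), (host2, 1812)], secret).authenticate(user, password)` repeatedly, with one server stopped, shows whether the second node still answers. The request carries no Message-Authenticator attribute, so a server configured to require one will drop it.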