privacyIDEA 2.22 with a more flexible RADIUS integration

Originally published at: https://www.privacyidea.org/privacyidea-2-22-with-a-more-flexible-radius-integration/

Today we are happy to release privacyIDEA 2.22. It is available in the Ubuntu repositories for Ubuntu 14.04 LTS and 16.04 LTS. You can also install privacyIDEA on any Linux distribution in a virtualenv via the Python Package Index. Read the detailed documentation on how to install or upgrade privacyIDEA.

You should always take a look at the Changelog, but starting with privacyIDEA 2.22 we added a document READ_BEFORE_UPDATE, which contains important information to consider before upgrading.

Image caption: privacyIDEA 2.22 is improving the RADIUS functionality to be more flexible in combination with VPNs and firewalls.

New Features: RADIUS integration, VASCO support, Offline Refill and more

With privacyIDEA 2.22 we added the possibility to pass more useful user information to a RADIUS client like a VPN. The administrator can add a policy to include the resolver and the realm of a user who authenticated successfully. This response data can then be used in the FreeRADIUS plugin and modified by regular expressions to add any arbitrary RADIUS attribute to the RADIUS response, which is then sent to the VPN. This additional information can be used by Cisco ASA, Citrix Netscaler or any other enterprise grade VPN to put the user into certain subnets or to assign resources to the user.
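To make the mechanism concrete, here is an added illustration (it is not code from privacyIDEA or from the FreeRADIUS plugin): the realm and resolver returned for a successful authentication are run through a small table of regular-expression rules, and each full match produces a RADIUS reply attribute. The response field names, the rule format and the sample values are assumptions; Filter-Id, Class and Framed-Pool are standard RADIUS attributes, and the attribute names chosen here are hypothetical choices for a VPN. Note the use of fullmatch: a realm such as "sales-evil" must not pick up the attributes meant for "sales", and nothing is emitted at all unless the authentication itself succeeded.

```python
import re
from typing import Dict, List, Tuple

# One rule: (response field, regex, RADIUS attribute, value template).
# The template may reference named groups of the regex with \g<name>.
Rule = Tuple[str, str, str, str]

# Hypothetical rule set (constructed for this example).
RULES: List[Rule] = [
    # Users from realm "sales" or "support" get a per-department filter.
    ("realm", r"(?P<dept>sales|support)", "Filter-Id", r"vpn-\g<dept>"),
    # Users found through an "ad-<site>" resolver get the site in Class.
    ("resolver", r"ad-(?P<site>[a-z]+)", "Class", r"site=\g<site>"),
    # Everyone from the "guest" realm lands in a restricted address pool.
    ("realm", r"guest", "Framed-Pool", "guest-pool"),
]


def map_response_to_radius(response: dict, rules: List[Rule] = RULES) -> Dict[str, List[str]]:
    """Derive RADIUS reply attributes from a privacyIDEA-style response.

    Returns {attribute: [values]}.  An empty dict means: add nothing.
    """
    result = response.get("result", {})
    # Only a successful authentication may carry authorization data.
    if not (result.get("status") is True and result.get("value") is True):
        return {}

    detail = response.get("detail", {})
    attrs: Dict[str, List[str]] = {}
    for field, pattern, attribute, template in rules:
        value = detail.get(field)
        if not isinstance(value, str):
            continue
        # fullmatch: the whole field must match, not just a prefix/substring.
        match = re.fullmatch(pattern, value)
        if match is None:
            continue
        attrs.setdefault(attribute, []).append(match.expand(template))
    return attrs


def format_reply(attrs: Dict[str, List[str]]) -> List[str]:
    """Render the attributes as 'Attribute = "value"' lines for reading."""
    return [f'{name} = "{value}"' for name, values in attrs.items() for value in values]


# Constructed sample: the relevant part of a successful /validate/check
# response with the realm and resolver included (field names assumed).
SAMPLE_OK = {
    "result": {"status": True, "value": True},
    "detail": {"realm": "sales", "resolver": "ad-corp", "message": "matching 1 tokens"},
}

# Constructed sample: wrong OTP, status ok but value false.
SAMPLE_FAILED = {
    "result": {"status": True, "value": False},
    "detail": {"realm": "sales", "resolver": "ad-corp", "message": "wrong otp value"},
}

if __name__ == "__main__":
    for line in format_reply(map_response_to_radius(SAMPLE_OK)):
        print(line)
    print("failed auth ->", map_response_to_radius(SAMPLE_FAILED))
```

The same table-driven approach works for any other response field the policy exposes; what matters for a VPN integration is that the rules anchor on the full value and that a failed authentication never produces authorization attributes.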

VASCO token support

privacyIDEA is Open Source. We love Open Source and open standards. But sometimes you have to communicate with proprietary partners, so that they have the chance to become open. This is why privacyIDEA 2.22 comes with support for the proprietary VASCO Digipass tokens. This way it is easier to run VASCO tokens and open standards tokens like HOTP, TOTP or Yubikeys in parallel and maybe even one day migrate all VASCO tokens - after the batteries have died - to other devices.

If you want to learn more about migrating your VASCO tokens, please contact NetKnights for professional services.

Offline Refill

We are improving the offline capability of privacyIDEA in conjunction with the PAM module and the privacyIDEA Credential Provider. The new offline refill automatically replenishes the hashed OTP values stored on the notebooks, which are available for authentication while the notebook is offline. This way users or administrators will not have to worry anymore when taking the hardware on a business trip.

Send SMS via SMPP

SMPP (Short Message Peer-to-Peer) is a protocol used by carriers for sending SMS. privacyIDEA 2.22 comes with a new SMS Provider to send SMS via SMPP. This can be used for sending SMS in the SMS token during authentication but also for sending SMS in the notification event handler, to notify users or administrators on certain events.

Use Counter handler for monitoring and statistics

Image caption: With the counter handler the administrator can count arbitrary events and use this data for statistics.

We often see that the event handler is a mighty tool to cope with many different requirements. In addition to the notification handler, token handler, script handler and federation handler, privacyIDEA 2.22 now comes with a simple but very flexible counter handler. Just like every handler it can be attached to any event (API call) and will trigger under defined conditions. The counter handler simply increases a counter in the database for this very event.

These counters can now be used for statistics or monitoring, e.g. by increasing a certain counter on the event of a failed authentication with an HOTP token. This way the administrator could monitor the number of failed authentications per time interval.

Each token has a tokenkind

Many installations use hardware tokens and software tokens at the same time. To be more flexible in distinguishing these tokens when it comes to deleting tokens or deciding whether to grant access, we added an additional class attribute to tokens: the "tokenkind". In contrast to the tokentype, which is simply the mathematics of the token, the tokenkind defines whether this very token object is a hardware token, a software token or a virtual token.

Use arbitrary tokeninfo in authorization policies

Authorization policies are used to decide if an authenticated user should get access or not. As the arbitrary tokeninfo fields are getting used more and more in event handler definitions, the tokeninfo can now also be used in the authorization policies to grant or deny access.

This way event handlers could modify token information and this modified token information can be used for granting access. Event handling and authorization thus get connected more tightly.

Lots of enhancements

There are further enhancements of existing features in privacyIDEA. We improved the token export to PSKC files - we now also export PW token types and the counter values of HOTP and TOTP tokens. The export can now also be used to re-encrypt a token database.

The SMS and Email token types can now either use the fixed mobile number or email address in the token data or read the mobile/email dynamically from the user store on each authentication event.

The administrator can define a policy so that the validity of the U2F attestation certificate will be ignored. Some U2F devices come with an attestation certificate with an invalid validity period.

We improved the speed of the LinOTP migration script, so that a database with tens of thousands of tokens can be easily migrated.

The pi-manage script can now generate API tokens with a freely chosen validity time.

The user can now set the description of HOTP and TOTP tokens during enrollment.

The administrator can add a timeout to the SMTP server configuration.

The email tokens can now use a complex HTML template for sending emails.

The LDAP resolver allows each attribute to be defined as a multi-value attribute.

The event handler condition can trigger on failed authentication.

For the complete changelog, which also contains all the fixes, please take a look at the Github repository.

Enterprise Edition

If you are running large mission critical setups, privacyIDEA is also available as Enterprise Edition with support and warranty/liability.

privacyIDEA at Grazer Linuxtage and Linuxfest Northwest

At the end of April you can hear a talk about privacyIDEA in Austria at the Grazer Linuxtage. You will learn how you can easily migrate an old, existing, proprietary 2FA system to privacyIDEA. Project member Friedrich Weber will also host a workshop at the Grazer Linuxtage, where you can participate in installing privacyIDEA and configuring it to your needs.

At the same time Cornelius Kölbel will give a talk at Bellingham Technical College, U.S.A. At the LinuxFest NorthWest 2018 you can learn about what makes privacyIDEA so unique with regard to workflow integrations, using the privacyIDEA Event Handler system to automate a lot of individual tasks.

Join the discussion

Join the discussion at community.privacyidea.org.