PrivacyIdea and FreeRADIUS with vendor specific radius return code?

Hi there!
I have a running privacyidea server with a freeradius in front of it. Our
ActiveDirectory is configured as a user resolver; authentication works fine.
But to use privacyidea as a replacement for our safenet/gemalto token
solution, I need a configuration that returns the group name as a vendor
specific radius code if the user is a member of this group.
Does anyone have an idea how to do this?

Thorsten

Hi Thorsten,

great to hear this.
So what are you migrating from?
SAM or SAMx a.k.a. Safeword 2008?
…and which kind of tokens are you using - etoken pass or ng otp?

This kind of stuff is usually handled by the radius server itself.
Many customers are running a scenario with the freeradius server.

However, privacyIDEA can return additional attributes. So this could be
added to the freeradius module.
If you are interested in an enhancement just drop us a note.
https://netknights.it/unternehmen/kontakt/

Kind regards
Cornelius

In reply to Thorsten Steiner's post of Friday, 26 February 2016 08:56:54 UTC+1.

Hint: LDAP, unlang, update control

We could add such functionality to privacyIDEA in a rather straightforward way.
PI returns such values in the authentication request. The privacyIDEA
freeradius plugin could add it to the RADIUS Response.

Kind regards
Cornelius

In reply to Thorsten Steiner's post of Saturday, 27 February 2016 19:37:45 UTC+1.
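An added example, not from this thread or from the privacyIDEA project, of the approach hinted at above: FreeRADIUS 3.x unlang leaves the OTP check to privacyIDEA and, in post-auth, tests AD group membership through the ldap module and sets a vendor-specific reply attribute. The module instance names `ldap` and `perl`, the site file, the group DNs and the choice of `Fortinet-Group-Name` as the VSA are assumptions; use the attribute from the vendor dictionary your NAS actually consumes.

```unlang
# Assumed excerpt of sites-available/privacyidea for FreeRADIUS 3.x.
# Assumes mods-available/ldap points at the same AD that privacyIDEA
# uses as resolver, and mods-available/perl loads the privacyIDEA plugin.

authorize {
    preprocess
    # Look the user up in AD now so the group comparison in post-auth
    # can use the cached DN; "notfound" is fine, privacyIDEA still decides.
    ldap
    # Password/OTP validation is done entirely by privacyIDEA.
    update control {
        &Auth-Type := Perl
    }
}

authenticate {
    Auth-Type Perl {
        perl
    }
}

post-auth {
    # Reached only after privacyIDEA answered Access-Accept. Map the AD
    # group to a vendor-specific attribute. Group DNs are constructed for
    # this snippet; Fortinet-Group-Name is one real VSA used as an example.
    if (&LDAP-Group == "CN=VPN-Users,OU=Groups,DC=example,DC=com") {
        update reply {
            &Fortinet-Group-Name := "VPN-Users"
        }
    }
    elsif (&LDAP-Group == "CN=VPN-Admins,OU=Groups,DC=example,DC=com") {
        update reply {
            &Fortinet-Group-Name := "VPN-Admins"
        }
    }
    else {
        # No mapped group: the OTP was accepted, but the NAS receives no
        # group attribute, so a NAS that gates access on it denies by default.
        ok
    }

    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
```

The ldap module's group section (membership attribute or membership filter) has to be configured for AD for the `LDAP-Group` comparison to work, and the reply attribute only has an effect if the NAS understands that vendor's dictionary.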

Hi Cornelius,

we want to migrate from SAM. Since it is not Safeword2xxx and no longer really
Active Directory integrated (PlugIn), the software is, in my eyes, a piece
of junk. And, thanks to your presentation at OpenRheinRuhr last year,
PrivacyIdea seems to be one candidate to migrate to. At the moment we use
etoken pass tokens, not the ng. But if PrivacyIdea wins the
competition, I think we will use other tokens. The Smartdisplayer cards you
showed in Oberhausen looked really nice, and some guys would love to use
their smartphones as token generators…

But back to topic: you wrote that freeradius could do this, so I think I
have to learn more about it! ;-) If you have a hint, you are always welcome!

Kind Regards,
Thorsten

In reply to Cornelius Kölbel's post of Saturday, 27 February 2016 17:46:08 UTC+1.

Thanks for the hints! I'm going down for the weekend now! ;-) So I will see how
far your hints will bring me next week…

Having a function such that, if a user is a member of a specific LDAP group, the
group name is returned in the RADIUS response of privacyIDEA would
be great. That would keep the configuration of the RADIUS server very
simple, and the admin would have all the configuration in one place. It
doesn't have to be the exact group name for me. A function “if user is
member of group XY, return radius vendor specific code nmopq with value
bla” would be good for me.

Kind Regards,
Thorsten

In reply to Cornelius Kölbel's post of Saturday, 27 February 2016 22:33:35 UTC+1.

Implementing such a function in privacyIDEA and the privacyIDEA FreeRADIUS
plugin can be quite straightforward.
The resolver can specify additional attributes in the resolver attribute
mapping.
Then we need to add these attributes to the authentication response.
Finally the privacyIDEA FreeRADIUS plugin needs a mapping to map these
attributes to RADIUS response values.

If you drop me your company's address, you can get a quote for this.

Kind regards
Cornelius

In reply to Thorsten Steiner's post of Saturday, 27 February 2016 22:48:22 UTC+1.