I am working on an authentication setup for a system which I am still conceptually trying to grasp. I’d like to get confirmation of my current understanding, so that I can go ahead and proceed with the implementation if I got the concept right.
So conceptually, if I wanted to start implementing a RADIUS TOTP authentication solution:
1. Set up the OTP server which generates seeds for the TOTP tokens/generators
2. Bind a user in RADIUS with a token using a seed the OTP server generated
3. Import the seed into BitWarden which will create the token/TOTP generator there
After that I should be ready for authentication.
How I think the authentication works (correct me if I am wrong):
1. Use the TOTP code BitWarden generates when authenticating against RADIUS together with the defined username of the user
2. RADIUS takes the TOTP code I input and forwards it to the OTP server together with the user’s associated seed
3. The OTP server checks if the code that was input matches what it has got in its own token with the appropriate seed
4. Whether it’s correct or not, it returns that result to RADIUS which then either says ACCESS_ACCEPT or ACCESS_REJECT depending on what the OTP server said
To summarize: the OTP server has a token with an associated seed that is generating codes. Using that seed you can create a sort of duplicate of that token in any authenticator (BitWarden in this case) which generates TOTP codes which match the ones on the OTP server.
Whenever you are authenticating, what your TOTP generator generates has to match what the OTP server has got, if you want auth to succeed.
Lastly, what the 3 components of the system (RADIUS, OTP server, TOTP generator (BitWarden)) have in common is the seed which binds all of the components together.
Have I got it right? The last part about the seed binding everything together is what I am wondering the most about.
It’s crucial for me to understand exactly what is going on before I can start the actual engineering.
Thank you in advance!