RADIUS integration question

I am going through the privacyidea documentation trying to work out what
the behaviour of FreeRADIUS + privacyidea is.

I have read:

http://privacyidea.readthedocs.io/en/latest/application_plugins/index.html#freeradius-plugin
http://privacyidea.readthedocs.io/en/latest/application_plugins/radius.html

but neither of these says what privacyidea actually does in response to
an incoming RADIUS request.

Such a request will normally contain a User-Name and a User-Password. And
let’s assume I have configured privacyidea with an existing
username+password database, say in LDAP or SQL.

Does privacyidea split the User-Password into and
parts, i.e. the user is supposed to concatenate them? Or does it respond
with an Access-Challenge asking for the OTP? Or does it validate only the
token response and not the password? Or something else?

I have looked in the code for privacyidea_radius.pm and it seems to call
the /validate/check endpoint, which in turn is documented at
http://privacyidea.readthedocs.io/en/latest/modules/api/validate.html
and I think this REST endpoint takes a concatenation of the password plus
OTP (although it talks about “OTP pin” rather than “password”)

But then looking in the module code, further on it seems to generate an
Access-Challenge.

Hence I’m pretty confused. A simple description of the behaviour when
responding to an incoming RADIUS request would be great. This in turn will
help me understand if it can be used in certain RADIUS scenarios, e.g.
EAP-TTLS + PAP/GTC.

Thanks,

Brian.

Hi Brian,

the RADOIS module privacyidea_radius.pm is pretty dumb. It simply forwards
the data the user entered and which was sent to the RADIUS server in
User-Name and User-Password to the /validate/check endpoint.
Everything else is determined by the privacyIDEA server.

The default behaviour is, that the user passes a

OTP-PIN + OTP value

This can be changed to

LDAP-Password + OTP value

Under certain conditions this can also be a challenge response. In most
cases challenge response is not necessary. (Only for SMS and Email).
In the challenge response case the /validate/check endpoint first takes the
static password. If it is correct it then expects the OTP value.
This is the case even without any RADIUS involved.

If the RADIUS is involved, it will return an Access-Challenge. Rougly
speeking the privacyidea_radius.pm is just a protocol translator.

Kind regards
CorneliusAm Donnerstag, 29. Dezember 2016 19:10:31 UTC+1 schrieb Brian Candler:

I am going through the privacyidea documentation trying to work out what
the behaviour of FreeRADIUS + privacyidea is.

I have read:

14. Application Plugins — privacyIDEA 3.8 documentation
http://privacyidea.readthedocs.io/en/latest/application_plugins/radius.html

but neither of these says what privacyidea actually does in response to
an incoming RADIUS request.

Such a request will normally contain a User-Name and a User-Password. And
let’s assume I have configured privacyidea with an existing
username+password database, say in LDAP or SQL.

Does privacyidea split the User-Password into and parts, i.e. the user is supposed to concatenate them? Or does it
respond with an Access-Challenge asking for the OTP? Or does it validate
only the token response and not the password? Or something else?

I have looked in the code for privacyidea_radius.pm and it seems to call
the /validate/check endpoint, which in turn is documented at
15.1.1.3. Validate endpoints — privacyIDEA 3.8 documentation
and I think this REST endpoint takes a concatenation of the password
plus OTP (although it talks about “OTP pin” rather than “password”)

But then looking in the module code, further on it seems to generate an
Access-Challenge.

Hence I’m pretty confused. A simple description of the behaviour when
responding to an incoming RADIUS request would be great. This in turn will
help me understand if it can be used in certain RADIUS scenarios, e.g.
EAP-TTLS + PAP/GTC.

Thanks,

Brian.

Hi,

Sorry dumb question but stuck on this for a while and can’t find solution
in docs…

How do I change to behaviour -
LDAP-Password + OTP value

My setup works with
OTP_PIN + OTP_value
Futhermore my ldap resolver works against my Active Directory.

Now stuck at getting radius interface to use
LDAP-Password + OTP value

Help or suggestions gladly received.

Thanks
MarkOn Friday, December 30, 2016 at 7:13:35 AM UTC, Cornelius Kölbel wrote:

Hi Brian,

the RADOIS module privacyidea_radius.pm is pretty dumb. It simply
forwards the data the user entered and which was sent to the RADIUS server
in User-Name and User-Password to the /validate/check endpoint.
Everything else is determined by the privacyIDEA server.

The default behaviour is, that the user passes a

OTP-PIN + OTP value

This can be changed to

LDAP-Password + OTP value

Under certain conditions this can also be a challenge response. In most
cases challenge response is not necessary. (Only for SMS and Email).
In the challenge response case the /validate/check endpoint first takes
the static password. If it is correct it then expects the OTP value.
This is the case even without any RADIUS involved.

If the RADIUS is involved, it will return an Access-Challenge. Rougly
speeking the privacyidea_radius.pm is just a protocol translator.

Kind regards
Cornelius

Am Donnerstag, 29. Dezember 2016 19:10:31 UTC+1 schrieb Brian Candler:

I am going through the privacyidea documentation trying to work out what
the behaviour of FreeRADIUS + privacyidea is.

I have read:

14. Application Plugins — privacyIDEA 3.8 documentation

http://privacyidea.readthedocs.io/en/latest/application_plugins/radius.html

but neither of these says what privacyidea actually does in response to
an incoming RADIUS request.

Such a request will normally contain a User-Name and a User-Password. And
let’s assume I have configured privacyidea with an existing
username+password database, say in LDAP or SQL.

Does privacyidea split the User-Password into and parts, i.e. the user is supposed to concatenate them? Or does it
respond with an Access-Challenge asking for the OTP? Or does it validate
only the token response and not the password? Or something else?

I have looked in the code for privacyidea_radius.pm and it seems to call
the /validate/check endpoint, which in turn is documented at
15.1.1.3. Validate endpoints — privacyIDEA 3.8 documentation
and I think this REST endpoint takes a concatenation of the password
plus OTP (although it talks about “OTP pin” rather than “password”)

But then looking in the module code, further on it seems to generate an
Access-Challenge.

Hence I’m pretty confused. A simple description of the behaviour when
responding to an incoming RADIUS request would be great. This in turn will
help me understand if it can be used in certain RADIUS scenarios, e.g.
EAP-TTLS + PAP/GTC.

Thanks,

Brian.

Thanks for prompt reply.

I have defined a policy and set passthru for authentication but my test
still passes with using only OTP_PIN + OTP_value.
I must be missing something silly.

for example

$ echo “User-Name=otp1”, “Password=1111136975” | radclient -sx 127.0.0.1
auth testing123
Sending Access-Request of id 211 to 127.0.0.1 port 1812
User-Name = “otp1”
Password = “1111136975”
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=211,
length=48
Reply-Message = "privacyIDEA access granted"On Friday, January 13, 2017 at 11:40:43 PM UTC, Cornelius Kölbel wrote:

Hi Mark,

You need to define a policy.

7.3. Authentication policies — privacyIDEA 3.8 documentation

Where and how did you search?
Maybe we can improve the docs.

Kind regards
Cornelius

Cornelius Kölbel
+49 151 2960 1417

NetKnights GmbH
Http://NetKnights. It
+49 561 3166 797

-------- Ursprüngliche Nachricht --------
Von: Mark Steyn <mar...@gmail.com <javascript:>>
Datum: 14.01.17 00:23 (GMT+01:00)
An: privacyidea <priva...@googlegroups.com <javascript:>>
Betreff: [privacyidea] Re: RADIUS integration question

Hi,

Sorry dumb question but stuck on this for a while and can’t find solution
in docs…

How do I change to behaviour -
LDAP-Password + OTP value

My setup works with
OTP_PIN + OTP_value
Futhermore my ldap resolver works against my Active Directory.

Now stuck at getting radius interface to use
LDAP-Password + OTP value

Help or suggestions gladly received.

Thanks
Mark

On Friday, December 30, 2016 at 7:13:35 AM UTC, Cornelius Kölbel wrote:

Hi Brian,

the RADOIS module privacyidea_radius.pm is pretty dumb. It simply
forwards the data the user entered and which was sent to the RADIUS server
in User-Name and User-Password to the /validate/check endpoint.
Everything else is determined by the privacyIDEA server.

The default behaviour is, that the user passes a

OTP-PIN + OTP value

This can be changed to

LDAP-Password + OTP value

Under certain conditions this can also be a challenge response. In most
cases challenge response is not necessary. (Only for SMS and Email).
In the challenge response case the /validate/check endpoint first takes
the static password. If it is correct it then expects the OTP value.
This is the case even without any RADIUS involved.

If the RADIUS is involved, it will return an Access-Challenge. Rougly
speeking the privacyidea_radius.pm is just a protocol translator.

Kind regards
Cornelius

Am Donnerstag, 29. Dezember 2016 19:10:31 UTC+1 schrieb Brian Candler:

I am going through the privacyidea documentation trying to work out what
the behaviour of FreeRADIUS + privacyidea is.

I have read:

14. Application Plugins — privacyIDEA 3.8 documentation

http://privacyidea.readthedocs.io/en/latest/application_plugins/radius.html

but neither of these says what privacyidea actually does in response
to an incoming RADIUS request.

Such a request will normally contain a User-Name and a User-Password.
And let’s assume I have configured privacyidea with an existing
username+password database, say in LDAP or SQL.

Does privacyidea split the User-Password into and parts, i.e. the user is supposed to concatenate them? Or does it
respond with an Access-Challenge asking for the OTP? Or does it validate
only the token response and not the password? Or something else?

I have looked in the code for privacyidea_radius.pm and it seems to
call the /validate/check endpoint, which in turn is documented at
15.1.1.3. Validate endpoints — privacyIDEA 3.8 documentation
and I think this REST endpoint takes a concatenation of the password
plus OTP (although it talks about “OTP pin” rather than “password”)

But then looking in the module code, further on it seems to generate an
Access-Challenge.

Hence I’m pretty confused. A simple description of the behaviour when
responding to an incoming RADIUS request would be great. This in turn will
help me understand if it can be used in certain RADIUS scenarios, e.g.
EAP-TTLS + PAP/GTC.

Thanks,

Brian.

–
Please read the blog post about getting help
Getting help – privacyID3A.

For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - Verschlüsselung

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support Level

You received this message because you are subscribed to a topic in the
Google Groups “privacyidea” group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/privacyidea/Mv4fcIzHwKM/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
privacyidea...@googlegroups.com <javascript:>.
To post to this group, send email to priva...@googlegroups.com
<javascript:>.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/40e05be4-4543-442f-aea5-1ac798bc6dbd%40googlegroups.com
https://groups.google.com/d/msgid/privacyidea/40e05be4-4543-442f-aea5-1ac798bc6dbd%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.

Doh. Thank you so much!!!

it works. Now to move past the baby steps.On Friday, January 13, 2017 at 11:56:32 PM UTC, Cornelius Kölbel wrote:

Indeed!

Who said you should use pasdthru.?
Use otppin=userstore!

Kind regards
Cornelius

Cornelius Kölbel
+49 151 2960 1417

NetKnights GmbH
Http://NetKnights. It
+49 561 3166 797

-------- Ursprüngliche Nachricht --------
Von: Mark Steyn <mar...@gmail.com <javascript:>>
Datum: 14.01.17 00:49 (GMT+01:00)
An: privacyidea <priva...@googlegroups.com <javascript:>>
Cc: mar...@gmail.com <javascript:>
Betreff: Re: [privacyidea] Re: RADIUS integration question

Thanks for prompt reply.

I have defined a policy and set passthru for authentication but my test
still passes with using only OTP_PIN + OTP_value.
I must be missing something silly.

for example

$ echo “User-Name=otp1”, “Password=1111136975” | radclient -sx 127.0.0.1
auth testing123
Sending Access-Request of id 211 to 127.0.0.1 port 1812
User-Name = “otp1”
Password = “1111136975”
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=211,
length=48
Reply-Message = “privacyIDEA access granted”

On Friday, January 13, 2017 at 11:40:43 PM UTC, Cornelius Kölbel wrote:

Hi Mark,

You need to define a policy.

7.3. Authentication policies — privacyIDEA 3.8 documentation

Where and how did you search?
Maybe we can improve the docs.

Kind regards
Cornelius

Cornelius Kölbel
+49 151 2960 1417

NetKnights GmbH
Http://NetKnights. It
+49 561 3166 797

-------- Ursprüngliche Nachricht --------
Von: Mark Steyn mar...@gmail.com
Datum: 14.01.17 00:23 (GMT+01:00)
An: privacyidea priva...@googlegroups.com
Betreff: [privacyidea] Re: RADIUS integration question

Hi,

Sorry dumb question but stuck on this for a while and can’t find solution
in docs…

How do I change to behaviour -
LDAP-Password + OTP value

My setup works with
OTP_PIN + OTP_value
Futhermore my ldap resolver works against my Active Directory.

Now stuck at getting radius interface to use
LDAP-Password + OTP value

Help or suggestions gladly received.

Thanks
Mark

On Friday, December 30, 2016 at 7:13:35 AM UTC, Cornelius Kölbel wrote:

Hi Brian,

the RADOIS module privacyidea_radius.pm is pretty dumb. It simply
forwards the data the user entered and which was sent to the RADIUS server
in User-Name and User-Password to the /validate/check endpoint.
Everything else is determined by the privacyIDEA server.

The default behaviour is, that the user passes a

OTP-PIN + OTP value

This can be changed to

LDAP-Password + OTP value

Under certain conditions this can also be a challenge response. In most
cases challenge response is not necessary. (Only for SMS and Email).
In the challenge response case the /validate/check endpoint first takes
the static password. If it is correct it then expects the OTP value.
This is the case even without any RADIUS involved.

If the RADIUS is involved, it will return an Access-Challenge. Rougly
speeking the privacyidea_radius.pm is just a protocol translator.

Kind regards
Cornelius

Am Donnerstag, 29. Dezember 2016 19:10:31 UTC+1 schrieb Brian Candler:

I am going through the privacyidea documentation trying to work out
what the behaviour of FreeRADIUS + privacyidea is.

I have read:

14. Application Plugins — privacyIDEA 3.8 documentation

http://privacyidea.readthedocs.io/en/latest/application_plugins/radius.html

but neither of these says what privacyidea actually does in response
to an incoming RADIUS request.

Such a request will normally contain a User-Name and a User-Password.
And let’s assume I have configured privacyidea with an existing
username+password database, say in LDAP or SQL.

Does privacyidea split the User-Password into and parts, i.e. the user is supposed to concatenate them? Or does it
respond with an Access-Challenge asking for the OTP? Or does it validate
only the token response and not the password? Or something else?

I have looked in the code for privacyidea_radius.pm and it seems to
call the /validate/check endpoint, which in turn is documented at
15.1.1.3. Validate endpoints — privacyIDEA 3.8 documentation
and I think this REST endpoint takes a concatenation of the password
plus OTP (although it talks about “OTP pin” rather than “password”)

But then looking in the module code, further on it seems to generate an
Access-Challenge.

Hence I’m pretty confused. A simple description of the behaviour when
responding to an incoming RADIUS request would be great. This in turn will
help me understand if it can be used in certain RADIUS scenarios, e.g.
EAP-TTLS + PAP/GTC.

Thanks,

Brian.

–
Please read the blog post about getting help
Getting help – privacyID3A.

For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - Verschlüsselung

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support Level

You received this message because you are subscribed to a topic in the
Google Groups “privacyidea” group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/privacyidea/Mv4fcIzHwKM/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/40e05be4-4543-442f-aea5-1ac798bc6dbd%40googlegroups.com
https://groups.google.com/d/msgid/privacyidea/40e05be4-4543-442f-aea5-1ac798bc6dbd%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.

–
Please read the blog post about getting help
Getting help – privacyID3A.

For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - Verschlüsselung

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support Level

You received this message because you are subscribed to a topic in the
Google Groups “privacyidea” group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/privacyidea/Mv4fcIzHwKM/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
privacyidea...@googlegroups.com <javascript:>.
To post to this group, send email to priva...@googlegroups.com
<javascript:>.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/b6ed34f1-85a8-4d9f-8eef-b4f3a99e82cf%40googlegroups.com
https://groups.google.com/d/msgid/privacyidea/b6ed34f1-85a8-4d9f-8eef-b4f3a99e82cf%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.