Separating AD Authentication and OTP Prompt in SSH/FreeRADIUS/PrivacyIDEA Setup

Hello PrivacyIDEA community,

I’m setting up a two-factor authentication system for SSH access to a lab environment. Here’s my current setup and the issue I’m facing:

Environment:

  • 2 proxy servers for lab access
  • FreeRADIUS server
  • PrivacyIDEA server
  • Active Directory for user management

Desired Authentication Flow:

  1. User initiates SSH connection to a proxy server
  2. User enters AD username and password
  3. AD credentials are verified
  4. If AD auth succeeds, user is prompted for OTP within the SSH session
  5. OTP is verified by PrivacyIDEA
  6. If OTP is correct, access is granted

Current Issue:
The system seems to be expecting both the AD password and OTP simultaneously. When a user enters only their AD password, the FreeRADIUS log shows:

"Wed Sep 18 20:45:36 2024 : rlm_perl: Content {"detail": {"message": "wrong otp pin", …}}"

This suggests that the OTP check is happening at the same time as the AD password check, which is not the desired behavior.

  1. How can I configure PrivacyIDEA, FreeRADIUS, and PAM to separate the AD authentication from the OTP prompt?
  2. Is there a recommended setup or specific module in PrivacyIDEA for handling this two-step authentication process with SSH?
  3. Are there any specific settings in FreeRADIUS or PrivacyIDEA that I should check or modify to achieve this flow?

Any guidance or pointers to relevant documentation would be greatly appreciated. Thank you in advance for your help!

Hi,
I suppose you are using HOTP/TOTP tokens. I think you need to add two policies to get your desired behavior:

  1. otppin=userstore
  2. challenge_response=[token types you are using]

@McN For a deeper dive, read:

https://privacyidea.readthedocs.io/en/latest/policies/authentication.html#challenge-response

https://privacyidea.readthedocs.io/en/latest/policies/authentication.html#otppin

For a general understanding you should study:

https://privacyidea.readthedocs.io/en/latest/tokens/authentication_modes.html
https://privacyidea.readthedocs.io/en/latest/tokens/authentication_modes.html#challenge-mode
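The following is an added example, not code from this thread or from privacyIDEA. It models, with an in-memory stand-in for `/validate/check`, what the two policies from the answer change on the wire: without `challenge_response` the server expects `<AD password><OTP>` in a single `pass` value, so a bare AD password fails on the PIN check (the "wrong otp pin" line from the question); with `otppin=userstore` and `challenge_response=hotp`, the first call carries only the AD password and returns a `transaction_id`, and the OTP is sent in a second call against that transaction, which is what the PAM/RADIUS side turns into the separate OTP prompt. The user name, AD password, HOTP seed, realm and the server's message strings are constructed for the example; the policy body builder assumes an admin token from `/auth`.

```python
"""Two-step privacyIDEA challenge-response flow, simulated.

Added example, not code from the thread or from privacyIDEA. An in-memory
stand-in for /validate/check models what the otppin=userstore and
challenge_response=hotp policies change: the first call carries only the
AD password and returns a transaction_id, the second call carries the OTP.
User names, passwords, the HOTP seed, realm and messages are constructed.
"""
import hashlib
import hmac
import secrets
import struct

HOTP_SEED = b"12345678901234567890"   # RFC 4226 test-vector seed (constructed token)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def policy_request(name: str, actions: dict, realm: str) -> tuple:
    """Path and form body for POST /policy/<name> (admin token from /auth assumed),
    building the authentication-scope policies the answer recommends."""
    action = ", ".join(f"{k}={v}" for k, v in actions.items())
    body = {"scope": "authentication", "action": action, "realm": realm, "active": True}
    return f"/policy/{name}", body


class SimulatedPrivacyIdea:
    """Minimal model of /validate/check; not the real server, messages simplified."""

    def __init__(self, challenge_response: bool, window: int = 10):
        self.challenge_response = challenge_response
        self.window = window
        self.userstore = {"alice": "Winter2024!"}            # constructed AD password
        self.tokens = {"alice": {"serial": "OATH0001", "counter": 0}}
        self.transactions = {}                               # transaction_id -> user

    @staticmethod
    def _reply(value: bool, detail: dict) -> dict:
        return {"result": {"status": True, "value": value}, "detail": detail}

    def _check_otp(self, user: str, otp: str) -> bool:
        token = self.tokens[user]
        for c in range(token["counter"], token["counter"] + self.window):
            if hmac.compare_digest(hotp(HOTP_SEED, c), otp):
                token["counter"] = c + 1                      # used counters cannot be replayed
                return True
        return False

    def validate_check(self, user: str, password: str, transaction_id: str = None) -> dict:
        if transaction_id is not None:                        # step 2: OTP against the challenge
            if self.transactions.pop(transaction_id, None) != user:
                return self._reply(False, {"message": "transaction_id not found"})
            ok = self._check_otp(user, password)
            return self._reply(ok, {"message": "matching 1 tokens" if ok else "wrong otp value"})
        if self.challenge_response:                           # step 1: otppin=userstore
            if password != self.userstore[user]:
                return self._reply(False, {"message": "wrong otp pin"})
            tid = secrets.token_hex(8)
            self.transactions[tid] = user
            return self._reply(False, {"transaction_id": tid, "message": "please enter otp: ",
                                       "multi_challenge": [{"serial": self.tokens[user]["serial"],
                                                            "type": "hotp", "transaction_id": tid}]})
        # No challenge_response policy: pass must be <AD password><OTP> in one value,
        # so a bare AD password fails on the PIN check, the symptom from the question.
        pin, otp = password[:-6], password[-6:]
        if pin != self.userstore[user]:
            return self._reply(False, {"message": "wrong otp pin"})
        return self._reply(self._check_otp(user, otp), {})


def ssh_login(server: SimulatedPrivacyIdea, user: str, ad_password: str, prompt_otp) -> bool:
    """What the PAM/RADIUS side does: send the AD password alone, and only if the
    server answers with a transaction_id prompt for the OTP and send it back."""
    first = server.validate_check(user, ad_password)
    if first["result"]["value"]:
        return True
    tid = first["detail"].get("transaction_id")
    if tid is None:                                           # plain failure, no challenge
        return False
    second = server.validate_check(user, prompt_otp(), transaction_id=tid)
    return bool(second["result"]["value"])


if __name__ == "__main__":
    broken = SimulatedPrivacyIdea(challenge_response=False)
    print(broken.validate_check("alice", "Winter2024!")["detail"]["message"])   # wrong otp pin
    fixed = SimulatedPrivacyIdea(challenge_response=True)
    print(ssh_login(fixed, "alice", "Winter2024!", lambda: hotp(HOTP_SEED, 0)))  # True
```

The `ssh_login` function is the part worth comparing with the FreeRADIUS/PAM side: it never asks for the OTP until the server has returned a `transaction_id`, and it sends that id back with the OTP so the server can tie the second step to the already verified AD password. The replay check in `_check_otp` is there because a RADIUS retransmit or a second SSH attempt with the same OTP should not succeed.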