Hi,

On Fri, Dec 09, 2022 at 01:27:14PM +0100, Bogdan Rudas via Openvpn-users wrote:
> I'm looking for some way to configure *asynchronous* RADIUS authentication
> to properly handle RADIUS server unavailability and probably
> challenge-response MFA which demands humans-backed confirmation via RADIUS.
> As RADIUS support is not a part of OpenVPN and there are a lot of outdated
> repos on the web, please recommend a working solution if there is one.

How to tackle this depends a bit on what you want to achieve with RADIUS.

For "here's a username, please tell me if correct or not", the easiest way might be to use OpenVPN's plugin-auth-pam together with pam_radius as backend. This is what I do at one of my corporate customers - it will do authentication only, and plugin-auth-pam can nicely run in async/deferred mode, is well-maintained, etc. etc.

What this can not do is "hey, Radius, do you have client specific attributes for me?" (IP address assignment, Routing, etc.) - this is what the "radiusplugin" can do, but this is a bit ill-maintained - there are a number of forks on github, with different patches added to it (and I have no personal experience how well either works).

For MFA, this, again, depends on what your Radius server will do here, and how MFA is implemented. We use it with 2FA, but the 2FA challenge (TOTP) (plus PIN) is just entered in the OpenVPN password field, and the radius backend says "yes or no" to it. We're not using any of OpenVPN's CR mechanisms with it (mostly historic reasons).

gert

--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
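
The plugin-auth-pam plus pam_radius setup described in the reply, as an added configuration sketch that is not part of the original message. The plugin path, the PAM service name `openvpn`, the file locations, the RADIUS server addresses and the shared secret are placeholder assumptions and vary by distribution.

```conf
# --- OpenVPN server config (fragment) ---
# Load plugin-auth-pam. The argument is the PAM service name (assumed: "openvpn"),
# which maps to /etc/pam.d/openvpn. The plugin path is distribution-specific (assumed).
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

# Ask plugin-auth-pam to answer in deferred (async) mode, so a slow or
# unreachable RADIUS server does not stall the server's other clients.
setenv deferred_auth_pam 1

# A deferred authentication has to finish inside the handshake window;
# keep this larger than the total RADIUS timeout configured below.
hand-window 60

# --- /etc/pam.d/openvpn (assumed service file) ---
# Authentication only: pam_radius passes username/password to RADIUS
# and returns the accept/reject answer.
auth     required  pam_radius_auth.so
account  required  pam_permit.so

# --- /etc/pam_radius_auth.conf (assumed location; root-owned, mode 0600) ---
# server[:port]      shared_secret       timeout (seconds)
# Servers are tried in order, so a second entry covers an outage of the first.
192.0.2.10:1812      CHANGE-ME-SECRET    5
192.0.2.11:1812      CHANGE-ME-SECRET    5
```

With this layout the TOTP (plus PIN) travels in the OpenVPN password field exactly as the reply describes; RADIUS only answers accept or reject, and no per-client attributes are returned.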