On 4.1.2022 12.15, Sagar Malam wrote:

I am new to Radiator and Perl. I would like to implement 2FA using AuthBy LDAP2 and AuthBy OTP, but I am not able to find any examples for implementing the same over the internet.

Please see goodies/duo.cfg together with goodies/otp.cfg

duo.cfg shows how to check password against a file, can be SQL, LDAP, etc. too, and then pass the request, if successful so far, to the second factor. In this case there's no Access-Challenge required, just one Access-Request followed by access or reject, and it works with plain PAP and EAP-TTLS/PAP.

If you'd like to use AuthBy OTP, something like this could work:

<AuthBy OTP>
    Identifier otp-authby
    # Add to Access-Challenge State attribute with value 'auth-otp'
    # This is done in the ChallengeHook
</AuthBy>

<Handler State=auth-otp>
    AuthBy otp-authby
</Handler>

<Handler>
    AuthByPolicy ContinueWhileAccept
    <AuthBy LDAP2>
        ConsumePassword
    </AuthBy>
    AuthBy otp-authby
</Handler>


The user first logs in with their LDAP password. If successful, the password is cleared from the request and AuthBy OTP is called for the first time. This triggers ChallengeHook. Within the ChallengeHook, add a State attribute so that the subsequent Access-Accept, that now contains the one-time password, is caught by <Handler State=auth-otp>.

What the above requires is PAP and that the authentication client software the user has understands RADIUS Access-Challenge.

Using EAP-TTLS/PAP could also work. In this case the correct use of State attribute needs to be checked.

Note that the above is plain RADIUS, where a RADIUS client sends requests to Radiator. If you'd need to have an integration with web services, that can be problematic, as Dubravko wrote earlier.

Thanks,
Heikki

--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator
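A ChallengeHook for the AuthBy OTP clause in Heikki's sketch, added here as an illustration; it is not from the post or from Radiator's goodies/otp.cfg. It assumes Radiator calls the hook as ($self, $user, $p, $rp, $context), that $rp->add_attr adds a reply attribute, that the hook's return value is the challenge text, that $self->log and $main::LOG_DEBUG are available, and that a VerifyHook later compares the submitted code with $context->{otp_password}; it can be loaded with ChallengeHook file:"%D/otp_challenge_hook.pl" (the file name is made up here).

```perl
# Example ChallengeHook for <AuthBy OTP> Identifier otp-authby.
# Added illustration, not from the post or from Radiator's goodies/otp.cfg.
# Assumed hook signature: ($self, $user, $p, $rp, $context).
use strict;
use warnings;

sub {
    my ($self, $user, $p, $rp, $context) = @_;

    # Draw the one-time code from a cryptographically secure source
    # (assumed: /dev/urandom exists on this host). Returning undef
    # makes the challenge fail closed instead of issuing a weak code.
    open(my $fh, '<:raw', '/dev/urandom') or return undef;
    my $got = read($fh, my $bytes, 4);
    close($fh);
    return undef unless defined $got && $got == 4;
    my $otp = sprintf('%06d', unpack('N', $bytes) % 1_000_000);

    # Remember what the VerifyHook must see, and give it a short lifetime.
    $context->{otp_password} = $otp;
    $context->{otp_expires}  = time() + 120;

    # Tag the Access-Challenge so the follow-up Access-Request, which now
    # carries the OTP as User-Password, is routed to <Handler State=auth-otp>.
    $rp->add_attr('State', 'auth-otp');

    # The code itself must reach the user out of band (SMS, push, token);
    # it is deliberately not placed in Reply-Message or written to the log.
    $self->log($main::LOG_DEBUG, "Issued OTP challenge for user $user", $p);

    # The return value becomes the challenge text shown by the client.
    return 'Enter the one-time code that was sent to you';
}
```

The matching VerifyHook should reject the code once $context->{otp_expires} has passed, so a captured Access-Challenge cannot be answered later.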