Possible to have 2 authentications in sequence?
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Wed Mar 9 20:28:00 CET 2016
> On 9 Mar 2016, at 19:26, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
>
>>
>> On 9 Mar 2016, at 18:18, Andy P. <pmaspec at gmail.com> wrote:
>>
>> 2016-03-09 16:05 GMT+01:00 Alan DeKok <aland at deployingradius.com>:
>>
>>> On Mar 9, 2016, at 4:09 AM, Andy P. <pmaspec at gmail.com> wrote:
>>>
>> ...
>>
>>>>
>>>> Is it simply a matter
>>>> of the Authorization/Authentication sections definition, or requires
>>>> some development?
>>>
>>> A better question is: why do you need this?
>>>
>>>
>> Multi-factor authentication. The passwords for the 2 (or more)
>> authentications are different. Just like with the Duo authentication proxy,
>> but not linked to their service for the secondary authentication.
>
> The session-state list makes this much easier in v3.0.x.
>
> It handles creating a State attribute in the response, to tie together multiple
> rounds of authentication.
>
> You still need cooperation from the NAS though, to prompt the user multiple times
> when it receives an Access-Challenge.
>
> For EAP, multi-factor authentication is not possible, unless the two factors
> are presented in a single round e.g. otp + password.

Ah misunderstood, you want to submit the credentials to multiple services.
Yes you can do that. Just call the .authenticate method of the module you want
to use in the authorize {} section and then perform a proxy.

-Arran
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
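
The approach described in the reply above, written out as a FreeRADIUS v3.0.x virtual-server fragment. This is an added example, not part of the original message or the FreeRADIUS distribution; the choice of the `ldap` module and the realm name `second_factor` are assumptions.

```unlang
# Virtual server fragment (FreeRADIUS v3.0.x) - added example
authorize {
	# The local check needs a cleartext User-Password (PAP). Reject
	# requests without one before touching either backend.
	if (!&User-Password) {
		reject
	}

	# First service: call the module's authenticate method directly from
	# authorize. "ldap" is an assumed choice; any module that provides an
	# authenticate method can be called this way.
	ldap.authenticate
	if (!ok) {
		# fail, notfound, invalid, ...: fail closed and never proxy
		reject
	}

	# Second service: proxy the same request to a remote RADIUS server.
	# "second_factor" is a constructed name and must match a realm
	# defined in proxy.conf.
	update control {
		Proxy-To-Realm := "second_factor"
	}
}
```

The request is only forwarded once the first check has returned `ok`, so a failure in either service ends in an Access-Reject.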