Multi-stage PAM authentication
joseph.rothstein at roche.com
Tue Jun 12 18:07:04 CEST 2018
Thanks to all for responses.
We have developed a token-based PAM library to perform authentication on
stand-alone systems. Tokens are requested from a corporate portal, and are
issued for a specific user, device, and time period. Each group of devices
has its own key, and this key is then used to "de-crypt" the token and
confirm the validity period.
We would like to adapt this PAM library to support FortiGate admin
logon against a radius server with the PAM module installed.
I have seen a couple of screenshots of Token challenges on the FortiGate
(specifically from Centrify Howto), so I have to assume that this works.
I can authenticate against FreeRadius with static usernames and passwords.
On Fri, May 18, 2018 at 4:35 PM, Alan DeKok <aland at deployingradius.com>
> On May 18, 2018, at 10:20 AM, Rothstein, Joseph <joseph.rothstein at roche.com> wrote:
> > I am trying to authenticate users on a FortiGate firewall against a
> > server with a custom PAM library. This PAM library is based on
> > enterprise username and a time-bound token which is validated by a key
> > installed on the server.
> What exact piece does what? i.e. what packets get sent where? The
> above description isn't clear.
> > I have verified the library works for SSH authentication; however, this
> > is generally done in two stages. First by entering a fixed username, and
> > then the system re-prompts the user for his personal enterprise username for
> > which the token was issued.
> The pam_auth_radius module from the FreeRADIUS project does
> challenge-response just fine.
> > The problem I have, is that the FortiGate GUI does not allow this
> > username/token entry.
> One solution then is to fix the FortiGate GUI... you can't really fix a
> third-party product by poking FreeRADIUS.
> > I was wondering if there is a way of configuring this "standard username"
> > in the "users" config file under the "Auth-type = PAM", and then passing
> > the corporate credentials and token through to PAM, as this is all I
> > can enter in the FortiGate login GUI.
> Maybe... but this is all a vague description. Please describe the
> system in more detail.
> What people *normally* do with things like RSA is to have the user enter
> the password as the 6-digit OTP, followed by their own custom password.
> FreeRADIUS then splits the password into two fields. Then checks the
> RSA token against RSA, and the user's password against the user database.
> Alan DeKok.
Senior Security Architect
Roche Diagnostics International AG
Tel.: +41 41 792 5556
Mobile: + 41 79 900 2508
mailto: joseph.rothstein at roche.com
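The "OTP followed by password in one field" scheme Alan describes, modelled in Python as an added example (not FreeRADIUS configuration and not the poster's PAM library). It assumes a 6-digit leading OTP, uses RFC 6238 TOTP as a stand-in for the RSA token check and a salted PBKDF2 hash as a stand-in for the user database; all secrets are constructed demo values.

```python
import hashlib
import hmac
import re
import struct
import time
from typing import Optional, Tuple

# Constructed demo secrets; a real deployment stores these per user.
OTP_SECRET = b"constructed-demo-otp-seed"
PASSWORD_SALT = b"constructed-demo-salt"
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", PASSWORD_SALT, 100_000)

# Leading 6-digit OTP, then at least one character of static password.
SPLIT_RE = re.compile(r"^(\d{6})(.+)$", re.DOTALL)


def split_password(user_password: str) -> Optional[Tuple[str, str]]:
    """Split the submitted password field into (otp, static_password).

    Returns None if the field does not start with a 6-digit OTP or has no
    remaining password, so the caller can reject before touching any backend."""
    m = SPLIT_RE.match(user_password)
    if not m:
        return None
    return m.group(1), m.group(2)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (stand-in for the RSA token verification)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def check_otp(otp: str, now: int) -> bool:
    # Accept the current step and one step either side to tolerate clock drift.
    return any(hmac.compare_digest(otp, totp(OTP_SECRET, now + d * 30)) for d in (-1, 0, 1))


def check_password(password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, 100_000)
    return hmac.compare_digest(digest, PASSWORD_HASH)


def authenticate(user_password: str, now: Optional[int] = None) -> bool:
    """Accept only when both halves verify; evaluate both so timing does not reveal which failed."""
    now = int(time.time()) if now is None else now
    parts = split_password(user_password)
    if parts is None:
        return False
    otp, static = parts
    otp_ok = check_otp(otp, now)
    pw_ok = check_password(static)
    return otp_ok and pw_ok
```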