FreeRADIUS with custom multi-factor authentication

Clint Lord clint at voodoocube.com
Wed Feb 13 17:15:51 CET 2019


We are evaluating FreeRADIUS as a possible solution but we have a very specific authentication workflow and aren’t sure if FreeRADIUS will fit our needs.  We’ve searched the documentation for insights into how we might accomplish our goals, but haven’t seen anything that quite matches up.

Here is our workflow:

1. The user enters their username and password.
2. The system calls a web service to validate the username and password.
3. If the username and password are valid, and the user’s account has MFA enabled:
	a. The MFA method is executed (ex. OTP is sent via SMS message)
	b. The system sends the user a message asking them to enter the OTP and allows them to submit the value.
	c. The system validates their response by calling another web service.
	d. If the response is invalid the system sends another message informing them of the failure and allows them to respond again (a few times).

All of the account data, username/password authentication and MFA processing are done behind web services; we just need FreeRADIUS to allow us to go through the multiple request and response steps as we call these web services.

We thought we might be able to use rlm_python or rlm_perl to accomplish this, but we are only seeing simple “func_authenticate” implementations and can’t see how we can facilitate this back and forth communication with the user.

All we are asking for are some pointers or general guidance so we can continue our research and determine if FreeRADIUS will meet our needs.

Thank you for any insights, guidance, links that might help.


Clint Lord
The Voodoo Cube
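
The workflow in this message maps onto the RADIUS Access-Challenge exchange (RFC 2865), in which the server returns a State value that the client echoes back with the user's next response. The following is an added example, not part of the original post and not FreeRADIUS or rlm_python code: a plain-Python model of that multi-round flow, where the `ws_*` functions, the user table and the retry limit are constructed stand-ins for the poster's web services.

```python
import hmac
import secrets

MAX_OTP_TRIES = 3   # "a few times" in the workflow; the value is an assumption
USERS = {"alice": ("s3cret", True), "bob": ("hunter2", False)}  # constructed: (password, MFA on)
OTPS = {}           # user -> pending OTP (stands in for the MFA web service)
SESSIONS = {}       # State value -> {"user", "tries"}; links the rounds together

def ws_check_password(user, password):
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec[0].encode(), password.encode())

def ws_send_otp(user):
    # A real service would deliver this by SMS; here it is only stored.
    OTPS[user] = "%06d" % secrets.randbelow(10**6)

def ws_check_otp(user, otp):
    expected = OTPS.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), otp.encode())

def challenge(user, tries, message):
    # A fresh, unguessable State per round; the client must echo it back.
    state = secrets.token_hex(16)
    SESSIONS[state] = {"user": user, "tries": tries}
    return "Access-Challenge", {"State": state, "Reply-Message": message}

def handle_request(attrs):
    """attrs: Access-Request attributes. Returns (packet type, reply attributes)."""
    state = attrs.get("State")
    if state is None:                        # round 1: username and password
        user = attrs.get("User-Name", "")
        if not ws_check_password(user, attrs.get("User-Password", "")):
            return "Access-Reject", {}
        if not USERS[user][1]:               # MFA not enabled for this account
            return "Access-Accept", {}
        ws_send_otp(user)
        return challenge(user, 0, "Enter the code we sent you")
    sess = SESSIONS.pop(state, None)         # later rounds: State is single-use
    if sess is None or sess["user"] != attrs.get("User-Name"):
        return "Access-Reject", {}           # unknown, replayed or mismatched State
    if ws_check_otp(sess["user"], attrs.get("User-Password", "")):
        OTPS.pop(sess["user"], None)         # an OTP is accepted only once
        return "Access-Accept", {}
    tries = sess["tries"] + 1
    if tries >= MAX_OTP_TRIES:
        OTPS.pop(sess["user"], None)
        return "Access-Reject", {"Reply-Message": "Too many invalid codes"}
    return challenge(sess["user"], tries, "Invalid code, try again")
```

The user's answer to a challenge arrives in `User-Password` of a new Access-Request, which is why the same handler serves every round.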

