RADIUS TOTP Setup
Cornelius Kölbel
cornelius.koelbel at netknights.it
Fri Oct 23 15:42:48 CEST 2020
Hello Nemanja,
all external OTP solutions like multiOTP or LinOTP (I would however
recommend privacyIDEA, since I am working on this ;-) come as a plugin
to FreeRADIUS.
See
https://privacyidea.readthedocs.io/en/latest/application_plugins/rlm_perl.html
You could have all the logic in this plugin, but usually you have a
plugin that does the glue code and communicates to the OTP server.
You then would configure FreeRADIUS s.th. like this:
~~~~
authenticate {
Auth-Type Perl {
perl # This would e.g. communicate to the OTP server
}
digest
unix
}
~~~~
The OTP server then would verify the credentials, communicate back to
the rlm which then would cause an ACCESS_ACCEPT, ACCESS_REJECT or
ACCESS_CHALLENGE.
Yes, even ACCESS_CHALLENGE can be supported, this way a user can login
with a static password, which would cause an ACCESS_CHALLENGE and then
the user would have to provide his TOTP.
If Bitwarden simply generates TOTP codes, you can import the **seed**
of the token to your MFA management system.
Hope this helps.
Kind regards
Cornelius
Am Freitag, den 23.10.2020, 13:31 +0000 schrieb Nemanja Simpraga:
> Greetings,
>
> I am working on a TOTP authentication method setup with FreeRADIUS.
> For starters, I'd just like to generate a static user which uses TOTP
> (Time-based One-Time Passwords) to authenticate against the server.
> My company uses BitWarden which has an integrated Authenticator
> feature which can generate TOTP tokens which you can use for passing
> MFA challenges and logging in.
> Is it possible to have a user defined in RADIUS which is bound to a
> BitWarden token generator in some way? We do the same thing for
> accounts in our directory. The codes MSFT generates for their
> intended MSFT Auth mobile app I put into the BitWarden token
> generator to bind those accounts to the generator.
> After that I can use the codes from BitWarden to pass the MFA
> challenge and sign in.
>
> I've read about multiOTP and LinOTP but I can't seem to understand
> how they fit into this picture.
> Am I going in the right direction with this? Is this BitWarden setup
> possible?
>
> I am still quite new to FreeRADIUS, so bear with me. Thank you!
>
> Best regards,
>
>
> [cid:image001.png at 01D6A951.934B5080]
> [cid:image002.png at 01D6A951.934B5080]<
> https://www.facebook.com/iOLAPInc/>; [cid:image003.png at 01D6A951
> .934B5080] <https://twitter.com/iolapinc>; [cid:image004.png@
> 01D6A951.934B5080] <https://www.linkedin.com/company/iolap/>;
> [cid:image005.png at 01D6A951.934B5080] <https://iolap.com/>
> NEMANJA ŠIMPRAGA
> System Network Administrator
> [cid:image006.png at 01D6A951.934B5080] nsimpraga at iolap.com<mailto:
> nsimpraga at iolap.com>
> +385 95 922 71 70
>
>
>
>
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
--
Cornelius Kölbel
cornelius.koelbel at netknights.it
Tel:+49-561-9979-1540
NetKnights GmbH https://www.netknights.it
Ludwig-Erhard-Str. 12, 34131 Kassel, Germany
Tel:+49-561-3166797 Fax:+49-561-3166798
Amtsgericht Kassel HRB 16405
Geschäftsführer: Cornelius Kölbel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20201023/2f084e59/attachment.sig>
More information about the Freeradius-Users
mailing list