RADIUS TOTP Setup

Nemanja Simpraga nsimpraga at iolap.com
Mon Oct 26 15:17:58 CET 2020


Sorry for the late reply and thanks for the answer! I will have to look a bit further into what you suggested, but I will probably be back with more questions as soon as I have a few concrete ones. Heard you guys like those over here ūüėä Cheers!

Best regards,
 


                       



NEMANJA ҆IMPRAGA
System Network Administrator
   nsimpraga at iolap.com
    +385 95 922 71 70

 







-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+nsimpraga=iolap.com at lists.freeradius.org> On Behalf Of Cornelius Kölbel via Freeradius-Users
Sent: Friday, October 23, 2020 3:43 PM
To: freeradius-users at lists.freeradius.org
Cc: Cornelius Kölbel <cornelius.koelbel at netknights.it>
Subject: Re: RADIUS TOTP Setup

WARNING: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.


Hello Nemanja,

all external OTP solutions like multiOTP or LinOTP (I would however recommend privacyIDEA, since I am working on this ;-) come as a plugin to FreeRADIUS.
See
https://privacyidea.readthedocs.io/en/latest/application_plugins/rlm_perl.html

You could have all the logic in this plugin, but usually you have a plugin that does the glue code and communicates to the OTP server.

You then would configure FreeRADIUS s.th. like this:

~~~~
authenticate {
     Auth-Type Perl {
        perl  # This would e.g. communicate to the OTP server
     }
     digest
     unix
}
~~~~

The OTP server then would verify the credentials, communicate back to the rlm which then would cause an ACCESS_ACCEPT, ACCESS_REJECT or ACCESS_CHALLENGE.
Yes, even ACCESS_CHALLENGE can be supported, this way a user can login with a static password, which would cause an ACCESS_CHALLENGE and then the user would have to provide his TOTP.

If Bitwarden simply generates TOTP codes, you can import the **seed** of the token to your MFA management system.

Hope this helps.

Kind regards
Cornelius


Am Freitag, den 23.10.2020, 13:31 +0000 schrieb Nemanja Simpraga:
> Greetings,
>
> I am working on a TOTP authentication method setup with FreeRADIUS.
> For starters, I'd just like to generate a static user which uses TOTP 
> (Time-based One-Time Passwords) to authenticate against the server.
> My company uses BitWarden which has an integrated Authenticator 
> feature which can generate TOTP tokens which you can use for passing 
> MFA challenges and logging in.
> Is it possible to have a user defined in RADIUS which is bound to a 
> BitWarden token generator in some way? We do the same thing for 
> accounts in our directory. The codes MSFT generates for their intended 
> MSFT Auth mobile app I put into the BitWarden token generator to bind 
> those accounts to the generator.
> After that I can use the codes from BitWarden to pass the MFA 
> challenge and sign in.
>
> I've read about multiOTP and LinOTP but I can't seem to understand how 
> they fit into this picture.
> Am I going in the right direction with this? Is this BitWarden setup 
> possible?
>
> I am still quite new to FreeRADIUS, so bear with me. Thank you!
>
> Best regards,
>
>
> [cid:image001.png at 01D6A951.934B5080]
> [cid:image002.png at 01D6A951.934B5080]<
> https://www.facebook.com/iOLAPInc/>;       [cid:image003.png at 01D6A951
> .934B5080] <https://twitter.com/iolapinc>;         [cid:image004.png@
> 01D6A951.934B5080] <https://www.linkedin.com/company/iolap/>;
>  [cid:image005.png at 01D6A951.934B5080] <https://iolap.com/> NEMANJA 
> ҆IMPRAGA System Network Administrator
> [cid:image006.png at 01D6A951.934B5080]   nsimpraga at iolap.com<mailto:
> nsimpraga at iolap.com>
>     +385 95 922 71 70
>
>
>
>
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
--
Cornelius Kölbel
cornelius.koelbel at netknights.it
Tel:+49-561-9979-1540

NetKnights GmbH    https://www.netknights.it
Ludwig-Erhard-Str. 12, 34131 Kassel, Germany
Tel:+49-561-3166797      Fax:+49-561-3166798

Amtsgericht Kassel      HRB 16405
Gesch√§ftsf√ľhrer: Cornelius K√∂lbel




More information about the Freeradius-Users mailing list