Hello Nemanja, all external OTP solutions like multiOTP or LinOTP (I would however recommend privacyIDEA, since I am working on this ;-) come as a plugin to FreeRADIUS. See https://privacyidea.readthedocs.io/en/latest/application_plugins/rlm_perl.ht... You could have all the logic in this plugin, but usually you have a plugin that does the glue code and communicates to the OTP server. You then would configure FreeRADIUS s.th. like this: ~~~~ authenticate { Auth-Type Perl { perl # This would e.g. communicate to the OTP server } digest unix } ~~~~ The OTP server then would verify the credentials, communicate back to the rlm which then would cause an ACCESS_ACCEPT, ACCESS_REJECT or ACCESS_CHALLENGE. Yes, even ACCESS_CHALLENGE can be supported, this way a user can login with a static password, which would cause an ACCESS_CHALLENGE and then the user would have to provide his TOTP. If Bitwarden simply generates TOTP codes, you can import the **seed** of the token to your MFA management system. Hope this helps. Kind regards Cornelius Am Freitag, den 23.10.2020, 13:31 +0000 schrieb Nemanja Simpraga:
Greetings,
I am working on a TOTP authentication method setup with FreeRADIUS. For starters, I'd just like to generate a static user which uses TOTP (Time-based One-Time Passwords) to authenticate against the server. My company uses BitWarden which has an integrated Authenticator feature which can generate TOTP tokens which you can use for passing MFA challenges and logging in. Is it possible to have a user defined in RADIUS which is bound to a BitWarden token generator in some way? We do the same thing for accounts in our directory. The codes MSFT generates for their intended MSFT Auth mobile app I put into the BitWarden token generator to bind those accounts to the generator. After that I can use the codes from BitWarden to pass the MFA challenge and sign in.
I've read about multiOTP and LinOTP but I can't seem to understand how they fit into this picture. Am I going in the right direction with this? Is this BitWarden setup possible?
I am still quite new to FreeRADIUS, so bear with me. Thank you!
Best regards,
[cid:image001.png@01D6A951.934B5080] [cid:image002.png@01D6A951.934B5080]< https://www.facebook.com/iOLAPInc/>; [cid:image003.png@01D6A951 .934B5080] <https://twitter.com/iolapinc>; [cid:image004.png@ 01D6A951.934B5080] <https://www.linkedin.com/company/iolap/>; [cid:image005.png@01D6A951.934B5080] <https://iolap.com/> NEMANJA ŠIMPRAGA System Network Administrator [cid:image006.png@01D6A951.934B5080] nsimpraga@iolap.com<mailto: nsimpraga@iolap.com> +385 95 922 71 70
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Cornelius Kölbel cornelius.koelbel@netknights.it Tel:+49-561-9979-1540
NetKnights GmbH https://www.netknights.it Ludwig-Erhard-Str. 12, 34131 Kassel, Germany Tel:+49-561-3166797 Fax:+49-561-3166798 Amtsgericht Kassel HRB 16405 Geschäftsführer: Cornelius Kölbel