Sorry for the late reply and thanks for the answer! I will have to look a bit further into what you suggested, but I will probably be back with more questions as soon as I have a few concrete ones. Heard you guys like those over here 😊 Cheers! Best regards, NEMANJA ŠIMPRAGA System Network Administrator nsimpraga@iolap.com +385 95 922 71 70 -----Original Message----- From: Freeradius-Users <freeradius-users-bounces+nsimpraga=iolap.com@lists.freeradius.org> On Behalf Of Cornelius Kölbel via Freeradius-Users Sent: Friday, October 23, 2020 3:43 PM To: freeradius-users@lists.freeradius.org Cc: Cornelius Kölbel <cornelius.koelbel@netknights.it> Subject: Re: RADIUS TOTP Setup WARNING: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. Hello Nemanja, all external OTP solutions like multiOTP or LinOTP (I would however recommend privacyIDEA, since I am working on this ;-) come as a plugin to FreeRADIUS. See https://privacyidea.readthedocs.io/en/latest/application_plugins/rlm_perl.ht... You could have all the logic in this plugin, but usually you have a plugin that does the glue code and communicates to the OTP server. You then would configure FreeRADIUS s.th. like this: ~~~~ authenticate { Auth-Type Perl { perl # This would e.g. communicate to the OTP server } digest unix } ~~~~ The OTP server then would verify the credentials, communicate back to the rlm which then would cause an ACCESS_ACCEPT, ACCESS_REJECT or ACCESS_CHALLENGE. Yes, even ACCESS_CHALLENGE can be supported, this way a user can login with a static password, which would cause an ACCESS_CHALLENGE and then the user would have to provide his TOTP. If Bitwarden simply generates TOTP codes, you can import the **seed** of the token to your MFA management system. Hope this helps. Kind regards Cornelius Am Freitag, den 23.10.2020, 13:31 +0000 schrieb Nemanja Simpraga:
Greetings,
I am working on a TOTP authentication method setup with FreeRADIUS. For starters, I'd just like to generate a static user which uses TOTP (Time-based One-Time Passwords) to authenticate against the server. My company uses BitWarden which has an integrated Authenticator feature which can generate TOTP tokens which you can use for passing MFA challenges and logging in. Is it possible to have a user defined in RADIUS which is bound to a BitWarden token generator in some way? We do the same thing for accounts in our directory. The codes MSFT generates for their intended MSFT Auth mobile app I put into the BitWarden token generator to bind those accounts to the generator. After that I can use the codes from BitWarden to pass the MFA challenge and sign in.
I've read about multiOTP and LinOTP but I can't seem to understand how they fit into this picture. Am I going in the right direction with this? Is this BitWarden setup possible?
I am still quite new to FreeRADIUS, so bear with me. Thank you!
Best regards,
[cid:image001.png@01D6A951.934B5080] [cid:image002.png@01D6A951.934B5080]< https://www.facebook.com/iOLAPInc/>; [cid:image003.png@01D6A951 .934B5080] <https://twitter.com/iolapinc>; [cid:image004.png@ 01D6A951.934B5080] <https://www.linkedin.com/company/iolap/>; [cid:image005.png@01D6A951.934B5080] <https://iolap.com/> NEMANJA ŠIMPRAGA System Network Administrator [cid:image006.png@01D6A951.934B5080] nsimpraga@iolap.com<mailto: nsimpraga@iolap.com> +385 95 922 71 70
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Cornelius Kölbel cornelius.koelbel@netknights.it Tel:+49-561-9979-1540
NetKnights GmbH https://www.netknights.it Ludwig-Erhard-Str. 12, 34131 Kassel, Germany Tel:+49-561-3166797 Fax:+49-561-3166798 Amtsgericht Kassel HRB 16405 Geschäftsführer: Cornelius Kölbel