FreeRADIUS with custom multi-factor authentication
We are evaluating FreeRADIUS as a possible solution but we have a very specific authentication workflow and aren’t sure if FreeRADIUS will fit our needs. We’ve searched the documentation for insights into how we might accomplish our goals, but haven’t seen anything that quite matches up. Here is our workflow: 1. The user enters their username and password. 2. The system calls a web service to validate the username and password. 3. If the username and password are valid, and the user’s account has MFA enabled: a. The MFA method is executed (ex. OTP is sent via SMS message) b. The system sends the user a message asking them to enter the OTP and allows them to submit the value. c. The system validates their response by calling another web service. d. If the response is invalid the system sends another message informing them of the failure and allows them to respond again (a few times). All of the account data, username/password authentication and MFA processing is done behind web services, we just need FreeRADIUS to allow us to go through the multiple request and response steps as we call these web services. We thought we might be able to use rlm_python or rlm_perl to accomplish this, but we are only seeing simple “func_authenticate” implementations and can’t see how we can facilitate this back and forth communication with the user. All we are asking are some pointers or general guidance so we can continue our research and determine if FreeRADIUS will meet our needs. Thank you for any insights, guidance, links that might help. Clint Lord The Voodoo Cube
Hi, Check this out: https://wiki.freeradius.org/modules/Rlm_smsotp Eero On Wed, Feb 13, 2019 at 6:16 PM Clint Lord <clint@voodoocube.com> wrote:
We are evaluating FreeRADIUS as a possible solution but we have a very specific authentication workflow and aren’t sure if FreeRADIUS will fit our needs. We’ve searched the documentation for insights into how we might accomplish our goals, but haven’t seen anything that quite matches up.
Here is our workflow:
1. The user enters their username and password. 2. The system calls a web service to validate the username and password. 3. If the username and password are valid, and the user’s account has MFA enabled: a. The MFA method is executed (ex. OTP is sent via SMS message) b. The system sends the user a message asking them to enter the OTP and allows them to submit the value. c. The system validates their response by calling another web service. d. If the response is invalid the system sends another message informing them of the failure and allows them to respond again (a few times).
All of the account data, username/password authentication and MFA processing is done behind web services, we just need FreeRADIUS to allow us to go through the multiple request and response steps as we call these web services.
We thought we might be able to use rlm_python or rlm_perl to accomplish this, but we are only seeing simple “func_authenticate” implementations and can’t see how we can facilitate this back and forth communication with the user.
All we are asking are some pointers or general guidance so we can continue our research and determine if FreeRADIUS will meet our needs.
Thank you for any insights, guidance, links that might help.
Clint Lord The Voodoo Cube - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Feb 13, 2019, at 11:15 AM, Clint Lord <clint@voodoocube.com> wrote:
We are evaluating FreeRADIUS as a possible solution but we have a very specific authentication workflow and aren’t sure if FreeRADIUS will fit our needs.
If the RADIUS protocol supports it, FreeRADIUS can do it.
We’ve searched the documentation for insights into how we might accomplish our goals, but haven’t seen anything that quite matches up.
Here is our workflow:
1. The user enters their username and password. 2. The system calls a web service to validate the username and password. 3. If the username and password are valid, and the user’s account has MFA enabled: a. The MFA method is executed (ex. OTP is sent via SMS message) b. The system sends the user a message asking them to enter the OTP and allows them to submit the value. c. The system validates their response by calling another web service. d. If the response is invalid the system sends another message informing them of the failure and allows them to respond again (a few times).
All of the account data, username/password authentication and MFA processing is done behind web services, we just need FreeRADIUS to allow us to go through the multiple request and response steps as we call these web services.
Which means... what? The requirements above need to be more specific. What part is a web service? What part is FreeRADIUS? What packets go back and forth?
We thought we might be able to use rlm_python or rlm_perl to accomplish this, but we are only seeing simple “func_authenticate” implementations and can’t see how we can facilitate this back and forth communication with the user.
See Access-Challenge packets. They're intended for this kind of situation.
All we are asking are some pointers or general guidance so we can continue our research and determine if FreeRADIUS will meet our needs.
The typical process for challenge-response authentication is like this: * user enters name / password (PPP, VPN, whatever) * the NAS sends name / password to the RADIUS server * the RADIUS server determines that it should challenge the user * it sends Access-Challenge * With a Reply-Message like "Please enter token" * with a State attribute that ties the challenge/response together * the NAS shows the message to the user, who then enters a token * the NAS sends a new Access-Request with * same User-Name * user's token as User-Password * State attribute from Access-Challenge * the server sees that it's the same State as before, and continues authentication... * all *session* data needs be stored in the "session-state" list, which is automatically saved / restored. e.g. authorize { ... if (!State) { update reply { Reply-Message := "enter token" } update session-state { Cleartext-Password := "1234" } challenge return } if (User-Password != &session-state:Cleartext-Password) { reject } } That's the basics. Alan DeKok.
Thank you for your guidance, that provided us the high level direction we were looking for. The complexity of the web services we are using for username/password validation and MFA processing leads us to believe we need to use rlm_python to write the authorize method. However we're not finding any documentation that tells us how to create access challenges or manage state from within our python code. We are basically looking for the list of the objects and APIs that are available to us when we are writing the authorize method in python. Any help knowing where to look would be appreciated. Clint Lord The Voodoo Cube
The typical process for challenge-response authentication is like this:
* user enters name / password (PPP, VPN, whatever) * the NAS sends name / password to the RADIUS server * the RADIUS server determines that it should challenge the user * it sends Access-Challenge * With a Reply-Message like "Please enter token" * with a State attribute that ties the challenge/response together * the NAS shows the message to the user, who then enters a token * the NAS sends a new Access-Request with * same User-Name * user's token as User-Password * State attribute from Access-Challenge * the server sees that it's the same State as before, and continues authentication... * all *session* data needs be stored in the "session-state" list, which is automatically saved / restored.
e.g.
authorize { ...
if (!State) { update reply { Reply-Message := "enter token" }
update session-state { Cleartext-Password := "1234" }
challenge return }
if (User-Password != &session-state:Cleartext-Password) { reject } }
That's the basics.
Alan DeKok.
On Feb 14, 2019, at 11:33 AM, Clint Lord <clint@voodoocube.com> wrote:
Thank you for your guidance, that provided us the high level direction we were looking for.
That's good.
The complexity of the web services we are using for username/password validation and MFA processing leads us to believe we need to use rlm_python to write the authorize method. However we're not finding any documentation that tells us how to create access challenges or manage state from within our python code. We are basically looking for the list of the objects and APIs that are available to us when we are writing the authorize method in python.
You can return different values from python, and then key off of that: python if (user ock) { challenge return } As of 3.0.17 (I think) all of the lists are available to the Python module. So you can do whatever you want, keep state in "session-state", and it should all just work. Alan DeKok.
El 14/2/19 a las 18:46, Alan DeKok escribió:
On Feb 14, 2019, at 11:33 AM, Clint Lord <clint@voodoocube.com> wrote:
Thank you for your guidance, that provided us the high level direction we were looking for. That's good.
The complexity of the web services we are using for username/password validation and MFA processing leads us to believe we need to use rlm_python to write the authorize method. However we're not finding any documentation that tells us how to create access challenges or manage state from within our python code. We are basically looking for the list of the objects and APIs that are available to us when we are writing the authorize method in python. You can return different values from python, and then key off of that:
python if (user ock) { challenge return }
As of 3.0.17 (I think) all of the lists are available to the Python module. So you can do whatever you want, keep state in "session-state", and it should all just work.
As of 3.0.17 all of the lists are available to the Python module as an input (you need to explicitly activate it using the "pass_all_vps" option). That will pass a tuple of (request, reply, config, state, proxy_req, proxy_reply) instead of just request. However, for 3.0.17 you can only make updates to the "reply" and "config" lists. As of 3.0.18 (soon to be released) we've included a dict-based in/out interface (using the "pass_all_vps_dict" option that) should make things simpler, as well as provide access to read and update all the lists. Please, refer to https://github.com/alejandro-perez/freeradius-server/blob/v3.0.x/src/modules... for a more detailed example. Best, -- Alejandro Perez-Mendez Technical Specialist (AAA), Trust & Identity M (+34) 619 333 219 Skype alejandro_perez_mendez jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
Please, refer to https://github.com/alejandro-perez/freeradius-server/blob/v3.0.x/src/modules... for a more detailed example.
Although identical, I meant to link upstream repo, not my personal fork :) https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/modules/rlm_... -- Alejandro Perez-Mendez Technical Specialist (AAA), Trust & Identity M (+34) 619 333 219 Skype alejandro_perez_mendez jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
We use duoproxy in front of freeradius. After the user enters username and password, and they are validated and authenticated, the duoproxy will execute the second factor validation. https://duo.com/docs/radius On Wed, Feb 13, 2019 at 11:16 AM Clint Lord <clint@voodoocube.com> wrote:
We are evaluating FreeRADIUS as a possible solution but we have a very specific authentication workflow and aren’t sure if FreeRADIUS will fit our needs. We’ve searched the documentation for insights into how we might accomplish our goals, but haven’t seen anything that quite matches up.
Here is our workflow:
1. The user enters their username and password. 2. The system calls a web service to validate the username and password. 3. If the username and password are valid, and the user’s account has MFA enabled: a. The MFA method is executed (ex. OTP is sent via SMS message) b. The system sends the user a message asking them to enter the OTP and allows them to submit the value. c. The system validates their response by calling another web service. d. If the response is invalid the system sends another message informing them of the failure and allows them to respond again (a few times).
All of the account data, username/password authentication and MFA processing is done behind web services, we just need FreeRADIUS to allow us to go through the multiple request and response steps as we call these web services.
We thought we might be able to use rlm_python or rlm_perl to accomplish this, but we are only seeing simple “func_authenticate” implementations and can’t see how we can facilitate this back and forth communication with the user.
All we are asking are some pointers or general guidance so we can continue our research and determine if FreeRADIUS will meet our needs.
Thank you for any insights, guidance, links that might help.
Clint Lord The Voodoo Cube - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Clint Lord <clint@voodoocube.com> wrote:
We are evaluating FreeRADIUS as a possible solution but we have a very specific authentication workflow and aren’t sure if FreeRADIUS will fit our needs. We’ve searched the documentation for insights into how we might accomplish our goals, but haven’t seen anything that quite matches up.
Here is our workflow:
1. The user enters their username and password.
...on what? What you are trying to authenticate to matters a lot as to which solutions are viable. Is this for a VPN, if so, what technology suite? To a Wifi Supplicant? Just to a web service? Something else?
We are using this for VPN authentication. We are using Cisco ISE. Clint Lord The Voodoo Cube
On Feb 14, 2019, at 1:27 PM, Brian Julin <BJulin@clarku.edu> wrote:
Clint Lord <clint@voodoocube.com> wrote:
We are evaluating FreeRADIUS as a possible solution but we have a very specific authentication workflow and aren’t sure if FreeRADIUS will fit our needs. We’ve searched the documentation for insights into how we might accomplish our goals, but haven’t seen anything that quite matches up.
Here is our workflow:
1. The user enters their username and password.
...on what?
What you are trying to authenticate to matters a lot as to which solutions are viable. Is this for a VPN, if so, what technology suite? To a Wifi Supplicant? Just to a web service? Something else?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Clint Lord <clint@voodoocube.com> wrote:
We are using this for VPN authentication. We are using Cisco ISE.
Next question is: IKEv1, IKEv2, or OpenVPN? And, are your users using only systems on which you control the client software, or do you expect this to work with any old VPN client?
Cisco ISE is using OpenVPN. We exclusively use Cisco AnyConnect for the VPN client and don’t have any requirements to support any other VPN clients. Clint Lord The Voodoo Cube
On Feb 14, 2019, at 2:27 PM, Brian Julin <BJulin@clarku.edu> wrote:
Clint Lord <clint@voodoocube.com> wrote:
We are using this for VPN authentication. We are using Cisco ISE.
Next question is: IKEv1, IKEv2, or OpenVPN?
And, are your users using only systems on which you control the client software, or do you expect this to work with any old VPN client?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Clint Lord <clint@voodoocube.com> wrote:
Cisco ISE is using OpenVPN. We exclusively use Cisco AnyConnect for the VPN client and don’t have any requirements to support any other VPN clients.
That may be a good thing. IPSec MFA is... challenging. Unfortunately I can't help with OpenVPN so maybe someone here has OpenVPN/AnyConnect experience and can speak to how to crank back the OTP dialogue to the user.
participants (6)
-
Alan DeKok -
Alex Perez-Mendez -
Brian Julin -
Clint Lord -
Eero Volotinen -
jon Yu