Possible to have 2 authentications in sequence?
Hello, Can someone tell if it is possible to have FreeRADIUS perform (as a proxy) 2 authentications in sequence on a user, such as the 1st - against an AD and if that succeeds - against another RADIUS server? Is it simply a matter of the the Authorization/Authentication sections definition, or requires some development? Thank you! BR
On Mar 9, 2016, at 4:09 AM, Andy P. <pmaspec@gmail.com> wrote:
Can someone tell if it is possible to have FreeRADIUS perform (as a proxy) 2 authentications in sequence on a user, such as the 1st - against an AD and if that succeeds - against another RADIUS server?
In general, no. But you're free to run ntlm_auth as a shell script in the "authorize" section. This will only work if the packets contain MS-CHAP or PAP authentication.
Is it simply a matter of the the Authorization/Authentication sections definition, or requires some development?
A better question is: why do you need this? Alan DeKok.
2016-03-09 16:05 GMT+01:00 Alan DeKok <aland@deployingradius.com>:
On Mar 9, 2016, at 4:09 AM, Andy P. <pmaspec@gmail.com> wrote:
...
Is it simply a matter of the the Authorization/Authentication sections definition, or requires some development?
A better question is: why do you need this?
Multi-factor authentication. The passwords for the 2 (or more) authentications are different. Just like with the Duo authentication proxy, but not linked to their service for the secondary authentication. Alan DeKok.
On 9 Mar 2016, at 18:18, Andy P. <pmaspec@gmail.com> wrote:
2016-03-09 16:05 GMT+01:00 Alan DeKok <aland@deployingradius.com>:
On Mar 9, 2016, at 4:09 AM, Andy P. <pmaspec@gmail.com> wrote:
...
Is it simply a matter of the the Authorization/Authentication sections definition, or requires some development?
A better question is: why do you need this?
Multi-factor authentication. The passwords for the 2 (or more) authentications are different. Just like with the Duo authentication proxy, but not linked to their service for the secondary authentication.
The session-state list makes this much easier in v3.0.x. It handles creating a State attribute in the response, to tie together multiple rounds of authentication. You still need cooperation from the NAS though, to prompt the user multiple times when it receives an Access-Challenge. For EAP, multi-factor authentication is not possible, unless the two factors are presented in a single round e.g. otp + password. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 9 Mar 2016, at 19:26, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 9 Mar 2016, at 18:18, Andy P. <pmaspec@gmail.com> wrote:
2016-03-09 16:05 GMT+01:00 Alan DeKok <aland@deployingradius.com>:
On Mar 9, 2016, at 4:09 AM, Andy P. <pmaspec@gmail.com> wrote:
...
Is it simply a matter of the the Authorization/Authentication sections definition, or requires some development?
A better question is: why do you need this?
Multi-factor authentication. The passwords for the 2 (or more) authentications are different. Just like with the Duo authentication proxy, but not linked to their service for the secondary authentication.
The session-state list makes this much easier in v3.0.x.
It handles creating a State attribute in the response, to tie together multiple rounds of authentication.
You still need cooperation from the NAS though, to prompt the user multiple times when it receives an Access-Challenge.
For EAP, multi-factor authentication is not possible, unless the two factors are presented in a single round e.g. otp + password.
Ah misunderstood, you want to submit the credentials to multiple services. Yes you can do that. Just call the .authenticate method of the module you want to use in the authorize {} section and then perform a proxy. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
2016-03-09 20:26 GMT+01:00 Arran Cudbard-Bell <a.cudbardb@freeradius.org>: ...
The session-state list makes this much easier in v3.0.x.
It handles creating a State attribute in the response, to tie together multiple rounds of authentication.
You still need cooperation from the NAS though, to prompt the user multiple times when it receives an Access-Challenge.
For EAP, multi-factor authentication is not possible, unless the two factors
are presented in a single round e.g. otp + password.
The two factors will be presented in a single round, indeed.
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mar 9, 2016, at 1:18 PM, Andy P. <pmaspec@gmail.com> wrote:
Multi-factor authentication. The passwords for the 2 (or more) authentications are different. Just like with the Duo authentication proxy, but not linked to their service for the secondary authentication.
Except that RADIUS packets don't have two passwords. So... again, what *exactly* do you want to do? I already gave a suggestion about using ntlm_auth. Did you try it? Alan DeKok.
2016-03-09 22:08 GMT+01:00 Alan DeKok <aland@deployingradius.com>:
On Mar 9, 2016, at 1:18 PM, Andy P. <pmaspec@gmail.com> wrote:
Multi-factor authentication. The passwords for the 2 (or more) authentications are different. Just like with the Duo authentication proxy, but not linked to their service for the secondary authentication.
Except that RADIUS packets don't have two passwords.
Right, and I'm not going to use the challenge-response. The following is planned: submit an auth. request containing the userid and the password which is the concatenation of the AD password and of the OTP (with a separator character in-between); then FreeRADIUS would split the request and authenticate the (userid, AD password) against the AD (via ntlm or LDAP) and the (userid, OTP) against that other RADIUS server.
So... again, what *exactly* do you want to do?
I already gave a suggestion about using ntlm_auth. Did you try it?
No, I don't have the entire environment available yet. At this time I'm looking to validate -on paper - the feasibility. Thank you!
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Andy P. -
Arran Cudbard-Bell