free radius + google authenticator
Hi there, I configured to use FreeRadius + MS Active Directory + Google Authenticator to authenticate the VPN users. My question is, is there a good way to let user to generate the QR code themselves? or admin had manually to generate the QR codes and code links, so they can be sent to users. Any suggestions? thanks. yayali
This is probably outside of freeradius But we have a script that reads a shared folder. If it finds a file it recreates the GA secrets and sends them an email with the URL that links to the QR code. On Tue, Apr 16, 2019 at 2:47 PM yaya li <yayali2003@hotmail.com> wrote:
Hi there,
I configured to use FreeRadius + MS Active Directory + Google Authenticator to authenticate the VPN users. My question is, is there a good way to let user to generate the QR code themselves? or admin had manually to generate the QR codes and code links, so they can be sent to users. Any suggestions? thanks.
yayali - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi there,
I configured to use FreeRadius + MS Active Directory + Google Authenticator to authenticate the VPN users. My question is, is there a good way to let user to generate the QR code themselves? or admin had manually to generate the QR codes and code links, so they can be sent to users. Any suggestions? thanks.
yayali - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
thanks Dave for the tip. will you be able to share the script or where i can find it. ________________________________ From: Freeradius-Users <freeradius-users-bounces+yayali2003=hotmail.com@lists.freeradius.org> on behalf of Dave Macias <davama@gmail.com> Sent: April 16, 2019 14:51 To: FreeRadius users mailing list Subject: Re: free radius + google authenticator This is probably outside of freeradius But we have a script that reads a shared folder. If it finds a file it recreates the GA secrets and sends them an email with the URL that links to the QR code. On Tue, Apr 16, 2019 at 2:47 PM yaya li <yayali2003@hotmail.com> wrote: - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I dont have it with me but it’s not that difficult. Using whichever scripting language run a cron to access the shared folder verify the file then process the GA request. Im assuming you using the google authenticator pam module from github which spits out your QR code on the terminal. It also prints a clickable URL. You can send that in an email so that the user can open on a browser. Hope that helps Dave On Apr 16, 2019, 3:05 PM -0400, yaya li <yayali2003@hotmail.com>, wrote: > thanks Dave for the tip. will you be able to share the script or where i can find it. > > ________________________________ > From: Freeradius-Users <freeradius-users-bounces+yayali2003=hotmail.com@lists.freeradius.org> on behalf of Dave Macias <davama@gmail.com> > Sent: April 16, 2019 14:51 > To: FreeRadius users mailing list > Subject: Re: free radius + google authenticator > > This is probably outside of freeradius > > But we have a script that reads a shared folder. > If it finds a file it recreates the GA secrets and sends them an email with > the URL that links to the QR code. > > On Tue, Apr 16, 2019 at 2:47 PM yaya li <yayali2003@hotmail.com> wrote: > > > Hi there, > > > > I configured to use FreeRadius + MS Active Directory + Google > > Authenticator to authenticate the VPN users. My question is, is there a > > good way to let user to generate the QR code themselves? or admin had > > manually to generate the QR codes and code links, so they can be sent to > > users. Any suggestions? thanks. > > > > yayali > > - > > List info/subscribe/unsubscribe? See > > http://www.freeradius.org/list/users.html > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
thanks Dave. ________________________________ From: Freeradius-Users <freeradius-users-bounces+yayali2003=hotmail.com@lists.freeradius.org> on behalf of Dave Macias <davama@gmail.com> Sent: April 16, 2019 16:07 To: FreeRadius users mailing list Subject: Re: free radius + google authenticator I dont have it with me but it’s not that difficult. Using whichever scripting language run a cron to access the shared folder verify the file then process the GA request. Im assuming you using the google authenticator pam module from github which spits out your QR code on the terminal. It also prints a clickable URL. You can send that in an email so that the user can open on a browser. Hope that helps Dave On Apr 16, 2019, 3:05 PM -0400, yaya li <yayali2003@hotmail.com>, wrote: > thanks Dave for the tip. will you be able to share the script or where i can find it. > > ________________________________ > From: Freeradius-Users <freeradius-users-bounces+yayali2003=hotmail.com@lists.freeradius.org> on behalf of Dave Macias <davama@gmail.com> > Sent: April 16, 2019 14:51 > To: FreeRadius users mailing list > Subject: Re: free radius + google authenticator > > This is probably outside of freeradius > > But we have a script that reads a shared folder. > If it finds a file it recreates the GA secrets and sends them an email with > the URL that links to the QR code. > > On Tue, Apr 16, 2019 at 2:47 PM yaya li <yayali2003@hotmail.com> wrote: > > > Hi there, > > > > I configured to use FreeRadius + MS Active Directory + Google > > Authenticator to authenticate the VPN users. My question is, is there a > > good way to let user to generate the QR code themselves? or admin had > > manually to generate the QR codes and code links, so they can be sent to > > users. Any suggestions? thanks. > > > > yayali > > - > > List info/subscribe/unsubscribe? See > > http://www.freeradius.org/list/users.html > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I configured to use FreeRadius + MS Active Directory + Google Authenticator to authenticate the VPN users. My question is, is there a good way to let user to generate the QR code themselves? or admin had manually to generate the QR codes and code links, so they can be sent to users. Any suggestions?
Where do you store the TOTP secret? Somewhere in an AD attribute? -Martin
On 16 Apr 2019, at 15:07, Martin Gignac <martin.gignac@gmail.com> wrote:
I configured to use FreeRadius + MS Active Directory + Google Authenticator to authenticate the VPN users. My question is, is there a good way to let user to generate the QR code themselves? or admin had manually to generate the QR codes and code links, so they can be sent to users. Any suggestions?
Where do you store the TOTP secret? Somewhere in an AD attribute?
Also depends what you're using this to protect. If it's logins to CLI interfaces and the client allows text to be displayed to the user, there are a few libraries that'll generate QR codes using ascii characters. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
thanks Arran. currently, I have to switch to each user on radius server, type googleauthenticator to generate the QR code for them and send them the screen shot. Ideally, I would like to send them a link and have the users to generate the code themselves or the worst case I have to generate them manually but at least I have a finished QR code link to send to the users. I'm fairly new to this area so any advice would be really appreciated. Yayali ________________________________ From: Freeradius-Users <freeradius-users-bounces+yayali2003=hotmail.com@lists.freeradius.org> on behalf of Arran Cudbard-Bell <a.cudbardb@freeradius.org> Sent: April 16, 2019 15:53 To: FreeRadius users mailing list Subject: Re: free radius + google authenticator
On 16 Apr 2019, at 15:07, Martin Gignac <martin.gignac@gmail.com> wrote:
I configured to use FreeRadius + MS Active Directory + Google Authenticator to authenticate the VPN users. My question is, is there a good way to let user to generate the QR code themselves? or admin had manually to generate the QR codes and code links, so they can be sent to users. Any suggestions?
Where do you store the TOTP secret? Somewhere in an AD attribute?
Also depends what you're using this to protect. If it's logins to CLI interfaces and the client allows text to be displayed to the user, there are a few libraries that'll generate QR codes using ascii characters. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Marthin, it stores in the user's home folder on radius server. ________________________________ From: Freeradius-Users <freeradius-users-bounces+yayali2003=hotmail.com@lists.freeradius.org> on behalf of Martin Gignac <martin.gignac@gmail.com> Sent: April 16, 2019 15:07 To: FreeRadius users mailing list Subject: Re: free radius + google authenticator
I configured to use FreeRadius + MS Active Directory + Google Authenticator to authenticate the VPN users. My question is, is there a good way to let user to generate the QR code themselves? or admin had manually to generate the QR codes and code links, so they can be sent to users. Any suggestions?
Where do you store the TOTP secret? Somewhere in an AD attribute? -Martin - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Marthin, it stores in the user's home folder on radius server.
OK. You're doing it differently than I am. I thought perhaps you might be storing the TOTP secret in Active Directory. I have a setup where I store the TOTP secret as a string inside an unused LDAP attribute on our IDM (Red Hat LDAP server) for each user. I built a web page that authenticates each user with their LDAP credentials, and if authenticated, then gives them the option of generating a new random TOTP secret whose equivalent QR code is displayed on the webpage (so they can provision Google Authenticator/Authy/FreeOTP on their phone) and which gets stored inside that unused LDAP attribute. I also have a custom REST web app that performs the authentication of the user with username and password+TOTP via LDAP and is called via FreeRADIUS's rlm_rest. Since you seem that have a much different setup from mine I don't think what I'm doing would help you. -Martin
thanks Martin. ________________________________ From: Freeradius-Users <freeradius-users-bounces+yayali2003=hotmail.com@lists.freeradius.org> on behalf of Martin Gignac <martin.gignac@gmail.com> Sent: April 16, 2019 22:33 To: FreeRadius users mailing list Subject: Re: free radius + google authenticator
Hi Marthin, it stores in the user's home folder on radius server.
OK. You're doing it differently than I am. I thought perhaps you might be storing the TOTP secret in Active Directory. I have a setup where I store the TOTP secret as a string inside an unused LDAP attribute on our IDM (Red Hat LDAP server) for each user. I built a web page that authenticates each user with their LDAP credentials, and if authenticated, then gives them the option of generating a new random TOTP secret whose equivalent QR code is displayed on the webpage (so they can provision Google Authenticator/Authy/FreeOTP on their phone) and which gets stored inside that unused LDAP attribute. I also have a custom REST web app that performs the authentication of the user with username and password+TOTP via LDAP and is called via FreeRADIUS's rlm_rest. Since you seem that have a much different setup from mine I don't think what I'm doing would help you. -Martin - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Arran Cudbard-Bell -
Dave Macias -
Martin Gignac -
yaya li