Multi-stage PAM authentication
I am trying to authenticate users on a FortiGate firewall against a Radius server with a custom PAM library. This PAM library is based on individuals enterprise username and a time-bound token which is validated by a key file installed on the server. I have verified the library works for SSH authentication, however, this is generally done in two stages. First by entering a fixed username, and then the system re-prompts the user for his personal enterprise username for which the token was issued. For example (SSH client): login as: standard username Corporate ID: enterprise username Token: [time-round token] The problem I have, is that the FortiGate GUI does not allow this secondary username/token entry. I was wondering if there is a way of configuring this "standard username" in the "users" config file under the "Auth-type = PAM", and then passing the corporate credentials and token through to PAM, as this is all I really can enter in the FortiGate login GUI. Any ideas would be appreciated. Regards to all, -JR
On May 18, 2018, at 10:20 AM, Rothstein, Joseph <joseph.rothstein@roche.com> wrote:
I am trying to authenticate users on a FortiGate firewall against a Radius server with a custom PAM library. This PAM library is based on individuals enterprise username and a time-bound token which is validated by a key file installed on the server.
What exact piece does what? i.e. what packets get sent where? The above description isn't clear.
I have verified the library works for SSH authentication, however, this is generally done in two stages. First by entering a fixed username, and then the system re-prompts the user for his personal enterprise username for which the token was issued.
The pam_auth_radius module from the FreeRADIUS project does challenge-response just fine.
The problem I have, is that the FortiGate GUI does not allow this secondary username/token entry.
One solution then is to fix the Fortunate GUI... you can't really fix a third-party product by poking FreeRADIUS.
I was wondering if there is a way of configuring this "standard username" in the "users" config file under the "Auth-type = PAM", and then passing the corporate credentials and token through to PAM, as this is all I really can enter in the FortiGate login GUI.
Maybe... but this is all a vague description. Please describe the system in more detail. What people *normally* do with things like RSA is to have the user enter the password as the 6-digit OTP, followed by their own custom password. FreeRADIUS then splits the password into two fields. Then checks the RSA token against RSA, and the users password against the user database. Alan DeKok.
Thanks to all for responses. We have developed a token-based PAM library to perform authentication on stand-alone systems. Tokens are requested from a corporate portal, and are issued for a specific user, device, and time period. Each group os devices has their own key, and this key is then used to "de-crypt" the token and confirm validity period. We would like to adapt this PAM library to support FortiGate admin logon against a radius server with the PAM module installed. I have seen a couple of screenshots of Token challenges on the FortiGate (specifically from Centrify Howto), so I have to assume that this works. I can authenticate against FreeRadius with static usernames and passwords without issue. Thanks, Joe On Fri, May 18, 2018 at 4:35 PM, Alan DeKok <aland@deployingradius.com> wrote:
On May 18, 2018, at 10:20 AM, Rothstein, Joseph < joseph.rothstein@roche.com> wrote:
I am trying to authenticate users on a FortiGate firewall against a
Radius
server with a custom PAM library. This PAM library is based on individuals enterprise username and a time-bound token which is validated by a key file installed on the server.
What exact piece does what? i.e. what packets get sent where? The above description isn't clear.
I have verified the library works for SSH authentication, however, this is generally done in two stages. First by entering a fixed username, and then the system re-prompts the user for his personal enterprise username for which the token was issued.
The pam_auth_radius module from the FreeRADIUS project does challenge-response just fine.
The problem I have, is that the FortiGate GUI does not allow this secondary username/token entry.
One solution then is to fix the Fortunate GUI... you can't really fix a third-party product by poking FreeRADIUS.
I was wondering if there is a way of configuring this "standard username" in the "users" config file under the "Auth-type = PAM", and then passing the corporate credentials and token through to PAM, as this is all I really can enter in the FortiGate login GUI.
Maybe... but this is all a vague description. Please describe the system in more detail.
What people *normally* do with things like RSA is to have the user enter the password as the 6-digit OTP, followed by their own custom password.
FreeRADIUS then splits the password into two fields. Then checks the RSA token against RSA, and the users password against the user database.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-- *Joseph Rothstein* Senior Security Architect Roche Diagnostics International AG Forrenstrasse 2 CH-6343 Rotkreuz Switzerland Tel.: +41 41 792 5556 Mobile: + 41 79 900 2508 mailto: joseph.rothstein@roche.com www.roche.ch/rotkreuz
On Jun 12, 2018, at 12:07 PM, Rothstein, Joseph <joseph.rothstein@roche.com> wrote:
We have developed a token-based PAM library to perform authentication on stand-alone systems. Tokens are requested from a corporate portal, and are issued for a specific user, device, and time period. Each group os devices has their own key, and this key is then used to "de-crypt" the token and confirm validity period.
We would like to adapt this PAM library to support FortiGate admin logon against a radius server with the PAM module installed.
The FreeRADIUS PAM plugin (rlm_pam) doesn't support challenge-response. It's better to just have FreeRADIUS do the queries directly. The "rest" module supports querying REST interfaces. so that should work. If that isn't good enough, it should be simple to adapt your code to create a custom FreeRADIUS plugin. That will work *much* better than going through layers of PAM. Alan DeKok.
Hi, We are using similar authentication, using static password from pam and then two factor from google authenticator. Works fine and user uses password like this: staticpart+googleauthcode (like this static124748) Eero Eero On Fri, May 18, 2018 at 5:24 PM Rothstein, Joseph < joseph.rothstein@roche.com> wrote:
I am trying to authenticate users on a FortiGate firewall against a Radius server with a custom PAM library. This PAM library is based on individuals enterprise username and a time-bound token which is validated by a key file installed on the server.
I have verified the library works for SSH authentication, however, this is generally done in two stages. First by entering a fixed username, and then the system re-prompts the user for his personal enterprise username for which the token was issued. For example (SSH client):
login as: standard username
Corporate ID: enterprise username Token: [time-round token]
The problem I have, is that the FortiGate GUI does not allow this secondary username/token entry.
I was wondering if there is a way of configuring this "standard username" in the "users" config file under the "Auth-type = PAM", and then passing the corporate credentials and token through to PAM, as this is all I really can enter in the FortiGate login GUI.
Any ideas would be appreciated.
Regards to all, -JR - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Eero Volotinen -
Rothstein, Joseph