Freeradius and 2 Factor Authentication

Arran Cudbard-Bell a.cudbardb at freeradius.org
Thu Jun 2 22:57:57 CEST 2016


> On Jun 2, 2016, at 4:53 PM, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
> 
> 
>> On Jun 2, 2016, at 4:33 PM, Cornelius Kölbel <cornelius.koelbel at netknights.it> wrote:
>> 
>> On Thursday, 02.06.2016, at 15:58 -0400, Arran Cudbard-Bell wrote:
>> 
>>>> We actually have a commercial OTP solution via SafeNet, but it's a bit long in the tooth and also only supports PAP.  However, I opened a ticket today and their newer versions actually support MSCHAPv2 so that might be the way to go if converting our token licenses isn't too ridiculous in cost.
>>> 
>>> Anything that'll give you the plaintext password from the OTP server back will work with MSCHAPv2.
>> 
>> The OTP server could return the plain text OTP password. But this is
>> only the 2nd factor. It will not return the LDAP user password, which is
>> the 1st factor.
> 
> Yeah, if you're using an LDAP server that doesn't give you access to the plaintext password, and if you're set on using passwords.
> 
> Certificates do the job just as well.  Especially if they're encrypted.

3FA FTW!

-Arran