Freeradius and 2 Factor Authentication
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Thu Jun 2 22:57:57 CEST 2016
> On Jun 2, 2016, at 4:53 PM, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
>
>
>> On Jun 2, 2016, at 4:33 PM, Cornelius Kölbel <cornelius.koelbel at netknights.it> wrote:
>>
>> On Thursday, 02.06.2016 at 15:58 -0400, Arran Cudbard-Bell wrote:
>>
>>>> We actually have a commercial OTP solution via SafeNet, but it's a bit long in the tooth and also only supports PAP. However, I opened a ticket today and their newer versions actually support MSChapv2 so that might be the way to go if converting our token licenses isn't too ridiculous in cost.
>>>
>>> Anything that'll give you the plaintext password from the OTP server back will work with MSCHAPv2.
>>
>> The OTP server could return the plain text OTP password. But this is
>> only the 2nd factor. It will not return the LDAP user password, which is
>> the 1st factor.
>
> Yeah, if you're using an LDAP server that doesn't give you access to the plaintext password, and if you're set on using passwords.
>
> Certificates do the job just as well. Especially if they're encrypted.
3FA FTW!
-Arran