Possible to have 2 authentications in sequence?

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Mar 9 20:26:48 CET 2016


> On 9 Mar 2016, at 18:18, Andy P. <pmaspec at gmail.com> wrote:
> 
> 2016-03-09 16:05 GMT+01:00 Alan DeKok <aland at deployingradius.com>:
> 
>> On Mar 9, 2016, at 4:09 AM, Andy P. <pmaspec at gmail.com> wrote:
>> 
> ...
> 
>>> 
>>> Is it simply a matter
>>> of the the Authorization/Authentication sections definition, or requires
>>> some development?
>> 
>>  A better question is: why do you need this?
>> 
>> 
> Multi-factor authentication. The passwords for the 2 (or more)
> authentications are different. Just like with the Duo authentication proxy,
> but not linked to their service for the secondary authentication.

The session-state list makes this much easier in v3.0.x.

It handles creating a State attribute in the response, to tie together multiple
rounds of authentication.

You still need cooperation from the NAS though, to prompt the user multiple times
when it receives an Access-Challenge.

For EAP, multi-factor authentication is not possible, unless the two factors
are presented in a single round e.g. otp + password.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 872 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20160309/8a69dc07/attachment-0001.sig>


More information about the Freeradius-Users mailing list