Radius proxy request to other radius for OTP auth

Satish Patel satish.txt at gmail.com
Fri Oct 27 18:05:24 CEST 2017


In short, this is what I am planning to do with FreeRADIUS instead of
Windows IAS: http://www.dasblinkenlichten.com/using-radius-attributes-during-webvpn-logon/

We have multi-factor authentication (password+OTP) for VPN login, and
the MFA (multi-factor auth) is provided by the company onelogin. In my Cisco ASA
I say that my RADIUS server is onelogin in the cloud, and my ASA authenticates
users from there, but that company doesn't support attribute Class 25,
which I posted in the link, so I was thinking of building FreeRADIUS in-house,
doing whatever I want there for grouping and then proxying the request to
onelogin for the OTP stuff.  In short, my local RADIUS will act like a proxy
and forward requests to onelogin in the cloud for OTP.

I am not sure whether it's possible or not, so I am just trying to see what people
think about it, or whether there is any other way out.

On Fri, Oct 27, 2017 at 8:43 AM, Alan DeKok <aland at deployingradius.com> wrote:
> On Oct 26, 2017, at 10:58 PM, Satish Patel <satish.txt at gmail.com> wrote:
>> Recently we decided to create multiple Group Policies for VPN, and every
>> group will have its own permissions to access applications, like Sales,
>> Finance, contractor, etc. In short, a contractor can't access Finance-
>> related applications, etc.
>
>   I'm not sure that's possible in RADIUS.  You can send policies to the VPN (maybe), but the VPN may ignore them.
>
>> After reading, I found that the ASA supports RADIUS attribute Class 25, where I can
>> create OU=sales and implement policy based on whatever LDAP memberOf
>> lists for users.
>
>   That's vague... what, exactly are you doing?  What piece of the network is doing what?
>
>> But unfortunately onelogin doesn't support that kind of attribute
>> mapping, and now we are stuck here, so the only solution is to deploy on radius
>> server and integrate with google authenticator.
>
>   How does deploying a RADIUS server help with controlling access to applications?
>
>> So I have a question: is there any way I can use FreeRADIUS locally,
>> use attribute Class 25 and then proxy authentication to the onelogin
>> RADIUS?
>
>   FreeRADIUS can use Class.  So?  What does it *do* with it?
>
>> What should I do, and what do you guys suggest here?
>
>   First, you have to describe what you're doing.  Which network machines are involved?  What are they doing?  What information do they exchange?
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
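
Added example, not part of the original thread and not FreeRADIUS code: a packet-level sketch of what a RADIUS proxy has to do to put a Class (25) attribute into a reply it relays, following the RFC 2865 Response Authenticator and RFC 2869 Message-Authenticator rules. The secrets, IDs, authenticators and the `OU=sales` value are constructed, and the function names are hypothetical. The proxy validates the cloud server's reply with the cloud-side secret, appends Class only to an Access-Accept, and re-signs the packet with the ASA-side secret, because the ASA never shares a secret with the cloud server.

```python
import hashlib, hmac, struct

ACCESS_ACCEPT, REPLY_MESSAGE, CLASS, MESSAGE_AUTHENTICATOR = 2, 18, 25, 80

def parse_attrs(data):
    """Split a RADIUS attribute section into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def encode_attrs(attrs):
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def build_reply(code, ident, req_auth, attrs, secret):
    """Encode a reply and sign it for the peer whose request carried req_auth."""
    attrs = [(MESSAGE_AUTHENTICATOR, bytes(16))] + [a for a in attrs if a[0] != MESSAGE_AUTHENTICATOR]
    hdr = struct.pack("!BBH", code, ident, 20 + len(encode_attrs(attrs)))
    # Message-Authenticator: HMAC-MD5 over the packet holding the Request Authenticator
    mac = hmac.new(secret, hdr + req_auth + encode_attrs(attrs), hashlib.md5).digest()
    attrs[0] = (MESSAGE_AUTHENTICATOR, mac)
    body = encode_attrs(attrs)
    # Response Authenticator: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return hdr + hashlib.md5(hdr + req_auth + body + secret).digest() + body

def verify_reply(pkt, req_auth, secret):
    """Check the length field and the Response Authenticator of a reply."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    expect = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(pkt[4:20], expect)

def relay_reply(up_pkt, up_req_auth, up_secret, nas_id, nas_req_auth, nas_secret, class_value):
    """Proxy step: validate the home server's reply, add Class, re-sign for the NAS."""
    if not verify_reply(up_pkt, up_req_auth, up_secret):
        raise ValueError("home server reply failed authenticator check")
    attrs = parse_attrs(up_pkt[20:])
    if up_pkt[0] == ACCESS_ACCEPT:  # only accepted users get a group policy
        attrs.append((CLASS, class_value))
    return build_reply(up_pkt[0], nas_id, nas_req_auth, attrs, nas_secret)

if __name__ == "__main__":
    # Constructed sample: secrets, IDs and authenticators are made up for the demo.
    up_auth, nas_auth = bytes(range(16)), bytes(range(16, 32))
    accept = build_reply(ACCESS_ACCEPT, 7, up_auth, [(REPLY_MESSAGE, b"OTP ok")], b"cloud-secret")
    out = relay_reply(accept, up_auth, b"cloud-secret", 42, nas_auth, b"asa-secret", b"OU=sales")
    print(parse_attrs(out[20:]), verify_reply(out, nas_auth, b"asa-secret"))
```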

