Multi-stage PAM authentication
Rothstein, Joseph
joseph.rothstein at roche.com
Tue Jun 12 18:07:04 CEST 2018
Thanks to all for responses.
We have developed a token-based PAM library to perform authentication on
stand-alone systems. Tokens are requested from a corporate portal, and are
issued for a specific user, device, and time period. Each group of devices
has its own key, and this key is then used to "de-crypt" the token and
confirm validity period.
We would like to adapt this PAM library to support FortiGate admin
logon against a radius server with the PAM module installed.
I have seen a couple of screenshots of Token challenges on the FortiGate
(specifically from Centrify Howto), so I have to assume that this works.
I can authenticate against FreeRadius with static usernames and passwords
without issue.
Thanks, Joe
On Fri, May 18, 2018 at 4:35 PM, Alan DeKok <aland at deployingradius.com>
wrote:
> On May 18, 2018, at 10:20 AM, Rothstein, Joseph <
> joseph.rothstein at roche.com> wrote:
> >
> > I am trying to authenticate users on a FortiGate firewall against a Radius
> > server with a custom PAM library. This PAM library is based on individuals'
> > enterprise username and a time-bound token which is validated by a key file
> > installed on the server.
>
> What exact piece does what? i.e. what packets get sent where? The
> above description isn't clear.
>
> > I have verified the library works for SSH authentication, however, this is
> > generally done in two stages. First by entering a fixed username, and then
> > the system re-prompts the user for his personal enterprise username for
> > which the token was issued.
>
> The pam_auth_radius module from the FreeRADIUS project does
> challenge-response just fine.
>
> > The problem I have, is that the FortiGate GUI does not allow this secondary
> > username/token entry.
>
> One solution then is to fix the FortiGate GUI... you can't really fix a
> third-party product by poking FreeRADIUS.
>
> > I was wondering if there is a way of configuring this "standard username"
> > in the "users" config file under the "Auth-type = PAM", and then passing
> > the corporate credentials and token through to PAM, as this is all I really
> > can enter in the FortiGate login GUI.
>
> Maybe... but this is all a vague description. Please describe the
> system in more detail.
>
> What people *normally* do with things like RSA is to have the user enter
> the password as the 6-digit OTP, followed by their own custom password.
>
> FreeRADIUS then splits the password into two fields. Then checks the
> RSA token against RSA, and the user's password against the user database.
>
> Alan DeKok.
--
*Joseph Rothstein*
Senior Security Architect
Roche Diagnostics International AG
Forrenstrasse 2
CH-6343 Rotkreuz
Switzerland
Tel.: +41 41 792 5556
Mobile: + 41 79 900 2508
mailto: joseph.rothstein at roche.com
www.roche.ch/rotkreuz
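The single-field approach Alan describes (fixed-length token first, the user's own password after it), applied to the device-group-keyed, time-bound tokens Joe outlines. This is an added illustration, not the thread's PAM library or any FreeRADIUS code: the token format (hex not-before, not-after and a truncated HMAC under the device group's key), the group/device/user tables and all names are constructed assumptions.

```python
import hmac
import hashlib
import time

# Constructed stand-ins for the deployment in the thread (assumed names; the real
# key handling and token format are not described on the page).
GROUP_KEYS = {"branch-firewalls": b"constructed-group-key-do-not-reuse"}
DEVICE_GROUP = {"fw-zurich-01": "branch-firewalls"}
# Enterprise username -> password; plain text only to keep the example short.
USERS = {"jdoe": "correct horse battery", "alice": "other secret"}
TOKEN_LEN = 24  # 8 hex chars not-before + 8 hex chars not-after + 8 hex chars MAC

def _mac(group_key, user, device, nbf, exp):
    msg = f"{user}|{device}|{nbf:08x}|{exp:08x}".encode()
    return hmac.new(group_key, msg, hashlib.sha256).hexdigest()[:8]

def issue_token(user, device, nbf, exp):
    """Portal side (hypothetical format): bind a validity window to user and device."""
    key = GROUP_KEYS[DEVICE_GROUP[device]]
    return f"{nbf:08x}{exp:08x}{_mac(key, user, device, nbf, exp)}"

def split_combined(combined):
    """Alan's scheme: a fixed-length token followed by the user's own password."""
    if len(combined) <= TOKEN_LEN:
        return None
    token, password = combined[:TOKEN_LEN], combined[TOKEN_LEN:]
    try:
        int(token, 16)
    except ValueError:
        return None
    return token, password

def verify_token(user, device, token, now):
    """Server/PAM side: check the window, then recompute the MAC with the group key."""
    group = DEVICE_GROUP.get(device)
    if group is None:
        return False
    nbf, exp = int(token[:8], 16), int(token[8:16], 16)
    if not (nbf <= now <= exp):
        return False
    expected = _mac(GROUP_KEYS[group], user, device, nbf, exp)
    return hmac.compare_digest(token[16:], expected)

def authenticate(user, device, combined, now=None):
    """Both halves must pass; the client cannot tell which half failed."""
    now = int(time.time()) if now is None else now
    parts = split_combined(combined)
    if parts is None or user not in USERS:
        return False
    token, password = parts
    token_ok = verify_token(user, device, token, now)
    password_ok = hmac.compare_digest(password.encode(), USERS[user].encode())
    return token_ok and password_ok
```

In FreeRADIUS itself the split would be done in unlang on User-Password before handing each half to its own check; the token binding to user and device is what stops a token issued to one person being presented under another username.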