Multi-stage PAM authentication

Alan DeKok aland at deployingradius.com
Fri May 18 16:35:37 CEST 2018


On May 18, 2018, at 10:20 AM, Rothstein, Joseph <joseph.rothstein at roche.com> wrote:
> 
> I am trying to authenticate users on a FortiGate firewall against a RADIUS
> server with a custom PAM library.  This PAM library is based on an individual's
> enterprise username and a time-bound token which is validated by a key file
> installed on the server.

  What exact piece does what?  i.e. what packets get sent where?  The above description isn't clear.

> I have verified the library works for SSH authentication, however, this is
> generally done in two stages. First by entering a fixed username, and then
> the system re-prompts the user for his personal enterprise username for
> which the token was issued.

  The pam_auth_radius module from the FreeRADIUS project does challenge-response just fine.

> The problem I have, is that the FortiGate GUI does not allow this secondary
> username/token entry.

  One solution then is to fix the FortiGate GUI... you can't really fix a third-party product by poking FreeRADIUS.

> I was wondering if there is a way of configuring this "standard username"
> in the "users" config file under the "Auth-type = PAM", and then passing
> the corporate credentials and token through to PAM, as this is all I really
> can enter in the FortiGate login GUI.

  Maybe... but this is all a vague description.  Please describe the system in more detail.

  What people *normally* do with things like RSA is to have the user enter the password as the 6-digit OTP, followed by their own custom password.

  FreeRADIUS then splits the password into two fields.  It then checks the RSA token against RSA, and the user's password against the user database.

  Alan DeKok.
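The split-password scheme Alan describes, as an added illustration that is not part of the original thread and not FreeRADIUS's own code: the user types the 6-digit OTP immediately followed by their own password in the single password field, the server splits on the fixed-width prefix, and each half is verified against its own backend. In FreeRADIUS itself this split is done in unlang in the authorize section before the Auth-Type is chosen; the Python below only models that logic. The RSA SecurID check is replaced by an RFC 6238 TOTP computation (HMAC-SHA1), and the user store, salt, secret and usernames are constructed for the example.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

OTP_DIGITS = 6
OTP_STEP = 30

# Constructed sample user store (not from the original post): the password is
# kept as a salted PBKDF2 hash, the OTP seed as raw bytes. Both are hypothetical.
SALT = b"constructed-salt"
USERS = {
    "jdoe": {
        "password_hash": hashlib.pbkdf2_hmac("sha256", b"hunter2!", SALT, 100_000),
        "otp_secret": b"0123456789abcdef0123",
    }
}


def split_password(combined: str) -> Optional[Tuple[str, str]]:
    """Split '<6-digit OTP><password>' into (otp, password).

    The OTP goes first because it has a fixed width; the user's own password
    may contain digits, so splitting from the other end would be ambiguous.
    Returns None when the field cannot be parsed.
    """
    if len(combined) <= OTP_DIGITS:
        return None
    otp, password = combined[:OTP_DIGITS], combined[OTP_DIGITS:]
    if not otp.isdigit():
        return None
    return otp, password


def totp(secret: bytes, now: int, step: int = OTP_STEP, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP with HMAC-SHA1; stands in for the RSA token check here."""
    counter = struct.pack(">Q", now // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # RFC 4226 dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_otp(secret: bytes, otp: str, now: int, skew: int = 1) -> bool:
    """Accept the current window plus/minus `skew` windows of clock drift."""
    ok = False
    for delta in range(-skew, skew + 1):
        expected = totp(secret, now + delta * OTP_STEP)
        # compare_digest avoids leaking which digits matched via timing
        ok = ok | hmac.compare_digest(expected, otp)
    return ok


def verify_password(stored_hash: bytes, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    return hmac.compare_digest(stored_hash, candidate)


def authenticate(username: str, combined: str, now: Optional[int] = None) -> bool:
    """Verify both factors; reject if either fails or the field cannot be split."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    parts = split_password(combined)
    if user is None or parts is None:
        return False
    otp, password = parts
    # Evaluate both factors unconditionally rather than short-circuiting, so the
    # response time does not reveal which factor was wrong.
    otp_ok = verify_otp(user["otp_secret"], otp, now)
    pw_ok = verify_password(user["password_hash"], password)
    return otp_ok and pw_ok


if __name__ == "__main__":
    now = int(time.time())
    code = totp(USERS["jdoe"]["otp_secret"], now)
    print("login ok:", authenticate("jdoe", code + "hunter2!", now))
```

A real deployment would hand the OTP half to the token server (RSA, or a PAM module as in the original question) and the password half to the directory, keeping the combined string out of logs and out of any attribute that is proxied onward.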
