Multi-stage PAM authentication
Eero Volotinen
eero.volotinen at iki.fi
Fri May 18 17:44:30 CEST 2018
Hi,
We are using similar authentication, using a static password from PAM and
then two-factor from Google Authenticator.
Works fine, and the user uses a password like this: staticpart+googleauthcode
(like this: static124748)
Eero
On Fri, May 18, 2018 at 5:24 PM Rothstein, Joseph <
joseph.rothstein at roche.com> wrote:
> I am trying to authenticate users on a FortiGate firewall against a Radius
> server with a custom PAM library. This PAM library is based on an individual's
> enterprise username and a time-bound token which is validated by a key file
> installed on the server.
>
> I have verified the library works for SSH authentication, however, this is
> generally done in two stages. First by entering a fixed username, and then
> the system re-prompts the user for his personal enterprise username for
> which the token was issued. For example (SSH client):
>
> login as: standard username
>
> Corporate ID: enterprise username
> Token: [time-round token]
>
> The problem I have, is that the FortiGate GUI does not allow this secondary
> username/token entry.
>
> I was wondering if there is a way of configuring this "standard username"
> in the "users" config file under the "Auth-type = PAM", and then passing
> the corporate credentials and token through to PAM, as this is all I really
> can enter in the FortiGate login GUI.
>
> Any ideas would be appreciated.
>
> Regards to all, -JR
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
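
The concatenated credential described in the reply above (a static part followed directly by the Google Authenticator code, entered in one password field), sketched as an added example that is not code from this thread or from either poster's setup. It assumes the Google Authenticator defaults (6 digits, 30-second step, HMAC-SHA1); the function names are hypothetical, and the static part is compared in plaintext only to keep the sketch short.

```python
import hashlib
import hmac
import struct
import time

OTP_DIGITS = 6   # assumed: Google Authenticator default code length
TIME_STEP = 30   # assumed: RFC 6238 default step in seconds


def totp(secret: bytes, at: float, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    counter = struct.pack(">Q", int(at) // TIME_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def split_credential(password: str):
    """Split 'static124748' into ('static', '124748'); None if malformed."""
    if len(password) <= OTP_DIGITS:
        return None  # no room for a static part in front of the code
    static, code = password[:-OTP_DIGITS], password[-OTP_DIGITS:]
    if not (code.isascii() and code.isdigit()):
        return None
    return static, code


def verify(password, expected_static, secret, now=None, window=1):
    """Check both factors of a concatenated credential (hypothetical helper).

    A real deployment would check the static part against a password hash
    and remember used codes to reject replays; both are omitted here.
    """
    now = time.time() if now is None else now
    parts = split_credential(password)
    if parts is None:
        return False
    static, code = parts
    # Evaluate both factors before answering, so the result does not
    # reveal which of the two was wrong.
    static_ok = hmac.compare_digest(static.encode(), expected_static.encode())
    otp_ok = False
    for drift in range(-window, window + 1):  # tolerate clock skew
        candidate = totp(secret, now + drift * TIME_STEP)
        otp_ok |= hmac.compare_digest(code.encode(), candidate.encode())
    return static_ok and otp_ok
```

Because the split is positional, a static part that itself ends in digits is still handled correctly: only the last six characters are ever treated as the code.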