FreeRADIUS with custom multi-factor authentication

Eero Volotinen eero.volotinen at
Wed Feb 13 17:37:33 CET 2019


Check this out:


On Wed, Feb 13, 2019 at 6:16 PM Clint Lord <clint at> wrote:

> We are evaluating FreeRADIUS as a possible solution but we have a very
> specific authentication workflow and aren’t sure if FreeRADIUS will fit our
> needs.  We’ve searched the documentation for insights into how we might
> accomplish our goals, but haven’t seen anything that quite matches up.
> Here is our workflow:
> 1. The user enters their username and password.
> 2. The system calls a web service to validate the username and password.
> 3. If the username and password are valid, and the user’s account has MFA
> enabled:
>         a. The MFA method is executed (ex. OTP is sent via SMS message)
>         b. The system sends the user a message asking them to enter the
> OTP and allows them to submit the value.
>         c. The system validates their response by calling another web
> service.
>         d. If the response is invalid the system sends another message
> informing them of the failure and allows them to respond again (a few
> times).
> All of the account data, username/password authentication and MFA
> processing is done behind web services, we just need FreeRADIUS to allow us
> to go through the multiple request and response steps as we call these web
> services.
> We thought we might be able to use rlm_python or rlm_perl to accomplish
> this, but we are only seeing simple “func_authenticate” implementations and
> can’t see how we can facilitate this back and forth communication with the
> user.
> All we are asking are some pointers or general guidance so we can continue
> our research and determine if FreeRADIUS will meet our needs.
> Thank you for any insights, guidance, links that might help.
> Clint Lord
> The Voodoo Cube

More information about the Freeradius-Users mailing list
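
The workflow in the quoted message maps onto RADIUS challenge-response: the server answers with Access-Challenge plus a State attribute, and the client echoes State in the next Access-Request with the user's reply in User-Password. The following is an added example, not code from this thread or from FreeRADIUS; `handle_access_request`, the `ws_*` stand-ins for the two web services, the sample accounts and the three-try limit are assumptions, and it models the packet logic rather than the rlm_python API.

```python
import hmac
import secrets

MAX_OTP_TRIES = 3   # "a few times" in the workflow; the value 3 is an assumption
SESSIONS = {}       # State value -> {"user", "tries"}, kept server-side only

# Hypothetical stand-ins for the two web services (constructed sample data).
ACCOUNTS = {"alice": {"password": "s3cret", "mfa": True},
            "bob": {"password": "hunter2", "mfa": False}}
SENT_OTP = {}

def ws_check_password(user, password):
    acct = ACCOUNTS.get(user)
    return bool(acct) and hmac.compare_digest(acct["password"], password)

def ws_send_otp(user):
    SENT_OTP[user] = f"{secrets.randbelow(10**6):06d}"  # "sent via SMS"

def ws_check_otp(user, otp):
    return hmac.compare_digest(SENT_OTP.get(user, ""), otp)

def challenge(user, tries, message):
    state = secrets.token_hex(16)  # unguessable, single-use round identifier
    SESSIONS[state] = {"user": user, "tries": tries}
    return "Access-Challenge", {"Reply-Message": message, "State": state}

def handle_access_request(attrs):
    """One Access-Request in, one (packet type, reply attributes) out."""
    user = attrs.get("User-Name", "")
    secret = attrs.get("User-Password", "")
    if "State" not in attrs:                    # first round: steps 1 to 3b
        if not ws_check_password(user, secret):
            return "Access-Reject", {}
        if not ACCOUNTS[user]["mfa"]:
            return "Access-Accept", {}
        ws_send_otp(user)
        return challenge(user, 0, "Enter the code sent by SMS")
    sess = SESSIONS.pop(attrs["State"], None)   # later rounds: steps 3c and 3d
    if sess is None or sess["user"] != user:    # unknown, replayed or foreign State
        return "Access-Reject", {}
    if ws_check_otp(user, secret):
        SENT_OTP.pop(user, None)
        return "Access-Accept", {}
    if sess["tries"] + 1 >= MAX_OTP_TRIES:      # stop after the last allowed try
        SENT_OTP.pop(user, None)
        return "Access-Reject", {"Reply-Message": "Too many invalid codes"}
    return challenge(user, sess["tries"] + 1, "Invalid code, try again")
```

Each State value is popped on first use, so a replayed challenge round is rejected, and the retry counter lives on the server rather than in anything the client can alter.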