FreeRADIUS with custom multi-factor authentication

Clint Lord clint at voodoocube.com
Thu Feb 14 17:33:58 CET 2019


Thank you for your guidance, that provided us the high level direction we were looking for.

The complexity of the web services we are using for username/password validation and MFA processing leads us to believe we need to use rlm_python to write the authorize method. However, we're not finding any documentation that tells us how to create access challenges or manage state from within our Python code. We are basically looking for the list of the objects and APIs that are available to us when we are writing the authorize method in Python.

Any help knowing where to look would be appreciated.

Clint Lord
The Voodoo Cube

> 
> The typical process for challenge-response authentication is like this:
> 
> * user enters name / password (PPP, VPN, whatever)
> * the NAS sends name / password to the RADIUS server
> * the RADIUS server determines that it should challenge the user
> * it sends Access-Challenge
>   * with a Reply-Message like "Please enter token"
>   * with a State attribute that ties the challenge/response together
> * the NAS shows the message to the user, who then enters a token
> * the NAS sends a new Access-Request with
>   * same User-Name
>   * user's token as User-Password
>   * State attribute from Access-Challenge
> * the server sees that it's the same State as before, and continues authentication...
>   * all *session* data needs to be stored in the "session-state" list, which is automatically saved / restored.
> 
> e.g.
> 
> authorize {
> 	...
> 
> 	if (!State) {
> 		update reply {
> 			Reply-Message := "enter token"
> 		}
> 
> 		update session-state {
> 			Cleartext-Password := "1234"
> 		}
> 
> 		challenge
> 		return
> 	}
> 
> 	if (User-Password != &session-state:Cleartext-Password) {
> 		reject
> 	}
> }
> 
>  That's the basics.
> 
> 
>  Alan DeKok.
> 

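The exchange Alan describes above, written out as a plain-Python model so both legs can be traced end to end. This is an added example and not code from the thread or from the FreeRADIUS project; it does not reproduce the rlm_python module interface (which the thread does not document), and the `ChallengeServer`, `nas_login` and `demo` names, the dict-shaped packets, and the `check_password` / `check_token` callables standing in for the username/password and MFA web services are all assumptions made here. What it adds to the prose is the server-side handling of the State attribute: it is generated unpredictably, bound to the user it was issued for, expires, and is consumed on first use, so a response with a forged, stale, or reused State is rejected rather than accepted.

```python
# Added example: a plain-Python model of the RADIUS challenge-response flow
# (Access-Request -> Access-Challenge with Reply-Message + State -> second
# Access-Request echoing State). Packets are dicts, not real RADIUS, and the
# validation "services" are caller-supplied callables (all assumed names).
import secrets
import time

ACCESS_REQUEST = "Access-Request"
ACCESS_CHALLENGE = "Access-Challenge"
ACCESS_ACCEPT = "Access-Accept"
ACCESS_REJECT = "Access-Reject"


class ChallengeServer:
    """Server side: challenge on the first leg, check the token on the second."""

    def __init__(self, check_password, check_token, state_ttl=60.0,
                 now=time.monotonic, new_state=None):
        self.check_password = check_password   # (user, password) -> bool
        self.check_token = check_token         # (user, token) -> bool
        self.state_ttl = state_ttl             # seconds a challenge stays valid
        self.now = now                         # injectable clock for testing
        # State must be unpredictable, otherwise a client could skip the first leg.
        self.new_state = new_state or (lambda: secrets.token_hex(16))
        # Stand-in for the "session-state" list, keyed by the State value.
        self._sessions = {}

    def handle(self, request):
        user = request.get("User-Name")
        password = request.get("User-Password")
        state = request.get("State")

        if state is None:
            # First leg: validate the password, then challenge for the token.
            if not user or password is None or not self.check_password(user, password):
                return {"Code": ACCESS_REJECT}
            state = self.new_state()
            self._sessions[state] = {"User-Name": user,
                                     "expires": self.now() + self.state_ttl}
            return {"Code": ACCESS_CHALLENGE,
                    "Reply-Message": "Please enter token",
                    "State": state}

        # Second leg: State must be known, unexpired and bound to the same user.
        # pop() makes each State single-use, so a completed exchange cannot be reused.
        session = self._sessions.pop(state, None)
        if (session is None or session["expires"] < self.now()
                or session["User-Name"] != user):
            return {"Code": ACCESS_REJECT}
        # On the second leg the token travels in User-Password, as in the flow above.
        if password is None or not self.check_token(user, password):
            return {"Code": ACCESS_REJECT}
        return {"Code": ACCESS_ACCEPT}


def nas_login(server, user, password, prompt_for_token):
    """NAS side: send credentials, show Reply-Message, resend with token and State."""
    reply = server.handle({"Code": ACCESS_REQUEST,
                           "User-Name": user, "User-Password": password})
    if reply["Code"] != ACCESS_CHALLENGE:
        return reply["Code"]
    token = prompt_for_token(reply.get("Reply-Message", ""))
    reply = server.handle({"Code": ACCESS_REQUEST,
                           "User-Name": user,
                           "User-Password": token,       # token replaces the password
                           "State": reply["State"]})     # echoed from the challenge
    return reply["Code"]


def demo():
    # Constructed sample credentials standing in for the real validation services.
    passwords = {"alice": "correct horse"}
    tokens = {"alice": "123456"}
    server = ChallengeServer(
        check_password=lambda u, p: passwords.get(u) == p,
        check_token=lambda u, t: tokens.get(u) == t)
    return {
        "good": nas_login(server, "alice", "correct horse", lambda msg: "123456"),
        "bad_token": nas_login(server, "alice", "correct horse", lambda msg: "000000"),
        "bad_password": nas_login(server, "alice", "wrong", lambda msg: "123456"),
        # Second-leg request whose State was never issued by this server.
        "forged_state": server.handle({"Code": ACCESS_REQUEST, "User-Name": "alice",
                                       "User-Password": "123456",
                                       "State": "not-issued"})["Code"],
    }


if __name__ == "__main__":
    for name, code in demo().items():
        print(f"{name}: {code}")
```

The injectable `now` and `new_state` hooks exist only so the expiry and single-use behaviour can be exercised deterministically; in a real deployment the State value should always come from a cryptographic random source, as the default does.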



More information about the Freeradius-Users mailing list