FreeRADIUS with custom multi-factor authentication
youngmojo at nd.edu
Thu Feb 14 21:13:12 CET 2019
We use duoproxy in front of freeradius. After the user enters username and
password, and they are validated and authenticated, the duoproxy will
execute the second factor validation.
On Wed, Feb 13, 2019 at 11:16 AM Clint Lord <clint at voodoocube.com> wrote:
> We are evaluating FreeRADIUS as a possible solution but we have a very
> specific authentication workflow and aren’t sure if FreeRADIUS will fit our
> needs. We’ve searched the documentation for insights into how we might
> accomplish our goals, but haven’t seen anything that quite matches up.
> Here is our workflow:
> 1. The user enters their username and password.
> 2. The system calls a web service to validate the username and password.
> 3. If the username and password are valid, and the user’s account has MFA
>    a. The MFA method is executed (ex. OTP is sent via SMS message)
>    b. The system sends the user a message asking them to enter the
>       OTP and allows them to submit the value.
>    c. The system validates their response by calling another web
>    d. If the response is invalid the system sends another message
>       informing them of the failure and allows them to respond again (a few
> All of the account data, username/password authentication and MFA
> processing is done behind web services, we just need FreeRADIUS to allow us
> to go through the multiple request and response steps as we call these web
> We thought we might be able to use rlm_python or rlm_perl to accomplish
> this, but we are only seeing simple “func_authenticate” implementations and
> can’t see how we can facilitate this back and forth communication with the
> All we are asking are some pointers or general guidance so we can continue
> our research and determine if FreeRADIUS will meet our needs.
> Thank you for any insights, guidance, links that might help.
> Clint Lord
> The Voodoo Cube
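The workflow quoted above maps onto RADIUS challenge-response (RFC 2865): the server answers the first Access-Request with an Access-Challenge carrying a State attribute, and the client echoes State in a new Access-Request whose User-Password holds the OTP. The sketch below is an added example, not code from either poster or from FreeRADIUS; the `ws_*` functions, the `USERS` table, the retry limit and the TTL are constructed stand-ins for the web services the question describes.

```python
import hmac, secrets, time

MAX_OTP_TRIES = 3   # assumption: the "few" retries of step 3d
SESSION_TTL = 120   # assumption: seconds a pending challenge stays valid
# Constructed accounts standing in for the web-service backend.
USERS = {"alice": {"password": "correct horse", "mfa": True, "otp": "492817"},
         "bob": {"password": "hunter2", "mfa": False, "otp": None}}
sessions = {}       # State value -> pending challenge record

def ws_check_password(user, password):   # hypothetical web service (step 2)
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["password"].encode(), password.encode())

def ws_mfa_enabled(user):                # hypothetical web service (step 3)
    return USERS[user]["mfa"]

def ws_send_otp(user):                   # hypothetical web service (step 3a); would send the SMS
    pass

def ws_check_otp(user, otp):             # hypothetical web service (step 3c)
    return hmac.compare_digest(USERS[user]["otp"].encode(), otp.encode())

def challenge(user, tries_left, message, now):
    # A fresh, unguessable State per round, bound server-side to the user.
    state = secrets.token_hex(16)
    sessions[state] = {"user": user, "tries_left": tries_left, "expires": now + SESSION_TTL}
    return {"code": "Access-Challenge", "State": state, "Reply-Message": message}

def handle_access_request(attrs, now=None):
    now = time.time() if now is None else now
    user, state = attrs.get("User-Name"), attrs.get("State")
    secret = attrs.get("User-Password", "")
    if state is None:                    # first round: password check
        if not ws_check_password(user, secret):
            return {"code": "Access-Reject"}
        if not ws_mfa_enabled(user):
            return {"code": "Access-Accept"}
        ws_send_otp(user)
        return challenge(user, MAX_OTP_TRIES, "Enter the code sent by SMS", now)
    sess = sessions.pop(state, None)     # State is single-use: replays fail
    if sess is None or sess["user"] != user or now > sess["expires"]:
        return {"code": "Access-Reject"}
    if ws_check_otp(user, secret):
        return {"code": "Access-Accept"}
    if sess["tries_left"] <= 1:          # retries exhausted
        return {"code": "Access-Reject"}
    return challenge(user, sess["tries_left"] - 1, "Invalid code, try again", now)
```

The points that carry over to a real deployment are that State is random, single-use, bound to the user who passed the password step, and expires, so an OTP round cannot be replayed or entered without a prior successful first factor.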