RADIUS TOTP Setup

Nemanja Simpraga nsimpraga at iolap.com
Wed Nov 11 10:47:44 CET 2020


Hi again,

I was researching the exact concept of the OTP+RADIUS implementation; I would just like confirmation that I got it right:
	1. Set up the OTP server which generates seeds for the TOTP tokens
	2. Bind a user in RADIUS with a token using a seed the OTP server generated
	3. Import the seed into BitWarden which will create the token/TOTP generator there

After that I am ready for authentication.
How I think authentication works (correct me if I am wrong):
	1. Use the TOTP code BitWarden generates when authenticating against RADIUS together with the defined username of the user
	2. RADIUS checks the seed associated with that username
	3. RADIUS takes the TOTP code I input and forwards it to the OTP server together with the associated seed
	4. The OTP server checks if the code that was input matches what it has got in its own token with the appropriate seed
	5. Whether it's correct or not, it returns that result to RADIUS which then either says ACCESS_ACCEPT or ACCESS_REJECT depending on what the OTP server said

Basically, the OTP server has a token with an associated seed that is generating codes all the time. Using that seed you can create a sort of a duplicate of that token in any sort of authenticator generating the same TOTP codes as the original OTP token on the server. Whenever you are authenticating, what your TOTP generator generates has to match what the OTP server has got, if you want auth to succeed. 
Lastly, what the 3 components of the system (RADIUS, OTP server, TOTP generator (BitWarden in my case)) have in common is the seed, which binds all of the components together.

Have I got it right? The last part about the seed binding everything together is what I am wondering the most about. 
It's crucial for me to understand what is going on exactly, before I can start the actual engineering. Thank you in advance!

Best regards,
NEMANJA ŠIMPRAGA
System Network Administrator
nsimpraga at iolap.com
+385 95 922 71 70
-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+nsimpraga=iolap.com at lists.freeradius.org> On Behalf Of Cornelius Kölbel via Freeradius-Users
Sent: Friday, October 23, 2020 3:43 PM
To: freeradius-users at lists.freeradius.org
Cc: Cornelius Kölbel <cornelius.koelbel at netknights.it>
Subject: Re: RADIUS TOTP Setup



Hello Nemanja,

all external OTP solutions like multiOTP or LinOTP (I would however recommend privacyIDEA, since I am working on this ;-) come as a plugin to FreeRADIUS.
See
https://privacyidea.readthedocs.io/en/latest/application_plugins/rlm_perl.html

You could have all the logic in this plugin, but usually you have a plugin that does the glue code and communicates to the OTP server.

You then would configure FreeRADIUS s.th. like this:

~~~~
authenticate {
     Auth-Type Perl {
        perl  # This would e.g. communicate to the OTP server
     }
     digest
     unix
}
~~~~

The OTP server then would verify the credentials, communicate back to the rlm which then would cause an ACCESS_ACCEPT, ACCESS_REJECT or ACCESS_CHALLENGE.
Yes, even ACCESS_CHALLENGE can be supported; this way a user can log in with a static password, which would cause an ACCESS_CHALLENGE, and then the user would have to provide his TOTP.

If Bitwarden simply generates TOTP codes, you can import the **seed** of the token to your MFA management system.

Hope this helps.

Kind regards
Cornelius


Am Freitag, den 23.10.2020, 13:31 +0000 schrieb Nemanja Simpraga:
> Greetings,
>
> I am working on a TOTP authentication method setup with FreeRADIUS.
> For starters, I'd just like to generate a static user which uses TOTP 
> (Time-based One-Time Passwords) to authenticate against the server.
> My company uses BitWarden which has an integrated Authenticator 
> feature which can generate TOTP tokens which you can use for passing 
> MFA challenges and logging in.
> Is it possible to have a user defined in RADIUS which is bound to a 
> BitWarden token generator in some way? We do the same thing for 
> accounts in our directory. The codes MSFT generates for their intended 
> MSFT Auth mobile app I put into the BitWarden token generator to bind 
> those accounts to the generator.
> After that I can use the codes from BitWarden to pass the MFA 
> challenge and sign in.
>
> I've read about multiOTP and LinOTP but I can't seem to understand how 
> they fit into this picture.
> Am I going in the right direction with this? Is this BitWarden setup 
> possible?
>
> I am still quite new to FreeRADIUS, so bear with me. Thank you!
>
> Best regards,
--
Cornelius Kölbel
cornelius.koelbel at netknights.it
Tel:+49-561-9979-1540

NetKnights GmbH    https://www.netknights.it
Ludwig-Erhard-Str. 12, 34131 Kassel, Germany
Tel:+49-561-3166797      Fax:+49-561-3166798

Amtsgericht Kassel      HRB 16405
Geschäftsführer: Cornelius Kölbel
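To make concrete the point both mails turn on (the same seed in BitWarden and on the OTP server produces the same codes, and the OTP server's verdict becomes the RADIUS accept/reject), here is an added example that is not part of the thread and not privacyIDEA's or FreeRADIUS's code. It implements RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) as both the generator side and a minimal stand-in OTP server; the seed is the RFC 6238 test-vector secret, base32-encoded, and the user name and the `OtpServer` class are constructed for the demo.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo seed: the RFC 6238 test secret "12345678901234567890", base32-encoded.
DEMO_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30    # seconds per time step
DIGITS = 6   # code length


def totp(seed_b32: str, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Generate the RFC 6238 TOTP code (HMAC-SHA1) valid at unix_time.

    This is what BitWarden's authenticator computes from the imported seed.
    """
    key = base64.b32decode(seed_b32, casefold=True)
    counter = unix_time // step                      # time step number
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpServer:
    """Stand-in for the OTP server: holds one seed per user and verifies codes.

    The RADIUS plugin hands over (user, code); the verdict becomes Access-Accept
    or Access-Reject. Verification tolerates `window` steps of clock skew and
    refuses to accept a code for a time step that was already used (replay guard).
    """

    def __init__(self, window: int = 1):
        self.seeds = {}          # user -> base32 seed
        self.last_counter = {}   # user -> highest time step already accepted
        self.window = window

    def enroll(self, user: str, seed_b32: str) -> None:
        self.seeds[user] = seed_b32

    def verify(self, user: str, code: str, now: int) -> str:
        seed = self.seeds.get(user)
        if seed is None:
            return "Access-Reject"                   # unknown user: no seed to check against
        counter = now // STEP
        for delta in range(-self.window, self.window + 1):
            cand = counter + delta
            if cand <= self.last_counter.get(user, -1):
                continue                             # this step's code was already consumed
            if hmac.compare_digest(totp(seed, cand * STEP), code):
                self.last_counter[user] = cand
                return "Access-Accept"
        return "Access-Reject"
```

The first `verify` call with a correct code succeeds; repeating the same code for the same step is rejected, and a code from the previous 30-second step is still accepted within the one-step window.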