RADIUS TOTP Setup

Cornelius Kölbel cornelius.koelbel at netknights.it
Fri Oct 23 15:42:48 CEST 2020


Hello Nemanja,

all external OTP solutions like multiOTP or LinOTP (I would however
recommend privacyIDEA, since I am working on this ;-) come as a plugin
to FreeRADIUS.
See 
https://privacyidea.readthedocs.io/en/latest/application_plugins/rlm_perl.html

You could have all the logic in this plugin, but usually you have a
plugin that does the glue code and communicates to the OTP server.

You then would configure FreeRADIUS something like this:

~~~~
authenticate {
    Auth-Type Perl {
        perl  # This would e.g. communicate to the OTP server
    }
    digest
    unix
}
~~~~

The OTP server then would verify the credentials, communicate back to
the rlm which then would cause an ACCESS_ACCEPT, ACCESS_REJECT or
ACCESS_CHALLENGE.
Yes, even ACCESS_CHALLENGE can be supported; this way a user can log in
with a static password, which would cause an ACCESS_CHALLENGE, and then
the user would have to provide his TOTP.

If Bitwarden simply generates TOTP codes, you can import the **seed**
of the token to your MFA management system.

Hope this helps.

Kind regards
Cornelius


On Friday, 23.10.2020, 13:31 +0000, Nemanja Simpraga wrote:
> Greetings,
> 
> I am working on a TOTP authentication method setup with FreeRADIUS.
> For starters, I'd just like to generate a static user which uses TOTP
> (Time-based One-Time Passwords) to authenticate against the server.
> My company uses BitWarden which has an integrated Authenticator
> feature which can generate TOTP tokens which you can use for passing
> MFA challenges and logging in.
> Is it possible to have a user defined in RADIUS which is bound to a
> BitWarden token generator in some way? We do the same thing for
> accounts in our directory. The codes MSFT generates for their
> intended MSFT Auth mobile app I put into the BitWarden token
> generator to bind those accounts to the generator.
> After that I can use the codes from BitWarden to pass the MFA
> challenge and sign in.
> 
> I've read about multiOTP and LinOTP but I can't seem to understand
> how they fit into this picture.
> Am I going in the right direction with this? Is this BitWarden setup
> possible?
> 
> I am still quite new to FreeRADIUS, so bear with me. Thank you!
> 
> Best regards,
> 
> 
> NEMANJA ŠIMPRAGA
> System Network Administrator
> nsimpraga at iolap.com
>     +385 95 922 71 70
-- 
Cornelius Kölbel 
cornelius.koelbel at netknights.it
Tel:+49-561-9979-1540
 
NetKnights GmbH    https://www.netknights.it
Ludwig-Erhard-Str. 12, 34131 Kassel, Germany
Tel:+49-561-3166797      Fax:+49-561-3166798
 
Amtsgericht Kassel      HRB 16405
Managing Director: Cornelius Kölbel
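The two-leg flow described above (static password answered with ACCESS_CHALLENGE, then the TOTP checked against the imported seed), as an added Python example that is not from the original post and not privacyIDEA's own code: `totp()` implements RFC 6238 with HMAC-SHA1, 30-second steps and 6 digits, and `radius_auth()` is a hypothetical stand-in for the decision the OTP server hands back to the rlm. The user store, the static password and the State handling are constructed; the seed is the RFC 6238 test-vector key in base32.

```python
import base64
import hashlib
import hmac
import secrets
import struct

TIME_STEP = 30          # RFC 6238 default step in seconds
DIGITS = 6


def totp(seed_b32, for_time, step=TIME_STEP, digits=DIGITS):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 seed at UNIX time for_time."""
    key = base64.b32decode(seed_b32.upper() + "=" * (-len(seed_b32) % 8))
    counter = struct.pack(">Q", int(for_time) // step)          # 8-byte big-endian step count
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(seed_b32, code, now, window=1):
    """Accept the code for the current step or +/- `window` steps of clock drift."""
    return any(hmac.compare_digest(totp(seed_b32, now + d * TIME_STEP), code)
               for d in range(-window, window + 1))


# Constructed user store; seed = base32 of the RFC 6238 test key "12345678901234567890".
USERS = {"nemanja": {"password": "static-pw",
                     "seed": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}}
PENDING = {}   # RADIUS State value -> username waiting for the TOTP leg


def radius_auth(user, password, state=None, now=0):
    """Hypothetical OTP-server decision for one Access-Request.
    Leg 1 (no State): static password -> Access-Challenge plus a fresh State.
    Leg 2 (State echoed back): User-Password carries the TOTP -> Accept/Reject."""
    record = USERS.get(user)
    if record is None:
        return "Access-Reject", None
    if state is None:
        if not hmac.compare_digest(password.encode(), record["password"].encode()):
            return "Access-Reject", None
        token = secrets.token_hex(16)
        PENDING[token] = user
        return "Access-Challenge", token
    if PENDING.pop(state, None) != user:          # unknown, foreign or already used State
        return "Access-Reject", None
    if verify_totp(record["seed"], password, now):
        return "Access-Accept", None
    return "Access-Reject", None
```

In the real deployment the rlm_perl glue forwards the two requests to the OTP server and maps its answer onto the reply code; the State attribute is what ties the second request to the first.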
