2 servers - frontend + backend: auth + attributes
Alan DeKok
alan.dekok at inkbridge.io
Tue Sep 30 16:10:58 UTC 2025
On Sep 30, 2025, at 1:09 AM, Andrei Katsuk <steep8 at gmail.com> wrote:
> It is PAP protocol - so Access-Request contains User-Name / User-Password
OK...
>> What do you mean by MFA?
> It is under another investigation. For now it is password + otp. It
> may be one string password&otp or separate 2FA: password/otp
You'll have to decide which one it is before building a solution.
>> How does FreeRADIUS verify the MFA / password?
> I expect that rlm_rest module with backend server will check otp or
> even password + otp
Then you can do that today. Just have the REST module check the password in the authorize section. Then if it fails, reject the request.
After checking the password in REST, you can then tell the server to proxy the packet.
>> If you go through the documentation, it documents everything you need to put together a solution.
> For now I'm stuck a bit with Proxy, which activates in the authorize
> section and skips authenticate section.
You don't need to run the REST module in the authenticate section.
> It seems that verifying password&otp in other sections (except the
> authenticate section) does not allow us to follow the FreeRADIUS
> design flow.
You can run a module method from a different section by using the section name. This is documented.
    authorize {
        ...
        rest.authenticate # runs the "authenticate" method of the "rest" module
    }
Alan DeKok.
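
The flow described in the reply above (check the password via REST in authorize, reject on failure, then proxy), written out as an added example that is not part of the original message. It assumes FreeRADIUS v3 syntax, a realm named "backend" already defined in proxy.conf, and a configured authenticate subsection in the rest module; the realm name is hypothetical.

```unlang
authorize {
	# Run the "authenticate" method of the rest module from the
	# authorize section, as suggested in the message above.
	# The REST backend receives the PAP credentials (User-Name /
	# User-Password) and decides whether password + OTP are valid.
	rest.authenticate

	# Fail closed: anything other than a positive answer from the
	# REST backend ends the request with Access-Reject.
	# (reject/fail normally stop authorize processing on their own;
	# this also catches noop/notfound.)
	if (!ok && !updated) {
		reject
	}

	# Credentials were accepted by the REST backend, so hand the
	# packet to the second server.
	# "backend" is an assumed realm name; it must exist in proxy.conf.
	update control {
		&Proxy-To-Realm := "backend"
	}
}
```

Because the proxy decision is made only after the REST check has passed, a request with a bad password or OTP never reaches the backend RADIUS server.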