[RADIATOR] 2 Factor authentication via Authby LDAP2 and Authby OTP
Heikki Vatiainen
hvn at open.com.au
Wed Jan 5 12:36:58 UTC 2022
On 4.1.2022 12.15, Sagar Malam wrote:
> I am new to radiator and perl. I would like to implement 2FA using Authby
> LDAP2 and Authby OTP but i am not able to find any examples for
> implementing the same over the internet.
Please see goodies/duo.cfg together with goodies/otp.cfg.
duo.cfg shows how to check the password against a file (it can be SQL, LDAP,
etc. too) and then pass the request, if successful so far, to the second
factor. In this case there's no Access-Challenge required, just one
Access-Request followed by accept or reject, and it works with plain PAP
and EAP-TTLS/PAP.
If you'd like to use AuthBy OTP, something like this could work:
<AuthBy OTP>
    Identifier otp-authby
    # Add a State attribute with value 'auth-otp' to the Access-Challenge.
    # This is done in the ChallengeHook.
</AuthBy>
<Handler State=auth-otp>
    AuthBy otp-authby
</Handler>
<Handler>
    AuthByPolicy ContinueWhileAccept
    <AuthBy LDAP2>
        ConsumePassword
    </AuthBy>
    AuthBy otp-authby
</Handler>
The user first logs in with their LDAP password. If successful, the password
is cleared from the request and AuthBy OTP is called for the first time.
This triggers the ChallengeHook. Within the ChallengeHook, add a State
attribute so that the subsequent Access-Accept, which now contains the
one-time password, is caught by <Handler State=auth-otp>.
What the above requires is PAP and that the authentication client
software the user has understands Radius Access-Challenge.
Using EAP-TTLS/PAP could also work. In this case the correct use of the
State attribute needs to be checked.
Note that the above is plain Radius where a RADIUS client sends requests
to Radiator. If you'd need to have an integration to web services, that
can be problematic as Dubravko wrote earlier.
Thanks,
Heikki
--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
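As an added example, not from Heikki's message or the Radiator goodies, here is a ChallengeHook sketch that performs the State step the configuration above leaves to the hook, loaded with a line such as `ChallengeHook file:"%D/otp-challenge.pl"` inside the AuthBy OTP clause. It assumes the hook argument order shown in the comments and the $rp->add_attr method on the reply packet; both are assumptions to verify against the AuthBy OTP section of the Radiator reference manual for the version in use, and deliver_otp is a hypothetical site-specific routine.

```perl
# Added example, not part of the original post or of Radiator itself.
# ChallengeHook for <AuthBy OTP>: marks the Access-Challenge with
# State = 'auth-otp' so that the client's next Access-Request, which
# carries the one-time password, is matched by <Handler State=auth-otp>.
#
# Assumed arguments (verify against the manual for your Radiator version):
#   $self     the AuthBy OTP object
#   $user     the user name from the request
#   $p        the incoming Access-Request
#   $rp       the reply being built, sent as an Access-Challenge
#   $context  per-user context kept by AuthBy OTP between the two rounds
#   $otp      the generated one-time password, to be delivered out of band
sub {
    my ($self, $user, $p, $rp, $context, $otp) = @_;

    # Bind the second round to this exchange. A RADIUS client that
    # understands Access-Challenge echoes State unchanged in its next
    # Access-Request, which is what the Handler clause matches on.
    $rp->add_attr('State', 'auth-otp');

    # Prompt text for the user. The OTP itself must not be placed in
    # Reply-Message: it would then travel inside the Access-Challenge
    # instead of reaching the user over the separate delivery channel.
    $rp->add_attr('Reply-Message', 'Enter your one-time password');

    # Hand the OTP to the site's delivery mechanism (SMS gateway, e-mail,
    # push notification). deliver_otp is a placeholder, not a Radiator API.
    # deliver_otp($user, $otp);

    # Log which user was challenged, without logging the OTP value.
    $self->log($main::LOG_DEBUG, "OTP challenge issued for $user", $p);

    return 1;
}
```

The `$self->log($main::LOG_DEBUG, ...)` call follows the logging form used by Radiator hooks in the goodies directory; if your version differs, replace it with the logging call the manual documents.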