README.md 5.66 KB
Frederik Lindenaar authored

privacyidea-checkotp
====================
Scripts implementing the [PrivacyIDEA](http://www.privacyidea.org) OTP (One
Time Password) check, one implemented as a shell script and the other in Python,
to integrate with [FreeRadius](http://www.freeradius.org) in environments where
the FreeRadius Perl plugin is not available to use the standard check script
(e.g. on OS X).
**Version 2.0**, latest version, documentation and bugtracker available on my
[GitLab instance](https://gitlab.lindenaar.net/privacyidea/checkotp)
Copyright (c) 2015 - 2016 Frederik Lindenaar. Free for distribution under the
GNU General Public License, see [below](#license)


Introduction
------------
When integrating PrivacyIDEA with the stock OS X Server FreeRadius server, I got
stuck because OS X Server does not include the FreeRadius `rlm_perl` module. At
that time I created the shell script `privacyidea-checkotp` to get around this
using the available FreeRadius `rlm_exec` module. This solution suited my needs
and may have glitches, though so far it has turned out to be stable.

Recently I have reimplemented this script in Python as a starting point for my
[privacyidea-freeradiusmodule](https://gitlab.lindenaar.net/privacyidea/freeradiusmodule),
a FreeRadius `rlm_python` module (which is available on OS X Server). The Python
script is intended as a drop-in replacement for the shell script with better
error handling and logging / debugging capabilities. It is integrated in the
same way as the shell script version; the only change needed is the script name.

In case you have any comments / questions or issues, please raise them through
my [GitLab instance](https://gitlab.lindenaar.net/privacyidea/checkotp) so that
others can benefit.

Setup
-----
Both scripts will be executed using the FreeRadius `rlm_exec` module, which is
not the most efficient way to integrate but will suffice for low to medium
volume use. The script depends on `curl` and `sed` being installed, which is
the case in most environments.

The setup of this solution consists of the following steps:

  1. Setup PrivacyIDEA and make sure it is working on its own
  2. Install the shell or python version of the script as `privacyidea-checkotp`
     on your FreeRadius server and make it executable
  3. Copy the provided `privacyidea.freeradiusmodule` into the FreeRadius
     `raddb/modules` directory as `privacyidea`
  4. Update `raddb/modules/privacyidea` so that `[WRAPPERSCRIPT_PATH]` points to
     the script as installed in step #1 and `[PRIVACYIDEA_URL]` is replaced with
     the base URL of your PrivacyIDEA instance.
  5. Check your configuration by running the command configured in
     `raddb/modules/privacyidea` followed by a username and valid
     password/OTP/PIN combination (depending on your configuration).
     To avoid the password being captured in your shell history, use `` `cat` ``
     instead of the password on the command line; after entering the command,
     type the password/OTP/PIN combination as PrivacyIDEA expects it, followed by
     Enter and `CTRL-D`,
     e.g.: `` ./privacyidea-checkotp https://server.tld/path username `cat -` ``
  6. After successfully testing the base setup, add PrivacyIDEA as authorization
     and authentication provider with the following steps:
     1. Open the virtual host file you want to add PrivacyIDEA authentication to
     (typically in `raddb/sites-available`)
     2. In the section `authorize {`:
        * disable all authorization modules you do not want to succeed
        * add the following to the bottom of this section:

          ~~~
          # Use PrivacyIDEA
          if(! Service-Type == "Outbound-User") {
                update control {
                        Auth-Type := PrivacyIDEA
                }
          }
          else {
                # Service-Type == "Outbound-User"
                if(NAS-Port-Type == "Virtual" && NAS-Port > 0 ) {
                        update control {
                                Auth-Type := Accept
                        }
                }
          }
          ~~~

     3. In the section `authenticate {`:
        * Disable all authentication modules you do not want to succeed
        * add the following to the top of this section so that PrivacyIDEA
          authentication is tried first:

          ~~~
          Auth-Type PrivacyIDEA {
                privacyidea
          }
          ~~~

  7. The last step is to test the configuration: run FreeRadius as `radiusd -X`
     and check what happens with an authentication request reaching the
     FreeRadius server. The specific requirements on what needs to happen depend
     on your setup (e.g. I am normally not using any PIN codes for the OTP, but
     require the user's password followed by the OTP).

Please note that this setup works for plain-text (i.e. non-EAP) authentication
with FreeRadius, which is what my setup needs. The configuration above does not
work with EAP authentication; I am still working on that (any hints are
welcome!)
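As an added example (not the project's shell or Python script), here is the core of such an `rlm_exec` wrapper in Python: it takes the same three arguments as the test command in step 5, posts them to PrivacyIDEA's `/validate/check` endpoint and maps the JSON answer to an exit code, failing closed on anything that is not an explicit accept. The endpoint name, the `result.status` / `result.value` fields and the exit-code mapping are assumptions about the PrivacyIDEA API and `rlm_exec`, not taken from this README.

```python
# Added example, not the project's script: a minimal PrivacyIDEA
# /validate/check wrapper shaped for FreeRadius rlm_exec. Assumes the
# endpoint returns JSON with boolean result.status / result.value and
# that rlm_exec maps exit 0 to "ok" and 1 to "reject".
import json
import sys
import urllib.parse
import urllib.request

EXIT_OK, EXIT_REJECT, EXIT_FAIL = 0, 1, 2


def build_request(base_url, username, password):
    """Return (endpoint, urlencoded POST body) for /validate/check."""
    endpoint = base_url.rstrip("/") + "/validate/check"
    body = urllib.parse.urlencode({"user": username, "pass": password})
    return endpoint, body.encode("utf-8")


def evaluate_response(raw_json):
    """Map the PrivacyIDEA JSON reply to an rlm_exec exit code.
    Only status == True and value == True is an accept; an error or
    malformed reply must fail closed, never accept."""
    try:
        result = json.loads(raw_json)["result"]
        status, value = result["status"], result["value"]
    except (ValueError, KeyError, TypeError):
        return EXIT_FAIL  # unparsable or incomplete reply: server-side failure
    if status is not True:
        return EXIT_FAIL  # PrivacyIDEA reported an error for this request
    return EXIT_OK if value is True else EXIT_REJECT


def check_otp(base_url, username, password, timeout=10):
    """Perform the HTTPS call; TLS is verified by urllib by default."""
    endpoint, body = build_request(base_url, username, password)
    try:
        with urllib.request.urlopen(endpoint, data=body, timeout=timeout) as r:
            return evaluate_response(r.read().decode("utf-8"))
    except Exception as exc:  # network/TLS/HTTP errors: fail, never accept
        # log the error class only; never log the password/OTP itself
        print("privacyidea check failed: %s" % type(exc).__name__, file=sys.stderr)
        return EXIT_FAIL


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: privacyidea-checkotp <base_url> <username> <password>")
    sys.exit(check_otp(sys.argv[1], sys.argv[2], sys.argv[3]))
```

The point to verify in any such wrapper is that a non-200 reply, a TLS error or a `status: false` answer ends in a reject or fail, never in an accept.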

<a name="license">License</a>
-----------------------------
This script, documentation and configuration examples are free software: you can
redistribute and/or modify it under the terms of the GNU General Public License
as published by the Free Software Foundation, either version 3 of the License,
or (at your option) any later version.
This script, documentation and configuration examples are distributed in the
hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
General Public License for more details.

You should have received a copy of the GNU General Public License along with
this program.  If not, download it from <http://www.gnu.org/licenses/>.