privacyidea-checkotp
====================

Shell script implementing the [PrivacyIDEA](http://www.privacyidea.org) OTP (One Time Password) check to integrate with [FreeRadius](http://www.freeradius.org) in environments where the FreeRadius Perl plugin is not available to use the standard check script (e.g. on OS X 10.9).

**Version 1.0**, latest version, documentation and bugtracker available on my [GitLab instance](https://gitlab.lindenaar.net/scripts/privacyidea-checkotp)

Copyright (c) 2015 Frederik Lindenaar. Free for distribution under the GNU License, see [below](#license)

Introduction
------------

When integrating PrivacyIDEA with the stock OS X Server FreeRadius server, I was blocked by the installation not including the `rlm_perl` module. This bash (shell) script was created to get around that, as it is to be executed using the FreeRadius `rlm_exec` module. Please bear in mind that this script was written to suit my needs and probably still has a few glitches, though it has turned out to be a stable solution for me.

In case you have any comments, questions or issues, please raise them through my [GitLab instance](https://gitlab.lindenaar.net/scripts/privacyidea-checkotp) so that all users benefit.

Setup
-----

This script will be executed using the FreeRadius `rlm_exec` module, which is not the most efficient way to integrate but will suffice for low to medium volume use. The script depends on `curl` and `sed` being installed, which is the case in most environments.

The setup of this solution consists of the following steps:

1. Set up PrivacyIDEA and make sure it is working on its own.
2. Install `privacyidea-checkotp` on your FreeRadius server and make it executable.
3. Copy the provided `privacyidea.freeradiusmodule` into the FreeRadius `raddb/modules` directory as `privacyidea`.
4. Update `raddb/modules/privacyidea` so that `[WRAPPERSCRIPT_PATH]` points to the script as installed in step #1 and `[PRIVACYIDEA_URL]` is replaced with the base URL of your PrivacyIDEA instance.
5. Check your configuration by running the command configured in `raddb/modules/privacyidea` followed by a username and a valid password/OTP/PIN combination (depending on your configuration). To avoid the password being captured in your shell history, use `` `cat` `` instead of the password on the command line and, after entering the command, enter the password/OTP/PIN combination as PrivacyIDEA expects it, followed by enter and `CTRL-D`.
6. After successfully testing the base setup, add PrivacyIDEA as authorization and authentication provider with the following steps:
   1. Open the virtual host file you want to add PrivacyIDEA authentication to (typically in `raddb/sites-available`).
   2. In the section `authorize {`:
      * disable all authorization modules you do not want to succeed
      * add the following to the bottom of this section:

        ~~~
        # Use PrivacyIDEA
        if(! Service-Type == "Outbound-User") {
            update control {
                Auth-Type := PrivacyIDEA
            }
        } else {
            # Service-Type == "Outbound-User"
            if(NAS-Port-Type == "Virtual" && NAS-Port > 0) {
                update control {
                    Auth-Type := Accept
                }
            }
        }
        ~~~
   3. In the section `authenticate {`:
      * disable all authentication modules you do not want to succeed
      * add the following to the top of this section so that PrivacyIDEA authentication is tried first:

        ~~~
        Auth-Type PrivacyIDEA {
            privacyidea
        }
        ~~~
7. The last step is to test the configuration: run FreeRadius as `radiusd -X` and check what happens with authentication requests reaching the FreeRadius server. The specific requirements on what needs to happen depend on your setup (e.g. I am normally not using any PIN codes for the OTP, but require the user's password followed by the OTP).

Please note that this setup works for plain-text (i.e. non-EAP) authentication with FreeRadius, which is what my setup needs. The configuration above does not work with EAP authentication; I am still working on that (any hints for that are welcome!).

<a name="license">License</a>
-----------------------------

This script, documentation and configuration examples are free software: you can redistribute and/or modify them under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This script, documentation and configuration examples are distributed in the hope that they will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, download it from <http://www.gnu.org/licenses/>.
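Example: evaluating the PrivacyIDEA response
--------------------------------------------

The manual check in step 5 of the Setup section, and the job of an `rlm_exec` wrapper in general, come down to posting the credential to the PrivacyIDEA `/validate/check` endpoint with `curl` and deciding from the JSON reply whether FreeRadius should accept or reject. The shell functions below are an added example written for this README; they are not the `privacyidea-checkotp` script itself nor code from the PrivacyIDEA project. The three response bodies are constructed samples shaped like the `result.status` / `result.value` booleans PrivacyIDEA returns; the `/validate/check` path with `user` and `pass` parameters is the documented PrivacyIDEA validate API; the exit-code mapping (0 accept, 1 reject, 2 transport failure) is an assumption about how the `rlm_exec` caller is configured to interpret the wrapper.

```shell
#!/bin/sh
# Added example for privacyidea-checkotp's README: decide accept/reject from a
# PrivacyIDEA /validate/check reply using only sed, as an rlm_exec wrapper must.
# Exit status convention (assumed): 0 = accept, 1 = reject, 2 = transport failure.

# Constructed sample replies (not captured from a real server).
PI_ACCEPT='{"jsonrpc":"2.0","result":{"status":true,"value":true},"detail":{"message":"matching 1 tokens","serial":"TOTP0001"},"id":1}'
PI_REJECT='{"jsonrpc": "2.0", "result": {"status": true, "value": false}, "detail": {"message": "wrong otp value"}, "id": 1}'
PI_ERROR='{"jsonrpc":"2.0","result":{"status":false,"error":{"code":0,"message":"constructed error"}},"id":1}'

# pi_result_field REPLY FIELD -> prints the bare boolean of result.FIELD
# ("true"/"false"), or nothing when the field is absent.
# Only POSIX basic regex is used so this also works with BSD sed on OS X.
pi_result_field() {
    printf '%s' "$1" \
      | sed -n 's/.*"result"[[:space:]]*:[[:space:]]*{\([^}]*\)}.*/\1/p' \
      | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\([a-z]*\).*/\1/p"
}

# pi_accepted REPLY -> 0 only when the request succeeded (status) AND the
# credential matched (value). A missing or non-boolean field is a reject:
# fail closed rather than accept on a reply we do not understand.
pi_accepted() {
    [ "$(pi_result_field "$1" status)" = true ] &&
    [ "$(pi_result_field "$1" value)" = true ]
}

# pi_check_otp BASE_URL USER PASSWORD -> 0 accept, 1 reject, 2 transport failure.
# PASSWORD "-" reads the credential from stdin so it never shows up in the
# process list or shell history (the `cat` trick from the Setup section).
pi_check_otp() {
    base_url=$1; user=$2; pass=$3
    [ "$pass" = - ] && pass=$(cat)
    # --data-urlencode keeps '&', '+' and '%' in the credential intact, and
    # TLS verification is left on (no -k) so the OTP only reaches the trusted
    # server. --fail turns HTTP errors into a curl failure -> exit 2.
    response=$(curl -sS --fail --max-time 10 \
        --data-urlencode "user=$user" \
        --data-urlencode "pass=$pass" \
        "$base_url/validate/check") || return 2
    pi_accepted "$response"
}

# Stand-alone usage: ./check.sh https://pi.example.org alice -   (OTP on stdin)
if [ $# -ge 2 ]; then
    pi_check_otp "$1" "$2" "${3:--}"
    exit $?
fi
```

Returning a distinct code for a transport failure matters operationally: with the accept/reject decision tied strictly to `result.value`, a PrivacyIDEA outage, a TLS verification failure or a malformed reply can never be mistaken for a valid OTP, and the separate code lets the `radiusd -X` output from step 7 tell "wrong OTP" apart from "could not reach PrivacyIDEA".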