# privacyidea-checkotp

Shell script implementing the PrivacyIDEA OTP (One Time Password) check to integrate with FreeRadius in environments where the FreeRadius Perl plugin is not available to use the standard check script (e.g. on OS X).

Version 1.0a; the latest version, documentation and bug tracker are available on my GitLab instance.

Copyright (c) 2015 - 2016 Frederik Lindenaar. Free for distribution under the GNU License, see below.
## Introduction

When integrating PrivacyIDEA with the stock OS X Server FreeRadius server, I was blocked by the installation not including the `rlm_perl` module. This bash (shell) script was created to get around that, as it is to be executed using the FreeRadius `rlm_exec` module. Please bear in mind that this module suits my needs and probably still has a few glitches, though it turned out to be a stable solution for my needs. In case you have any comments, questions or issues, please raise them through my GitLab instance so that all users benefit.
## Setup

This script will be executed using the FreeRadius `rlm_exec` module, which is not the most efficient way to integrate but will suffice for low to medium volume use. The script depends on `curl` and `sed` being installed, which is the case in most environments.
The setup of this solution consists of the following steps:

- Set up PrivacyIDEA and make sure it is working on its own.
- Install `privacyidea-checkotp` on your FreeRadius server and make it executable.
- Copy the provided `privacyidea.freeradiusmodule` into the FreeRadius `raddb/modules` directory as `privacyidea`.
- Update `raddb/modules/privacyidea` so that `[WRAPPERSCRIPT_PATH]` points to the script as installed in step #1 and `[PRIVACYIDEA_URL]` is replaced with the base URL of your PrivacyIDEA instance.
- Check your configuration by running the command configured in `raddb/modules/privacyidea` followed by a username and a valid password/OTP/PIN combination (depending on your configuration). To avoid the password being captured in your shell history, use `` `cat` `` instead of the password on the command line; after entering the command, type the password/OTP/PIN combination as PrivacyIDEA expects it, followed by Enter and CTRL-D.
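To illustrate what the command tested in the last step looks like, here is a minimal wrapper in the same spirit (an added example, not the project's own script): `rlm_exec` runs it as `<script> <username> <password-or-OTP>`, it posts the credentials to privacyIDEA with `curl`, extracts the `result` object with `sed`, and exits 0 (accept) only when both `status` and `value` are true, failing closed on any transport or parse error. The `/validate/check` endpoint with `user`/`pass` parameters, the placeholder URL and the use of `grep`/`tr` next to `sed` are assumptions of this example, not taken from the page.

```shell
#!/bin/sh
# Added example wrapper (not the project's script). rlm_exec runs it as
# "<script> <username> <password-or-OTP>"; exit 0 means accept, 1 reject.
# PRIVACYIDEA_URL: base URL of the privacyIDEA instance (placeholder default).
PRIVACYIDEA_URL="${PRIVACYIDEA_URL:-https://privacyidea.example.invalid}"

# pi_fetch USER PASS: POST credentials to /validate/check and print the JSON
# reply. Assumption: privacyIDEA's /validate/check API with "user"/"pass"
# parameters. --fail turns HTTP errors into a non-zero exit status.
pi_fetch() {
    curl -sS --fail --max-time 10 -H 'Accept: application/json' \
        --data-urlencode "user=$1" --data-urlencode "pass=$2" \
        "$PRIVACYIDEA_URL/validate/check"
}

# pi_result_ok JSON: succeed only when the "result" object reports both
# status:true (request handled) and value:true (OTP accepted). Anything else,
# including an HTML error page or a truncated reply, fails closed.
pi_result_ok() {
    result=$(printf '%s' "$1" | tr -d '\n\r' |
        sed -n 's/.*"result" *: *{\([^}]*\)}.*/\1/p')
    [ -n "$result" ] || return 1
    printf '%s' "$result" | grep -q '"status" *: *true' || return 1
    printf '%s' "$result" | grep -q '"value" *: *true'
}

# pi_check_otp USER PASS: the full check; a failed request is a reject too.
pi_check_otp() {
    reply=$(pi_fetch "$1" "$2") || return 1
    pi_result_ok "$reply"
}

# Act as the rlm_exec command only when credentials were passed; otherwise
# the functions can be sourced (e.g. for testing).
if [ $# -ge 2 ]; then
    pi_check_otp "$1" "$2"
    exit $?
fi
```

Nothing is written to stdout on purpose, so an `rlm_exec` instance configured to parse output pairs does not pick up stray text; the exit status alone carries the decision.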
After successfully testing the base setup, add PrivacyIDEA as authorization and authentication provider with the following steps:

- Open the virtual host file you want to add PrivacyIDEA authentication to (typically in `raddb/sites-available`).
- In the section `authorize {`:
    - disable all authorization modules you do not want to succeed
    - add the following to the bottom of this section:

      ```
      # Use PrivacyIDEA
      if (! Service-Type == "Outbound-User") {
          update control {
              Auth-Type := PrivacyIDEA
          }
      } else { # Service-Type == "Outbound-User"
          if (NAS-Port-Type == "Virtual" && NAS-Port > 0) {
              update control {
                  Auth-Type := Accept
              }
          }
      }
      ```
- In the section `authenticate {`:
    - disable all authentication modules you do not want to succeed
    - add the following to the top of this section so that PrivacyIDEA authentication is tried first:

      ```
      Auth-Type PrivacyIDEA {
          privacyidea
      }
      ```
The last step is to test the configuration: run FreeRadius as `radiusd -X` and check what happens with authentication requests reaching the FreeRadius server. The specific requirements on what needs to happen depend on your setup (e.g. I am normally not using any PIN codes for the OTP, but require the user's password followed by the OTP).
Please note that this setup works for plain-text (i.e. non-EAP) authentication with FreeRadius, which is what my setup needs. The configuration above does not work with EAP authentication; I am still working on that (any hints for that are welcome!).
## License

This script, documentation and configuration examples are free software: you can redistribute and/or modify them under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This script, documentation and configuration examples are distributed in the hope that they will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, download it from http://www.gnu.org/licenses/.