privacyidea-checkotp

Shell script implementing the PrivacyIDEA OTP (One Time Password) check to integrate with FreeRadius in environments where the FreeRadius Perl plugin is not available to use the standard check script (e.g. on OS X 10.9).

Version 1.0; the latest version, documentation and bug tracker are available on my GitLab instance.

Copyright (c) 2015 Frederik Lindenaar. Free for distribution under the GNU General Public License, see below.

Introduction

When integrating PrivacyIDEA with the stock OS X Server FreeRadius server, I was blocked by the installation not including the rlm_perl module. This bash (shell) script was created to get around that: it is executed through the FreeRadius rlm_exec module instead. Please bear in mind that this module suits my needs and probably still has a few glitches, though it turned out to be a stable solution for me. In case you have any comments, questions or issues, please raise them through my GitLab instance so that all users benefit.

Setup

This script will be executed using the FreeRadius rlm_exec module, which is not the most efficient way to integrate (a new process is spawned per authentication request) but will suffice for low to medium volume use. The script depends on curl and sed being installed, which is the case in most environments.
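To show what such an rlm_exec check has to do, here is an added illustrative wrapper (example code, not the project's privacyidea-checkotp script). It assumes privacyIDEA's /validate/check endpoint answering JSON of the form {"result": {"status": true, "value": true}, ...}, and a hypothetical calling convention of script, base URL and username as arguments with the password/OTP/PIN on stdin; the parsing is done with sed/tr only, fails closed, and posts the credentials so they stay out of URLs and access logs.

```sh
#!/bin/sh
# Added example: an illustrative rlm_exec wrapper in the spirit of the README,
# not the project's privacyidea-checkotp script. Assumes privacyIDEA answers
# /validate/check with JSON like {"result": {"status": true, "value": true}, ...}
# and that the module invokes it as: <script> <PRIVACYIDEA_URL> <username>
# with the password/OTP/PIN on stdin (hypothetical calling convention).
# rlm_exec convention: exit 0 => Access-Accept, anything else => Access-Reject.

# Decide from a /validate/check JSON body; returns 0 (accept) or 1 (reject).
# Fails closed: only status:true AND value:true is an accept.
pi_result_ok() {
    # Collapse whitespace so the sed pattern does not depend on pretty-printing.
    flat=$(printf '%s' "$1" | tr -d ' \n\r\t')
    case $flat in
        *'"result":{'*) ;;
        *) return 1 ;;   # no result object at all (error page, empty body, ...)
    esac
    # Extract the inner "result" object; the first closing brace ends it, which
    # is enough for the status/value pair that privacyIDEA puts there.
    result=$(printf '%s' "$flat" | sed -n 's/.*"result":{\([^}]*\)}.*/\1/p')
    case $result in
        *'"status":true'*) ;;
        *) return 1 ;;   # API-level error: status:false
    esac
    case $result in
        *'"value":true'*) return 0 ;;
        *) return 1 ;;   # status:true but value:false => wrong password/OTP/PIN
    esac
}

# Query privacyIDEA. The user comes as an argument, the secret is read from
# stdin (the README's `cat` trick) so it never shows up in history or `ps`.
pi_check() {
    base_url=$1 user=$2
    pass=$(cat)
    # POST with --data-urlencode keeps credentials out of the URL and therefore
    # out of proxy/access logs; TLS verification stays on (no -k/--insecure).
    body=$(curl -sS --fail --max-time 10 \
        --data-urlencode "user=$user" --data-urlencode "pass=$pass" \
        "$base_url/validate/check") || return 1   # network/HTTP error => reject
    pi_result_ok "$body"
}

# Only act as the wrapper when called with the two expected arguments.
if [ "$#" -eq 2 ]; then
    pi_check "$1" "$2"
    exit $?
fi
```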

The setup of this solution consists of the following steps:

  1. Setup PrivacyIDEA and make sure it is working on its own
  2. Install the privacyidea-checkotp on your FreeRadius server and make it executable
  3. Copy the provided privacyidea.freeradiusmodule into the FreeRadius raddb/modules directory as privacyidea
  4. Update raddb/modules/privacyidea so that [WRAPPERSCRIPT_PATH] points to the script as installed in step #2 and [PRIVACYIDEA_URL] is replaced with the base URL of your PrivacyIDEA instance.
  5. Check your configuration by running the command configured in raddb/modules/privacyidea followed by a username and a valid password/OTP/PIN combination (depending on your configuration). To avoid the password being captured in your shell history, use `cat` instead of the password on the command line; after entering the command, type the password/OTP/PIN combination as PrivacyIDEA expects it, followed by enter and CTRL-D.
  6. After successfully testing the base setup, add PrivacyIDEA as authorization and authentication provider with the following steps:

    1. Open the virtual host file you want to add PrivacyIDEA authentication to (typically in raddb/sites-available)
    2. In the section authorize {:

      • disable all authorization modules you do not want to succeed
      • add the following to the bottom of this section:
        # Use PrivacyIDEA
        if(! Service-Type == "Outbound-User") {
              update control {
                      Auth-Type := PrivacyIDEA
              }
        }
        else {
              # Service-Type == "Outbound-User"
              if(NAS-Port-Type == "Virtual" && NAS-Port > 0 ) {
                      update control {
                              Auth-Type := Accept
                      }
              }
        }
    3. In the section authenticate {:

      • Disable all authentication modules you do not want to succeed
      • add the following to the top of this section so that PrivacyIDEA authentication is tried first:
        Auth-Type PrivacyIDEA {
              privacyidea
        }
  7. The last step is to test the configuration: run FreeRadius as radiusd -X and check what happens with authentication requests reaching the FreeRadius server. Specific requirements on what needs to happen depend on your setup (e.g. I am normally not using any PIN codes for the OTP, but require the user's password followed by the OTP).

Please note that this setup works for plain-text (i.e. non-EAP) authentication with FreeRadius, which is what my setup needs. The configuration above does not work with EAP authentication; I am still working on that (any hints for that are welcome!).

License

This script, documentation and configuration examples are free software: you can redistribute and/or modify them under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This script, documentation and configuration examples are distributed in the hope that they will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, download it from http://www.gnu.org/licenses/.