RADIUS TOTP Setup

RADIUS TOTP Setup

Nemanja Simpraga
Greetings,

I am working on a TOTP authentication method setup with FreeRADIUS. For starters, I'd just like to generate a static user which uses TOTP (Time-based One-Time Passwords) to authenticate against the server.
My company uses BitWarden which has an integrated Authenticator feature which can generate TOTP tokens which you can use for passing MFA challenges and logging in.
Is it possible to have a user defined in RADIUS which is bound to a BitWarden token generator in some way? We do the same thing for accounts in our directory. The codes MSFT generates for their intended MSFT Auth mobile app I put into the BitWarden token generator to bind those accounts to the generator.
After that I can use the codes from BitWarden to pass the MFA challenge and sign in.

I've read about multiOTP and LinOTP but I can't seem to understand how they fit into this picture.
Am I going in the right direction with this? Is this BitWarden setup possible?

I am still quite new to FreeRADIUS, so bear with me. Thank you!

Best regards,


Nemanja Šimpraga
System Network Administrator

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: RADIUS TOTP Setup

Cornelius Kölbel (via the Users mailing list)
Hello Nemanja,

All external OTP solutions like multiOTP or LinOTP (I would however
recommend privacyIDEA, since I am working on this ;-)) come as a plugin
to FreeRADIUS.
See
https://privacyidea.readthedocs.io/en/latest/application_plugins/rlm_perl.html

You could have all the logic in this plugin, but usually you have a
plugin that does the glue code and communicates to the OTP server.

You then would configure FreeRADIUS something like this:

~~~~
authenticate {
     Auth-Type Perl {
        perl  # This would e.g. communicate to the OTP server
     }
     digest
     unix
}
~~~~

The OTP server then would verify the credentials, communicate back to
the rlm which then would cause an ACCESS_ACCEPT, ACCESS_REJECT or
ACCESS_CHALLENGE.
Yes, even ACCESS_CHALLENGE can be supported; this way a user can log in
with a static password, which would cause an ACCESS_CHALLENGE, and then
the user would have to provide his TOTP.

If Bitwarden simply generates TOTP codes, you can import the **seed**
of the token to your MFA management system.

Hope this helps.

Kind regards
Cornelius


On Friday, 23 October 2020, at 13:31 +0000, Nemanja Simpraga wrote:

> Greetings,
>
> I am working on a TOTP authentication method setup with FreeRADIUS.
> For starters, I'd just like to generate a static user which uses TOTP
> (Time-based One-Time Passwords) to authenticate against the server.
> My company uses BitWarden which has an integrated Authenticator
> feature which can generate TOTP tokens which you can use for passing
> MFA challenges and logging in.
> Is it possible to have a user defined in RADIUS which is bound to a
> BitWarden token generator in some way? We do the same thing for
> accounts in our directory. The codes MSFT generates for their
> intended MSFT Auth mobile app I put into the BitWarden token
> generator to bind those accounts to the generator.
> After that I can use the codes from BitWarden to pass the MFA
> challenge and sign in.
>
> I've read about multiOTP and LinOTP but I can't seem to understand
> how they fit into this picture.
> Am I going in the right direction with this? Is this BitWarden setup
> possible?
>
> I am still quite new to FreeRADIUS, so bear with me. Thank you!
>
> Best regards,
>
--
Cornelius Kölbel
NetKnights GmbH    https://www.netknights.it



RE: RADIUS TOTP Setup

Nemanja Simpraga
Sorry for the late reply and thanks for the answer! I will have to look a bit further into what you suggested, but I will probably be back with more questions as soon as I have a few concrete ones. Heard you guys like those over here 😊 Cheers!

Best regards,
Nemanja Šimpraga
System Network Administrator

-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+nsimpraga=[hidden email]> On Behalf Of Cornelius Kölbel via Freeradius-Users
Sent: Friday, October 23, 2020 3:43 PM
To: [hidden email]
Cc: Cornelius Kölbel <[hidden email]>
Subject: Re: RADIUS TOTP Setup

RE: RADIUS TOTP Setup

Nemanja Simpraga
Hi again,

I was researching the exact concept of the OTP+RADIUS implementation; I would just like a confirmation that I got it right:
1. Set up the OTP server which generates seeds for the TOTP tokens
2. Bind a user in RADIUS with a token using a seed the OTP server generated
3. Import the seed into BitWarden which will create the token/TOTP generator there

After that I am ready for authentication.
How I think authentication works (correct me if I am wrong):
1. Use the TOTP code BitWarden generates when authenticating against RADIUS together with the defined username of the user
2. RADIUS checks the seed associated with that username
3. RADIUS takes the TOTP code I input and forwards it to the OTP server together with the associated seed
4. The OTP server checks if the code that was input matches what it has got in its own token with the appropriate seed
5. Whether it's correct or not, it returns that result to RADIUS which then either says ACCESS_ACCEPT or ACCESS_REJECT depending on what the OTP server said

Basically, the OTP server has a token with an associated seed that is generating codes all the time. Using that seed you can create a sort of a duplicate of that token in any sort of authenticator generating the same TOTP codes as the original OTP token on the server. Whenever you are authenticating, what your TOTP generator generates has to match what the OTP server has got, if you want auth to succeed.
Lastly, what the 3 components of the system (RADIUS, OTP server, TOTP generator (BitWarden in my case)) have in common is the seed, which binds all of the components together.

Have I got it right? The last part about the seed binding everything together is what I am wondering the most about.
It's crucial for me to understand what is going on exactly, before I can start the actual engineering. Thank you in advance!

Best regards,
Nemanja Šimpraga
System Network Administrator

-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+nsimpraga=[hidden email]> On Behalf Of Cornelius Kölbel via Freeradius-Users
Sent: Friday, October 23, 2020 3:43 PM
To: [hidden email]
Cc: Cornelius Kölbel <[hidden email]>
Subject: Re: RADIUS TOTP Setup

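The following is an added example, not code from this thread and not the code of FreeRADIUS, privacyIDEA, multiOTP, LinOTP or Bitwarden. It models in one process the two passages above: Cornelius's description of a glue module that asks the OTP server for a verdict and turns it into an ACCESS_CHALLENGE / ACCESS_ACCEPT / ACCESS_REJECT, and Nemanja's numbered picture of the seed as the thing that binds the authenticator, the OTP server and RADIUS together. The `totp()` function is RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits), which is what an authenticator app computes from an imported seed; the seed used here is the published RFC 6238 test vector, not a real secret. `OtpServer`, `radius_glue()`, the +/-1 step skew window and the replay guard are this example's own assumptions about how an OTP backend and the glue code are structured, not any project's API.

```python
"""Added example, not from the thread or from FreeRADIUS/privacyIDEA/Bitwarden:
the three-party TOTP flow (authenticator, OTP server, RADIUS glue) in one process."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference seed (ASCII "12345678901234567890"), base32-encoded the way an
# authenticator app would import it. Published test vector, not a real secret.
RFC6238_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def totp(seed_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step). The authenticator that imported the
    seed and the OTP server both run exactly this, which is why their codes agree."""
    clean = seed_b32.replace(" ", "").upper()                 # tolerate "gezd gnbv ..." style input
    key = base64.b32decode(clean + "=" * (-len(clean) % 8))   # restore base32 padding if missing
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)    # RFC 4226 HOTP counter = time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpServer:
    """The OTP server role (assumed structure): holds each user's static password and
    seed and verifies codes. The seed never leaves this component."""

    def __init__(self, window: int = 1):
        self.window = window      # accept +/- this many time steps of clock skew
        self.passwords = {}       # user -> static password (first factor)
        self.seeds = {}           # user -> base32 seed (second factor)
        self.last_step = {}       # user -> last accepted time step (replay guard)

    def enroll(self, user: str, password: str, seed_b32: str) -> None:
        self.passwords[user] = password
        self.seeds[user] = seed_b32

    def check_password(self, user: str, password: str) -> bool:
        stored = self.passwords.get(user, "")
        return user in self.passwords and hmac.compare_digest(stored.encode(), password.encode())

    def check_totp(self, user: str, code: str, now: int) -> bool:
        seed = self.seeds.get(user)
        if seed is None:
            return False
        current = now // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if hmac.compare_digest(totp(seed, step * STEP_SECONDS).encode(), code.encode()):
                if step <= self.last_step.get(user, -1):
                    return False          # this or an older step was already used: replay
                self.last_step[user] = step
                return True
        return False


def radius_glue(server: OtpServer, user: str, password: str,
                totp_code: str = None, now: int = None) -> str:
    """Model of the glue code in the FreeRADIUS module (assumed structure, not
    rlm_perl's API). Only the username and the code are forwarded to the OTP server.
    First factor alone yields Access-Challenge; first + second factor yields
    Access-Accept or Access-Reject (the thread's ACCESS_CHALLENGE/ACCEPT/REJECT)."""
    now = int(time.time()) if now is None else now
    if not server.check_password(user, password):
        return "Access-Reject"
    if totp_code is None:
        return "Access-Challenge"
    return "Access-Accept" if server.check_totp(user, totp_code, now) else "Access-Reject"


if __name__ == "__main__":
    server = OtpServer()
    server.enroll("alice", "static-pw", RFC6238_SEED_B32)  # bind user to the seed (step 2)
    t = int(time.time())
    code = totp(RFC6238_SEED_B32, t)                       # the authenticator side (step 3)
    print("first factor only  ->", radius_glue(server, "alice", "static-pw"))
    print("with current TOTP  ->", radius_glue(server, "alice", "static-pw", code, now=t))
    print("same code replayed ->", radius_glue(server, "alice", "static-pw", code, now=t))
```

Two design points worth noting for a deployment: the seed is stored only in the OTP server and is never sent across the RADIUS hop (the glue forwards the username and the six-digit code), and the server refuses a code whose time step is not newer than the last one it accepted, so a sniffed code cannot be reused within the skew window.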