Radius as Second Factor
=======================

Some proprietary, OTP-based second factor implementations expose a
Radius server that allows an authenticating application (such as
LemonLDAP::NG) to verify the validity of an OTP using the standard
Radius protocol.

.. tip::

   This page is about using Radius to connect to an external 2FA system
   for the *second factor only*. If your 2FA system works by
   concatenating the user's password and their OTP (LinOTP), you should
   probably be using :doc:`regular Radius authentication` instead.

After choosing the Radius second factor type, the user is prompted for a
code that is checked against the Radius server.

Prerequisites and dependencies
------------------------------

This feature uses ``Authen::Radius``. Before enabling it, install the
library.

For CentOS/RHEL:

.. code-block:: shell

   yum install perl-Authen-Radius

For Debian/Ubuntu, install the library with apt:

.. code-block:: shell

   apt install libauthen-radius-perl

Configuration
-------------

.. _configuration-1:

Configuration
~~~~~~~~~~~~~

All parameters are configured in "General Parameters » Second factors »
Radius second factor".

- **Activation**: set to ``On`` to activate this module, or use a
  specific rule to select which users may use this type of second factor
- **Server hostname**: the hostname of the Radius server. Since 2.17 you
  can specify multiple servers, separated by spaces, for failover.
- **Shared secret**: the secret key shared with the Radius server. Radius
  only obfuscates the OTP (sent as ``User-Password``) with MD5 keyed by
  this secret, and the same secret is what authenticates the server's
  reply, so use a long random value and keep the path to the server on a
  trusted network.
- **Session key containing login** (Optional): when verifying the OTP
  code against the Radius server, use this session attribute as the
  login (the OTP code is sent as the password). By default, the attribute
  designated as ``whatToTrace`` is used.
- **Authentication timeout** (Optional): time allowed to perform the
  authentication
- **Dictionary**: Radius dictionary file, for example
  ``/usr/share/freeradius/dictionary``. This is mandatory if you want to
  send extra request attributes.
- **Request attributes**: a list of additional Radius attributes to send
  with the Access-Request. The key is the Radius attribute name as found
  in the provided dictionary; the value is a Perl expression used to
  populate the attribute value.
- **Add login validation call**: if enabled, send an Access-Request to
  the Radius server with only the ``User-Name`` attribute and no
  ``User-Password`` before displaying the OTP form. Some Radius
  implementations use this request to trigger the delivery of the OTP to
  the user.
- **Authentication level** (Optional): if you want to overwrite the value
  sent by your authentication module, you can define the new
  authentication level here. Example: 5
- **Label** (Optional): label displayed to the user on the choice screen
- **Logo** (Optional): logo file *(in the static/ directory)*

Vendor specific
~~~~~~~~~~~~~~~

Some configuration examples for specific vendors:

.. toctree::
   :maxdepth: 1

   radius2f-inwebo
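The two Access-Requests described in the configuration section above (the optional
User-Name-only login validation call, then the OTP check carrying the code as a hidden
``User-Password`` plus any extra request attributes), modelled end to end as an added
example. This is not LemonLDAP::NG or ``Authen::Radius`` code: it is a minimal RFC 2865
encoder/decoder written for this page. The shared secret, user name, OTP value and the
``NAS-Identifier`` extra attribute are made-up sample values, and the toy server's
behaviour (record an OTP delivery and answer Access-Reject to the validation call, accept
only the matching OTP) is an assumption, since real vendors answer that first call in
different ways.

```python
"""Constructed model of the two Access-Request exchanges (RFC 2865).
Not LemonLDAP::NG or Authen::Radius code; secret, user and OTP values are made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32  # standard dictionary attribute types


def _xor_chain(data, secret, authenticator, hiding):
    # RFC 2865 5.2: block i is XORed with MD5(secret + previous *hidden* block);
    # the first block is keyed with the Request Authenticator.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        mixed = bytes(b ^ k for b, k in zip(block, key))
        out += mixed
        prev = mixed if hiding else block
    return out

def hide_password(password, secret, authenticator):
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded, secret, authenticator, hiding=True)

def unhide_password(hidden, secret, authenticator):
    # OTP codes contain no NUL bytes, so stripping the zero padding is safe here
    return _xor_chain(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")

def encode_attrs(attrs):
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value  # length covers type+len
    return out

def decode_attrs(data):
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute")
        atype, alen = struct.unpack_from("!BB", data, pos)
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs

def build_access_request(ident, secret, username, otp=None, extra=()):
    """otp=None is the User-Name-only login validation call; otherwise the OTP is sent
    as a hidden User-Password. `extra` plays the role of the Request attributes setting."""
    authenticator = os.urandom(16)  # Request Authenticator: fresh random value per request
    attrs = [(USER_NAME, username.encode())]
    if otp is not None:
        attrs.append((USER_PASSWORD, hide_password(otp.encode(), secret, authenticator)))
    attrs.extend(extra)
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def parse_access_request(packet, secret):
    code, ident, length = struct.unpack_from("!BBH", packet)
    if code != ACCESS_REQUEST or length < 20 or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs = decode_attrs(packet[20:length])
    username = next(v for t, v in attrs if t == USER_NAME).decode()
    hidden = next((v for t, v in attrs if t == USER_PASSWORD), None)
    otp = None if hidden is None else unhide_password(hidden, secret, packet[4:20]).decode()
    extra = [(t, v) for t, v in attrs if t not in (USER_NAME, USER_PASSWORD)]
    return ident, username, otp, extra

def build_response(code, request, secret, attrs=()):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def verify_response(response, request, secret):
    """Client side: the response code, or None unless the packet is a genuine reply to
    `request` from a server holding the shared secret (identifier and authenticator match)."""
    if len(response) < 20 or response[1] != request[1]:
        return None
    if struct.unpack_from("!H", response, 2)[0] != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[0] if hmac.compare_digest(expected, response[4:20]) else None

def server_handle(request, secret, expected_otp, delivered):
    """Toy OTP server (assumption): a User-Name-only request triggers OTP delivery
    (recorded in `delivered`) and gets Access-Reject; the right OTP gets Access-Accept."""
    _, username, otp, _ = parse_access_request(request, secret)
    if otp is None:
        delivered.append(username)
        return build_response(ACCESS_REJECT, request, secret)
    ok = hmac.compare_digest(otp.encode(), expected_otp.encode())
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)

def run_exchange(secret=b"testing123", user="jdoe", good_otp="482913", typed_otp="482913"):
    """Both calls in order: the optional login validation call, then the OTP check."""
    delivered = []
    extra = [(NAS_IDENTIFIER, b"lemonldap-ng")]  # what a Request attributes entry might add
    pre = build_access_request(1, secret, user)
    pre_code = verify_response(server_handle(pre, secret, good_otp, delivered), pre, secret)
    req = build_access_request(2, secret, user, typed_otp, extra)
    otp_code = verify_response(server_handle(req, secret, good_otp, delivered), req, secret)
    return {"delivered_to": delivered, "prevalidation_code": pre_code, "otp_code": otp_code}
```

Two things worth noticing when reading the exchange: ``hide_password`` is an MD5 keystream
keyed by the shared secret and a per-request random authenticator, not encryption in any
modern sense, which is why the shared secret and the network path matter as much as the
OTP itself; and ``verify_response`` is the only thing that ties an Access-Accept to the
request that was sent and to a server holding the secret, so a client that skipped that
check would accept any forged reply with the right identifier.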