Differences

documentation:2.1:radius2f [2019/08/04 14:24] (current)
maxbes created
Line 1: Line 1:
 +====== Radius as Second Factor ======
  
 +Some proprietary,​ OTP-based second factor implementations expose a Radius server that allow an authenticating application (such as LemonLDAP::​NG) to verify the validity of an OTP using the standard Radius protocol.
 +
 +<note tip>
 +This page is about using Radius to connect to an external 2FA system for the //second factor only//. If your 2FA system works by concatenating the user's password and their OTP (LinOTP), you should probably be using [[authradius|regular Radius authentication]] instead
 +</​note>​
 +
 +After choosing the Radius second factor type, the user is prompted with a code that will be checked against the Radius server.
 +
 +===== Prerequisites and dependencies =====
 +
 +This feature uses ''​Authen::​Radius''​. Before enable it, on Debian you must install it :
 +
 +For CentOS/​RHEL:​
 +<code shell>
 +yum install perl-Authen-Radius
 +</​code>​
 +
 +In Debian/​Ubuntu,​ install the library through apt-get command
 +<code shell>
 +apt-get install libauthen-radius-perl
 +</​code>​
 +
 +
 +===== Configuration =====
 +
 +==== Configuration ====
 +
 +All parameters are configured in "​General Parameters » Second factors » Mail second factor"​.
 +  * **Activation**: ​ Set to ''​On''​ to activate this module, or use a specific rule to select which users may use this type of second factor
 +  * **Server hostname**: The hostname of the Radius server
 +  * **Shared secret**: The secret key shared with the Radius server
 +  * **Session key containing login** (Optional): When verifying the OTP code against the Radius server, use this attribute as the login and the OTP code as password. By default, the attribute designated as ''​whatToTrace''​ is used.
 +  * **Authentication timeout** (Optional) : 
 +  * **Authentication level** (Optional): if you want to overwrite the value sent by your authentication module, you can define here the new authentication level. Example: 5
 +  * **Logo** (Optional): logo file //(in static/<​skin>​ directory)//​
 +  * **Label** (Optional): label that should be displayed to the user on the choice screen
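Review bot: In the Configuration section, the menu path reads "General Parameters » Second factors » Mail second factor" on a page about the Radius second factor. This looks carried over from the mail 2FA page and would send an administrator to the wrong module, so the last element should name the Radius entry. In the same list, "Authentication timeout" has an empty description: state what the timeout covers, its unit and the default, since it governs how long the portal waits on the Radius server during login. In Prerequisites, the sentence "Before enable it, on Debian you must install it :" is immediately followed by "For CentOS/RHEL:", so the Debian lead-in dangles and is repeated further down; suggest a distribution-neutral sentence ("Before enabling it, install the module:") followed by the two per-distribution blocks. The "Configuration" heading also appears twice in a row at two levels; drop one. Minor points: "that allow" should be "that allows" in the first paragraph, and the note ending in "regular Radius authentication instead" lacks its final period.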