Radius as Second Factor¶
Some proprietary, OTP-based second factor implementations expose a Radius server that allow an authenticating application (such as LemonLDAP::NG) to verify the validity of an OTP using the standard Radius protocol.
This page is about using Radius to connect to an external 2FA system for the second factor only. If your 2FA system works by concatenating the user’s password and their OTP (LinOTP), you should probably be using regular Radius authentication instead
After choosing the Radius second factor type, the user is prompted with a code that will be checked against the Radius server.
Prerequisites and dependencies¶
This feature uses
Authen::Radius. Before enable it, on Debian you
must install it :
yum install perl-Authen-Radius
In Debian/Ubuntu, install the library through apt-get command
apt-get install libauthen-radius-perl
All parameters are configured in “General Parameters » Second factors » Mail second factor”.
Activation: Set to
Onto activate this module, or use a specific rule to select which users may use this type of second factor
Server hostname: The hostname of the Radius server
Shared secret: The secret key shared with the Radius server
Session key containing login (Optional): When verifying the OTP code against the Radius server, use this attribute as the login and the OTP code as password. By default, the attribute designated as
Authentication timeout (Optional): Allowed time to perform authentication
Dictionary: radius dictionary file ex: /usr/share/freeradius/dictionary This is mandatory if you want to send extra request attributes.
Request attributes: a list of additional Radius attributes to send with the Access Request. Key is the radius attribute name in the provided dictionary, value is a perl expression used to populate the attribute value.
Add login validation call: If enabled, send an Access-Request to the Radius server with only the User-Name attribute and no User-Password before displaying the OTP form. This can be used by some Radius implementations to trigger the delivery of the OTP to the user.
Authentication level (Optional): if you want to overwrite the value sent by your authentication module, you can define here the new authentication level. Example: 5
Label (Optional): label that should be displayed to the user on the choice screen
Logo (Optional): logo file (in static/<skin> directory)