Username, Password & OTP
Username, password and one-time password authentication.
RADIUS challenge response authentication.
The RADIUS client sends an Access Request which includes the username and password. The Fortified Integrity RADIUS server responds with an Access Challenge (if the credentials have authenticated successfully). The client then sends a second Access Request with the one-time password, and the server responds with either an Access Accept or Access Reject.
Configurable response messages can be used for further authorization on the client side.
Configuration
RADIUS Authenticator Type: UsernamePasswordOTP | RadiusUsernamePasswordOTP
Common authenticator properties can be found in the common configuration section.
pipe
Username, password validation pipe id.
N/A
otp_pipe
One-time password validation pipe id.
N/A
retry_challenge_message
Retry challenge message, commonly used when OTP retry is configured.
proceed_on_error
Always send Access-Challenge to client. If username and password validation fails for the first request, a reject message will be sent for the second (OTP) request.
true
impersonation_check
Ensures that the username is the same in both the username and password request and the one-time password request.
true
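The following Python sketch is an added example, not code from the product. It models the two-request exchange to show how proceed_on_error hides the first-factor result from the client and how impersonation_check ties the OTP request to the username of the first request. The class name, the sample credentials and the single-use State handling are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed sample credentials standing in for the two validation pipes.
PASSWORDS = {"alice": "correct horse", "bob": "hunter2"}
OTPS = {"alice": "492817", "bob": "135790"}


def _same(expected, supplied):
    # Constant-time comparison; an unknown user (expected is None) never matches.
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


class ChallengeFlow:
    """Toy model of the two-request exchange, not the product's code."""

    def __init__(self, proceed_on_error=True, impersonation_check=True):
        self.proceed_on_error = proceed_on_error
        self.impersonation_check = impersonation_check
        self.sessions = {}  # State value -> (username, first factor passed?)

    def first_request(self, username, password):
        ok = _same(PASSWORDS.get(username), password)
        if not ok and not self.proceed_on_error:
            return "Access-Reject", None
        # Assumption: the challenge is tied to the follow-up request by a
        # random, single-use RADIUS State attribute (RFC 2865).
        state = secrets.token_hex(16)
        self.sessions[state] = (username, ok)
        # With proceed_on_error the client gets a challenge either way, so
        # the reply does not reveal whether the password was right.
        return "Access-Challenge", state

    def second_request(self, username, otp, state):
        session = self.sessions.pop(state, None)
        if session is None:
            return "Access-Reject"  # unknown or already used State
        first_user, first_ok = session
        if self.impersonation_check and username != first_user:
            return "Access-Reject"  # username changed between requests
        otp_ok = _same(OTPS.get(username), otp)
        return "Access-Accept" if first_ok and otp_ok else "Access-Reject"
```
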
Logging
Apart from system logging, event logging is done when an authentication is complete.
Event ids are:
RAD_000100, Authentication success using username and password
    IDENTIFIER (user trace id)
    DESTINATION_USER_NAME (username from incoming request)
    SOURCE_ADDRESS (IP address of device starting transaction)
    CUSTOMER_IDENTIFIER (if configured)
    TRANSPORT_PROTOCOL (RADIUS)
RAD_000101, Authentication failure using username and password
    IDENTIFIER (user trace id)
    DESTINATION_USER_NAME (username from incoming request)
    SOURCE_ADDRESS (IP address of device starting transaction)
    CUSTOMER_IDENTIFIER (if configured)
    TRANSPORT_PROTOCOL (RADIUS)
RAD_000103, Authentication failure using username, password & OTP
    IDENTIFIER (user trace id)
    DESTINATION_USER_NAME (username from incoming request)
    SOURCE_ADDRESS (IP address of device starting transaction)
    CUSTOMER_IDENTIFIER (if configured)
    TRANSPORT_PROTOCOL (RADIUS)
RAD_000104, Authentication failure using username and password, safe mode enabled, sending Access Challenge
    IDENTIFIER (user trace id)
    DESTINATION_USER_NAME (username from incoming request)
    SOURCE_ADDRESS (IP address of device starting transaction)
    CUSTOMER_IDENTIFIER (if configured)
    TRANSPORT_PROTOCOL (RADIUS)
Data sent to PIPE
All RADIUS request data as strings, with the attribute name as key.