Username, Password & OTP

Username, password and one-time password authentication.

RADIUS challenge response authentication.

The RADIUS client sends an Access Request which includes the username and password. The Fortified Integrity RADIUS server responds with an Access Challenge (if the credentials have authenticated successfully). The client then sends a second Access Request with the one-time password, and the server responds with either an Access Accept or Access Reject.

Configurable response messages can be used to further authorization on the client side.

Configuration

RADIUS Authenticator Type: UsernamePasswordOTP | RadiusUsernamePasswordOTP

Common authenticator properties can be found in the common configuration section.

Name

Description

Default value

Mandatory

{  
    "id": "auth01",  
    "type": "UsernamePasswordOTP",  
    "config": {    
        "selector": {      
            "host": ".*",      
            "attrs": [        
                {                    
                    "type": 44,          
                    "value": "sms"        
                }      
            ]    
        },    
        "accept_response_attrs": [      
            {        
                "type": 33,        
                "operation": "COPY"      
            }    
        ],    
        "reject_response_attrs": [      
            {        
                "type": 18,        
                "name": "Reply-Message",        
                "value": "Sorry {{{request.User-Name}}}!"      
            }    
        ],    
        "challenge_response_attrs": [      
            {        
                "type": 18,        
                "name": "Reply-Message",        
                "value": "Please enter your one-time password!",        
                "operation": "CREATE"      
            },      
            {        
                "type": 33,        
                "operation": "COPY"      
            }    
        ],    
        "pipe": "uidpwdpipe",
        "otp_pipe": "otppipe",
        "retry_challenge_message" : "Please enter your one-time password",
        "proceed_on_error": false,    
        "impersonation_check": true  
    }
}

Logging

Apart from system logging, event logging is done when an authentication is complete.

Event ids are:

RAD_000100, Authentication success using username and password
- IDENTIFIER (user trace id)
- DESTINATION_USER_NAME (username from incoming request)
- SOURCE_ADDRESS (ip address of device starting transaction)
- CUSTOMER_IDENTIFIER (if configured)
- TRANSPORT_PROTOCOL (RADIUS)
RAD_000101, Authentication failure using username and password
- IDENTIFIER (user trace id)
- DESTINATION_USER_NAME (username from incoming request)
- SOURCE_ADDRESS (ip address of device starting transaction)
- CUSTOMER_IDENTIFIER (if configured)
- TRANSPORT_PROTOCOL (RADIUS)
RAD_000103, Authentication failure using username, password & OTP
- IDENTIFIER (user trace id)
- DESTINATION_USER_NAME (username from incoming request)
- SOURCE_ADDRESS (ip address of device starting transaction)
- CUSTOMER_IDENTIFIER (if configured)
- TRANSPORT_PROTOCOL (RADIUS)
RAD_000104, Authentication failure using username and password, safe mode enabled, sending Access Challenge
- IDENTIFIER (user trace id)
- DESTINATION_USER_NAME (username from incoming request)
- SOURCE_ADDRESS (ip address of device starting transaction)
- CUSTOMER_IDENTIFIER (if configured)
- TRANSPORT_PROTOCOL (RADIUS)

Data sent to PIPE

All RADIUS request data as strings with attribute name as key.

PreviousUsername & Password NextCEF logging