Username, Password & OTP

RADIUS challenge response authentication.

The RADIUS client sends an Access Request which includes the username and password. The Fortified Integrity RADIUS server responds with an Access Challenge (if the credentials have authenticated successfully). The client then sends a second Access Request with the one-time password, and the server responds with either an Access Accept or Access Reject.

Configurable response messages can be used to further authorization on the client side.

Configuration

{  
    "id": "auth01",  
    "type": "UsernamePasswordOTP",  
    "config": {    
        "selector": {      
            "host": ".*",      
            "attrs": [        
                {                    
                    "type": 44,          
                    "value": "sms"        
                }      
            ]    
        },    
        "accept_response_attrs": [      
            {        
                "type": 33,        
                "operation": "COPY"      
            }    
        ],    
        "reject_response_attrs": [      
            {        
                "type": 18,        
                "name": "Reply-Message",        
                "value": "Sorry {{{request.User-Name}}}!"      
            }    
        ],    
        "challenge_response_attrs": [      
            {        
                "type": 18,        
                "name": "Reply-Message",        
                "value": "Please enter your one-time password!",        
                "operation": "CREATE"      
            },      
            {        
                "type": 33,        
                "operation": "COPY"      
            }    
        ],    
        "pipe": "uidpwdpipe",
        "otp_pipe": "otppipe",
        "retry_challenge_message" : "Please enter your one-time password",
        "proceed_on_error": false,    
        "impersonation_check": true  
    }
}

Logging

Apart from system logging, event logging is done when an authentication is complete.

Event ids are:

• RAD_000100, Authentication success using username and passWord

  • IDENTIFIER (user trace id)

  • DESTINATION_USER_NAME (username from incoming request)

  • SOURCE_ADDRESS (ip address of device starting transaction)

  • CUSTOMER_IDENTIFIER (if configured)

  • TRANSPORT_PROTOCOL (RADIUS)

• RAD_000101, Authentication failure using username and passWord

  • IDENTIFIER (user trace id)

  • DESTINATION_USER_NAME (username from incoming request)

  • SOURCE_ADDRESS (ip address of device starting transaction)

  • CUSTOMER_IDENTIFIER (if configured)

  • TRANSPORT_PROTOCOL (RADIUS)

• RAD_000103, Authentication failure using username, passWord & OTP

  • IDENTIFIER (user trace id)

  • DESTINATION_USER_NAME (username from incoming request)

  • SOURCE_ADDRESS (ip address of device starting transaction)

  • CUSTOMER_IDENTIFIER (if configured)

  • TRANSPORT_PROTOCOL (RADIUS)

• RAD_000104, Authentication failure using username and passWord, safe mode enabled, sending Access Challenge

  • IDENTIFIER (user trace id)

  • DESTINATION_USER_NAME (username from incoming request)

  • SOURCE_ADDRESS (ip address of device starting transaction)

  • CUSTOMER_IDENTIFIER (if configured)

  • TRANSPORT_PROTOCOL (RADIUS)

Data sent to PIPE

All RADIUS request data as strings with attribute name as key.