worteks
/
lemonldap-ng
mirror of https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
3
0
Fork 0
Code Issues Projects Releases Wiki Activity
LemonLDAP::NG Web SSO
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
11325 Commits
107 Branches
123 Tags
109 MiB
 
 
 
 
 
Tag: Branch: Tree: da2ca7fdea
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'da2ca7fdea'
${ noResults }
lemonldap-ng/doc/sources/admin/radius2f.rst

75 lines
2.2 KiB
Raw Blame History

Radius as Second Factor
=======================
Some proprietary, OTP-based second factor implementations expose a
Radius server that allow an authenticating application (such as
LemonLDAP::NG) to verify the validity of an OTP using the standard
Radius protocol.
.. tip::
This page is about using Radius to connect to an external 2FA
system for the *second factor only*. If your 2FA system works by
concatenating the user's password and their OTP (LinOTP), you should
probably be using :doc:`regular Radius authentication<authradius>`
instead
After choosing the Radius second factor type, the user is prompted with
a code that will be checked against the Radius server.
Prerequisites and dependencies
------------------------------
This feature uses ``Authen::Radius``. Before enable it, on Debian you
must install it :
For CentOS/RHEL:
.. code-block:: shell
yum install perl-Authen-Radius
In Debian/Ubuntu, install the library through apt-get command
.. code-block:: shell
apt-get install libauthen-radius-perl
Configuration
-------------
.. _configuration-1:
Configuration
~~~~~~~~~~~~~
All parameters are configured in "General Parameters » Second factors »
Mail second factor".
- **Activation**: Set to ``On`` to activate this module, or use a
specific rule to select which users may use this type of second
factor
- **Server hostname**: The hostname of the Radius server
- **Shared secret**: The secret key shared with the Radius server
- **Session key containing login** (Optional): When verifying the OTP
code against the Radius server, use this attribute as the login and
the OTP code as password. By default, the attribute designated as
``whatToTrace`` is used.
- **Authentication timeout** (Optional) :
- **Authentication level** (Optional): if you want to overwrite the
value sent by your authentication module, you can define here the new
authentication level. Example: 5
- **Logo** (Optional): logo file *(in static/<skin> directory)*
- **Label** (Optional): label that should be displayed to the user on
the choice screen
Vendor specific
~~~~~~~~~~~~~~~
Some configuration examples for specific vendors:
.. toctree::
:maxdepth: 1
radius2f-inwebo