Allow authentication with single use passwords
doiiido opened this issue · 2 comments
Hi, I'm using your app as an alternative to ADDS Radius.
I set up freeradius authenticating an EAP-TTLS(PAP) Wi-Fi with the wrapper as the LDAP backend as a Proof-of-Concept and it works fine (Disabled MFA for the APP through Conditional Access).
The fact that I have the passwords going through unencrypted in my implementation is a major issue and I would need at least the ability to sign in with single use passwords or with a code from an authenticator app (Microsoft, Google, etc...) to make it a viable option.
I'm searching on the microsoft docs for a way to ask for a call, sms, popup or even the timed code instead of password to authenticate the users, so it would be a lot more secure.
Did you see any reference that may make this possible?
Best regards,
Lincoln.
Hi! If I understand your setup correctly, it works like:
User auth via freeradius -> freeradius redirects credentials to the wrapper -> wrapper redirects credentials to Azure AD
To use Azure MFA, it would be necessary that:
Azure AD redirects MFA-request to the wrapper -> wrapper redirects MFA-request to freeradius -> freeradius redirects MFA-request to User
and then again
User enters MFA-token -> freeradius redirects MFA-token to the wrapper -> wrapper redirects MFA-token to Azure AD
Unfortunately I see no way to get that to work. As far as I know, the MFA-token has to be entered directly on a Microsoft page and cannot be delivered subsequently via the API.
Some other ideas:
- Could you encrypt User <> freeradius and enable MFA on freeradius, so it could do the second factor validation?
- The wrapper (theoretically) supports LDAPS, so you could encrypt wrapper <> freeradius
- The wrapper could be installed directly on the freeradius server, so the connection is not seen in your network
May I ask how you set up freeradius?