RADIUS Challenge/Response for Password Portal

[gcsdroo]

The current implementation of RADIUS only allows the use of tokens/passwords that do not require a challenge/response.  Currently, if a RADIUS Challenge message is sent to the portal, a Password Incorrect message is instead shown.

 

Example Scenario [RADIUS server setup to use SMS tokencodes]:

1.  User enters their PIN and clicks Next
2. PIN is sent to RADIUS server
3. RADIUS server responds with Access-Challenge message
4. Password portal prompts user for next token code (or whatever message is sent back with the Access-Challenge)
5. User enters tokencode they received and clicks Next
6. RADIUS server respondss with Access-Granted and authentication succeed

 

This is also useful in scenarios when using hardware/software tokens via RADIUS and a PIN rotation is enabled.  The portal would need to be able chain Access-Challenge responses as there may be more than one.

[Ulf]

+1

[Steveh]

This would be helpful for us as well.

[John Horton]

I think we're after something similar, our RADIUS server is configured to send the user a PIN via SMS. We pointed Passwordstate to our RADIUS server and I received the PIN code on my phone, but Passwordstate didn't challenge me to enter the code to gain access.