
totpradius's People

Contributors: token2

totpradius's Issues

Integration with WatchGuard Firewall fails

Trying to integrate TOTPRadius with WatchGuard Firewall fails for me. From the TOTPRadius logs' point of view everything seems fine (user successfully authenticated), but overall the authentication fails. The WatchGuard Firewall logs state "was rejected, user isn't in the right group". But I'm pretty sure the user is in the right group, as when I swap TOTPRadius for another solution this works fine. Any idea?

dot in username

Currently only allowed in the API; allow it in the web interface as well.

Citrix Netscaler 12 integration

Netscaler 12 has a "hardcoded" order of authentication sources in the XenApp configuration wizard: OTP first and AD second, and there is no way to change it.
So when users log in, they have to put the OTP in the first password field and the AD password in the second field.
The problem here is that the Netscaler does not allow an empty Password value, so users without 2FA active will have to put "something" there, which makes the overall user experience cumbersome.

See screenshots confirming this (Radius is now called RSA).
[screenshot: netscaler12-2fa]

Redundancy features

  1. Any appliance can be configured in master or slave mode
  2. Appliances in slave mode:
    2.1 - will only contain a read-only database
    2.2 - will periodically synchronize with their master appliance via HTTPS REST (hostname and API name to be configured on both nodes) - 1 minute minimum (cron's limitation)
    2.3 - will have the same web interface, but user management (adding/editing/deleting) will be disabled
    2.4 - will have no self-enrollment features
    2.5 - will require no additional user licenses (user licenses are only needed for adding users, which is disabled as per 2.3 and 2.4)
  3. Any appliance in slave mode can be switched back to master mode, so the master/slave feature can be considered a cold spare (manual re-licensing will need to be requested)

minor UI glitches

Reported by 5446

  • jquery
  • LDAP UI self-service tabs
  • Sign out button location

Reported by t2

  • New LDAP Self-service portal (Internet-facing): fix enable/disable feature
  • New LDAP Self-service portal (Internet-facing): fix UI translation (provide de.php for German)

Feature request: Change hostname from GUI

In some systems the appliance is allowed to register in DNS, which makes things complicated if multiple appliances are used (e.g. in slave/master mode). A hostname setting is to be added to the admin GUI.

Secret

Radius-Secret: should also be generated randomly.

v 2.4 todo

  • Move to Ubuntu 20 LTS
  • LDAP proxy to move to Version 3 (allow non ASCII chars)
  • Check LDAP + proxy order (OTP first) when group restrictions are used
  • Make OTP on user profile without spaces and with copy and paste
  • (potential) Hardware tokens management/import/assignment tool (possibly by reusing the CSV import tool - add token serial number field / groupid)
  • Optional : remove domain suffix and prefix from the username
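Two items above concern how a username is canonicalised before lookup: the "dot in username" issue wants dots accepted in the web interface as well as the API, and the last todo item wants the DOMAIN\ prefix and @domain suffix stripped. The following is an added example, not the project's own code; the character policy and the 64-character limit are assumptions made for the example, since the page does not state the project's actual rule.

```python
import re

# Constructed policy for this example, not the project's own rule: letters,
# digits, underscore and hyphen, with dots allowed only between such runs,
# so "john.doe" passes but ".john", "john." and "john..doe" are rejected.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*$")
MAX_USERNAME_LEN = 64  # assumed limit


def strip_domain(username: str) -> str:
    """Drop a NetBIOS prefix (CORP\\user) and/or a UPN suffix (user@corp.example)."""
    if "\\" in username:
        username = username.rsplit("\\", 1)[1]
    if "@" in username:
        username = username.split("@", 1)[0]
    return username


def normalize_username(raw: str, strip_domains: bool = True) -> str:
    """Return the canonical account name or raise ValueError.

    One function for both the web interface and the API: the "dot in
    username" issue exists because the two code paths validated differently.
    """
    name = raw.strip()
    if strip_domains:
        name = strip_domain(name)
    if not name or len(name) > MAX_USERNAME_LEN or not _USERNAME_RE.match(name):
        raise ValueError(f"invalid username: {raw!r}")
    return name


def is_valid_username(raw: str, strip_domains: bool = True) -> bool:
    """Boolean wrapper for form validation and for the checks below."""
    try:
        normalize_username(raw, strip_domains)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for sample in ("john.doe", "CORP\\john.doe", "john.doe@corp.example", ".john"):
        print(f"{sample!r:32} -> {is_valid_username(sample)}")
```

Stripping domains folds `CORP\alice` and `OTHER\alice` into the same account, which is why the todo item marks it optional: enable it only when a single directory domain is in use, otherwise a user from a second domain inherits the first user's token.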

Logging/Audit-Features

Logging/audit features (who did an authentication, and from where):
this data is already in the RADIUS log, only the GUI is missing.
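The issue above says the who/from-where data already sits in the RADIUS log and only the GUI is missing. The following added example (not the project's code) shows what such a GUI would have to do: parse the `Auth:` lines and aggregate them per user and source. The log lines are constructed for the example, modelled on the FreeRADIUS 3 radius.log format; the client names, IPs and the rejection reason text are invented, and real reason strings vary by module.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the FreeRADIUS 3 radius.log "Auth:" style.
SAMPLE_LOG = """\
Tue Mar  5 09:12:01 2024 : Auth: (12) Login OK: [alice] (from client watchguard port 0 cli 203.0.113.5)
Tue Mar  5 09:12:44 2024 : Auth: (13) Login incorrect (Invalid OTP): [bob] (from client netscaler port 1 cli 198.51.100.7)
Tue Mar  5 09:12:49 2024 : Auth: (14) Login incorrect (Invalid OTP): [bob] (from client netscaler port 1 cli 198.51.100.7)
Tue Mar  5 09:12:55 2024 : Auth: (15) Login incorrect (Invalid OTP): [bob] (from client netscaler port 1 cli 198.51.100.7)
Tue Mar  5 09:13:10 2024 : Auth: (16) Login OK: [bob] (from client netscaler port 1 cli 198.51.100.7)
Tue Mar  5 09:14:02 2024 : Info: rlm_ldap (ldap): Opening additional connection (1)
"""

# "[user]" may appear as "[user/password]" when auth_badpass/auth_goodpass are
# enabled; the optional "/..." group drops that part so it never reaches the GUI.
_AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : Auth: \(\d+\) "
    r"Login (?P<result>OK|incorrect)(?: \((?P<reason>[^)]*)\))?: "
    r"\[(?P<user>[^\]/]*)(?:/[^\]]*)?\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>\S+))?\)$"
)


def parse_auth_line(line: str):
    """Return an event dict for an Auth line, or None for any other line."""
    m = _AUTH_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["when"] = datetime.strptime(ev["ts"], "%a %b %d %H:%M:%S %Y")
    ev["ok"] = ev["result"] == "OK"
    # Calling-Station-Id (the end user's address) when the NAS sends it,
    # otherwise fall back to the NAS client name.
    ev["source"] = ev["cli"] or ev["client"]
    return ev


def parse_log(text: str) -> list:
    return [ev for ev in map(parse_auth_line, text.splitlines()) if ev]


def who_from_where(events: list) -> dict:
    """Per-user success/failure counts and the set of sources seen."""
    summary = defaultdict(lambda: {"ok": 0, "fail": 0, "sources": set()})
    for ev in events:
        entry = summary[ev["user"]]
        entry["ok" if ev["ok"] else "fail"] += 1
        entry["sources"].add(ev["source"])
    return dict(summary)


def failed_bursts(events: list, threshold: int = 3, window_seconds: int = 60) -> list:
    """(user, source) pairs with >= threshold failures inside one window: OTP guessing."""
    by_key = defaultdict(list)
    for ev in events:
        if not ev["ok"]:
            by_key[(ev["user"], ev["source"])].append(ev["when"])
    hits = []
    for key, times in by_key.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                hits.append(key)
                break
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, entry in who_from_where(evs).items():
        print(user, entry)
    print("bursts:", failed_bursts(evs))
```

On a TOTP server the RADIUS password field carries the one-time code, so leave `auth_badpass` and `auth_goodpass` off in the radiusd.conf `log` section: with them on, every submitted code is written to disk, and a burst like bob's above would be readable by anyone with access to the log.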

extra Radius attributes

Implement adding extra attributes
Add an editing feature for the extra attributes
Include them in the backup/restore script
(location /etc/freeradius/3.0/extra)

Users list

It doesn't make sense that I can see all users (users_list.php) without having to log in.

reset Users Logons

How can I reset a user's logons if I want to re-issue a new token to a user through StoreFront?
Currently this is done by removing the user, but that deletes all logs.

Feature : Update packages

Allow a new web interface to be uploaded as a zip package (something like a firmware upgrade) via the admin panel.

FIDO integration

Adding a possibility to use FIDO security keys instead of TOTP authentication

restrict hw token assignment

Reported by 5346

  • Restriction setting: enable/disable assigning the same token to more than one user
  • Show which token is assigned to whom
  • Implement restriction in self-service HW tokens

Add Azure AD Authentication option

Leverage Resource Owner Password Credentials API of Azure AD to implement primary authentication against Azure AD (as a replacement of LDAP onPrem)

LDAP: multiple servers for failover

Add a note specifying the format when more than one LDAP server is used.

Because multiple servers can use different protocols, the default protocol (ldap) is only assumed when a single server is configured.

For two or more servers the simple format (just the hostname) will not work and the full URI must be specified.

For example for MS AD, the value should look like:

ldap://192.168.200.208 ldap://192.168.200.209

So it is still space separated, but with the protocol (ldap://) specified.
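An added example (not the project's code) of validating the server setting described above: a single bare host gets the default `ldap://`, while a list of two or more entries is rejected unless every entry carries its protocol. The IPs and hostnames are the ones from the issue plus invented ones; OpenLDAP's `ldap_initialize()` accepts a whitespace-separated URI list, which is presumably where this format comes from, but that is an assumption.

```python
from urllib.parse import urlsplit

DEFAULT_SCHEME = "ldap"
ALLOWED_SCHEMES = {"ldap", "ldaps"}


def parse_ldap_servers(value: str) -> list:
    """Normalise the space-separated LDAP server setting into a list of full URIs."""
    entries = value.split()
    if not entries:
        raise ValueError("no LDAP server configured")
    # A single bare hostname or IP is still accepted and gets the default protocol.
    if len(entries) == 1 and "://" not in entries[0]:
        entries = [f"{DEFAULT_SCHEME}://{entries[0]}"]
    uris = []
    for entry in entries:
        if "://" not in entry:
            raise ValueError(
                f"{entry!r}: with more than one server every entry needs its protocol, "
                f"e.g. ldap://{entry}"
            )
        parts = urlsplit(entry)
        if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname or parts.path not in ("", "/"):
            raise ValueError(f"{entry!r}: expected ldap://host[:port] or ldaps://host[:port]")
        uris.append(entry)
    return uris


def is_valid_server_list(value: str) -> bool:
    try:
        parse_ldap_servers(value)
    except ValueError:
        return False
    return True


def plaintext_servers(uris: list) -> list:
    """ldap:// entries: a simple bind to these sends the directory password
    unencrypted unless StartTLS is negotiated first."""
    return [u for u in uris if urlsplit(u).scheme == "ldap"]


def to_connect_string(uris: list) -> str:
    """Back to the space-separated form the setting expects."""
    return " ".join(uris)


if __name__ == "__main__":
    for value in ("192.168.200.208",
                  "ldap://192.168.200.208 ldap://192.168.200.209",
                  "192.168.200.208 192.168.200.209"):
        try:
            print(value, "->", parse_ldap_servers(value))
        except ValueError as exc:
            print(value, "-> rejected:", exc)
```

The validator accepts a mixed list such as `ldaps://dc1 ldap://dc2`, but `plaintext_servers()` reports the `ldap://` member so an administrator sees that failover to the second server downgrades the bind to cleartext.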

Redesign Export&Import feature

Redesign the Export&Import feature so that a single all-in-one file includes:

  • All users records
  • Hardware tokens
  • Config
  • Certificate files
  • NTP Settings
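Both the "Update packages" issue (a zip uploaded through the admin panel that replaces the web interface) and the all-in-one export/import file above are archives unpacked by the appliance itself, so the unpack step is where an uploaded file can write outside the intended directory. The following is an added example, not the project's code, of an extraction routine that rejects absolute paths, `..` components and entries that resolve outside the destination, and caps the unpacked size. The archive contents are constructed inline for the example.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def _is_unsafe_name(name: str) -> bool:
    # Zip entries use forward slashes; absolute paths, backslashes (drive or
    # UNC names on Windows) and any ".." component are rejected outright.
    return (
        os.path.isabs(name)
        or name.startswith(("/", "\\"))
        or "\\" in name
        or ".." in Path(name).parts
    )


def safe_extract(zip_bytes: bytes, dest, max_unpacked: int = 100 * 1024 * 1024) -> list:
    """Unpack zip_bytes under dest; raise ValueError instead of silently rewriting bad names."""
    dest = Path(dest).resolve()
    dest.mkdir(parents=True, exist_ok=True)
    written, total = [], 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if _is_unsafe_name(name):
                raise ValueError(f"rejected entry {name!r}: absolute path or parent traversal")
            # resolve() follows symlinks, so a pre-existing symlink inside dest
            # pointing elsewhere is caught here as well.
            target = (dest / name).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"rejected entry {name!r}: resolves outside {dest}")
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                # Count bytes actually produced rather than trusting the
                # declared file_size, which a crafted archive can understate.
                while chunk := src.read(64 * 1024):
                    total += len(chunk)
                    if total > max_unpacked:
                        raise ValueError("archive exceeds the unpacked size limit")
                    dst.write(chunk)
            written.append(name)
    return written


def build_zip(entries: dict) -> bytes:
    """Constructed test input: {entry name: content bytes} -> zip bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def extract_to_tempdir(entries: dict) -> list:
    """Build an archive from entries and unpack it into a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_zip(entries), Path(tmp))


def is_rejected(entries: dict) -> bool:
    try:
        extract_to_tempdir(entries)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(extract_to_tempdir({"www/index.php": b"<?php", "www/lang/de.php": b"<?php"}))
    print("traversal rejected:", is_rejected({"../../etc/cron.d/evil": b"* * * * * root id"}))
```

Python's own `ZipFile.extractall()` strips leading slashes and `..` components instead of failing, which hides the tampering; for an admin-uploaded package a hard reject is the better behaviour. Replacing the web interface is code execution on the appliance by design, so the upload endpoint must be reachable only to an authenticated administrator (compare the users_list.php issue above).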

Mysql

MySQL-Username/Password should also be changeable.
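The "Secret" issue above asks for the RADIUS shared secret to be generated randomly, and this one asks for the MySQL credentials to be changeable; both want the same thing, a CSPRNG-generated credential rather than a default. The following is an added example, not the project's code: it generates such a secret, refuses known defaults and short values, and renders a FreeRADIUS `client` block with it. The deny-list is constructed for the example (`testing123` is the secret in the FreeRADIUS sample clients.conf); the client name and IP are invented.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
# Constructed deny-list for the example; "testing123" is the secret shipped in
# the FreeRADIUS sample clients.conf and still turns up on production NAS devices.
KNOWN_DEFAULTS = {"testing123", "secret", "radius", "password", "changeme"}


def generate_secret(length: int = 32) -> str:
    """CSPRNG alphanumeric secret; 32 symbols from a 62-symbol alphabet is about 190 bits.

    Alphanumeric output avoids quoting problems in clients.conf and in NAS web
    forms; check the NAS's maximum secret length before raising `length`.
    """
    if length < 16:
        raise ValueError("length below 16 is too short for a shared secret")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_weak_secret(secret: str, min_length: int = 16) -> bool:
    """True for known defaults, short values, or values with too little variety."""
    return (
        secret.lower() in KNOWN_DEFAULTS
        or len(secret) < min_length
        or len(set(secret)) < 8
    )


def render_freeradius_client(name: str, ipaddr: str, secret: str) -> str:
    """Emit a clients.conf block; refuse to write a weak secret at all."""
    if is_weak_secret(secret):
        raise ValueError(f"refusing to write weak shared secret for client {name}")
    return (
        f"client {name} {{\n"
        f"    ipaddr = {ipaddr}\n"
        f"    secret = {secret}\n"
        f"    require_message_authenticator = yes\n"
        "}\n"
    )


if __name__ == "__main__":
    print(render_freeradius_client("watchguard", "203.0.113.5", generate_secret()))
```

The RADIUS Response Authenticator and the PAP password hiding are MD5 constructions keyed only by the shared secret, so a captured Access-Request/Access-Accept pair lets an attacker guess a weak secret offline; that is why the generator, not the administrator, should pick it. `require_message_authenticator = yes` additionally makes the server reject requests from that client that lack a Message-Authenticator attribute. The same `generate_secret()` serves for the MySQL password once it is made changeable.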
