FreeRADIUS / pam_radius

This is the PAM to RADIUS authentication module. It allows any Linux, OSX or Solaris machine to become a RADIUS client for authentication and password change requests.
GNU General Public License v2.0

FR: Override Access-challenge text #67

Open oculos opened 1 year ago

oculos commented 1 year ago

Hi,

I am using pam_radius to authenticate 2FA codes against NPS with Azure MFA extension. It works great, but two things could be better:

1 - The text I get back from Azure is "Enter your Microsoft validation code", with no space between the text and the code the user types (e.g. "Enter your Microsoft validation code123456"). It would therefore be nice to replace this text with something else and/or add a colon and/or a CR.

2 - In case of push notifications, no prompt is displayed, which is not so nice for the user. Could we get an option to display a prompt when an Access-Request is sent? Or is there a more elegant way to deal with this?

3 - Could we get an option to display the "Reply-Message"?

Best, Francis

alandekok commented 1 year ago
  1. You can edit the source to add a space. Or, the administrator of the RADIUS server can add a space or edit the text.

  2. I have no idea what you mean by "push notifications". RADIUS doesn't support that. There is no way in RADIUS to display a prompt without doing challenge / response.

  3. You can edit the source. Please supply a patch.

This is all open source, so ongoing development depends on patches from people who want features.

oculos commented 1 year ago

Hi. Thanks for your reply. But for number 2, by push notification I mean that the challenge is a notification on the phone, for example. I noticed that with this behavior, there is no challenge sent to the client, but an Access-Accept is not sent until the user approves the request on the phone.

alandekok commented 1 year ago

Unfortunately pushing the challenge to a phone is something completely outside of the scope of this PAM module.

oculos commented 1 year ago

Sorry, I guess I am not explaining myself correctly. The RADIUS server may send a push notification instead of a token challenge. The usual procedure is that the RADIUS server does not send an Access-Challenge, but rather stalls while the user approves the request. After that, an Access-Accept is sent. But this is hard to anticipate by the client, so I see your point.
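The two exchanges the thread contrasts, as an added example that is not pam_radius or FreeRADIUS code: a minimal RFC 2865 client loop that sends Access-Request, shows the Reply-Message from an Access-Challenge as the prompt (adding the missing separator locally, which is the client-side fix the first post asks for), echoes State on the second leg, and checks the Response Authenticator on every reply; beside it an in-process stand-in server that either challenges for a code or, in "push" mode, never challenges and answers Accept straight away, as the last comment describes. The StandInMfaServer class, the shared secret, the account, the one-time code and the prompt text are all assumptions for the example, not NPS or Azure MFA behaviour.

```python
# Added example, not pam_radius or FreeRADIUS code. Secret, account, code and prompt text are assumptions.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24  # RFC 2865 attribute types
SECRET = b"testing123"  # assumed shared secret between the PAM client and the server

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_password(password, secret, req_auth):
    """User-Password hiding (RFC 2865 s5.2): 16-byte blocks XORed with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def decrypt_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])

def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()

class StandInMfaServer:
    """Assumed stand-in (not NPS): mode="otp" challenges for a code; mode="push" never challenges and,
    as the thread says, a real server would block here until the phone answers, then Accept or Reject."""
    def __init__(self, users, otp_code, mode="otp", approve_push=True):
        self.users, self.otp_code, self.mode, self.approve_push = users, otp_code, mode, approve_push
        self.pending = {}  # State token -> user who still owes a code

    def handle(self, pkt):
        code, ident, req_auth, attrs = parse_packet(pkt)
        a = dict(attrs)
        user = a.get(USER_NAME, b"")
        presented = decrypt_password(a.get(USER_PASSWORD, b""), SECRET, req_auth)
        def reply(rcode, rattrs):
            return build_packet(rcode, ident, response_authenticator(rcode, ident, req_auth, rattrs, SECRET), rattrs)
        if STATE in a:  # second leg: User-Password now carries the one-time code
            if self.pending.pop(a[STATE], None) == user and presented == self.otp_code:
                return reply(ACCESS_ACCEPT, [(REPLY_MESSAGE, b"Welcome")])
            return reply(ACCESS_REJECT, [(REPLY_MESSAGE, b"Bad code")])
        if self.users.get(user) != presented:
            return reply(ACCESS_REJECT, [(REPLY_MESSAGE, b"Bad password")])
        if self.mode == "push":
            return reply(ACCESS_ACCEPT if self.approve_push else ACCESS_REJECT, [])
        state = os.urandom(8)
        self.pending[state] = user  # prompt text below is exactly as reported: no trailing space or colon
        return reply(ACCESS_CHALLENGE, [(REPLY_MESSAGE, b"Enter your Microsoft validation code"), (STATE, state)])

def radius_login(send, user, password, prompt, secret=SECRET, max_rounds=5):
    """Client side as a PAM module runs it: send(request) -> response bytes, prompt(text) -> user's reply."""
    messages, extra, ident, cred = [], [], 0, password
    for _ in range(max_rounds):
        req_auth = os.urandom(16)
        attrs = [(USER_NAME, user), (USER_PASSWORD, encrypt_password(cred, secret, req_auth))] + extra
        code, rid, rauth, rattrs = parse_packet(send(build_packet(ACCESS_REQUEST, ident, req_auth, attrs)))
        if rid != ident or rauth != response_authenticator(code, rid, req_auth, rattrs, secret):
            raise ValueError("Response Authenticator mismatch: wrong secret, replay or forgery")
        replies = [v.decode("utf-8", "replace") for t, v in rattrs if t == REPLY_MESSAGE]
        messages += replies
        if code != ACCESS_CHALLENGE:
            return code == ACCESS_ACCEPT, messages  # Accept, Reject, or anything else counts as failure
        state = dict(rattrs)[STATE]  # KeyError if the server broke RFC 2865 (State is mandatory here)
        # The server text has no separator; adding one here is the client-side fix the issue asks for.
        cred = prompt(" ".join(replies).rstrip() + ": ").encode()
        extra, ident = [(STATE, state)], (ident + 1) & 0xFF
    raise ValueError("too many challenge rounds")

if __name__ == "__main__":
    srv = StandInMfaServer({b"francis": b"hunter2"}, b"123456")
    print(radius_login(srv.handle, b"francis", b"hunter2", lambda text: print(text) or "123456"))
```

In "push" mode the client never sees a packet it could turn into a prompt: it sends one Access-Request and the UDP socket simply blocks until the Accept or Reject arrives, which is why a client cannot tell a pending push from a slow server. The example omits the Message-Authenticator attribute (RFC 2869) that a production client should add to Access-Requests; the Response Authenticator check shown is the RFC 2865 minimum and is what stops a reply from the wrong server, or one built with the wrong secret, from being accepted.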