FreeRADIUS / pam_radius

This is the PAM to RADIUS authentication module. It allows any Linux, OSX or Solaris machine to become a RADIUS client for authentication and password change requests.
GNU General Public License v2.0
103 stars 90 forks source link

FR: Override Access-challenge text #67

Open oculos opened 2 years ago

oculos commented 2 years ago

Hi,

I am using pam_radius to authenticate 2FA codes against NPS with Azure MFA extension. It works great, but two things could be better:

1 - The text I get back from Azure is "Enter your Microsoft validation code", with no space between the text and the code the user types (eg. "Enter your Microsoft validation code123456". It would therefore be nice to replace this text with something else and/or add a colon and/or a CR. 2 - In case of push notifications, no prompt is displayed, which is not so nice for the user. Could we get an option to display a prompt when an Access-request is sent? Or is there a more elegant way to deal with this? 3 - Could we get an option to display the "Reply-message"?

Best, Francis

alandekok commented 2 years ago
  1. You can edit the source to add a space. Or, the administrator of the RADIUS server can add a space or edit the text.

  2. I have no idea what you mean by "push notifications". RADIUS doesn't support that. There is no way in RADIUS to display a prompt without doing challenge / response.

  3. You can edit the source. Please supply a patch.

This is all open source, so ongoing development depends on patches from people who want features.

oculos commented 2 years ago

Hi. Thanks for your reply. mas for the number 2, by push notification I mean that the challenge is a notification on the phone, for example. I notified that with this behavior, there is no challenge sent to the client, but an Access-accept is not sent until the user approves the request on the phone.

alandekok commented 2 years ago

Unfortunately pushing the challenge to a phone is something completely outside of the scope of this PAM module.

oculos commented 2 years ago

Sorry, I guess I am not explaining myself correctly. the radius server may send a push notification instead of a token challenge. The usual procedure is that the radius server does not send an Access-Challenge, but rather stalls while the user approves the request. After that, so an Access-Accept is sent. But this is hard to antecipate by the client, so I see your point.