Open mikoday opened 3 years ago
Hi, 2FA is on my TODO list but I cannot give you a concrete date right now. And at the moment I have no plans to integrate RADIUS, but contributions are very welcome.
Hello, sounds very promising, I keep my fingers crossed then. One more question, can you explain how the authentication based on LDAP works?
What exactly do you want to know? It's a simple LDAP bind operation to check the user credentials. See here: https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol#Bind_(authenticate)
Maybe you are confusing the authentication to the management portal with the WireGuard authentication? LDAP is just used to fill the user database in the management portal. If enabled, a WireGuard tunnel configuration (keypair) is created for each LDAP user automatically. The user can then download his configuration from the portal by logging in with his LDAP credentials. Does that answer your question?
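The bind described in the reply above, as an added example that is not part of this thread or of the project's code: it decodes a simple BindRequest and labels it with the RFC 4513 section 5.1 names. The password sits unencrypted inside the PDU (so the connection needs LDAPS or StartTLS), and an empty password turns the request into an unauthenticated bind, which a client should refuse to send. Function names and the sample DN and password are assumptions constructed for illustration.

```python
# Added example. Sample PDUs are constructed here, not captured traffic.

def read_tlv(buf, pos):
    """Decode one BER element (definite length); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = octet count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def tlv(tag, value):
    """Encode one BER element; used only to build the constructed samples."""
    n = len(value)
    if n < 0x80:
        head = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        head = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def simple_bind_request(message_id, dn, password):
    """LDAPMessage{ messageID, BindRequest{ version 3, name, simple [0] } }."""
    op = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x60, op))  # id < 128

def classify_bind(pdu):
    """Return (kind, dn) for a BindRequest, using the RFC 4513 section 5.1 names."""
    tag, msg, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(msg, 0)           # skip messageID
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _, pos = read_tlv(op, 0)            # skip version
    _, name, pos = read_tlv(op, pos)
    tag, cred, _ = read_tlv(op, pos)
    dn = name.decode()
    if tag != 0x80:
        return "sasl", dn                  # [3] SaslCredentials, not a simple bind
    if not cred:
        return ("unauthenticated" if name else "anonymous"), dn
    return ("name/password" if name else "malformed"), dn

DN = "uid=alice,ou=people,dc=example,dc=org"   # constructed sample values
normal = simple_bind_request(1, DN, "correct-horse")
empty_pw = simple_bind_request(2, DN, "")
```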
Yes, that's what I meant, thank you very much for the explanation. :basecampy:
You could delegate the 2FA process to an OpenID Connect backend. We're currently using WG Gen Web with OIDC connector to a Keycloak instance. The whole code is already written inside Wg gen web, you could simply integrate it (be gentle, mention the other project) and let the OIDC part deal with the 2FA.
That means the LDAP auth will never have a 2FA but ... it's LDAP, huh?
@h44z if you are interested, I made the PR #85 to enable OAuth2 and OIDC login
Great! Thanks for your work. I can test OIDC integration with Keycloak.
For 2FA, there is also this project to look at and potentially incorporate: https://github.com/NHAS/wag
One option to achieve 2FA would be to support RADIUS; then 2FA could be handled by the RADIUS server.
https://www.oreilly.com/library/view/radius/0596003226/re04.html
Hello, this project looks interesting, do you plan to add RADIUS support and 2FA?