vzakharchenko / keycloak-radius-plugin

Make the radius server as part of keycloak SSO
Apache License 2.0
188 stars, 46 forks

Which authentication flow is being used? #435

Closed ffried closed 2 years ago

ffried commented 2 years ago

I've set up this plugin in our Keycloak instance, but I can't figure out which Authentication Flow is being used.

Background is that our users are required to have an OTP set up, but the OTP is only necessary for certain flows (mainly the Browser flow). Other flows still allow usage of the OTP but do not require it, since logins with these flows are restricted to certain clients and users. With this radius plugin, I'm able to log in using the password plus OTP, but I am not able to log in using only the password.

Is there a way to tell this plugin to use a separate authentication flow which only requires the password and optionally takes the OTP?

vzakharchenko commented 2 years ago

Hi @ffried, RADIUS itself does not support any flow. RADIUS is a networking protocol that provides centralized authentication, authorization, and accounting (AAA). Keycloak-Radius-plugin maps the RADIUS protocol to the Keycloak client protocol: (A)uthentication - Keycloak authentication including federated users and OTP; (A)uthorization - Keycloak Role/Group/Resources; (A)ccounting - Keycloak session.

The OTP password is required for RADIUS only in two cases:

  1. if the user is assigned "Configure OTP"
  2. The user has already configured OTP

For authentication without OTP for a specific user or users, simply remove "Configure OTP" from the required actions.

vzakharchenko commented 2 years ago

If you enable the "Default Action" for "Configure OTP", then all new users will be assigned the required "Configure OTP" action.

ffried commented 2 years ago

That's exactly the issue. I'd like to allow users to log in without OTP when using RADIUS. In Keycloak I can configure this using the authentication flows.

[image]

For example, we'd like to use this as our RADIUS backend for the internal WiFi. We'd like our users to log in with their credentials (similar to our other services) but not have to provide their OTP.

vzakharchenko commented 2 years ago

I think for your use case you can use another solution:

You have a WiFi RADIUS hotspot with an HTML page.

Instead of direct authentication using RADIUS credentials, you can authenticate in two steps.

  1. Authenticate the user on your hotspot page using the OpenID protocol. Here you can use the Keycloak browser flow to authenticate as you want; for example, if your organization uses an identity provider like Google, Okta, etc., then you can configure it for this page. As the result of this authentication you will receive a signed JWT token with a temporary (or one-time) RADIUS password.
  2. Authenticate to the RADIUS server using the credentials from the JWT token.

How to add credentials to the JWT: https://github.com/vzakharchenko/mikrotik-hotspot-oauth#setup-build-and-configure--hotspot-page-for-social-login

There are two types of temporary RADIUS password, "Onetime Radius Password" and "Session Radius Password":

  - Onetime Radius Password - you can use the password only once during the user session. For a new password, you need to issue a new JWT.
  - Session Radius Password - you can use the same password multiple times while the session is alive.

Examples: https://github.com/vzakharchenko/keycloak-radius-plugin/wiki/WebAuthnRadius#get-radius-password-from-code https://github.com/vzakharchenko/keycloak-radius-plugin/wiki/WebAuthnRadius#nodejs-example-for-getting-temporary-radius-password

ffried commented 2 years ago

I'm afraid that won't work. WiFi is only one use case. The other one is our VPN. Also, we will provide the WiFi (and VPN) configuration via MDM (only password is missing). So our users should only input their password and then connect.

vzakharchenko commented 2 years ago

@ffried, https://github.com/vzakharchenko/keycloak-radius-plugin/wiki/RadiusOTP

ffried commented 2 years ago

@vzakharchenko Thank you for adding this!!!

However, I'm unable to get this switch to show up... We're deploying Keycloak using docker-compose. I've recreated the container after I've updated the (docker) scripts with those from master. I see that the script now downloads version 1.3.14 of the artifacts. Next, I've verified that inside the container the zip in /opt/jboss/keycloak/modules/keycloak/plugins/radius/theme/main matches the one I've downloaded directly (md5 of the zips match: a66d507ce521b7a7927c72e3dcfee436).

I've switched from and to the radius theme (including logouts in between and even restarting the keycloak container in between) but this new toggle doesn't show up. We're using a separate realm (not Master). I've tried using the theme in both realms and even tried to create a radius client in Master. No luck.

There is a weird glitch if I enable the radius theme in our realm but not in the master realm. Then after a logout and a login the client edit page looks like this:

[image]

Do you have an idea what might go wrong here? How can I get the toggle to show up?

vzakharchenko commented 2 years ago

@ffried, looks like a deployment issue.

I redeployed the docker images; please clear your local docker cache.

The simplest way is to change the admin theme for the "master" realm, because the master realm has cross-realm access.

But if you want to use the radius theme for a specific realm then you need to:

  1. Create an admin user and assign to him all admin roles from the realm-management client.
  2. Open the admin console page for your realm: http://localhost:8090/auth/realms/<RADIUS_REALM>/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=http://localhost:8090/auth/admin/<RADIUS_REALM>/console&response_mode=fragment&response_type=code&scope=openid where RADIUS_REALM is your realm name.
  3. To log in, use the credentials from step 1.

ffried commented 2 years ago

Still couldn't get the toggle to show up. But I've used the kcadm.sh script inside the container now to set the radius.OTP attribute of the client to false. Works great now!

This is proof that the deployment worked. Seems like something is weird with the theme, but I have no idea what this could be. Even tried turning off theme caching in keycloak.
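The two remedies that come out of this thread, removing the "Configure OTP" required action from a user (vzakharchenko's first answer) and setting the client attribute `radius.OTP` to `false` (what ffried finally did with kcadm.sh), can also be scripted against the Keycloak Admin REST API. The following is an added example, not code from the thread or from keycloak-radius-plugin; it assumes a Keycloak reachable at `KEYCLOAK_URL` with the legacy `/auth` prefix used in the thread, an admin account in the master realm, and realm, client and user names supplied through the environment variables named in the script (all hypothetical). The required-action alias `CONFIGURE_TOTP` is Keycloak's own name for "Configure OTP".

```python
"""Added example, not code from the issue thread or from keycloak-radius-plugin.

Scripts the two remedies discussed in the thread over the Keycloak Admin REST API:
  1. drop the "Configure OTP" required action (Keycloak alias CONFIGURE_TOTP)
     from a user, so RADIUS no longer demands an OTP for that user;
  2. set the client attribute radius.OTP=false on the RADIUS client, the
     setting ffried wrote with kcadm.sh.

Assumptions (not from the thread): Keycloak is reachable at KEYCLOAK_URL with
the legacy /auth prefix, an admin account exists in the master realm, and the
realm, client and user names come from the environment variables at the bottom.
"""
import json
import os
import urllib.parse
import urllib.request


def strip_required_action(user: dict, alias: str = "CONFIGURE_TOTP") -> dict:
    """Return a copy of a UserRepresentation without the given required action."""
    updated = dict(user)
    updated["requiredActions"] = [
        a for a in (user.get("requiredActions") or []) if a != alias
    ]
    return updated


def set_client_attribute(client: dict, key: str, value: str) -> dict:
    """Return a copy of a ClientRepresentation with attributes[key] = value,
    keeping every other attribute exactly as it was."""
    updated = dict(client)
    attrs = dict(client.get("attributes") or {})
    attrs[key] = value
    updated["attributes"] = attrs
    return updated


class KeycloakAdmin:
    """Minimal Admin REST API client using only the standard library."""

    def __init__(self, base_url: str, realm: str, username: str, password: str):
        self.base_url = base_url.rstrip("/")
        self.realm = realm
        token = self._password_grant(username, password)
        self.headers = {"Authorization": f"Bearer {token}",
                        "Content-Type": "application/json"}

    def _password_grant(self, username: str, password: str) -> str:
        # admin-cli is the public client kcadm.sh itself uses in the master realm
        form = urllib.parse.urlencode({
            "grant_type": "password", "client_id": "admin-cli",
            "username": username, "password": password,
        }).encode()
        req = urllib.request.Request(
            f"{self.base_url}/realms/master/protocol/openid-connect/token", data=form)
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)["access_token"]

    def _call(self, method: str, path: str, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            f"{self.base_url}/admin/realms/{self.realm}{path}",
            data=data, method=method, headers=self.headers)
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else None

    def disable_radius_otp(self, client_id: str) -> None:
        """Set radius.OTP=false on the client whose clientId matches exactly."""
        matches = self._call("GET", "/clients?clientId=" + urllib.parse.quote(client_id))
        client = next((c for c in matches if c.get("clientId") == client_id), None)
        if client is None:
            raise LookupError(f"client {client_id!r} not found in realm {self.realm}")
        self._call("PUT", f"/clients/{client['id']}",
                   set_client_attribute(client, "radius.OTP", "false"))

    def drop_configure_otp(self, username: str) -> None:
        """Remove CONFIGURE_TOTP from the user's required actions.
        The users search is a substring match, so filter for the exact name."""
        matches = self._call("GET", "/users?username=" + urllib.parse.quote(username))
        user = next((u for u in matches if u.get("username") == username), None)
        if user is None:
            raise LookupError(f"user {username!r} not found in realm {self.realm}")
        self._call("PUT", f"/users/{user['id']}", strip_required_action(user))


if __name__ == "__main__":
    # Hypothetical deployment values; adjust to your own instance.
    kc = KeycloakAdmin(
        os.environ.get("KEYCLOAK_URL", "http://localhost:8090/auth"),
        os.environ.get("RADIUS_REALM", "my-realm"),
        os.environ["KEYCLOAK_ADMIN_USER"],
        os.environ["KEYCLOAK_ADMIN_PASSWORD"],
    )
    kc.disable_radius_otp(os.environ.get("RADIUS_CLIENT_ID", "radius"))
    if os.environ.get("RADIUS_USER"):
        kc.drop_configure_otp(os.environ["RADIUS_USER"])
```

The two pure helpers do the representation edits without network access, which is what matters when auditing the change: `set_client_attribute` merges rather than replaces the client's attributes, so an existing RADIUS shared secret or other plugin settings stored there are not wiped by the PUT, and `strip_required_action` leaves any other pending required actions (such as a forced password update) in place. Note that the user-side remedy only stops Keycloak demanding enrolment; per vzakharchenko's second case, a user who already has an OTP configured will still be asked for it unless the client-side `radius.OTP` switch is used.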