AUTH.AS service API description via RADIUS protocol

To enable AUTH.AS two-factor authentication in third-party services, systems and web applications, the RADIUS protocol can be used. RADIUS packets are processed at "console.auth.as". The parameters that must be passed in the RADIUS packet are described below.


Technical description

A RADIUS Access-Request packet must carry two mandatory attributes:

  • User-Name: the account username in the AUTH.AS system, used to identify the user. Allowed characters: letters a-z, digits 0-9 and the symbols -, @ and .
  • Password (the RADIUS User-Password attribute): can be passed in one of two forms, depending on whether the regular user password is included:
  1. (user password + one-time password). Before the one-time password is checked, the user is first authenticated in the target system (local authentication, or Active Directory via the LDAP protocol) with the username and user password. Only if that succeeds is the one-time password validated. The one-time password is appended directly after the user password, with no separator.
  2. (one-time password only). The system validates only the one-time password, without authenticating the user in the target system.

API responses

The AUTH.AS API returns one of two standard RADIUS responses, depending on the checks described above. If the check succeeds, the API returns the standard RADIUS response "Access-Accept" (code 2).

In all of the following cases the response is "Access-Reject" (code 3):

  • the source IP address of the incoming packet is not in the system's access whitelist;
  • a mandatory parameter is missing;
  • a parameter has the wrong data type;
  • no user with the specified username exists;
  • the user has no token assigned;
  • the company, the domain, the user or the token (any one of them) is locked;
  • user authentication in the target system failed (if that option is enabled);
  • the one-time password is wrong.

Every failure produces the same Access-Reject, so a client cannot distinguish an unknown user, a locked account or a wrong password from the response alone.

API test example using “radclient”

Enable the flag "RADIUS sends user-password" in the system console settings (i.e. option 1 above: user password followed by the one-time password). Let's check the one-time password for the user "firstname.lastname@domain.tld", first supplying a wrong user password and one-time password:

echo "User-Name=firstname.lastname@domain.tld,Password=password" | radclient -n1 -p 1 console.auth.as auth secret1 -x

API response:

Received Access-Reject packet from home server 31.40.96.50 port 1812 with invalid Response Authenticator!  (Shared secret is incorrect.)

Note that this particular message is more than a credential failure: radclient is reporting that the Response Authenticator of the reply does not verify against the shared secret given on the command line ("secret1"), i.e. that secret does not match the one configured for your client IP. Check the shared secret first; once it matches, a wrong password yields a plain Access-Reject (code 3), printed in the same format as the accept below.

Now we send the packet with the correct passwords. API response:

Received response ID 153, code 2, length = 20

Code 2 is Access-Accept: the one-time password (and, with the flag enabled, the user password) was validated.
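The following is an added example, not AUTH.AS's own code, showing the exchange behind the parameter description and the radclient test above: it builds the Access-Request with User-Name and User-Password (the "user password + one-time password" form), applies the User-Password obfuscation from RFC 2865 section 5.2 using the shared secret and Request Authenticator, and verifies the Response Authenticator of the reply, which is exactly the check radclient reports as "invalid Response Authenticator (Shared secret is incorrect)". The shared secret "secret1", the one-time password "123456" and the server replies are constructed so the demo runs offline; send_access_request() is the only part that talks to a real server.

```python
"""RADIUS Access-Request client for the AUTH.AS exchange (added example, RFC 2865)."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encrypt_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: zero-pad to a multiple of 16 octets, then XOR each block with
    MD5(secret + previous ciphertext block); the first block is keyed by the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password.ljust((len(password) + 15) // 16 * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def decrypt_user_password(cipher: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encrypt_user_password: what the server does before splitting
    'user password + one-time password'. Padding zeros are stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def attr(kind: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header octets."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(ident, username, password, secret, request_auth=None):
    """Return (packet, request_auth). The Request Authenticator must be fresh and random."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username.encode()) + attr(
        ATTR_USER_PASSWORD, encrypt_user_password(password.encode(), secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Server side (simulated here): Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


def verify_response(response, ident, request_auth, secret):
    """Return the response code, or raise ValueError if the packet is malformed, answers a
    different request, or its Response Authenticator does not verify (wrong secret or forged)."""
    if len(response) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, resp_ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        raise ValueError("Length field does not match packet size")
    if resp_ident != ident:
        raise ValueError("identifier does not match the request")
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("invalid Response Authenticator (shared secret is incorrect)")
    return code


def send_access_request(host, port, username, password, secret, timeout=3.0):
    """Send one Access-Request over UDP and return the verified response code."""
    ident = os.urandom(1)[0]
    packet, request_auth = build_access_request(ident, username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        reply, _ = sock.recvfrom(4096)
    return verify_response(reply, ident, request_auth, secret)


if __name__ == "__main__":
    secret = b"secret1"  # placeholder shared secret, as in the radclient example
    user = "firstname.lastname@domain.tld"
    # Option 1 form: user password immediately followed by the OTP ("123456" is made up).
    pkt, ra = build_access_request(153, user, "password" + "123456", secret)
    # Constructed replies stand in for console.auth.as so this runs offline.
    print("accept:", verify_response(build_response(ACCESS_ACCEPT, 153, ra, secret), 153, ra, secret))
    print("reject:", verify_response(build_response(ACCESS_REJECT, 153, ra, secret), 153, ra, secret))
    try:
        verify_response(build_response(ACCESS_ACCEPT, 153, ra, b"other-secret"), 153, ra, secret)
    except ValueError as err:
        print("mismatched secret:", err)  # the situation radclient reported above
    # Against the real server: send_access_request("console.auth.as", 1812, user, "password123456", secret)
```

The Response Authenticator is the only integrity check a RADIUS client has on a reply, so treat a verification failure as "do not trust this answer" rather than as a reject: without it, an on-path attacker could forge an Access-Accept for any request.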