AUTH.AS service API description (RADIUS protocol)
To enable AUTH.AS two-factor authentication in third-party services, systems and web applications, we offer the RADIUS protocol for communication. RADIUS packets are processed at "console.auth.as". The parameters to be passed in the RADIUS packet are listed below.
Technical description
There are 2 mandatory parameters in the RADIUS packet:
- User-Name: the account username in the AUTH.AS system, which identifies the user. Allowed characters: letters a-z, digits 0-9 and the symbols "-", "@" and ".".
- Password: can be passed in one of 2 forms, with or without the regular user password:
  - (user-password + one-time password). Before the one-time password is checked, the user account is authenticated in the target system (local or Active Directory authentication over LDAP) with the username and user-password. If that succeeds, the one-time password is validated. The one-time password must be typed directly after the user-password.
  - (one-time password only). The system validates only the one-time password, without authentication in the target system.
API responses
AUTH.AS API returns 2 standard responses, depending on the checks described above. If the check succeeds, the API returns the standard RADIUS response "Access-Accept".
In the following cases the response is always "Access-Reject":
- the source IP address of the incoming packet is not in the system access whitelist;
- mandatory parameters were not specified;
- parameters have the wrong data type;
- no user with the specified username exists;
- the user has no token assigned;
- the company, the domain, the user or the token (any of these) is locked;
- user authentication in the target system failed (if this option is enabled);
- wrong one-time password.
API test example using “radclient”
Enable the flag "RADIUS sends user-password" in the system console settings. Let's check the one-time password for the user "firstname.lastname@domain.tld", first supplying a wrong user-password and one-time password:
echo "User-Name=firstname.lastname@domain.tld,Password=password" | radclient -n1 -p 1 console.auth.as auth secret1 -x
API response:
Received Access-Reject packet from home server 31.40.96.50 port 1812 with invalid Response Authenticator! (Shared secret is incorrect.)
Now we send the packet with the correct passwords. API response (RADIUS code 2 is Access-Accept):
Received response ID 153, code 2, length = 20
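The following Python client is an added example, not AUTH.AS's own code: it builds the Access-Request described above with user-password and one-time password concatenated into a single User-Password attribute, hides that attribute as RFC 2865 requires, and validates the Response Authenticator of the reply, which is the check radclient reports as failing in the first test above. The host name comes from this page; port 1812, the shared secret and the credentials are assumptions or placeholders.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
RADIUS_HOST, RADIUS_PORT = "console.auth.as", 1812  # host from the page; 1812 is the standard RADIUS port

def xor_chain(data, secret, authenticator, decrypt=False):
    # RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret + previous
    # ciphertext block); the first block is keyed by the Request Authenticator.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block if decrypt else out[-16:]
    return out

def hide_password(password, secret, authenticator):
    # Zero-pad to a 16-byte multiple, then hide. This is obfuscation, not encryption:
    # the shared secret plus a captured packet recovers the password, so the secret must stay strong.
    return xor_chain(password + b"\x00" * (-len(password) % 16), secret, authenticator)

def build_access_request(ident, username, user_password, otp, secret, authenticator):
    # Page option 1: the OTP is typed directly after the user-password, so both travel in
    # one User-Password attribute; pass user_password="" for the OTP-only option.
    hidden = hide_password((user_password + otp).encode(), secret, authenticator)
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, username.encode()), (ATTR_USER_PASSWORD, hidden)):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def verify_response(response, request_authenticator, secret):
    # Returns the RADIUS code (2 = Access-Accept, 3 = Access-Reject) only if the Response
    # Authenticator matches; None is the "Shared secret is incorrect" case radclient reports.
    code, _ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:length] + secret).digest()
    return code if response[4:20] == expected else None

def check_otp(username, user_password, otp, secret, host=RADIUS_HOST, port=RADIUS_PORT, timeout=5.0):
    # One UDP round trip: True = Access-Accept, False = Access-Reject, None = wrong shared secret.
    authenticator = os.urandom(16)
    packet = build_access_request(1, username, user_password, otp, secret, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)  # a silent server raises socket.timeout
        sock.sendto(packet, (host, port))
        reply, _ = sock.recvfrom(4096)
    code = verify_response(reply, authenticator, secret)
    return None if code is None else code == ACCESS_ACCEPT
```

A call such as check_otp("firstname.lastname@domain.tld", "password", "123456", b"secret1") reproduces the radclient test; the OTP value and secret here are placeholders.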