Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OTP-only mode also supported for PAP #619

Open
elkman opened this issue Jul 7, 2022 · 2 comments
Open

OTP-only mode also supported for PAP #619

elkman opened this issue Jul 7, 2022 · 2 comments

Comments

@elkman
Copy link
Contributor

elkman commented Jul 7, 2022

Is your feature request related to a problem? Please describe.

I am trying to use keycloak-radius-plugin for OTP token verification configured as a secondary RADIUS service with the Cisco AnyConnect VPN stuff. The primary RADIUS service is AD/Windows and performs all the usual authentication and authorization for VPN login.

Cisco just sends the username and OTP token to the secondary RADIUS service and prefers to use PAP. The switch to MSCHAPv2 comes with some other drawbacks and it does not seem to be possible to force the VPN to send password and OTP token to the secondary RADIUS service. Since the password is already checked, it also makes sense not to send it to other services without a need to do so .

I have not found any reference to why OTP-only mode is limited to CHAP/MSCHAPv2 and does not work with PAP. Only the code shows me that someone did a very good job by explicitly excluding PAP from the OTP configuration flag. This is so well done that there must be a very good reason for this, which I am very curious to know.

Describe the solution you'd like

A) Let PAP behave like CHAP/MSCHAPv2. Would be most consistent.

Describe alternatives you've considered

B) Add an additional configuration flag for PAP or change the otp flag to a list of PAP, CHAP, MSCHAPv2. (true means CHAP, MSCHAPv2 for compatibillity).

C) Discard the otp flag in the configuration, move it to the client configuration with the possibility to change the behavior for all or PAP, CHAP, MSCHAPv2 separately.
(I'm not sure if this will work, since the client seems to provide at best a realm, but no client ID. Therefore a configuration in the realm would also be thinkable).

Additional context

I think I could create a PR for it (if it doesn't get too deep into Keycloak internals), but I'd like to know beforehand if this is a completely stupid idea respectively which variant would be preferred.

And many thanks to @vzakharchenko for his great work on this plugin.

@dickpepperfield
Copy link

I've ran into almost the exact same issue with Cisco ASAv's, and would like to say I don't think it's a completely stupid idea to apply your alternative recommendations, I'm completely inexperienced with Java development so unfortunately only a comment/bump is all I can offer

A massive thanks to vzakharchenko for their work on this plugin thus far, it has ticked all my boxes and I appreciate the work done.

@elkman
Copy link
Contributor Author

elkman commented Feb 12, 2024

Hi @vzakharchenko, hi all

I hope I have solved this issue with PR elkman#84 in my fork of this repo.
Since a lot of changes/updates have already been made, it makes no sense to submit it as a PR here without the history since the fork.

I'll keep this open as a reminder for a later code reunion and as a hint for people who have the same problem.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants