Gyorgy Krajcsovits committed Apr 19, 2019
1 parent e38ace6, commit e06da62
Showing 15 changed files with 1,175 additions and 2 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
2.0.5 2019-04-19 | ||
|
||
Initial release on GitHub. | ||
|
||
2.0.0 2018-12-21 | ||
|
||
Initial version. |
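Review bot: the changelog jumps from 2.0.0 (2018-12-21) straight to 2.0.5 (2019-04-19) with no entries for 2.0.1 through 2.0.4; either add one-line entries for those versions or state that they were internal releases, so that the `version: 2.0.5` in the manifest can be traced to a change record. The file also has no title line; a `# Changelog` heading in the same style as the README would make it self-describing.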
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
name: SPS_RADIUS | ||
description: RADIUS (RSA) Multi-Factor Authentication plugin | ||
version: 2.0.5 | ||
type: aa | ||
api: 1.1 | ||
entry_point: main.py |
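Review bot: the `description` ties the plugin to RSA (`RADIUS (RSA) Multi-Factor Authentication plugin`), but nothing else in this commit, neither the manifest nor the configuration, is RSA-specific; either drop `(RSA)` or state in the README which RSA product the plugin was validated against, so that operators fronting another RADIUS-backed MFA provider know whether it is supported. `version: 2.0.5` matches the changelog entry, which is good.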
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
[packages] | ||
pyrad = "*" | ||
|
||
[dev-packages] | ||
pyrad = "*" | ||
|
||
[requires] | ||
python_version = "3.6" |
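Review bot: `pyrad = "*"` in `[packages]` accepts any release of pyrad from the index with no lower or upper bound, so two builds of the same commit can resolve to different (and possibly incompatible or compromised) versions; pin the version that was tested (for example `pyrad = "==<tested-version>"`, with the placeholder filled in from the test environment) and commit the generated `Pipfile.lock` so its hashes are enforced at install time. The duplicate `pyrad = "*"` under `[dev-packages]` is redundant, since a dev install already includes `[packages]`; that section should hold test tooling only, or be removed.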
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,2 +1,30 @@ | ||
# safeguard-sessions-plugin-radius-mfa | ||
RADIUS Multi-Factor Authentication plugin for Safeguard for Privileged Sessions | ||
|
||
# Support | ||
- This plugin is officially supported for One Identity Safeguard for Privileged Sessions (SPS) customers with a valid maintenance contract. Feature requests and bug reports should be submitted via the regular support channel on the [One Identity Support page](https://support.oneidentity.com). Such requests are tracked and will be answered within the time frames set out in the support agreement. | ||
|
||
- We welcome feature requests, pull requests, and bug reports submitted via GitHub.com, but in this case there is no guaranteed response time. | ||
|
||
# About us | ||
|
||
One Identity solutions eliminate the complexities and time-consuming processes often required to govern identities, manage privileged accounts and control access. Our solutions enhance business agility while addressing your IAM challenges with on-premises, cloud and hybrid environments. | ||
|
||
# Contacting us | ||
|
||
For sales or other inquiries, visit the [One Identity Contact page](https://www.oneidentity.com/company/contact-us.aspx) or call +1-800-306-9329. | ||
|
||
# Technical support resources | ||
|
||
Technical support is available to One Identity customers with a valid maintenance contract and customers who have trial versions. You can access the Support Portal at the [One Identity Support page](https://support.oneidentity.com/). | ||
|
||
The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. The Support Portal enables you to: | ||
|
||
- Submit and manage a Service Request | ||
- View Knowledge Base articles | ||
- Sign up for product notifications | ||
- Download software and technical documentation | ||
- View how-to-videos at [YouTube](https://www.YouTube.com/OneIdentity) | ||
- Engage in community discussions | ||
- Chat with support engineers online | ||
- View services to assist you with your product |
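Review bot: the README covers support channels and the company but says nothing about how to install or configure the plugin: which `default.cfg` parameters are required (`server` and `secret` in `[radius]`), which `auth_type` values are accepted, or where the "Tutorial document" that the configuration comments point to can be found. Add an Installation/Configuration section, or a link to that document, ahead of the `# Support` heading so a reader can get from the repository to a working deployment. Minor: `https://www.YouTube.com/OneIdentity` works, but hostnames are conventionally written in lower case.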
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,183 @@ | ||
[radius] | ||
# Required: enter the name of your server below, where the RADIUS interface is | ||
# available. | ||
; server=<radius-server-ip-or-hostname> | ||
|
||
# Port where the RADIUS server is listening for access requests. | ||
; port=1812 | ||
|
||
# Required: Specify your RADIUS shared secret below. To use a local | ||
# Credential Store to host this data, set the parameter to $ and read the | ||
# "Store sensitive plugin data securely" section in the documentation. | ||
; secret=<$-or-shared-secret-with-radius-server> | ||
|
||
# Specify the password encoding method 'pap' or 'chap'. | ||
; auth_type=pap | ||
|
||
# Number of times to retry sending a RADIUS request if the communication fails. | ||
; conn_retries=3 | ||
|
||
# Number of seconds to wait for an answer at each retry. | ||
; conn_timeout=5 | ||
|
||
###### Common plugin options ###### | ||
# To enable or change a parameter, uncomment its line by removing the ';' | ||
# character and replacing the right side of '=' with the desired value. | ||
# If the parameter has the following structure | ||
# ; name=<value> | ||
# then the related option is turned off until you replace '<value>'. | ||
# | ||
# If the parameter has the following structure | ||
# ; name=value | ||
# then the related option is is automatically turned on with the default value | ||
# of 'value'. | ||
# | ||
# To handle sensitive data, you can use a local Credential Store to retrieve | ||
# parameters from. | ||
# Enter the name of the local Credential Store (Policies > Credential Store) as | ||
# the value of the 'name' parameter in section [credential_store]. To retrieve a | ||
# parameter from this Credential Store, type the $ character as the value of | ||
# a parameter in this configuration file. To use the $ character as value, | ||
# type $$ instead. For more information, read the "Store sensitive plugin data | ||
# securely" section in the Tutorial document. | ||
|
||
[auth] | ||
# To override the prompt when using 2FA/MFA, enter the new prompt below. | ||
; prompt=Press Enter for push notification or type one-time password: | ||
|
||
# For better security, you can hide the characters (OTP or password) that the | ||
# user types after the prompt. | ||
# To hide the characters, set 'disable_echo' to 'yes'. | ||
; disable_echo=no | ||
|
||
[connection_limit by=client_ip_gateway_user] | ||
# To limit the number of parallel sessions the gateway user can start from a | ||
# given client IP address, configure 'limit'. For an unlimited number of | ||
# sessions, type '0'. | ||
; limit=0 | ||
|
||
[authentication_cache] | ||
# CAUTION: Do not configure this section unless you know exactly what you are | ||
# doing. For more information, read the "[authentication_cache]" section in the | ||
# Tutorial document. | ||
; hard_timeout=90 | ||
; soft_timeout=15 | ||
; reuse_limit=0 | ||
|
||
######[WHITELIST]###### | ||
# The [whitelist source=user_list] and [whitelist source=ldap_server_group] | ||
# sections allow configuring authentication whitelists based on a User List | ||
# policy or an LDAP Server policy. These two sections are independent, any of | ||
# the two can be configured and can allow the user to bypass 2FA/MFA | ||
# authentication. | ||
|
||
[whitelist source=user_list] | ||
# The [whitelist source=user_list] section allows whitelisting users based on a | ||
# User List policy configured in SPS (Policies > User Lists). To enable this | ||
# whitelist, configure one of the use cases below. | ||
# IMPORTANT: the user names are compared to the User List in a case-sensitive | ||
# manner. | ||
|
||
# Use case #1: To allow specific users to connect without providing 2FA/MFA | ||
# credentials, the User List policy should have the following settings: | ||
# Set 'Allow' to 'No user' and list the users in the 'Except' list. Then type | ||
# the name of this User List policy as the value of the 'name' parameter here. | ||
; name=<name-of-user-list-policy> | ||
|
||
# Use case #2: To enforce 2FA/MFA authentication for selected users, the User | ||
# List policy should have the following settings: Set 'Allow' to 'All users' and | ||
# list the users in the 'Except' list. Then type the name of this User List | ||
# policy as the value of the 'name' parameter here. | ||
; name=<name-of-user-list-policy> | ||
|
||
[whitelist source=ldap_server_group] | ||
# The [whitelist source=ldap_server_group] section allows whitelisting users | ||
# based on LDAP Server group membership, To enable this whitelist, configure one | ||
# of the use cases below. | ||
# IMPORTANT: the user names and groups are compared in LDAP in a | ||
# case-insensitive manner. | ||
|
||
# Use case #1: To allow members of specific LDAP/AD group(s) to connect without | ||
# providing 2FA/MFA credentials, type the names of these LDAP/AD groups as | ||
# values of the 'except' parameter and set the 'allow' parameter to 'no_user': | ||
; allow=no_user | ||
; except=<group-1>,<group-2>,... | ||
|
||
# Use case #2: To enforce 2FA/MFA authentication only on members of specific | ||
# LDAP/AD groups, type the names of these LDAP/AD groups as values of the | ||
# 'except' parameter and set the 'allow' parameter to 'all_users'. | ||
; allow=all_users | ||
; except=<group-1>,<group-2>,... | ||
|
||
######[USERMAPPING]###### | ||
# Usually the gateway user and the external 2FA/MFA identity are different. | ||
# Because the authentication is based on the 2FA/MFA identity, to be able to | ||
# authenticate with the gateway user, you will have to map these two to each | ||
# other. The following methods are possible: explicit and LDAP server. | ||
# | ||
# The explicit method has priority over the LDAP server method. | ||
# If there is no [USERMAPPING] and no [username_transform], then the 2FA/MFA | ||
# identity will be the same as the gateway user name. | ||
|
||
[usermapping source=explicit] | ||
# To map the gateway user name to an external 2FA/MFA identity, configure the | ||
# following name-value pairs. | ||
# NOTE: Type the user names in lowercase. | ||
; <user-name-1>=<id-1> | ||
; <user-name-2>=<id-2> | ||
|
||
[usermapping source=ldap_server] | ||
# To map the gateway user name (that is in LDAP/AD and has a non-empty UTF8 | ||
# attribute string) to an external 2FA/MFA identity, configure the | ||
# 'user_attribute' parameter the following way: | ||
# It must be an LDAP/AD user attribute that contains the external identity. | ||
# Example: description, cn, mail. For a complete list consult | ||
# https://docs.microsoft.com/en-gb/windows/desktop/ADSchema/c-user. | ||
# IMPORTANT: you must configure the name of the LDAP/AD server policy in | ||
# the [ldap_server] section. | ||
; user_attribute=description | ||
|
||
[username_transform] | ||
# If the 2FA/MFA service requires the use of domain name in the external | ||
# 2FA/MFA identity, configure the 'append_domain' parameter. This will append | ||
# the domain name after the external 2FA/MFA identity with a '@' character. | ||
# For example, if 'append_domain' is set to 'foobar.com', then '@foobar.com' | ||
# will be appended to the external identity. | ||
# If you have configured [USERMAPPING], the [username_transform] process will | ||
# run after the [usermapping] process. | ||
; append_domain=<domain-without-at-sign> | ||
|
||
[ldap_server] | ||
# Required if you have configured [whitelist source=ldap_server_group] or | ||
# [usermapping source=ldap_server]. | ||
# The name of the LDAP server policy (Policies > LDAP Servers). | ||
; name=<name-of-LDAP-server-policy> | ||
|
||
[credential_store] | ||
# Name of the local credential store configured in SPS for hosting sensitive | ||
# configuration data. For more information, read the "Store sensitive | ||
# plugin data securely" section in the Tutorial document. | ||
; name=<name-of-credential-store-policy-that-hosts-sensitive-data> | ||
|
||
[logging] | ||
# To configure the log level, enter one of the following values: | ||
# 'debug', 'info', 'warning', 'error', 'critical' | ||
; log_level=info | ||
|
||
[https_proxy] | ||
# To set the HTTPS proxy environment for the plugin, configure the following. | ||
; server=<proxy-server-name-or-ip> | ||
; port=3128 | ||
|
||
[question_1] | ||
# IMPORTANT: To configure this optional section, contact our Support Team. | ||
# To request additional information from the user (for example, ticket number) | ||
# define one or more [question_] section (for example, [question_1], | ||
# [question_2]). The user input will be stored under the value of 'key' in the | ||
# 'questions' section of the session cookie. | ||
; prompt=<prompt-to-show-to-the-user> | ||
; key=<target-key-for-the-answer> | ||
|
||
# For better security, you can hide the characters that the user types after the | ||
# prompt. To hide the characters, set 'disable_echo' to 'yes'. | ||
; disable_echo=yes |
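Review bot: the `[auth]` section documents `disable_echo=no` as the default, so the OTP or password typed after the prompt is echoed to the terminal (and into the session recording) unless the operator changes it, while the `[question_1]` section further down documents `disable_echo=yes`; make the two consistent and default the credential prompt to `yes`. Two further points in the same file: the commented default `auth_type=pap` sends the password in the Access-Request hidden only by the RFC 2865 MD5 scheme keyed on the shared secret, so the comment above it should say what differs between `pap` and `chap` rather than just listing them; and the comments under `######[USERMAPPING]######` and in `[username_transform]` refer to `[USERMAPPING]` in upper case while the real section names are lower-case `[usermapping source=...]`. Typos to fix: "is is automatically turned on" and "group membership, To enable" (comma where a full stop belongs).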
Empty file.