[prev in list] [next in list] [prev in thread] [next in thread]
List: openvpn-users
Subject: Re: [Openvpn-users] Need working way to authenticate in RADIUS.
From: Gert Doering <gert () greenie ! muc ! de>
Date: 2022-12-14 13:05:16
Message-ID: Y5nKDLZmT2K3ULKM () greenie ! muc ! de
[Download RAW message or body]
[Attachment #2 (multipart/signed)]
Hi,
On Wed, Dec 14, 2022 at 01:58:11PM +0100, Bogdan Rudas wrote:
> We mind RADIUS for MFA and password checks. Having RADIUS just checking
> password+OTP via external MFA works, however any time spent in RADIUS
> communication for one client session means the traffic to other clients is
> stuck, that is why I was asking 'what plugin is good'. I wonder if the PAM
> plugin is really asynchronous by default.
plugin-auth-pam can run sync or async. Part of my test suite is "run this
with a non-responding radius server (15s timeout)" so I can attest "yes,
this is very well tested in async/deferred mode".
> Besides OTP, there are MFA mobile
> applications that require users to press a button on their smartphone for
> confirmation. In such cases RADIUS will reply when a user pressed the
> button and thus the entire OpenVPN instance will be stuck for an even
> longer time.
I understand. I've been there, which is why I added async/deferred handling
to plugin-auth-pam :-)
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany gert@greenie.muc.de
["signature.asc" (application/pgp-signature)]
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic