
WebAuthn support

Open hex-m opened this issue 2 years ago • 4 comments

Is it possible to support WebAuthn via RADIUS?

From my understanding this may be hard - similar to push tokens where @cornelinux mentioned:

The problem is that the out of band auth with push can not work well with a protocol like RADIUS.

hex-m avatar Dec 01 '22 15:12 hex-m

If that is the case, how is it that YubiKey is supported in FreeRADIUS using PAM as a backend?

https://developers.yubico.com/yubico-pam/YubiKey_and_FreeRADIUS_via_PAM.html

Would it not be possible to use FreeRADIUS PAM authentication and implement privacyIDEA support through its PAM plugin to bring WebAuthn support to FreeRADIUS?

EchedelleLR avatar Sep 12 '24 11:09 EchedelleLR

From your link:

Two-factor legacy Username + password + YubiKey OTP authentication for RADIUS server

YubiKey devices support other protocols than FIDO2/WebAuthn.

hex-m avatar Sep 12 '24 12:09 hex-m

In my case, I am only interested in WebAuthn since I use SoloKeys.

Edit: okay, now I see what you are saying.

But if PI already supports PAM with FIDO and FreeRADIUS supports using the PAM module, would it not be possible?

EchedelleLR avatar Sep 12 '24 12:09 EchedelleLR

Hi, our PAM module does not currently support FIDO2. However, it can easily be implemented; it is just a matter of having the time. If FreeRADIUS could use the PAM module, that would be great and maybe a reason to implement FIDO2 sooner. Do you know of any PAM module or combination that makes FIDO2 work with FreeRADIUS?

nilsbehlen avatar Sep 12 '24 19:09 nilsbehlen