keycloak-radius-plugin
Generation of strong RADIUS passwords
Is your feature request related to a problem? Please describe.
Keycloak-radius-plugin manages a separate RADIUS password, which is essential for CHAP/MSCHAPv2. It is a good idea anyway to allow RADIUS access without risk of exposing the primary Keycloak password. This would be especially useful for wifi, where the RADIUS password is stored on the client device and not suitable for TOTP or frequent updates. Also, users may misconfigure certificate validation, which makes it easy to steal the password via a rogue access point.
However, there are a couple of practical problems at the moment:
- As far as I can see, users cannot decide when to set or change their RADIUS password. It has to be triggered by an administrator applying the "Update Radius Password" action to their account, either as a required action on next login, or via a credential reset E-mail.
- The RADIUS password is not subject to Password Policies, so there is a strong incentive to set a stupidly simple one - or to re-use the main Keycloak password (which leads to risk of account takeover if the RADIUS password is captured).
Describe the solution you'd like
Part 1: add a button to the /account/ page where users can reset their RADIUS password. I think this is needed anyway.
Part 2: I would like to configure the RADIUS password to be set completely at random. This could occur by an administrator action as today (e.g. "Generate Radius Password"). It would be displayed to the user once, and when they click "OK" they'd never see it again.
A suitable strong password would be a sequence of 16 letters, as Google use for their app specific passwords (this has 75.2 bits of entropy), although you might want this to be configurable:
Describe alternatives you've considered
It would be possible to apply Keycloak password policies to RADIUS passwords. However, this still encourages people to try to pick "memorable" passwords instead of a proper strong one.
I also have a problem that I want to disable passwords entirely for Keycloak logins, forcing users to use IDP links instead: and at the moment the only way I can see to do this is to set an impossible password policy like regex .{400}. I don't want that to prevent setting a RADIUS password, so in that case I'd need a separate password policy for RADIUS.
Random passwords are inherently more secure than user-chosen passwords, and uncorrelated to the main Keycloak password (if any).
Additional context
n/a
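An added example, not code from keycloak-radius-plugin, of how a "Generate Radius Password" action could produce the 16-letter password described above and confirm its entropy; the function names are my own.

```python
import math
import secrets
import string

# Alphabet from the request: letters only, as in app-specific passwords.
LETTERS = string.ascii_lowercase


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a string drawn uniformly at random: length * log2(alphabet_size).
    16 letters from a 26-symbol alphabet gives about 75.2 bits."""
    return length * math.log2(alphabet_size)


def generate_radius_password(length: int = 16, alphabet: str = LETTERS) -> str:
    """Draw each symbol independently with the OS CSPRNG (secrets module).
    secrets.choice samples without modulo bias, unlike random.choice or
    `os.urandom(1)[0] % len(alphabet)`, so the entropy estimate above holds."""
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need a positive length and at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def format_for_display(password: str, group: int = 4) -> str:
    """Group the secret for the one-time display screen (e.g. 'abcd efgh ijkl mnop').
    Only the display is grouped; the stored/transmitted value has no spaces."""
    return " ".join(password[i:i + group] for i in range(0, len(password), group))


def meets_target(password: str, alphabet: str = LETTERS, min_bits: float = 75.0) -> bool:
    """Policy check a generator (rather than a user) can always satisfy:
    every symbol must come from the alphabet and the length must reach min_bits."""
    if any(ch not in alphabet for ch in password):
        return False
    return entropy_bits(len(password), len(set(alphabet))) >= min_bits


if __name__ == "__main__":
    pw = generate_radius_password()
    print(format_for_display(pw), f"({entropy_bits(len(pw), len(LETTERS)):.1f} bits)")
```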
100% agreed. I plan to implement a similar feature on my server. Did you find any workaround since the time you posted this issue? I would really appreciate recommendations on ways to achieve this flow.