You should always take a look at the Changelog, but starting with privacyIDEA we added a document READ_BEFORE_UPDATE, which contains important information to consider before upgrade.

New Features: RADIUS integration, VASCO support, Offline Refill and more

With privacyIDEA 2.22 we added the possibility to pass more useful userinformation to a RADIUS client like a VPN. The administrator can add a policy to include the resolver and the realm of a user who authenticated successfully. This response data can then be used in the FreeRADIUS plugin and modified by regular expressions to add any arbitrary RADIUS attribute in the RADIUS response, which then would be sent to the VPN. This additional information can be used by Cisco ASA, Citrix Netscaler or any other enterprise grade VPN to put the user into certain subnets or to assign resource to the user.

VASCO token support

privacyIDEA is Open Source. We love Open Source and open standards. But sometimes you have to communicate with proprietary partners, so that they have the chance to become open. This is why privacyIDEA 2.22 comes with support for the proprietary VASCO Digipass tokens. This way it is easier to run VASCO tokens and open standards tokens like HOTP, TOTP or Yuibkeys in parallel and maybe even one day migrate all VASCO tokens – after the batteries have died – to other devices.

If you want to learn more about migrating your VASCO tokens, please contact NetKnights for professional sevices.

Offline Refill

We are improving the offline capability of privacyIDEA in conjunction with the PAM module and the privacyIDEA Credential Provider. The new offline refill will allow to automatically refill the hashed OTP values on the notebooks, which are available for authentication, if the notebook is offline. This way users or administrators will not have to worry anymore when taking the hardware on a business trip.

Send SMS via SMPP

SMPP (Short Message Peer-to-Peer) is a protocol used by carriers for sending SMS. privacyIDEA 2.22 comes with a new SMS Provider to send SMS via SMPP. This can be used for sending SMS in the SMS token during authentication but also for sending SMS in the notification event handler, to notify users or administrators on certain events.

Use Counter handler for monitoring and statistics

We often see, that the event handler is a mighty tool to cope with many different requirements. In addition to the notification handler, token handler, script handler and federation handler privacyIDEA 2.22 now comes with a simply but very flexible counter handler. Just like every handler it can be attached to any event (API call) and will trigger under defined conditions. The counter handler simply increses a counter in the database for this very event.

These counters can now be used for statistics or monitoring, e.g. when increasing a certain counter on the event failed authentication with HOTP token. This way the administrator could monitor the number of failed authentications per time interval.

Each token has a tokenkind

Many installations use hardware tokens and software tokens at the same time. To be more flexible in distinguishing these tokens when it comes to deleting tokens or deciding giving access, we added an additional class attribute to tokens. The “tokenkind”. In contrast to the tokentype, which is simply the mathematics of the token, the tokenkind defines if this very token object is  hardware token, a software token or a virtual token.

Use arbitrary tokeninfo in authorization policies

Authorization policies are used to decide if an authenticated user should get access or not. As the arbitrary tokeninfo fields are getting used more in more in event handler definitions, the tokeninfo can now also be used in the authorization policies to grant or deny access.

This way event handlers could modify token information and this modified token information can be used for granting access. Event handling and authorization thus get connected more tightly.

Lots of enhancements

There are further enhancements of existing features in privacyIDEA. We improved the token export the PSKC files – we will also export PW token types and the counter values of HOTP and TOTP tokens. The export can now also be used to reencrypt a token database.

The SMS and Email token types can now either use the fixed mobile number or email address in the token data or read the mobile/email dynamically from the user store on each authentication event.

The administrator can define a policy so that the validity of the U2F attestation certificate will be ignored. Some U2F devices come with a attestation certificate with an invalid validity period.

We improved the speed of the LinOTP migration script, so that a database with tens of thousands of tokens can be easily migrated.

The pi-manage script can now generate API tokens with a freely chosen validity time.

The user can now set the description of HOTP and TOTP tokens during enrollment.

The administrator can add a timeout to the SMTP server configuration.

The email tokens can now use a complex html template for sending emails.

The LDAP resolver allows to define each attribute as a multivalue attribute.

The event handler condition can trigger on failed authentication.

For the complete changelog with also contains all the fixes, please take a look a the Github repository.

Enterprise Edition

If you are running large mission critical setups, privacyIDEA is also available as Enterprise Edition with support and warranty/liability.

privacyIDEA at Grazer Linuxtage and Linuxfest Northwest

At the end of April you can hear a talk about privacyIDEA in Austria at the Grazer Linuxtage. You will learn, how you can easily migrate an old, existing, proprietary 2FA system to privacyIDEA. Project member Friedrich Weber will also host a workshop at the Grazer Linuxtage, where you can participate in installing privacyIDEA and configuring to your needs.

At the same time Cornelius Kölbel will give a talk in Bellingham Technical Colleage, U.S.A. At the LinuxFest NorthWest 2018 you can learn about what makes privacyIDEA so unique in regards to workflow integrations using the privacyIDEA Event Handler system automating a lot of individual tasks.

Join the discussion

Join the discussion a community.privacyidea.org.

Today we released privacyIDEA 2.15. In this release privacyIDEA command line client supports the initialization and enrollment of the Nitrokey. The Nitrokey is an open USB devices that acts as authentication device and password safe. It can hold your PGP keys but also provides several OTP slots. privacyIDEA now can initialize these OTP slots, so that you can use your own key material and use the Nitrokey as an open and trusted authenticator. This way you get the maximum trust and transparency by running open source software, using open and standardized algorithms and open hardware.

Arbitrary User Attributes and Client Overview

With privacyIDEA 2.15 the administrator now can edit arbitrary user attributes. These user attributes can be included in the authentication response and the new privacyIDEA FreeRADIUS plugin can map these user attributes to any RADIUS response attribute.

In the Web UI the administrator now also gets an overview of all authenticating clients. This may help him to keep track of the connected applications.

Download

You can download privacyIDEA via github, the python package index or the Ubuntu Launchpad repository. privacyIDEA is also available as privacyIDEA Enterprise Edition from NetKnights providing additional downloads for CentOS or the Univention Corporate Server.

Changelog

• Client Overview. Display the type of the requesting   authenticating clients (#489)
• Support for NitroKey OTP mode (admin client)

Enhancements

• You can edit arbitrary user attributes in privacyIDEA.
• Such user attributes can be mapped to any RADIUS attribute.
• Performance enhancements using Caching singletons for Config, Realm, Resolver and Policies
• Allow configuration of the registration email text (#494)
• Return SAML attributes only in case of successful authentication (#500)
• Policy “reset_all_user_tokens” allow to reset all  failcounters on successful authentication (#471)
• Client rewrite mapping also checks for X-Forwarded-For (#395, #495)

Fixes

• Fixing RemoteUser fails to display WebUI (#499)
• String comparison in HOSTS resolver (#484)

Updating an Ubuntu installation from launchpad works out of the box. When updating a pip installation, please note that a new database table was added.

OTP system migration

privacyIDEA now helps you to migrate an old 3rd party installation to privacyIDEA. To do so the new RADIUS passthru policy was added. privacyIDEA can pass all authentication requests for users without a token to the defined RADIUS server. This way you can migrate tokens smoothly and run your old system and your new privacyIDEA side by side until you have removed all old tokens or moved all users and tokens to privacyIDEA.

LDAP Improvements

The LDAP received some nice improvements. It can now handle special characters like é and ß in the username and the password reliably. With Active Directory in Windows 2012 you can now use the objectGUID as the UID in the LDAP resolver.

We now use paged searched when retrieving user lists. This way you can get really all users in the LDAP directory.

Changelog

You can find a complete changelog at github.

This Howto describes the setup of privacyIDEA on CentOS 7 including a FreeRADIUS 3 configuration.

This Howto is provided by Patrick Hirschbühl. Thanks a lot for this contribution!

privacyIDEA + MySQL on CentOS 7

Minimal Installation of CentOS 7

yum -y install net-tools
yum -y install wget NetworkManager-tui

Example for /etc/hosts

 192.168.1.2 privacyideaserver privacyideaserver.domain

/etc/selinux/config

SELINUX=disabled

Install necessary software:

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*
yum -y install epel-release
yum -y install yum-priorities

Edit /etc/yum.repos.d/epel.repo

[epel]
 name=Extra Packages for Enterprise Linux 7 - $basearch
 #baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch
 mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
 failovermethod=priority
 priority=10
 enabled=1
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7

Install further software:

yum update
yum -y groupinstall 'Development Tools'
yum -y install open-vm-tools net-tools; reboot
yum install ntp -y

Optional Tools:

yum install links nmap rkhunter

privacyIDEA

yum install mariadb-server httpd mod_wsgi mod_ssl python-devel gcc mariadb-devel libjpeg-devel \
freeradius freeradius-utils freeradius-perl openldap-devel perl-libwww-perl perl-Config-IniFiles \
perl-Try-Tiny perl-Data-Dump perl-JSON perl-LWP-Protocol-http* python-virtualenv libffi-devel \
freetype-devel libpng-devel postgresql-devel

 systemctl enable radiusd.service
 systemctl start radiusd
 systemctl enable mariadb.service
 systemctl start mariadb
 systemctl enable httpd.service
 systemctl start httpd

Create Database

mysql_secure_installation
echo 'create database privacyidea;' | mysql -u root -p
echo 'grant all privileges on privacyidea.* to "privacyidea"@"localhost" identified by "unknown";' \
   | mysql -u root -p

Install privacyIDEA

virtualenv /opt/privacyIDEA
cd /opt/privacyIDEA
source bin/activate

Install further requirements for building packages with pip:

yum -y install libxslt-devel libxml2-devel

Download requirements.txt from https://github.com/privacyidea/privacyidea/blob/master/requirements.txt

pip install -r requirements.txt
pip install MySQL-python
pip install privacyidea
mkdir /etc/privacyidea
mkdir /var/log/privacyidea

Edit /etc/privacyidea/pi.cfg:

# The realm, where users are allowed to login as administrators
SUPERUSER_REALM = ['super', 'administrators']
# Your database
SQLALCHEMY_DATABASE_URI = 'mysql://privacyidea:unknown@localhost/privacyidea'
# This is used to encrypt the auth_token
SECRET_KEY = 't0p s3cr3t'
# This is used to encrypt the admin passwords
PI_PEPPER = "Never know..."
# This is used to encrypt the token data and token passwords
PI_ENCFILE = '/etc/privacyidea/enckey'
# This is used to sign the audit log
PI_AUDIT_KEY_PRIVATE = '/etc/privacyidea/private.pem'
PI_AUDIT_KEY_PUBLIC = '/etc/privacyidea/public.pem'
PI_LOGFILE = '/var/log/privacyidea/privacyidea.log'
# PI_LOGLEVEL = 20
# PI_INIT_CHECK_HOOK = 'your.module.function'

Run further commands:

pi-manage.py create_enckey
pi-manage.py create_audit_keys
pi-manage.py createdb
pi-manage.py admin add admin -e admin@localhost

Add firewall rules

firewall-cmd --permanent --zone=public --add-service=http --add-service=https --add-service=radius
firewall-cmd --reload
firewall-cmd --zone=public --list-all

Test

systemctl stop httpd
pi-manage.py runserver -h Hostname-or-IP -p 80
systemctl start httpd

Create user

useradd -r -m privacyidea -d /opt/privacyIDEA

Fix rights privacyIDEA

chown -R privacyidea:root /etc/privacyidea
/opt/privacyIDEA/bin/privacyidea-fix-access-rights -f /etc/privacyidea/pi.cfg -u privacyidea
chmod 400 /etc/privacyidea/enckey
chmod 400 /etc/privacyidea/*.pem
chown -R privacyidea:root /var/log/privacyidea

privacyIDEA Apache config

mkdir -p /var/run/wsgi
cp /opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi /etc/privacyidea
mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf.disabled

Edit /etc/httpd/conf/httpd.conf:

ServerName Hostname-or-IP:80

Edit /etc/httpd/conf.d/privacyidea.conf:

TraceEnable off
ServerSignature Off
ServerTokens Prod
WSGIPythonHome /opt/privacyIDEA
WSGISocketPrefix /var/run/wsgi

<VirtualHost _default_:80>
  ServerAdmin webmaster@localhost
  ServerName localhost
  RewriteEngine On
  RewriteCond %{HTTPS} !=On
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost _default_:443>
  ServerAdmin webmaster@localhost
  ServerName localhost
  DocumentRoot /var/www
  <Directory />
    Require all granted
    Options FollowSymLinks
    AllowOverride None
  </Directory>
  # The daemon is running as user 'privacyidea'
  # This user should have access to the encKey database encryption file
  WSGIDaemonProcess privacyidea python-path=/etc/privacyidea:/opt/privacyIDEA/lib/python2.7/site-packages processes=1 threads=15 display-name=%{GROUP} user=privacyidea
  WSGIProcessGroup privacyidea
  WSGIPassAuthorization On
  WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
  SSLEngine On
  SSLProtocol All -SSLv2 -SSLv3
  SSLHonorCipherOrder On
  SSLCipherSuite EECDH+AES256:DHE+AES256:EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
  SSLCertificateFile /etc/pki/tls/certs/privacyideaserver.pem
  SSLCertificateKeyFile /etc/pki/tls/private/privacyideaserver.key
</VirtualHost>

Enable Apache config:

/opt/privacyIDEA/bin/privacyidea-create-certificate -f /etc/httpd/conf.d/privacyidea.conf
apachectl configtest
systemctl restart httpd

Config Freeradius 3 for privacyIDEA

cp /opt/privacyIDEA/lib64/privacyidea/authmodules/FreeRADIUS/privacyidea_radius.pm \
  /etc/raddb/mods-config/perl/

Edit /etc/raddb/mods-available/perl:

perl {
 filename = ${modconfdir}/${.:instance}/privacyidea_radius.pm
}

ln -s /etc/raddb/mods-available/perl /etc/raddb/mods-enabled/

Edit /etc/raddb/clients.conf:

client Radius-Client {
  ipaddr = 192.168.1.1/32
  secret = shared_secret_key
  require_message_authenticator = no
  nas_type = other
}

Edit /etc/raddb/sites-available/privacyidea:

server default {
 listen {
   type = auth
   ipaddr = *
   port = 0
   limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30
   }
 }
 listen {
   ipaddr = *
   port = 0
   type = acct
   limit {
   }
 }

authorize {
   preprocess
   digest
   suffix
   ntdomain
   files
   expiration
   logintime
   pap
   update control {
      Auth-Type := Perl
   }
}

authenticate {
   Auth-Type Perl {
     perl
   }
   digest
}

preacct {
   suffix
   files
}

accounting {
   detail
}

session {
}
post-auth {
}
pre-proxy {
}
post-proxy {
}
}

ln -s /etc/raddb/sites-available/privacyidea /etc/raddb/sites-enabled/
rm /etc/raddb/sites-enabled/default
rm /etc/raddb/sites-enabled/inner-tunnel

Edit /etc/privacyidea/rlm_perl.ini:

[Default]
URL = https://127.0.0.1/validate/check
#REALM = someRealm
#RESCONF = someResolver
SSL_CHECK = false
#DEBUG = true

Edit /etc/raddb/mods-config/perl/privacyidea_radius.pm

our $CONFIG_FILE = “/etc/privacyidea/rlm_perl.ini”;
cp /opt/privacyIDEA/etc/privacyidea/dictionary /etc/raddb/

Test Freeradius

systemctl stop radiusd
radiusd -X
echo "User-Name=user, User-Password=password" | radclient -sx localhost auth testing123
systemctl restart radiusd

Fix rights privacyIDEA and Freeradius

chown -R privacyidea:root /etc/privacyidea
chgrp -R radiusd /etc/raddb
cd /etc/raddb
ll -Z
restorecon /etc/raddb/*

reboot

Change Password Admin User

cd /opt/privacyIDEA
source bin/activate
pi-manage.py admin change -p admin

Update privacyIDEA

cd /opt/privacyIDEA
source bin/activate
pip install --upgrade cffi
pip install --upgrade bcrypt
pip install --upgrade privacyidea

It shows how you can setup a privacyIDEA system on CentOS 6.5 in conjunction with the FreeRADIUS.

Thus being able to have one central authentication system and connect many applications to this system via the RADIUS protocol.