16.2.1.2.12. RADIUS Token

class privacyidea.lib.tokens.radiustoken.RadiusTokenClass(db_token)

authenticate(passw, user=None, options=None)
Do the authentication on the basis of the password / OTP, the user and the options (the request parameters).
This is only called after it has been verified that the upper level is neither a challenge request nor a challenge response.
The "options" are read-only in this method. They are not modified here. authenticate is the last method in the loop check_token_list.
- communication with RADIUS server: yes, if there is no previous "radius_result"
- If there is a "radius" result in the options, we do not query the RADIUS server
- modification of options: options can be modified if we query the RADIUS server.
- However, this is not important since authenticate is the last call.
Parameters: - passw – the password / OTP
- user – the requesting user
- options – the additional request parameters
Returns: tuple of (success, otp_count - 0 or -1, reply)

check_challenge_response(user=None, passw=None, options=None)
This method verifies whether there is a matching question for the given passw and also verifies whether the answer is correct.
It then returns the otp_counter = 1
Parameters: - user (User object) – the requesting user
- passw (string) – the password - in fact it is the answer to the question
- options (dict) – additional arguments from the request, which could be token specific. Usually "transaction_id"
Returns: return otp_counter. If -1, challenge does not match
Return type: int

check_otp(otpval, counter=None, window=None, options=None)
Originally check_otp returns an OTP counter, i.e. on a failed attempt we return -1. In case of success we return 1.
Parameters: - otpval
- counter
- window
- options

check_pin_local
Look up whether the PIN should be checked locally or on the RADIUS host.
Returns: bool

create_challenge(transactionid=None, options=None)
Create a challenge, which is submitted to the user.
This method is called after is_challenge_request has verified that a challenge needs to be created.
communication with RADIUS server: no
modification of options: no
Parameters: - transactionid – the id of this challenge
- options – the request context parameters / data
Returns: tuple of (bool, message and data)
- bool, if submit was successful
- message is submitted to the user
- data is preserved in the challenge
- attributes - additional attributes, which are displayed in the output

static get_class_info(key=None, ret='all')
Returns a subtree of the token definition.
Parameters: - key (string) – subsection identifier
- ret (user defined) – default return value, if nothing is found
Returns: subsection if key exists or user defined
Return type: dict or string

is_challenge_request(passw, user=None, options=None)
This method checks whether this is a request that triggers a challenge. It depends on the way the PIN is checked, either locally or remotely. In addition, the RADIUS token has to be configured to allow challenge response.
communication with RADIUS server: yes
modification of options: The communication with the RADIUS server can change the options: radius_state, radius_result, radius_message
Parameters: - passw (string) – password, which might be pin or pin+otp
- user (User object) – The user from the authentication request
- options (dict) – dictionary of additional request parameters
Returns: true or false

is_challenge_response(passw, user=None, options=None)
This method checks whether this is a request that is the response to a previously sent challenge. But we do not query the RADIUS server.
This is the first method in the loop check_token_list.
communication with RADIUS server: no
modification of options: The "radius_result" key is set to None
Parameters: - passw (string) – password, which might be pin or pin+otp
- user (User object) – the requesting user
- options (dict) – dictionary of additional request parameters
Returns: true or false
Return type: bool
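
The call order and the handling of "radius_result" described for is_challenge_response, is_challenge_request and authenticate, as a simplified model showing that one request causes one RADIUS query. This is an added example, not privacyIDEA's code: FakeRadius, ModelRadiusToken and run_request are hypothetical names and the result strings are constructed. It assumes a remote PIN check with challenge response allowed, and that a challenge response is recognized by a "transaction_id" in the options.

```python
# Simplified model of the documented flow; NOT privacyIDEA's implementation.
class FakeRadius:
    """Constructed stand-in for a RADIUS server; counts the queries it gets."""
    def __init__(self, valid, challenge_on=None):
        self.valid, self.challenge_on, self.queries = valid, challenge_on, 0

    def query(self, passw):
        self.queries += 1
        if passw == self.challenge_on:
            return {"radius_result": "challenge", "radius_state": "s-1",
                    "radius_message": "Enter token code"}
        ok = passw == self.valid
        return {"radius_result": "accept" if ok else "reject",
                "radius_state": None, "radius_message": None}


class ModelRadiusToken:
    def __init__(self, radius):
        self.radius = radius

    def is_challenge_response(self, passw, options):
        # First in the loop: no RADIUS traffic, "radius_result" is set to None.
        options["radius_result"] = None
        return "transaction_id" in options  # assumption, see lead-in

    def is_challenge_request(self, passw, options):
        # Queries RADIUS; may set radius_state, radius_result, radius_message.
        options.update(self.radius.query(passw))
        return options["radius_result"] == "challenge"

    def authenticate(self, passw, options):
        # Last in the loop: query only if there is no previous "radius_result".
        if options.get("radius_result") is None:
            options.update(self.radius.query(passw))
        success = options["radius_result"] == "accept"
        # Same shape as the documented return: (success, 0 or -1, reply)
        return success, 0 if success else -1, {"message": options["radius_message"]}


def run_request(token, passw, options=None):
    """Call the three checks in the order described for check_token_list."""
    options = dict(options or {})
    if token.is_challenge_response(passw, options):
        return "challenge_response", options
    if token.is_challenge_request(passw, options):
        return "challenge_created", options
    return token.authenticate(passw, options), options
```
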