15.2.1.2.12. RADIUS Token

class privacyidea.lib.tokens.radiustoken.RadiusTokenClass(db_token)

authenticate(passw, user=None, options=None)
Do the authentication based on the password / OTP, the user and the options (the request parameters).
This is only called after it has been verified that the upper level is neither a challenge request nor a challenge response.
The “options” are read-only in this method. They are not modified here. authenticate is the last method in the loop check_token_list.
- communication with RADIUS server: yes, if there is no previous “radius_result”.
If there is a “radius” result in the options, we do not query the RADIUS server.
- modification of options: options can be modified if we query the RADIUS server.
However, this is not important since authenticate is the last call.
- Parameters
passw – the password / otp
user – the requesting user
options – the additional request parameters
- Returns
tuple of (success, otp_count - 0 or -1, reply)

check_challenge_response(user=None, passw=None, options=None)
This method verifies whether there is a matching question for the given passw and also verifies whether the answer is correct.
It then returns the otp_counter = 1.
- Parameters
user (User object) – the requesting user
passw (string) – the password - in fact it is the answer to the question
options (dict) – additional arguments from the request, which could be token specific. Usually “transaction_id”
- Returns
return otp_counter. If -1, challenge does not match
- Return type
int

check_otp(otpval, counter=None, window=None, options=None)
Originally check_otp returns an OTP counter, i.e. in a failed attempt we return -1. In case of success we return 1.
- Parameters
otpval
counter
window
options

property check_pin_local
Look up whether the PIN should be checked locally or on the RADIUS host.
- Returns
bool

create_challenge(transactionid=None, options=None)
Create a challenge, which is submitted to the user.
This method is called after is_challenge_request has verified that a challenge needs to be created.
- communication with RADIUS server: no
- modification of options: no
- Parameters
transactionid – the id of this challenge
options – the request context parameters / data
- Returns
tuple of (bool, message and data)
bool, if submit was successful
message is submitted to the user
data is preserved in the challenge
attributes - additional attributes, which are displayed in the output

static get_class_info(key=None, ret='all')
Returns a subtree of the token definition.
- Parameters
key (string) – subsection identifier
ret (user defined) – default return value, if nothing is found
- Returns
subsection if key exists or user defined
- Return type
dict or string

is_challenge_request(passw, user=None, options=None)
This method checks whether this is a request that triggers a challenge. It depends on the way the PIN is checked, either locally or remotely. In addition, the RADIUS token has to be configured to allow challenge response.
- communication with RADIUS server: yes
- modification of options: The communication with the RADIUS server can change the options radius_state, radius_result, radius_message
- Parameters
passw (string) – password, which might be pin or pin+otp
user (User object) – The user from the authentication request
options (dict) – dictionary of additional request parameters
- Returns
true or false

is_challenge_response(passw, user=None, options=None)
This method checks whether this is a request that is the response to a previously sent challenge. But we do not query the RADIUS server.
This is the first method in the loop check_token_list.
- communication with RADIUS server: no
- modification of options: The “radius_result” key is set to None
- Parameters
passw (string) – password, which might be pin or pin+otp
user (User object) – the requesting user
options (dict) – dictionary of additional request parameters
- Returns
true or false
- Return type
bool
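
The call order documented above (is_challenge_response first, then is_challenge_request, authenticate last) uses the “radius_result” key in options so that one login attempt reaches the RADIUS server only once. The following is an added, simplified model of that contract and is not privacyIDEA code: ModelRadiusToken, FakeRadiusServer and run_check are hypothetical names, and the stand-in backend accepting each OTP only once is an assumption made to show why a second query would be harmful.

```python
# Simplified model of the documented call order. NOT privacyIDEA code:
# FakeRadiusServer, ModelRadiusToken and run_check are hypothetical names.

class FakeRadiusServer:
    """Constructed stand-in backend that accepts each OTP exactly once."""
    def __init__(self, valid_otp):
        self.valid_otp = valid_otp
        self.queries = 0
        self.used = False

    def access_request(self, passw):
        self.queries += 1
        ok = passw == self.valid_otp and not self.used
        self.used = self.used or ok
        return ok


class ModelRadiusToken:
    def __init__(self, server):
        self.server = server

    def is_challenge_response(self, passw, user=None, options=None):
        options["radius_result"] = None   # first in the loop: reset, no query
        return "transaction_id" in options  # assumption for this model

    def is_challenge_request(self, passw, user=None, options=None):
        # Queries the backend and caches the verdict in options.
        options["radius_result"] = self.server.access_request(passw)
        return False                      # model: backend sent no challenge

    def authenticate(self, passw, user=None, options=None):
        # Last in the loop: query only if no earlier step stored a result.
        if options.get("radius_result") is None:
            options["radius_result"] = self.server.access_request(passw)
        ok = options["radius_result"]
        return ok, 0 if ok else -1, {}


def run_check(token, passw, options):
    """Call the three methods in the order the documentation gives."""
    if token.is_challenge_response(passw, options=options):
        return None   # challenge-response path is outside this model
    if token.is_challenge_request(passw, options=options):
        return None   # challenge creation is outside this model
    return token.authenticate(passw, options=options)
```

Without the cached “radius_result”, authenticate would submit the same OTP a second time, which this stand-in backend rejects as already used.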