14.2.1.2.13. RADIUS Token

class edumfa.lib.tokens.radiustoken.RadiusTokenClass(db_token)[source]

constructor - create a token class object with it’s db token binding

Parameters:

aToken – the db bound token

authenticate(passw, user=None, options=None)[source]

do the authentication on base of password / otp and user and options, the request parameters.

This is only called after it is verified, that the upper level is no challenge-request or challenge-response

The “options” are read-only in this method. They are not modified here. authenticate is the last method in the loop check_token_list.

communication with RADIUS server: yes, if is no previous “radius_result”

If there is a “radius” result in the options, we do not query the radius server

modification of options: options can be modified if we query the radius server.

However, this is not important since authenticate is the last call.

Parameters:
  • passw – the password / otp

  • user – the requesting user

  • options – the additional request parameters

Returns:

tuple of (success, otp_count - 0 or -1, reply)

check_challenge_response(user=None, passw=None, options=None)[source]

This method verifies if there is a matching question for the given passw and also verifies if the answer is correct.

It then returns the the otp_counter = 1

Parameters:
  • user (User object) – the requesting user

  • passw (string) – the password - in fact it is the answer to the question

  • options (dict) – additional arguments from the request, which could be token specific. Usually “transaction_id”

Returns:

return otp_counter. If -1, challenge does not match

Return type:

int

check_otp(otpval, counter=None, window=None, options=None)[source]

Originally check_otp returns an OTP counter. I.e. in a failed attempt we return -1. In case of success we return 1 :param otpval: :param counter: :param window: :param options: :return:

property check_pin_local

lookup if pin should be checked locally or on radius host

Returns:

bool

create_challenge(transactionid=None, options=None)[source]

create a challenge, which is submitted to the user

This method is called after is_challenge_request has verified, that a challenge needs to be created.

communication with RADIUS server: no modification of options: no

Parameters:
  • transactionid – the id of this challenge

  • options – the request context parameters / data

Returns:

tuple of (bool, message and data) bool, if submit was successful message is submitted to the user data is preserved in the challenge reply_dict - additional attributes, which are displayed in the

output

static get_class_info(key=None, ret='all')[source]

returns a subtree of the token definition

Parameters:
  • key (string) – subsection identifier

  • ret (user defined) – default return value, if nothing is found

Returns:

subsection if key exists or user defined

Return type:

dict or string

static get_class_prefix()[source]

return the token type prefix

static get_class_type()[source]

return the class type identifier

is_challenge_request(passw, user=None, options=None)[source]

This method checks, if this is a request, that triggers a challenge. It depends on the way, the pin is checked - either locally or remotely. In addition, the RADIUS token has to be configured to allow challenge response.

communication with RADIUS server: yes modification of options: The communication with the RADIUS server can

change the options, radius_state, radius_result, radius_message

Parameters:
  • passw (string) – password, which might be pin or pin+otp

  • user (User object) – The user from the authentication request

  • options (dict) – dictionary of additional request parameters

Returns:

true or false

is_challenge_response(passw, user=None, options=None)[source]

This method checks, if this is a request, that is the response to a previously sent challenge. But we do not query the RADIUS server.

This is the first method in the loop check_token_list.

communication with RADIUS server: no modification of options: The “radius_result” key is set to None

Parameters:
  • passw (string) – password, which might be pin or pin+otp

  • user (User object) – the requesting user

  • options (dict) – dictionary of additional request parameters

Returns:

true or false

Return type:

bool

mode = ['authenticate', 'challenge']
split_pin_pass(passw, user=None, options=None)[source]

Split the PIN and the OTP value. Only if it is locally checked and not remotely.

update(param)[source]

second phase of the init process - updates parameters

Parameters:

param – the request parameters

Returns:

  • nothing -