14.2.1.2.13. RADIUS Token
- class edumfa.lib.tokens.radiustoken.RadiusTokenClass(db_token)
constructor - create a token class object with its db token binding
- Parameters:
aToken – the db bound token
- authenticate(passw, user=None, options=None)
Do the authentication on the basis of the password / OTP, the user and the options (the request parameters).
This is only called after it has been verified that the upper level is neither a challenge request nor a challenge response.
The “options” are read-only in this method. They are not modified here. authenticate is the last method in the loop check_token_list.
- communication with RADIUS server: yes, if there is no previous “radius_result”. If there is a “radius” result in the options, we do not query the RADIUS server.
- modification of options: options can be modified if we query the RADIUS server. However, this is not important since authenticate is the last call.
- Parameters:
passw – the password / otp
user – the requesting user
options – the additional request parameters
- Returns:
tuple of (success, otp_count - 0 or -1, reply)
- check_challenge_response(user=None, passw=None, options=None)
This method verifies whether there is a matching question for the given passw and also verifies whether the answer is correct.
It then returns the otp_counter = 1
- Parameters:
user (User object) – the requesting user
passw (string) – the password - in fact it is the answer to the question
options (dict) – additional arguments from the request, which could be token specific. Usually “transaction_id”
- Returns:
return otp_counter. If -1, challenge does not match
- Return type:
int
- check_otp(otpval, counter=None, window=None, options=None)
Originally check_otp returns an OTP counter, i.e. on a failed attempt we return -1 and on success we return 1.
- property check_pin_local
Look up whether the PIN should be checked locally or on the RADIUS host.
- Returns:
bool
- create_challenge(transactionid=None, options=None)
Create a challenge, which is submitted to the user.
This method is called after is_challenge_request has verified that a challenge needs to be created.
- communication with RADIUS server: no
- modification of options: no
- Parameters:
transactionid – the id of this challenge
options – the request context parameters / data
- Returns:
tuple of (bool, message and data): bool, if submit was successful; message is submitted to the user; data is preserved in the challenge; reply_dict - additional attributes, which are displayed in the output
- static get_class_info(key=None, ret='all')
returns a subtree of the token definition
- Parameters:
key (string) – subsection identifier
ret (user defined) – default return value, if nothing is found
- Returns:
subsection if key exists or user defined
- Return type:
dict or string
- is_challenge_request(passw, user=None, options=None)
This method checks whether this is a request that triggers a challenge. This depends on how the PIN is checked, either locally or remotely. In addition, the RADIUS token has to be configured to allow challenge response.
- communication with RADIUS server: yes
- modification of options: The communication with the RADIUS server can change the options radius_state, radius_result, radius_message
- Parameters:
passw (string) – password, which might be pin or pin+otp
user (User object) – The user from the authentication request
options (dict) – dictionary of additional request parameters
- Returns:
true or false
- is_challenge_response(passw, user=None, options=None)
This method checks whether this request is the response to a previously sent challenge. It does not query the RADIUS server.
This is the first method in the loop check_token_list.
- communication with RADIUS server: no
- modification of options: The “radius_result” key is set to None
- Parameters:
passw (string) – password, which might be pin or pin+otp
user (User object) – the requesting user
options (dict) – dictionary of additional request parameters
- Returns:
true or false
- Return type:
bool
- mode = ['authenticate', 'challenge']
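The call order described above for is_challenge_response, is_challenge_request and authenticate, as an added Python model that is not eduMFA source code: it shows how the options dict carries radius_result so that one request reaches the RADIUS server at most once. FakeRadiusServer, ModelRadiusToken, check_one_request and the result labels are constructed for illustration, and the model assumes the PIN is checked remotely with challenge-response enabled.

```python
# Simplified model of the documented call order; not eduMFA source code.
ACCEPT, REJECT, CHALLENGE = "accept", "reject", "challenge"  # constructed labels


class FakeRadiusServer:
    """Constructed stand-in for a RADIUS backend that counts queries."""

    def __init__(self, good_otp, challenge_on=None):
        self.good_otp, self.challenge_on, self.queries = good_otp, challenge_on, 0

    def query(self, passw):
        self.queries += 1
        if passw == self.challenge_on:
            return CHALLENGE, "state-1", "Enter your OTP"
        return (ACCEPT if passw == self.good_otp else REJECT), None, ""


class ModelRadiusToken:
    """Assumes remote PIN checking and challenge-response being allowed."""

    def __init__(self, server):
        self.server = server

    def _ask(self, passw, options):
        result, state, message = self.server.query(passw)
        options.update(radius_result=result, radius_state=state, radius_message=message)
        return result

    def is_challenge_response(self, passw, options):
        options["radius_result"] = None  # documented side effect, no RADIUS query
        return "transaction_id" in options

    def is_challenge_request(self, passw, options):
        return self._ask(passw, options) == CHALLENGE  # queries RADIUS, fills options

    def authenticate(self, passw, options):
        result = options.get("radius_result")
        if result is None:  # query only when no earlier result is in the options
            result = self._ask(passw, options)
        success = result == ACCEPT
        return success, (0 if success else -1), {"message": options["radius_message"]}


def check_one_request(token, passw, options):
    """Hypothetical reduction of the check_token_list loop to a single token."""
    if token.is_challenge_response(passw, options):
        return "challenge_response"
    if token.is_challenge_request(passw, options):
        return "challenge_created"
    return token.authenticate(passw, options)
```

In this model the challenge-response branch stops before verification; in the documented class that step is handled by check_challenge_response.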