GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects β†’ vzakharchenko β†’ keycloak-radius-plugin

vzakharchenko / keycloak-radius-plugin

Licence: Apache-2.0 license
Make the radius server as part of keycloak SSO

Programming Languages

java
68154 projects - #9 most used programming language
javascript
184084 projects - #8 most used programming language
HTML
75241 projects
shell
77523 projects
Dockerfile
14818 projects

Labels

dockerciscomikrotikkeycloakdocker-composeyubikeyradiushotspotradius-accountingradius-serverradsec-serverwebauthnradius-protocolfido2chillispotkeycloak-pluginradius-pluginradius-proxyradius-attributesauthport

Projects that are alternatives of or similar to keycloak-radius-plugin

FreeRADIUS-Server-Configuration-Tool
🎯 FreeRADIUS Server Configuration Tool πŸ–₯️
Stars: ✭ 33 (-67.65%)
Mutual labels:  radius, radius-accounting, radius-server
clarion
WebAuthn (U2F) helper for CLI operations (e.g. SSH Log in)
Stars: ✭ 78 (-23.53%)
Mutual labels:  yubikey, webauthn, fido2
awesome-yubikey
Curated list of awesome Yubikey resources, open source projects, tools and tutorials.
Stars: ✭ 22 (-78.43%)
Mutual labels:  yubikey, webauthn, fido2
vmam
VLAN Mac-address Authentication Manager
Stars: ✭ 19 (-81.37%)
Mutual labels:  radius, radius-server
Solo
Solo 1: open security key supporting FIDO2 & U2F over USB + NFC
Stars: ✭ 1,986 (+1847.06%)
Mutual labels:  webauthn, fido2
Opensk
OpenSK is an open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.
Stars: ✭ 2,114 (+1972.55%)
Mutual labels:  webauthn, fido2
line-fido2-server
FIDO2(WebAuthn) server officially certified by FIDO Alliance and Relying Party examples.
Stars: ✭ 350 (+243.14%)
Mutual labels:  webauthn, fido2
Fastnetmon
FastNetMon - very fast DDoS sensor with sFlow/Netflow/IPFIX/SPAN support
Stars: ✭ 2,860 (+2703.92%)
Mutual labels:  cisco, mikrotik
uru-card
Arduino based firmware for FIDO2 Authenticator
Stars: ✭ 114 (+11.76%)
Mutual labels:  webauthn, fido2
FIDO-Server
Open-source FIDO server, featuring the FIDO2 standard.
Stars: ✭ 17 (-83.33%)
Mutual labels:  webauthn, fido2
phpmixbill
PHP Mikrotik Billing - Voucher management for Mikrotik Hotspot
Stars: ✭ 134 (+31.37%)
Mutual labels:  mikrotik, hotspot
webauthn-demo
WebAuthn demo with Ionic/Angular and Spring Boot
Stars: ✭ 22 (-78.43%)
Mutual labels:  webauthn, fido2
webauthn-example
Basic WebAuthn client and server in go
Stars: ✭ 53 (-48.04%)
Mutual labels:  webauthn, fido2
gomiko
multi-vendor networking SDK.
Stars: ✭ 46 (-54.9%)
Mutual labels:  cisco, mikrotik
go-libfido2
libfido2 bindings for golang
Stars: ✭ 42 (-58.82%)
Mutual labels:  webauthn, fido2
android-webauthn-authenticator
A WebAuthn Authenticator for Android leveraging hardware-backed key storage and biometric user verification.
Stars: ✭ 101 (-0.98%)
Mutual labels:  webauthn, fido2
adfsmfa
MFA for ADFS 2022/2019/2016/2012r2
Stars: ✭ 86 (-15.69%)
Mutual labels:  webauthn, fido2
radiusd
Distributed Radius-server to do authentication+accounting.
Stars: ✭ 50 (-50.98%)
Mutual labels:  radius, radius-server
topolograph
Topolograph.com is an online project which can visualize OSPF/ISIS topology based on single OSPF LinkState DataBase scrapping from one network device ( thanks OSPF =). Then you can not only see (and check) the shortest path from source to destination, but also see the outcome from link or node failure along the path to the destination. The exist…
Stars: ✭ 84 (-17.65%)
Mutual labels:  cisco, mikrotik
wp-webauthn
πŸ”’ WP-WebAuthn allows you to safely login to your WordPress site without password.
Stars: ✭ 85 (-16.67%)
Mutual labels:  webauthn, fido2
View All Similar Projects βž”

Embedded Radius Server in Keycloak SSO

CircleCI Java CI with Maven Node.js Examples Coverage Status [Maven Central] BCH compliance

Run radius server inside keycloak. features:

Examples

Donate

Donate

Release Setup

  1. Download keycloak-radius.zip asset from github releases
  2. unzip release 
    unzip keycloak-radius.zip -d keycloak-radius
  3. run keycloak 
    sh keycloak-radius/bin/standalone.sh  -c standalone.xml -b 0.0.0.0 -Djboss.bind.address.management=0.0.0.0 --debug 8190 -Djboss.http.port=8090
  4. open http://localhost:8090
  5. initialize keycloak master realm

Docker Container

Run inside Docker Container

Manual Setup

build project

requirements: java jdk 11 and above, maven 3.5 and above

  • cd keycloak-plugins
  • mvn clean install

Configure Keycloak (based on Quarkus)

requirements: keycloak 18.0.1

cp ${SOURCE}/keycloak-plugins/radius-plugin/target/radius-plugin-1.4.6-SNAPSHOT.jar ${KEYCLOAK_PATH}/providers/radius-plugin-1.4.6-SNAPSHOT.jar
cp ${SOURCE}/keycloak-plugins/rad-sec-plugin/target/rad-sec-plugin-1.4.6-SNAPSHOT.jar ${KEYCLOAK_PATH}/providers/rad-sec-plugin-1.4.6-SNAPSHOT.jar
cp ${SOURCE}/keycloak-plugins/mikrotik-radius-plugin/target/mikrotik-radius-plugin-1.4.6-SNAPSHOT.jar ${KEYCLOAK_PATH}/providers/mikrotik-radius-plugin-1.4.6-SNAPSHOT.jar
cp ${SOURCE}/keycloak-plugins/cisco-radius-plugin/target/cisco-radius-plugin-1.4.6-SNAPSHOT.jar ${KEYCLOAK_PATH}/providers/cisco-radius-plugin-1.4.6-SNAPSHOT.jar
cp ${SOURCE}/keycloak-plugins/chillispot-radius-plugin/target/chillispot-radius-plugin-1.4.6-SNAPSHOT.jar ${KEYCLOAK_PATH}/providers/chillispot-radius-plugin-1.4.6-SNAPSHOT.jar
cp ${SOURCE}/keycloak-plugins/radius-disconnect-plugin/target/radius-disconnect-plugin-1.4.6-SNAPSHOT.jar ${KEYCLOAK_PATH}/providers/radius-disconnect-plugin-1.4.6-SNAPSHOT.jar
cp ${SOURCE}/keycloak-plugins/proxy-radius-plugin/target/proxy-radius-plugin-1.4.6-SNAPSHOT.jar ${KEYCLOAK_PATH}/providers/proxy-radius-plugin-1.4.6-SNAPSHOT.jar
cp ${SOURCE}/keycloak-radius-plugin/keycloak-plugins/radius-theme/target/radius-theme-1.4.6-SNAPSHOT.zip ${KEYCLOAK_PATH}/providers/radius-theme-1.4.6-SNAPSHOT.jar

where

Configure Keycloak WildFly (deprecated)

requirements: keycloak 18.0.1

  • setup radius-plugin 
    ${KEYCLOAK_PATH}/bin/jboss-cli.sh --command="module add --name=keycloak.plugins.radius --resources=${SOURCE}/keycloak-plugins/radius-plugin/target/radius-plugin-1.4.6-SNAPSHOT.jar --dependencies=org.jboss.logging,org.keycloak.keycloak-core,org.keycloak.keycloak-services,org.keycloak.keycloak-server-spi,org.keycloak.keycloak-server-spi-private,org.apache.commons.io,javax.activation.api,javax.servlet.api,org.jboss.resteasy.resteasy-jaxrs,javax.ws.rs.api,com.fasterxml.jackson.core.jackson-databind,org.keycloak.keycloak-common,com.fasterxml.jackson.core.jackson-core,javax.transaction.api,org.hibernate,io.netty,org.slf4j,javax.xml.bind.api,org.apache.commons.codec,org.apache.commons.lang3"
  • setup rad-sec plugin 
    ${KEYCLOAK_PATH}/bin/jboss-cli.sh --command="module add --name=keycloak.plugins.rad.sec --resources=${SOURCE}/keycloak-plugins/rad-sec-plugin/target/rad-sec-plugin-1.4.6-SNAPSHOT.jar --dependencies=org.jboss.logging,org.keycloak.keycloak-core,org.keycloak.keycloak-services,org.keycloak.keycloak-server-spi,org.keycloak.keycloak-server-spi-private,org.apache.commons.io,javax.activation.api,com.fasterxml.jackson.core.jackson-databind,org.keycloak.keycloak-common,com.fasterxml.jackson.core.jackson-core,javax.transaction.api,org.hibernate,io.netty,org.slf4j,javax.xml.bind.api,org.apache.commons.codec,keycloak.plugins.radius,org.apache.commons.lang3"
  • setup mikrotik plugin 
    ${KEYCLOAK_PATH}/bin/jboss-cli.sh --command="module add --name=keycloak.plugins.radius.mikrotik --resources=${SOURCE}/keycloak-plugins/mikrotik-radius-plugin/target/mikrotik-radius-plugin-1.4.6-SNAPSHOT.jar --dependencies=org.jboss.logging,org.keycloak.keycloak-core,org.keycloak.keycloak-services,org.keycloak.keycloak-server-spi,org.keycloak.keycloak-server-spi-private,org.apache.commons.io,javax.activation.api,com.fasterxml.jackson.core.jackson-databind,org.keycloak.keycloak-common,com.fasterxml.jackson.core.jackson-core,javax.transaction.api,org.hibernate,io.netty,org.slf4j,javax.xml.bind.api,org.apache.commons.codec,keycloak.plugins.radius,org.apache.commons.lang3"
  • setup cisco plugin 
    ${KEYCLOAK_PATH}/bin/jboss-cli.sh --command="module add --name=keycloak.plugins.radius.cisco --resources=${SOURCE}/keycloak-plugins/cisco-radius-plugin/target/cisco-radius-plugin-1.4.6-SNAPSHOT.jar --dependencies=org.jboss.logging,org.keycloak.keycloak-core,org.keycloak.keycloak-services,org.keycloak.keycloak-server-spi,org.keycloak.keycloak-server-spi-private,org.apache.commons.io,javax.activation.api,com.fasterxml.jackson.core.jackson-databind,org.keycloak.keycloak-common,com.fasterxml.jackson.core.jackson-core,javax.transaction.api,org.hibernate,io.netty,org.slf4j,javax.xml.bind.api,org.apache.commons.codec,keycloak.plugins.radius,org.apache.commons.lang3"
  • setup chillispot plugin 
    ${KEYCLOAK_PATH}/bin/jboss-cli.sh --command="module add --name=keycloak.plugins.radius.chillispot --resources=${SOURCE}/keycloak-plugins/chillispot-radius-plugin/target/chillispot-radius-plugin-1.4.6-SNAPSHOT.jar --dependencies=org.jboss.logging,org.keycloak.keycloak-core,org.keycloak.keycloak-services,org.keycloak.keycloak-server-spi,org.keycloak.keycloak-server-spi-private,org.apache.commons.io,javax.activation.api,com.fasterxml.jackson.core.jackson-databind,org.keycloak.keycloak-common,com.fasterxml.jackson.core.jackson-core,javax.transaction.api,org.hibernate,io.netty,org.slf4j,javax.xml.bind.api,org.apache.commons.codec,keycloak.plugins.radius,org.apache.commons.lang3"
  • setup radius-disconnect plugin 
    ${KEYCLOAK_PATH}/bin/jboss-cli.sh --command="module add --name=keycloak.plugins.radius.dm --resources=${SOURCE}/keycloak-plugins/radius-disconnect-plugin/target/radius-disconnect-plugin-1.4.6-SNAPSHOT.jar --dependencies=org.jboss.logging,org.keycloak.keycloak-core,javax.ws.rs.api,org.keycloak.keycloak-services,org.keycloak.keycloak-server-spi,org.keycloak.keycloak-server-spi-private,org.apache.commons.io,javax.activation.api,com.fasterxml.jackson.core.jackson-databind,org.keycloak.keycloak-common,com.fasterxml.jackson.core.jackson-core,javax.transaction.api,org.hibernate,io.netty,org.slf4j,javax.xml.bind.api,org.apache.commons.codec,keycloak.plugins.radius,org.keycloak.keycloak-model-jpa,javax.persistence.api,org.hibernate,org.apache.commons.lang3"
  • setup proxy-radius plugin 
    ${KEYCLOAK_PATH}/bin/jboss-cli.sh --command="module add --name=keycloak.plugins.radius.proxy --resources=${SOURCE}/keycloak-plugins/proxy-radius-plugin/target/proxy-radius-plugin-1.4.6-SNAPSHOT.jar --dependencies=org.jboss.logging,org.keycloak.keycloak-core,org.keycloak.keycloak-services,org.keycloak.keycloak-server-spi,org.keycloak.keycloak-server-spi-private,org.apache.commons.io,javax.activation.api,com.fasterxml.jackson.core.jackson-databind,org.keycloak.keycloak-common,com.fasterxml.jackson.core.jackson-core,javax.transaction.api,org.hibernate,io.netty,org.slf4j,javax.xml.bind.api,org.apache.commons.codec,keycloak.plugins.radius,org.apache.commons.lang3"
  • setup radius theme 
    ${KEYCLOAK_PATH}/bin/jboss-cli.sh --command="module add --name=keycloak.plugins.radius.theme --resources=${SOURCE}/keycloak-radius-plugin/keycloak-plugins/radius-theme/target/radius-theme-1.4.6-SNAPSHOT.zip
  • run script for standalone 
    ${KEYCLOAK_PATH}/bin/jboss-cli.sh --file=${SOURCE}/cli/radius.cli
  • run script for standalone-ha 
    ${KEYCLOAK_PATH}/bin/jboss-cli.sh --file=${SOURCE}/cli/radius-ha.cli
    where
  • KEYCLOAK_PATH - Path where you are unpacked keycloak-18.0.1.zip (you can use RADIUS_CONFIG_PATH instead of KEYCLOAK_PATH)
  • SOURCE - Path where you checked out the code and built the project

Environment Variables

Variable Name Variable Value Config file Location
KEYCLOAK_PATH Path where you are unpacked keycloak ${KEYCLOAK_PATH}/config/radius.config
RADIUS_CONFIG_PATH Path where you store radius.config ${RADIUS_CONFIG_PATH}/radius.config

Examples:

export RADIUS_CONFIG_PATH= /opt/keycloak/radius/config

or

export KEYCLOAK_PATH= /opt/keycloak/

Configuration

Radius server config file

  • create file ${KEYCLOAK_PATH}config/radius.config or ${RADIUS_CONFIG_PATH}/radius.config

  • example 

    {
"sharedSecret": "radsec",
"authPort": 1812,
"accountPort": 1813,
"numberThreads": 8,
"useUdpRadius": true,
"externalDictionary": "/opt/dictionary",
"otp": false,
"radsec": {
"privateKey": "config/private.key",
"certificate": "config/public.crt",
"numberThreads": 8,
"useRadSec": true
},
"coa":{
"port":3799,
"useCoA":true
}
}
    where

  • sharedSecret - Used to secure communication between a RADIUS server and a RADIUS client.

  • authPort - Authentication and authorization port

  • accountPort - Accounting port

  • useUdpRadius - if true, then listen to authPort and accountPort

  • radsec - radsec configuration

  • privateKey - private SSL key (https://netty.io/wiki/sslcontextbuilder-and-private-key.html)

  • certificate - certificates chain

  • useRadSec - if true, then listen radsec port

  • numberThreads - number of connection threads

  • coa - CoA request configuration

  • port - CoA port (Mikrotik:3799, Cisco:1700)

  • useCoA - use CoA request

  • otp - use OTP without password

  • externalDictionary - path to the dictionary file in freeradius format

Run Keycloak Locally

#!/usr/bin/env bash
set -e
cd keycloak-18.0.1
sh bin/kc.sh --debug 8190 start-dev --http-port=8090

Keycloak Client with Radius Protocol

radiusProtocol

Mapping Radius Password to Keycloak Credentials

Radius Protocol Keycloak credentials Keycloak credentials with OTP Kerberos credentials Ldap credentials Keycloak Radius credentials Keycloak Radius credentials with OTP Keycloak OTP(if config file contains "otp":true)
PAP Yes Yes Yes Yes Yes Yes NO
CHAP No No No No Yes Yes Yes
MSCHAPV2 No No No No Yes Yes Yes

Assign Radius Attributes to Role

NOTE: Composite roles supported

RoleAttributes

Role Conditional Attributes

if conditional Attribute is present and has valid value then all other attributes will be applied. (Example: apply role attributes only if NAS-IP-Address= 192.168.88.1)

Structure of Attribute: 

<PREFIX><ATTRIBUTE_NAME>=<values>

  • PREFIX = 
    COND_
  • ATTRIBUTE_NAME attribute name from access-request
  • VALUES Comma-separated list of attribute values

Example:

COND_NAS-IP-Address = "192.168.88.1, 192.168.88.2"

ConditionalRole The role will only be applied if the NAS server address is 192.168.88.1 or 192.168.88.2.

Role REJECT Attributes (Example)

if reject Attribute is present and has valid value then access request will be rejected. (Example: reject user request if access request contains attribute NAS-IP-Address= 192.168.88.1)

Structure of Attribute: 

<PREFIX><ATTRIBUTE_NAME>=<values>

  • PREFIX = 
    REJECT_
  • ATTRIBUTE_NAME attribute name from access-request
  • VALUES Comma-separated list of attribute values

Example:

REJECT_NAS-IP-Address = "192.168.88.2"

reject_conditional The role will only be applied if the NAS server address is not 192.168.88.2, otherwise request will be rejected

Role REJECT WITHOUT CONDITION

If Reject Attribute is present then access request will be rejected. Structure of Attribute: REJECT_RADIUS=<ANY VALUE> Example:

REJECT_RADIUS = "true"

Role ACCEPT Attributes (Example)

if accept Attribute is present and has valid value then access request will be accepted, otherwise rejected. (Example: accept user request if access request contains attribute NAS-IP-Address= 192.168.88.1,192.168.88.2)

Structure of Attribute: 

<PREFIX><ATTRIBUTE_NAME>=<values>

  • PREFIX = 
    ACCEPT_
  • ATTRIBUTE_NAME attribute name from access-request
  • VALUES Comma-separated list of attribute values

Example:

ACCEPT_NAS-IP-Address = "192.168.88.1"

acceptConditional The role will only be applied if the NAS server address is not 192.168.88.2, otherwise request will be rejected

Assign Radius Attributes to Group

NOTE: SubGroups supported groupAttributes

Group Conditional Attributes

if conditional Attribute is present and has valid value then all other attributes will be applied. (Example: apply group attributes only if NAS-IP-Address= 192.168.88.1)

Structure of Attribute: 

<PREFIX><ATTRIBUTE_NAME>=<values>

  • PREFIX = 
    COND_
  • ATTRIBUTE_NAME attribute name from access-request
  • VALUES Comma-separated list of attribute values

Example: Role Conditional Attributes/README.md:1

Group REJECT Attributes

if reject Attribute is present and has valid value then access request will be rejected. (Example: reject user request if access request contains attribute NAS-IP-Address= 192.168.88.1)

Structure of Attribute: 

<PREFIX><ATTRIBUTE_NAME>=<values>

  • PREFIX = 
    REJECT_
  • ATTRIBUTE_NAME attribute name from access-request
  • VALUES Comma-separated list of attribute values

Example: Role REJECT Attributes

Group REJECT WITHOUT CONDITION

If Reject Attribute is present then access request will be rejected. Structure of Attribute: REJECT_RADIUS=<ANY VALUE> Example:

REJECT_RADIUS = "true"

Group ACCEPT Attributes

if accept Attribute is present and has valid value then access request will be accepted, otherwise rejected. (Example: accept user request if access request contains attribute NAS-IP-Address= 192.168.88.1,192.168.88.2)

Structure of Attribute: 

<PREFIX><ATTRIBUTE_NAME>=<values>

  • PREFIX = 
    ACCEPT_
  • ATTRIBUTE_NAME attribute name from access-request
  • VALUES Comma-separated list of attribute values

Example: Role ACCEPT Attributes

Assign Radius Attributes to User

userAttributes

User Conditional Attributes

if conditional Attribute is present and has valid value then all other attributes will be applied. (Example: apply user attributes only if NAS-IP-Address= 192.168.88.1)

Structure of Attribute: 

<PREFIX><ATTRIBUTE_NAME>=<values>

  • PREFIX = 
    COND_
  • ATTRIBUTE_NAME attribute name from access-request
  • VALUES Comma-separated list of attribute values

Example: Role Conditional Attributes/README.md:1

User REJECT Attributes

if reject Attribute is present and has valid value then access request will be rejected. (Example: reject user request if access request contains attribute NAS-IP-Address= 192.168.88.1)

Structure of Attribute: 

<PREFIX><ATTRIBUTE_NAME>=<values>

  • PREFIX = 
    REJECT_
  • ATTRIBUTE_NAME attribute name from access-request
  • VALUES Comma-separated list of attribute values

Example: Role REJECT Attributes

User ACCEPT Attributes

if accept Attribute is present and has valid value then access request will be accepted, otherwise rejected. (Example: accept user request if access request contains attribute NAS-IP-Address= 192.168.88.1,192.168.88.2)

Structure of Attribute: 

<PREFIX><ATTRIBUTE_NAME>=<values>

  • PREFIX = 
    ACCEPT_
  • ATTRIBUTE_NAME attribute name from access-request
  • VALUES Comma-separated list of attribute values

Example: Role ACCEPT Attributes

Assign Radius Attributes to Authorization Resource

Change admin theme to "Radius"

radiusTheme

Enable Authorization on Radius Client

Authorization

Create Resource

Authorization

Assign Attributes to Resource

assignAttributesToResource

Create policy and permissions

Resource Conditional Attributes

if conditional Attribute is present and has valid value then all other attributes will be applied. (Example: apply user attributes only if NAS-IP-Address= 192.168.88.1)

Structure of Attribute: 

<PREFIX><ATTRIBUTE_NAME>=<values>

  • PREFIX = 
    COND_
  • ATTRIBUTE_NAME attribute name from access-request
  • VALUES Comma-separated list of attribute values

Example: Role Conditional Attributes/README.md:1

Resource REJECT Attributes

if reject Attribute is present and has valid value then access request will be rejected. (Example: reject user request if access request contains attribute NAS-IP-Address= 192.168.88.1)

Structure of Attribute: 

<PREFIX><ATTRIBUTE_NAME>=<values>

  • PREFIX = 
    REJECT_
  • ATTRIBUTE_NAME attribute name from access-request
  • VALUES Comma-separated list of attribute values

Example: Role REJECT Attributes

Resource REJECT without condition

If Reject Attribute is present then access request will be rejected. Structure of Attribute: REJECT_RADIUS=<ANY VALUE> Example:

REJECT_RADIUS = "true"

Resource ACCEPT Attributes

if accept Attribute is present and has valid value then access request will be accepted, otherwise rejected. (Example: accept user request if access request contains attribute NAS-IP-Address= 192.168.88.1,192.168.88.2)

Structure of Attribute: 

<PREFIX><ATTRIBUTE_NAME>=<values>

  • PREFIX = 
    ACCEPT_
  • ATTRIBUTE_NAME attribute name from access-request
  • VALUES Comma-separated list of attribute values

Example: Role ACCEPT Attributes

Hotspot Example (with Facebook login)

Hotspot Example (with Facebook login)

Example CoA Configuration

Radius Disconnect Message

Radius Proxy

Radius Proxy Module

Keycloak Radius credentials

  • Setup Radius Credentials during first time login
    1. set Action "Update Radius Password" (or send this event to user be email) updateRadiusPassword
    2. User sets his own Radius password RadiusUserPassword

Otp Password

  1. enable Otp Password on Keycloak side. https://www.keycloak.org/docs/latest/server_admin/ impersonateUserExample3 impersonateUserExample4
  2. password in request must contain the password and otp.
  3. Structure Password in request:
    • PAP password: <Keycloak Password/RADIUS Password><OTP> example: testPassword123456, where testPassword is password, 123456 is otp
    • MSCHAP/CHAP: <RADIUS Password><OTP> example: testPassword123456, where testPassword is password, 123456 is otp
    • PAP password with Otp (if config file contains "otp":true) : <OTP> example: 123456, where 123456 is otp

OTP Password example

WebAuthn Authentication

wiki page

Add custom Radius Dictionary(example for Fortinet)

  • create dictionary Fortinet.dictionary:
VENDOR		12356   Fortinet

VENDORATTR	12356 Fortinet-Group-Name			1	string
VENDORATTR	12356 Fortinet-Client-IP-Address		2	ipaddr
VENDORATTR	12356 Fortinet-Vdom-Name			3	string
VENDORATTR	12356 Fortinet-Client-IPv6-Address		4	octets
VENDORATTR	12356 Fortinet-Interface-Name			5	string
VENDORATTR	12356 Fortinet-Access-Profile			6	string
  • run as docker container
  docker run -p 8090:8080 -e  -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true" -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin -e RADIUS_DICTIONARY=/opt/dictionary -v `pwd`/Fortinet.dictionary:/opt/dictionary   vassio/keycloak-radius-plugin

Development

wiki page

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].