
IBM Security Verify Gateway for RADIUS - RADIUS capabilities

  • 1.  IBM Security Verify Gateway for RADIUS - RADIUS capabilities

    Posted Mon March 01, 2021 11:34 AM
    I'm trying to figure out whether the IBM Security Verify Gateway for RADIUS supports:

    - TLS support for NAS-Radius Server communications (tunneling of Radius port 1812 UDP protocol inside TLS - certificate-based)
    - LDAP integration, and if yes, LDAP-S (again, TLS)
    - Policy-based OTP, as follows
    > Policy does LDAP look-up
    > Returns group membership & continue
    > second policy checks attribute (group membership)
    > If member of group --> return accept
    > if not member of group --> send OTP prompt + upstream authN request (e.g. to myTenant.ice.ibmcloud.com)

    I've downloaded the CIV GW for Radius. The sample IbmRadiusConfig.json file is a bit minimal.
    I've checked "Configuring the IBM Security Verify Gateway for RADIUS server", but not much more is to be found.

    So in short, the CIV GW for Radius is a small RADIUS server. It would be good to see which Radius-related RFCs are supported, and to have insight into policy capabilities. My reference is FreeRadius, which supports all of the above.

    Many thanks
    Johan


    ------------------------------
    Johan Genbrugge
    ------------------------------


  • 2.  RE: IBM Security Verify Gateway for RADIUS - RADIUS capabilities
    Best Answer

    Posted Wed March 03, 2021 06:41 AM
    Johan,

    Here are some responses to your questions:

    > TLS support for NAS-Radius Server communications (tunneling of Radius port 1812 UDP protocol inside TLS - certificate-based)
    We don't support this.  Only a basic form of RFC2865 using PAP (no CHAP).
    Is this referring to RFC 6614?

    > LDAP integration, and if yes, LDAP-S (again, TLS)
    We support integration against AD that the local system is connected to. This is using Windows APIs - not LDAP.
    We support integration with LDAP via LDAP-passthrough.  The communication goes to Verify (in cloud) and then back to the on-premises directory via the "Verify Bridge for Authentication".  The communication with Verify is TLS.  The bridge does support LDAPS connections.

    > Policy-based OTP, as follows
    > Policy does LDAP look-up
    > Returns group membership & continue
    > second policy checks attribute (group membership)
    > If member of group --> return accept
    > if not member of group --> send OTP prompt + upstream authN request (e.g. to myTenant.ice.ibmcloud.com)
    We do not support this use case today.  It is only possible to have policies triggered before authentication or after *all* authentication.
    There is no option to have the policy execute between password and 2FA (to allow a bypass of 2FA for example).

    I understand the value of both of these items.  If you have a need for these, please consider opening an RFE.
    https://ibmsecurity-ci-community.ideas.aha.io/

    Jon.


    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
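Added illustration (not part of either post, and not the gateway's own code): the "basic form of RFC2865 using PAP" that Jon describes hides the User-Password attribute with an MD5 keystream derived from the shared secret and the Request Authenticator, which is why Johan's question about TLS tunnelling (RFC 6614) matters. The packet below is built from constructed sample values; it round-trips the password only when the shared secret is known.

```python
import hashlib
import struct

# Constructed sample values for this example only.
SHARED_SECRET = b"example-shared-secret"
ACCESS_REQUEST = 1          # RFC 2865 Code for Access-Request
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: null-pad to 16-byte blocks, XOR block i with MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: anyone holding the shared secret and the packet can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, 2 + len(value)) + value  # Type, Length, Value


def build_access_request(ident: int, authenticator: bytes, username: bytes,
                         password: bytes, secret: bytes, nas_ip: bytes = b"\x0a\x00\x00\x01") -> bytes:
    """Code | Identifier | Length | Request Authenticator (16 bytes) | attributes."""
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attr(ATTR_NAS_IP_ADDRESS, nas_ip))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(pkt: bytes):
    """Return (code, identifier, authenticator, {attr_type: value}) for a RADIUS packet."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, pkt[4:20], attrs
```

On the wire the packet is plain UDP/1812, so the hiding above is the only protection the password gets between NAS and gateway; that is the gap RFC 6614 (RADIUS over TLS) closes.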