Johan,
Here are some responses to your questions:
> TLS support for NAS-Radius Server communications (tunneling of Radius port 1812 UDP protocol inside TLS - certificate-based)
We don't support this. Only a basic form of RFC2865 using PAP (no CHAP).
Is this referring to RFC 6614?
> LDAP integration, and if yes, LDAP-S (again, TLS)
We support integration against the AD that the local system is connected to. This is using Windows APIs - not LDAP.
We support integration with LDAP via LDAP-passthrough. The communication goes to Verify (in cloud) and then back to on-premises directory via the "Verify Bridge for Authentication". The communication with Verify is TLS. The bridge does support LDAPS connection.
> Policy-based OTP, as follows
> Policy does LDAP look-up
> Returns group membership & continue
> second policy checks attribute (group membership)
> If member of group --> return accept
> if not member of group --> send OTP prompt + upstream authN request (e.g. to myTenant.ice.ibmcloud.com)
We do not support this use case today. It is only possible to have policies triggered before authentication or after *all* authentication.
There is no option to have the policy execute between password and 2FA (to allow a bypass of 2FA for example).
I understand the value of both of these items. If you have a need for these, please consider opening an RFE.
https://ibmsecurity-ci-community.ideas.aha.io/
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------
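As an added illustration of the "basic form of RFC2865 using PAP" that Jon mentions, here is example code written for this thread (not code from the IBM gateway or from either poster) that builds a minimal PAP Access-Request and shows the RFC 2865 section 5.2 User-Password hiding on both the client and server side. The shared secret, user name and password values are constructed for the example.

```python
import hashlib
import secrets
import struct
from typing import Optional

# RFC 2865 packet code and attribute numbers used below
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: NUL-pad the password to a multiple of 16 bytes and
    XOR each block with MD5(secret + previous block), seeded with the 16-byte
    Request Authenticator. This is obfuscation keyed by the shared secret, not
    authenticated encryption, which is why RadSec (RFC 6614) wraps it in TLS."""
    if not 0 < len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password. Trailing NULs are padding, so a
    password that itself ends in NUL bytes cannot be recovered exactly."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ s for c, s in zip(block, stream))
        prev = block
    return plain.rstrip(b"\x00")


def access_request(identifier: int, secret: bytes, user: bytes, password: bytes,
                   authenticator: Optional[bytes] = None) -> bytes:
    """Build a minimal PAP Access-Request: Code, Identifier, Length, Request
    Authenticator, then User-Name and User-Password as type/length/value attributes."""
    authenticator = authenticator or secrets.token_bytes(16)
    attrs = b""
    for attr_type, value in ((USER_NAME, user),
                             (USER_PASSWORD, hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs
```

Because the only secret material protecting the password on the wire is the shared secret, a captured Access-Request can be attacked offline; that is the gap the RadSec question in this thread is about.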
Original Message:
Sent: Mon March 01, 2021 10:56 AM
From: Johan Genbrugge
Subject: IBM Security Verify Gateway for RADIUS - RADIUS capabilities
I'm trying to figure out whether the IBM Security Verify Gateway for RADIUS supports:
- TLS support for NAS-Radius Server communications (tunneling of Radius port 1812 UDP protocol inside TLS - certificate-based)
- LDAP integration, and if yes, LDAP-S (again, TLS)
- Policy-based OTP, as follows
> Policy does LDAP look-up
> Returns group membership & continue
> second policy checks attribute (group membership)
> If member of group --> return accept
> if not member of group --> send OTP prompt + upstream authN request (e.g. to myTenant.ice.ibmcloud.com)
I've downloaded the CIV GW for Radius. The sample IbmRadiusConfig.json file is a bit minimal.
I've checked Configuring the IBM Security Verify Gateway for RADIUS server, but not much more to be found.
So in short, the CIV GW for Radius is a small RADIUS server. Would be good to see what Radius-related RFCs are supported, and to have insight into Policy capabilities. My reference is FreeRadius, which supports all of the above.
Many thanks
Johan
------------------------------
Johan Genbrugge
------------------------------