The end user is prompted twice to enter their OTP after entering their user name and password credentials.
Entering 0 at the second OTP request allows authentication to continue.
Implemented the RADIUS server.
Implemented an OTP based module.
This is a known limitation of the RADIUS server service, which is detailed in RADIUS Server Limitations, specifically:
Because RADIUS authentication attempts always start with a user name and password transmitted in an Access-Request packet, the first module in an authentication chain used for RADIUS clients must accept a user name and a password.
Some AM callback types are not applicable to RADIUS clients. For example, a RedirectCallback directs HTTP clients, such as browsers, to HTTP resources to be used for some aspect of authentication. Redirects make no sense to RADIUS clients and cannot be consumed in any meaningful way.
A ConfirmationCallback also presents challenges for RADIUS clients.
As a result, some AM authentication modules cannot be used with RADIUS clients. Before attempting to use an authentication module with RADIUS clients, review the module's callbacks to determine whether the module will support RADIUS clients. You can use the REST API to determine the callbacks for an authentication module as described in Authenticating (REST).
Modules such as OATH, Authenticator (OATH) and HOTP include a ConfirmationCallback alongside the OTP prompt. For example, in OATH.xml:

    <ConfirmationCallback>
      <OptionValues>
        <OptionValue>
          <Value>Submit OTP Code</Value>
        </OptionValue>
      </OptionValues>
    </ConfirmationCallback>
The default RADIUS handler class (OpenAMAuthHandler.java) translates this callback into a further prompt, expressed as Submit=0, which is why the user appears to be asked for the OTP a second time and why entering 0 at that prompt lets authentication continue.
This issue can be resolved using one of the following options, although such customizations are outside the scope of ForgeRock support:
- Create a custom authentication module that removes the ConfirmationCallback or merges callbacks; for example, you could merge the password and OTP into a single request.
- Create a custom RADIUS handler class that translates the ConfirmationCallback differently, so that the second prompt is not sent to the RADIUS client.
This change is outside the scope of ForgeRock support; if you want more tailored advice, consider engaging Deployment Support Services.
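To make the second option concrete, the following is an added illustration (not AM code, and not OpenAMAuthHandler.java) that models how a handler turns one callback page into RADIUS challenge prompts: the default behaviour surfaces the ConfirmationCallback as its own prompt, while a custom handler answers option 0 itself. The Callbacks and PasswordCallback wrapper in the sample XML are assumed; only the ConfirmationCallback text comes from the excerpt above.

```python
import xml.etree.ElementTree as ET

# Constructed callbacks page modelled on the OATH.xml excerpt. The Callbacks
# and PasswordCallback elements are assumptions about the file layout.
OATH_CALLBACKS = """<Callbacks length="2" order="1" timeout="120">
  <PasswordCallback echoPassword="false">
    <Prompt>Enter OTP Code</Prompt>
  </PasswordCallback>
  <ConfirmationCallback>
    <OptionValues>
      <OptionValue>
        <Value>Submit OTP Code</Value>
      </OptionValue>
    </OptionValues>
  </ConfirmationCallback>
</Callbacks>"""


def radius_prompts(callbacks_xml, auto_confirm=False):
    """Hypothetical model of a RADIUS handler, not OpenAMAuthHandler itself.

    Returns (prompts, auto_answers): the Access-Challenge prompts sent to the
    RADIUS client, and the callback answers the handler fills in by itself.
    auto_confirm=False mimics the default behaviour, where the
    ConfirmationCallback becomes a second challenge satisfied by Submit=0.
    auto_confirm=True models a custom handler that selects option 0 itself.
    """
    root = ET.fromstring(callbacks_xml)
    prompts, auto_answers = [], {}
    for cb in root:
        if cb.tag in ("NameCallback", "PasswordCallback"):
            # Text callbacks map naturally onto a RADIUS challenge prompt.
            prompts.append(cb.findtext("Prompt"))
        elif cb.tag == "ConfirmationCallback":
            options = [v.text for v in cb.iter("Value")]
            if auto_confirm:
                # Custom handler: pick "Submit OTP Code" (index 0) on the
                # client's behalf, so no second prompt reaches the user.
                auto_answers[cb.tag] = 0
            else:
                # Default: the confirmation is sent as its own challenge and
                # the user must answer 0 to select options[0].
                prompts.append("%s (Submit=0)" % options[0])
    return prompts, auto_answers


if __name__ == "__main__":
    for mode in (False, True):
        print("auto_confirm=%s -> %s" % (mode, radius_prompts(OATH_CALLBACKS, mode)))
```

Running it shows two challenges in the default mode and a single OTP challenge when the handler answers the confirmation itself.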
You can customize the module's callbacks file (RADIUS.xml) if you want to change the text shown for the prompts to make them more user-friendly. This file is located in the /path/to/tomcat/webapps/openam/config/auth/default directory (or the appropriate default_xx directory if you have localized AM). See Sample Auth Callbacks for further information.