Does not apply to Identity Cloud

OTP based authentication modules prompt user twice when using RADIUS server with AM (All versions)

Last updated Jun 21, 2021

The purpose of this article is to provide assistance if end users are prompted twice to enter their OTP when logging in using certain authentication modules (OATH, Authenticator (OATH) and HOTP) in AM. This occurs when you are using the Remote Authentication Dial-In User Service (RADIUS) server service.



Symptoms

The end user is prompted twice to enter their OTP after entering their user name and password credentials.

Entering 0 at the second OTP prompt allows authentication to continue.

Recent Changes

Implemented the RADIUS server.

Implemented an OTP based module.

Causes

This is a known limitation of the RADIUS server service, which is detailed in RADIUS Server Limitations, specifically:

Because RADIUS authentication attempts always start with a user name and password transmitted in an Access-Request packet, the first module in an authentication chain used for RADIUS clients must accept a user name and a password.

Some AM callback types are not applicable to RADIUS clients. For example, a RedirectCallback directs HTTP clients, such as browsers, to HTTP resources to be used for some aspect of authentication. Redirects make no sense to RADIUS clients and cannot be consumed in any meaningful way.

A ConfirmationCallback also presents challenges for RADIUS clients.

As a result, some AM authentication modules cannot be used with RADIUS clients. Before attempting to use an authentication module with RADIUS clients, review the module's callbacks to determine whether the module will support RADIUS clients. You can use the REST API to determine the callbacks for an authentication module as described in Authenticating (REST).

Modules such as OATH, Authenticator (OATH) and HOTP include the ConfirmationCallback for the OTP. For example, in OATH.xml:

<ConfirmationCallback>
    <OptionValues>
        <OptionValue>
            <Value>Submit OTP Code</Value>
        </OptionValue>
    </OptionValues>
</ConfirmationCallback>

The default RADIUS handler class (OpenAMAuthHandler.java) cannot answer a ConfirmationCallback on the user's behalf, so it sends it to the RADIUS client as a further Access-Challenge. The client's reply of 0 selects the first (and only) option, which the handler submits as Submit=0; that extra challenge is the second OTP prompt end users see.

Solution

This issue can be resolved using one of the following options:

  • Create a custom authentication module that removes the ConfirmationCallback or merges them, for example, you could merge the password and OTP into a single request.
  • Create a custom RADIUS handler class to translate this request differently to avoid the second prompt.

Both customizations are outside the scope of ForgeRock support; if you want more tailored advice, consider engaging Deployment Support Services.
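To make the mechanism concrete, the following is an added example (not AM's OpenAMAuthHandler or any ForgeRock code) that models in Python how a RADIUS handler walks a chain's callbacks, turns each callback that needs user input into an Access-Challenge, and why the ConfirmationCallback shown above produces the second prompt. It also models both options listed in the solution: a module without the ConfirmationCallback, and a handler that answers a single-option ConfirmationCallback itself. The callback classes, the two-module chain, the credentials and the challenge wording used for the ConfirmationCallback are all assumptions made for the example.

```python
"""Model of how a RADIUS handler turns AM callbacks into Access-Challenge
prompts. Added example: the classes below stand in for the
javax.security.auth.callback types, and the challenge text emitted for a
ConfirmationCallback is an assumption, not the real handler's wording."""
from dataclasses import dataclass
from typing import List, Union


@dataclass
class NameCallback:
    prompt: str
    value: str = ""


@dataclass
class PasswordCallback:
    prompt: str
    value: str = ""


@dataclass
class ConfirmationCallback:
    options: List[str]
    selected: int = -1


@dataclass
class RedirectCallback:   # present only to show a callback RADIUS cannot carry
    url: str


Callback = Union[NameCallback, PasswordCallback, ConfirmationCallback, RedirectCallback]


def otp_chain_pages(with_confirmation: bool = True) -> List[List[Callback]]:
    """Constructed callback pages for a two-module chain: user name + password
    first, then an OTP module. with_confirmation=False models option 1, a
    custom OTP module with the ConfirmationCallback removed."""
    otp_page: List[Callback] = [PasswordCallback("Enter OTP Code:")]
    if with_confirmation:
        otp_page.append(ConfirmationCallback(["Submit OTP Code"]))
    return [[NameCallback("User Name:"), PasswordCallback("Password:")], otp_page]


def run_radius_auth(pages, username, password, client_answers, auto_confirm=False):
    """Drive the callbacks the way a RADIUS handler must. The Access-Request
    carries only User-Name and User-Password, so those fill the first module;
    every later callback needing input becomes an Access-Challenge answered by
    the client's next Access-Request. auto_confirm=True models option 2, a
    handler that answers a single-option ConfirmationCallback itself.
    Returns the challenge prompts the RADIUS client was shown."""
    prompts: List[str] = []
    answers = iter(client_answers)

    for cb in pages[0]:
        if isinstance(cb, NameCallback):
            cb.value = username
        elif isinstance(cb, PasswordCallback):
            cb.value = password
        else:
            raise ValueError("first module must accept a user name and password")

    for page in pages[1:]:
        for cb in page:
            if isinstance(cb, RedirectCallback):
                raise ValueError("RedirectCallback cannot be consumed by a RADIUS client")
            if isinstance(cb, ConfirmationCallback):
                if auto_confirm and len(cb.options) == 1:
                    cb.selected = 0          # only one choice: nothing to ask the user
                    continue
                # Assumed challenge text: options by index, so the client's
                # reply "0" means "Submit OTP Code" (Submit=0 on the page).
                prompts.append(" ".join(f"{i}={o}" for i, o in enumerate(cb.options)))
                reply = next(answers)
                if not reply.isdigit() or int(reply) >= len(cb.options):
                    raise ValueError(f"invalid option {reply!r}")
                cb.selected = int(reply)
            else:
                prompts.append(cb.prompt)
                cb.value = next(answers)
    return prompts


def demo():
    """Default handler vs. the two customizations, same constructed credentials."""
    default = run_radius_auth(otp_chain_pages(), "alice", "s3cret", ["123456", "0"])
    no_confirm = run_radius_auth(otp_chain_pages(False), "alice", "s3cret", ["123456"])
    auto = run_radius_auth(otp_chain_pages(), "alice", "s3cret", ["123456"], auto_confirm=True)
    return default, no_confirm, auto


if __name__ == "__main__":
    for name, prompts in zip(("default", "no ConfirmationCallback", "auto-confirm"), demo()):
        print(f"{name}: {len(prompts)} challenge(s) -> {prompts}")
```

With the default behaviour the client sees two challenges ("Enter OTP Code:" and then the confirmation), which is the double prompt in Symptoms; either customization reduces it to one. The index check on the reply mirrors what a real handler should do: an answer that is not a valid option index must be rejected rather than mapped to option 0.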

Note

You can customize the module's callbacks file (RADIUS.xml) if you want to change the text shown for the prompts to make them more user friendly. This file is located in the /path/to/tomcat/webapps/openam/config/auth/default directory (or the appropriate default_xx locale directory if you have localized AM). Note that this changes only the prompt text; it does not remove the second prompt. See Sample Auth Callbacks for further information.

See Also

RADIUS Server Guide

About the Sample Custom Authentication Module


Related Issue Tracker IDs

OPENAM-8704 (Have option to avoid extra "0" radius challenge in Radius Server)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.