Overview

In this documentation, we will demonstrate how to integrate OpenOTP with Swift Alliance Access 7.2 (AA) using the RADIUS protocol. While both LDAP and RADIUS protocols are available for integrating Swift Alliance Access with OpenOTP, this guide focuses specifically on the RADIUS integration. It has been developed using the official Swift Alliance Access 7.2 Administrator Guide. In this guide, we will utilize the RADIUS one-time password authentication method rather than the embedded two-factor authentication module implemented in Swift. WebADM and OpenOTP server(s) should already be configured with the RADIUS Bridge component(s).

Swift Alliance Access Configuration

Authentication Server Groups

First, we will configure the RADIUS servers at the AA level. Log in to the AA Web management page using the LSO (Local Security Officer) account and set up a new authentication server group.


Under Radius Authentication Servers Group, configure the information required to communicate with Radius Bridge.


Configure the Primary Server in the Future configuration section.

  • 192.168.4.160: the IP address of my Radius Bridge, WebADM and OpenOTP server.
  • Key Left: a value of exactly 16 characters.
  • Key Right: a value of exactly 16 characters.
    These two keys (the bilateral key) are concatenated and used as the RADIUS secret in the Radius Bridge client definition.
  • Port Number: the port on which the Radius Bridge service listens.

Once this configuration is complete, click the save button. If you have a WebADM/OpenOTP cluster, configure the secondary server in the same way. These changes must be approved by the RSO (Right Security Officer) account. After the RSO has approved the new configuration, the RADIUS server configuration on Alliance Access is complete.

The use of one-time passwords is configured per operator. To activate one-time passwords, navigate to the Operator Details for each security officer, set the Authentication Type to RADIUS one-time password, and select the appropriate Authentication Server Group. Each change must be approved by both the RSO and LSO accounts.

Radius Bridge Configuration

Clients Configuration

To allow Swift Alliance Access to communicate with Radius Bridge over the RADIUS protocol, the AA must be declared as a RADIUS client in the Radius Bridge configuration.
To configure the client, edit the /opt/radiusd/conf/clients.conf file. The client definitions are at the end of this file.

[root@webadm ~]# vi /opt/radiusd/conf/clients.conf

Add a new client for allowing Swift AA:

client Swift_AA {
        ipaddr = 192.168.4.12
        secret = Left_key_1234567Right_key_123456
}
  • 192.168.4.12: the IP address of the Swift AA that will contact Radius Bridge.
  • Left_key_1234567Right_key_123456: the concatenation of the left and right keys defined in the Alliance Access configuration (Key Left followed by Key Right, 32 characters in total).

Once the Swift Alliance Access client is configured in the clients.conf file, restart the Radius Bridge service:

[root@webadm ~]# /opt/radiusd/bin/radiusd restart

These changes must be made on each Radius Bridge if you are running a WebADM/OpenOTP cluster.

Radiusd Advanced Configuration (Optional)

To have the end user's IP address appear in the WebADM WebSrv logs, set the source_attribute setting in the Radius Bridge configuration to the RADIUS attribute in which Swift sends the user IP.

[root@webadm ~]# vi /opt/radiusd/conf/radiusd.conf
# Source attribute
# This is the RADIUS attribute in which the RADIUS client can pass the end user source IP address to
# OpenOTP. Attribute must be of type IPAddr.
# By default the source attribute is set to Calling-Station-Id & PaloAlto-Client-Source-IP.
source_attribute = "Swift_user_ip_attribute"

Restart Radius Bridge service after modifying this file.
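The following added example (not part of RCDevs' or Swift's code) shows how the bilateral key from the Authentication Server Group becomes the clients.conf secret, and how that secret protects the User-Password attribute of an Access-Request (RFC 2865) that also carries the operator's source IP in Calling-Station-Id, one of the Radius Bridge default source attributes. The key values, operator name, password and IP addresses are constructed; the helper and attribute names are my own.

```python
import hashlib
import os
import socket
import struct

# Constructed values mirroring the guide's example; substitute your own keys.
LEFT_KEY = "Left_key_1234567"     # Key Left from Alliance Access, 16 characters
RIGHT_KEY = "Right_key_123456"    # Key Right from Alliance Access, 16 characters

def bilateral_secret(left: str, right: str) -> bytes:
    """Concatenate Key Left + Key Right into the clients.conf secret, enforcing 16 chars each."""
    for name, key in (("Key Left", left), ("Key Right", right)):
        if len(key) != 16:
            raise ValueError(f"{name} must be exactly 16 characters, got {len(key)}")
    return (left + right).encode()

def transform_password(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool = False) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: XOR each 16-byte block with
    MD5(secret + previous block). Chaining runs on the ciphertext block in both directions."""
    padded = data + b"\x00" * (-len(data) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block_in = padded[i:i + 16]
        block_out = bytes(a ^ b for a, b in zip(block_in, hashlib.md5(secret + prev).digest()))
        out += block_out
        prev = block_in if decrypt else block_out
    return bytes(out)

def build_access_request(username: str, password: str, secret: bytes, nas_ip: str,
                         user_ip: str, ident: int = 1) -> tuple[bytes, bytes]:
    """Build an Access-Request (code 1) like the one AA sends; returns packet and Request Authenticator."""
    authenticator = os.urandom(16)
    attrs = [
        (1, username.encode()),                                             # User-Name (Swift login)
        (2, transform_password(password.encode(), secret, authenticator)),  # User-Password
        (4, socket.inet_aton(nas_ip)),                                      # NAS-IP-Address (the AA host)
        (31, user_ip.encode()),          # Calling-Station-Id: a Radius Bridge default source_attribute
    ]
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body, authenticator

def parse_attributes(packet: bytes) -> dict[int, bytes]:
    """Walk the TLV attribute list after the 20-byte header (first occurrence of each type)."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs.setdefault(attr_type, packet[pos + 2:pos + length])
        pos += length
    return attrs
```

Decrypting the User-Password with the keys in the wrong order yields garbage, which is the usual symptom when the clients.conf secret does not match Key Left + Key Right on the AA side.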

Client Policy Configuration

We will now configure a client policy for Swift authentications. Log in to the WebADM Administrator GUI, then go to the Admin tab > Client Policies > Add Client.

Name the client policy object that will be created (Swift Alliance Access in my case) and optionally add a description.


Click the Proceed button, then select Create Object.

You will now be in the Swift Client Policy configuration menu. The first setting to configure is Client Name Aliases, where you will enter the IP address of the AA that will connect to OpenOTP. For example, in my case, it is 192.168.4.12.


The next step is to configure the authentication policy to require MFA on Swift AA. Scroll down to Default Application Settings, check the box, and click on Edit.
Configure at least the following settings from OpenOTP:

- Login Mode: LDAPOTP to require both the LDAP and OTP passwords. If you only want OpenOTP to validate the OTP password, set it to OTP.

- Challenge Mode Supported: No, because the RADIUS challenge is not supported in AA version 7.2.

Finally, click on Apply.

You should see a result like the one below:


Click the Apply button to save your client policy.

Your client policy for Swift is now configured. You can test a login on AA with OpenOTP.

Swift supports OpenOTP and Push login. However, if the Push notification is not received or if you are unable to approve the login, authentication will fail due to the lack of a fallback method. In such cases, you will need to retry the authentication, and the failed login counter will increase at the Swift level. After a certain number of failed login attempts for the same account, the account will be blocked at the Swift level.

LDAP User and Swift user mapping

If your Swift users already have accounts in your Directory, you can map the LDAP account to the Swift local account at the LDAP level. This mapping is done by adding the Swift login name to an LDAP attribute. This attribute must be configured in the /opt/webadm/conf/webadm.conf file under the uid_attrs setting. By default, the Active Directory template includes the following attributes.

uid_attrs               "cn", "samAccountName", "userPrincipalName"

If one of these attributes is not in use, you can configure the Swift username with that attribute. If the default attributes are already in use in your organization, you can choose another attribute, such as uid. In this case, you will need to add the uid attribute to the uid_attrs setting in the webadm.conf file, as shown below:

uid_attrs               "cn", "samAccountName", "userPrincipalName", "uid"

When you log in to Swift using your Swift account, the Swift username will be sent to OpenOTP and matched with the corresponding LDAP account.

Configuration is complete; you can now try logging in to Swift Alliance Access with OpenOTP.