Reimplementing Radius Authentication

What is a one sentence summary of your feature request?

Fixing two major flaws with Radius Authentication - not built on top of LDAP / wrong character encoding

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

The Radius authentication is implemented with two major flaws - in my opinion:

  1. It can only be used instead of LDAP, not complementary on top. This would allow using Radius with an external second factor, which we use. However, routing Active Directory authentication through Radius isn't very secure, and would allow a corrupt Radius server complete permission into the password manager.

  2. Once I used the Radius authentication, the encrypted passwords were encoded via the character encoding ISO-8859-1 (Latin-1). This does not fit the standard for RADIUS, which is UTF-8 [1]. This led to special characters being wrongly transmitted.

Both factors forbid a practical use of this built-in feature.
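As an added illustration (not part of the original request), the following Python implements the RFC 2865 User-Password hiding (MD5 of secret and authenticator, XORed in 16-byte blocks) and shows what a UTF-8 RADIUS server recovers when the client encoded the password as ISO-8859-1 instead; the shared secret and request authenticator are constructed values.

```python
import hashlib


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password; strips the NUL padding."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return bytes(out).rstrip(b"\x00")


# Constructed values for the demonstration only (never reuse a fixed authenticator).
SECRET = b"shared-secret-example"
AUTHENTICATOR = bytes(range(16))


def server_view(password: str, client_encoding: str) -> str:
    """The password string a UTF-8 RADIUS server ends up comparing when the
    client encoded it with client_encoding before hiding it on the wire."""
    hidden = hide_user_password(password.encode(client_encoding), SECRET, AUTHENTICATOR)
    raw = reveal_user_password(hidden, SECRET, AUTHENTICATOR)
    # Undecodable bytes become U+FFFD, i.e. the server sees a different password.
    return raw.decode("utf-8", errors="replace")


if __name__ == "__main__":
    pw = "Pässwörd!"
    print("UTF-8 client  :", server_view(pw, "utf-8"))
    print("Latin-1 client:", server_view(pw, "latin-1"))
```

With a Latin-1 client, the umlaut bytes 0xE4 and 0xF6 are not valid UTF-8, so the server-side comparison fails even though the hiding itself round-trips correctly.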

  1. Could be used via placing the Radius authentication as a true MFA provider next to the built-in 2FA. This would allow admins to force this or give users an option, if not every user is implemented in a central solution.

  2. This could be solved via adding a drop-down field in the Radius configuration for choosing the necessary character encoding, if you don't want to break the status quo.

[1] RFC 6158: RADIUS Design Guidelines

How do you currently solve the challenges you have by not having this feature?

We do not use Radius at all - but rather a separate implementation of MFA.