You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
docs: update RADIUS Gateway Guide with missing features and fixes
- Update feature list with all features from releases v1.2 through v1.7.1
- Remove incorrect X-MSS-MSISDN VSA claim (not implemented in code)
- Add RADIUS client retry recommendation to NAS Requirements
- Add ldapsearch debugging command for LDAP troubleshooting
- Add Amazon ECR pull command and fix Docker Hub/ECR links
- Add RIG-specific radclient test examples to annexes
**OTP (SMS) challenge-response** — if the authentication falls back to OTP via SMS, you will receive an `Access-Challenge` response that includes a `State` value. You must respond with another `Access-Request` that includes the OTP as `User-Password` and the retrieved `State` value:
The idBlender company provides a free online web application that functions as a RADIUS client. It uses a backend service to perform the actual RADIUS request (so it is not the browser that sends the RADIUS requests, but a backend service) and can be used to test publicly available RADIUS servers.
Copy file name to clipboardExpand all lines: docs/radius-interface-gateway-guide/deployment.md
+19-2Lines changed: 19 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -28,6 +28,7 @@ The following points must be considered before you proceed with the deployment.
28
28
29
29
- The NAS RADIUS Access-Request packet contains either a **unique NAS-Identifier attribute** or it has a **unique and static source IP address/range**. RIG will pick the configuration based on this info.
30
30
- The RADIUS client timeout shall be set to **60 seconds**. This ensures enough time for the user to respond to the Mobile ID authentication request.
31
+
- The RADIUS client retry shall be set to no more than **1**. The client should not retry because there might still be a Mobile ID authentication session ongoing.
31
32
32
33
### Connectivity Requirements
33
34
@@ -45,6 +46,16 @@ You can verify the LDAP connectivity using the following command on the node whe
-s sub "(&(objectclass=inetOrgPerson)(uid=<user>))"
57
+
```
58
+
48
59
You can verify the Mobile ID API connectivity using the following command on the node where the RIG container application is running:
49
60
50
61
```bash
@@ -61,11 +72,11 @@ Here is an I18N Error Message JSON configuration example. Add the JSON content e
61
72
62
73
## Docker Run
63
74
64
-
You can pull the Docker images from [Docker Hub](https://hub.docker.com/) (or alternatively from Amazon ECR).
75
+
You can pull the Docker images from [Docker Hub](https://hub.docker.com/repository/docker/mobileidch/mid-radius-rig)or from [Amazon ECR](https://gallery.ecr.aws/mobileidch/mid-radius-rig).
65
76
66
77
For high availability, you will need the following components, running at least two instances each:
67
78
68
-
-**Mobile ID RADIUS Interface Gateway application** — [Docker Hub](https://hub.docker.com/) or Amazon ECR
79
+
-**Mobile ID RADIUS Interface Gateway application** — [Docker Hub](https://hub.docker.com/repository/docker/mobileidch/mid-radius-rig) or [Amazon ECR](https://gallery.ecr.aws/mobileidch/mid-radius-rig)
69
80
-**Redis database** using `redis` (requires 3 nodes for HA; alternatively, `keydb` may be used)
70
81
-**Redis web management tool** using `redis-commander` to manage the Redis database content
71
82
-**UDP network load balancer** using `nginx` with a custom `nginx.conf` configuration
@@ -76,6 +87,12 @@ How to pull an image from Docker Hub:
Copy file name to clipboardExpand all lines: docs/radius-interface-gateway-guide/introduction.md
+15-4Lines changed: 15 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -10,11 +10,10 @@ During authentication via RADIUS, an extra step requires users to confirm the ac
10
10
11
11
Some clients might decide to move from 1FA (one-factor authentication) to 2FA: username + password and Mobile ID. Other clients might decide to stick with 2FA but replace the existing combination of username + password and security device challenge with username + password plus Mobile ID as additional MFA.
12
12
13
-
RADIUS users are typically defined in the format `user@domain`. However, Mobile ID requires the phone number (MSISDN) of the user. Therefore, the phone number of the target user should be provided with one of the following options (RIG supports all three):
13
+
RADIUS users are typically defined in the format `user@domain`. However, Mobile ID requires the phone number (MSISDN) of the user. Therefore, the phone number of the target user should be provided with one of the following options:
14
14
15
15
- RIG connects to a customer's **Directory Service (LDAP)** to retrieve user attributes such as phone number (MSISDN) or other optional attributes such as User-Language, MobileID serial number, or the user's preferred authentication method.
16
16
- The RADIUS client provides the **MSISDN as part of the User-Name** (e.g. `4179xxxxxxx@mydomain.com`).
17
-
- The RADIUS client provides the **MSISDN via Vendor Specific Attribute** (`X-MSS-MSISDN`).
18
17
19
18
## RIG Feature List
20
19
@@ -23,12 +22,24 @@ RADIUS users are typically defined in the format `user@domain`. However, Mobile
0 commit comments