initial import

.gitignore

@@ -14,7 +14,6 @@ dist/
 downloads/
 eggs/
 .eggs/
-lib/
 lib64/
 parts/
 sdist/
@@ -23,7 +22,6 @@ wheels/
 *.egg-info/
 .installed.cfg
 *.egg
-MANIFEST
 
 # PyInstaller
 #  Usually these files are written by a python script from a template

CHANGELOG

@@ -0,0 +1,7 @@
+2.0.5 2019-04-19
+
+Initial release on GitHub.
+
+2.0.0 2018-12-21
+
+Initial version.

MANIFEST

@@ -0,0 +1,6 @@
+name: SPS_RADIUS
+description: RADIUS (RSA) Multi-Factor Authentication plugin
+version: 2.0.5
+type: aa
+api: 1.1
+entry_point: main.py

Pipfile

@@ -0,0 +1,8 @@
+[packages]
+pyrad = "*"
+
+[dev-packages]
+pyrad = "*"
+
+[requires]
+python_version = "3.6"

README.md

@@ -1,2 +1,30 @@
 # safeguard-sessions-plugin-radius-mfa
 RADIUS Multi-Factor Authentication plugin for Safeguard for Privileged Sessions
+
+# Support
+- This plugin is officially supported for One Identity Safeguard for Privileged Sessions (SPS) customers with a valid maintenance contract. Feature requests and bug reports should be submitted via the regular support channel on the [One Identity Support page](https://support.oneidentity.com). Such requests are tracked and will be answered within the time frames set out in the support agreement.
+
+- We welcome feature requests, pull requests, and bug reports submitted via GitHub.com, but in this case there is no guaranteed response time.
+
+# About us
+
+One Identity solutions eliminate the complexities and time-consuming processes often required to govern identities, manage privileged accounts and control access. Our solutions enhance business agility while addressing your IAM challenges with on-premises, cloud and hybrid environments.
+
+# Contacting us
+
+For sales or other inquiries, visit the [One Identity Contact page](https://www.oneidentity.com/company/contact-us.aspx) or call +1-800-306-9329.
+
+# Technical support resources
+
+Technical support is available to One Identity customers with a valid maintenance contract and customers who have trial versions. You can access the Support Portal at the [One Identity Support page](https://support.oneidentity.com/).
+
+The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. The Support Portal enables you to:
+
+- Submit and manage a Service Request
+- View Knowledge Base articles
+- Sign up for product notifications
+- Download software and technical documentation
+- View how-to-videos at [YouTube](https://www.YouTube.com/OneIdentity)
+- Engage in community discussions
+- Chat with support engineers online
+- View services to assist you with your product

default.cfg

@@ -0,0 +1,183 @@
+[radius]
+# Required: enter the name of your server below, where the RADIUS interface is
+# available.
+; server=<radius-server-ip-or-hostname>
+
+# Port where the RADIUS server is listening for access requests.
+; port=1812
+
+# Required: Specify your RADIUS shared secret below.  To use a local
+# Credential Store to host this data, set the parameter to $ and read the
+# "Store sensitive plugin data securely" section in the documentation.
+; secret=<$-or-shared-secret-with-radius-server>
+
+# Specify the password encoding method 'pap' or 'chap'.
+; auth_type=pap
+
+# Number of times to retry sending a RADIUS request if the communication fails.
+; conn_retries=3
+
+# Number of seconds to wait for an answer at each retry.
+; conn_timeout=5
+
+###### Common plugin options ######
+# To enable or change a parameter, uncomment its line by removing the ';'
+# character and replacing the right side of '=' with the desired value.
+# If the parameter has the following structure
+# ; name=<value>
+# then the related option is turned off until you replace '<value>'.
+#
+# If the parameter has the following structure
+# ; name=value
+# then the related option is is automatically turned on with the default value
+# of 'value'.
+#
+# To handle sensitive data, you can use a local Credential Store to retrieve
+# parameters from.
+# Enter the name of the local Credential Store (Policies > Credential Store) as
+# the value of the 'name' parameter in section [credential_store]. To retrieve a
+# parameter from this Credential Store, type the $ character as the value of
+# a parameter in this configuration file. To use the $ character as value,
+# type $$ instead. For more information, read the "Store sensitive plugin data
+# securely" section in the Tutorial document.
+
+[auth]
+# To override the prompt when using 2FA/MFA, enter the new prompt below.
+; prompt=Press Enter for push notification or type one-time password:
+
+# For better security, you can hide the characters (OTP or password) that the
+# user types after the prompt.
+# To hide the characters, set 'disable_echo' to 'yes'.
+; disable_echo=no
+
+[connection_limit by=client_ip_gateway_user]
+# To limit the number of parallel sessions the gateway user can start from a
+# given client IP address, configure 'limit'. For an unlimited number of
+# sessions, type '0'.
+; limit=0
+
+[authentication_cache]
+# CAUTION: Do not configure this section unless you know exactly what you are
+# doing. For more information, read the "[authentication_cache]" section in the
+# Tutorial document.
+; hard_timeout=90
+; soft_timeout=15
+; reuse_limit=0
+
+######[WHITELIST]######
+# The [whitelist source=user_list] and [whitelist source=ldap_server_group]
+# sections allow configuring authentication whitelists based on a User List
+# policy or an LDAP Server policy. These two sections are independent, any of
+# the two can be configured and can allow the user to bypass 2FA/MFA
+# authentication.
+
+[whitelist source=user_list]
+# The [whitelist source=user_list] section allows whitelisting users based on a
+# User List policy configured in SPS (Policies > User Lists). To enable this
+# whitelist, configure one of the use cases below.
+# IMPORTANT: the user names are compared to the User List in a case-sensitive
+# manner.
+
+# Use case #1: To allow specific users to connect without providing 2FA/MFA
+# credentials, the User List policy should have the following settings:
+# Set 'Allow' to 'No user' and list the users in the 'Except' list. Then type
+# the name of this User List policy as the value of the 'name' parameter here.
+; name=<name-of-user-list-policy>
+
+# Use case #2: To enforce 2FA/MFA authentication for selected users, the User
+# List policy should have the following settings: Set 'Allow' to 'All users' and
+# list the users in the 'Except' list. Then type the name of this User List
+# policy as the value of the 'name' parameter here.
+; name=<name-of-user-list-policy>
+
+[whitelist source=ldap_server_group]
+# The [whitelist source=ldap_server_group] section allows whitelisting users
+# based on LDAP Server group membership, To enable this whitelist, configure one
+# of the use cases below.
+# IMPORTANT: the user names and groups are compared in LDAP in a
+# case-insensitive manner.
+
+# Use case #1: To allow members of specific LDAP/AD group(s) to connect without
+# providing 2FA/MFA credentials, type the names of these LDAP/AD groups as
+# values of the 'except' parameter and set the 'allow' parameter to 'no_user':
+; allow=no_user
+; except=<group-1>,<group-2>,...
+
+# Use case #2: To enforce 2FA/MFA authentication only on members of specific
+# LDAP/AD groups, type the names of these LDAP/AD groups as values of the
+# 'except' parameter and set the 'allow' parameter to 'all_users'.
+; allow=all_users
+; except=<group-1>,<group-2>,...
+
+######[USERMAPPING]######
+# Usually the gateway user and the external 2FA/MFA identity are different.
+# Because the authentication is based on the 2FA/MFA identity, to be able to
+# authenticate with the gateway user, you will have to map these two to each
+# other. The following methods are possible: explicit and LDAP server.
+#
+# The explicit method has priority over the LDAP server method.
+# If there is no [USERMAPPING] and no [username_transform], then the 2FA/MFA
+# identity will be the same as the gateway user name.
+
+[usermapping source=explicit]
+# To map the gateway user name to an external 2FA/MFA identity, configure the
+# following name-value pairs.
+# NOTE: Type the user names in lowercase.
+; <user-name-1>=<id-1>
+; <user-name-2>=<id-2>
+
+[usermapping source=ldap_server]
+# To map the gateway user name (that is in LDAP/AD and has a non-empty UTF8
+# attribute string) to an external 2FA/MFA identity, configure the
+# 'user_attribute' parameter the following way:
+# It must be an LDAP/AD user attribute that contains the external identity.
+# Example: description, cn, mail. For a complete list consult
+# https://docs.microsoft.com/en-gb/windows/desktop/ADSchema/c-user.
+# IMPORTANT: you must configure the name of the LDAP/AD server policy in
+# the [ldap_server] section.
+; user_attribute=description
+
+[username_transform]
+# If the 2FA/MFA service requires the use of domain name in the external
+# 2FA/MFA identity, configure the 'append_domain' parameter. This will append
+# the domain name after the external 2FA/MFA identity with a '@' character.
+# For example, if 'append_domain' is set to 'foobar.com', then '@foobar.com'
+# will be appended to the external identity.
+# If you have configured [USERMAPPING], the [username_transform] process will
+# run after the [usermapping] process.
+; append_domain=<domain-without-at-sign>
+
+[ldap_server]
+# Required if you have configured [whitelist source=ldap_server_group] or
+# [usermapping source=ldap_server].
+# The name of the LDAP server policy (Policies > LDAP Servers).
+; name=<name-of-LDAP-server-policy>
+
+[credential_store]
+# Name of the local credential store configured in SPS for hosting sensitive
+# configuration data. For more information, read the "Store sensitive
+# plugin data securely" section in the Tutorial document.
+; name=<name-of-credential-store-policy-that-hosts-sensitive-data>
+
+[logging]
+# To configure the log level, enter one of the following values:
+# 'debug', 'info', 'warning', 'error', 'critical'
+; log_level=info
+
+[https_proxy]
+# To set the HTTPS proxy environment for the plugin, configure the following.
+; server=<proxy-server-name-or-ip>
+; port=3128
+
+[question_1]
+# IMPORTANT: To configure this optional section, contact our Support Team.
+# To request additional information from the user (for example, ticket number)
+# define one or more [question_] section (for example, [question_1],
+# [question_2]). The user input will be stored under the value of 'key' in the
+# 'questions' section of the session cookie.
+; prompt=<prompt-to-show-to-the-user>
+; key=<target-key-for-the-answer>
+
+# For better security, you can hide the characters that the user types after the
+# prompt. To hide the characters, set 'disable_echo' to 'yes'.
+; disable_echo=yes