Posts


privacyIDEA 2.11 with RADIUS Migration on Univention Corporate Server

privacyIDEA on Univention Corporate Server

privacyIDEA 2.11 is now available on the Univention Corporate Server. Using authentication policies, privacyIDEA can conditionally forward authentication requests to external RADIUS servers. This way you can set up easy migration scenarios for old, EOL OTP systems.

You can find more on the RADIUS forwarding in the release notes.

SLA and Subscription

privacyIDEA has been available in the AppCenter of the Univention Corporate Server for a while. This platform provides easy installation, maintenance and updates. To run privacyIDEA on the Univention Corporate Server you need a valid service level agreement. You may get your personal test subscription here.

privacyIDEA 2.11 released for easy migration

Today privacyIDEA 2.11 was released. This new version allows easy migration if you are running an old, proprietary 3rd party OTP solution.

Read more about easy OTP system migration with privacyIDEA.

If you have a valid support contract, please do not hesitate to contact us with any questions.

Migrate your OTP system

Dear reader,
please join an upcoming webcast about an exciting new feature of privacyIDEA. During the last week privacyIDEA received two awards for being an innovative open source product.

Webcast: Migrate your old OTP-System

On March 30th we will conduct a webcast in English to show you the new feature of the upcoming privacyIDEA 2.11 for easy OTP system migration. privacyIDEA 2.11 will come with a new policy that eases migration drastically! Please sign up for the webcast. If you prefer a webcast in German, you can sign up here.

privacyIDEA rewarded with THOMAS-KRENN Award

The THOMAS-KRENN Award is a German award for innovative Open Source solutions. This weekend privacyIDEA took 2nd place in this award, winning honour, fame and 2000 Euros of server hardware.

privacyIDEA BEST OF 2016

privacyIDEA is among the “BEST OF 2016” in IT Security Software in a German innovation prize.


Migrating a proprietary OTP / two factor solution

Easy migration of an existing OTP system to privacyIDEA

Customers often decide to replace their existing, proprietary OTP / two factor authentication system. They do so for several reasons. The existing system is too old and no longer receives useful updates. Often the existing system is not flexible enough. The tokens that run with this system do not comply with today's requirements. Companies merge and each company comes with its own proprietary authentication system. Sometimes the existing system is simply too expensive. And sometimes the customer prefers to use a transparent open source solution due to the increasing problems with trust and surveillance.

These are the reasons why customers decide to use privacyIDEA.

Today privacyIDEA provides several ways to perform such a smooth migration, e.g. the RADIUS token. But starting with privacyIDEA version 2.11 there will be an even simpler migration scenario. privacyIDEA 2.11 will be released on March 18th. If you want to stay tuned, please subscribe to our newsletter.

Centrally defined RADIUS servers

With privacyIDEA 2.11 you can centrally define RADIUS servers. This is similar to the central definition of SMTP servers, which was introduced in privacyIDEA 2.10.

Centrally defined RADIUS server "RSA SecurID"

These RADIUS server definitions can now be used within RADIUS tokens or policies!

Up to privacyIDEA 2.10 each user had to get his own RADIUS token. Such a RADIUS token points to the RADIUS server of the obsolete OTP system. As long as the user has no real OTP token within privacyIDEA, the user will be authenticated against the obsolete OTP system.

One policy for all users

Starting with version 2.11 you can now define a privacyIDEA policy based on this centrally defined RADIUS server.

The centrally defined RADIUS server “RSA SecurID” is used in the passthru-policy.

To do this, the existing passthru-policy was enhanced. The passthru policy fires if a user has no token assigned within privacyIDEA. With the passthru-policy the authentication request is forwarded to the LDAP or AD or (new in version 2.11) to a centrally defined RADIUS server.

This means that you only need to define one single policy to start a smooth migration from your old OTP system to privacyIDEA. You can then enroll new tokens for the users within privacyIDEA step by step, without hurry and without a hard switch!
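A simplified model of the passthru decision described above, as an added example that is not privacyIDEA's own code: it shows which system decides a login while users are enrolled step by step. The function names, the HOTP-only local check without a look-ahead window, and the sample users are assumptions.

```python
import hashlib, hmac, struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def authenticate(user, passcode, tokens, passthru, legacy_radius):
    """Simplified model of the decision described above, not privacyIDEA code.
    tokens: user -> {"secret": bytes, "counter": int} for enrolled users.
    passthru: name of the centrally defined RADIUS server, or None (no policy).
    legacy_radius: callable(user, passcode) -> bool, stands in for the old system.
    Returns (accepted, decided_by).
    """
    token = tokens.get(user)
    if token is not None:
        # A token is assigned, so passthru does not fire: the old system is
        # never asked, even when the local check fails.
        expected = hotp(token["secret"], token["counter"])
        ok = hmac.compare_digest(expected.encode(), passcode.encode())
        if ok:
            token["counter"] += 1  # an accepted HOTP value cannot be replayed
        return ok, "privacyIDEA"
    if passthru is not None:
        return legacy_radius(user, passcode), "passthru:" + passthru
    return False, "rejected: no token, no passthru policy"

def still_on_legacy(users, tokens):
    """Users whose logins still depend on the old OTP system."""
    return sorted(u for u in users if u not in tokens)

def demo():
    # Constructed sample data: alice is enrolled (RFC 4226 test secret),
    # bob only exists on the old system, which accepts passcode 111111 for him.
    tokens = {"alice": {"secret": b"12345678901234567890", "counter": 0}}
    legacy = lambda user, code: (user, code) == ("bob", "111111")
    return [
        authenticate("alice", "755224", tokens, "RSA SecurID", legacy),
        authenticate("alice", "755224", tokens, "RSA SecurID", legacy),  # replay
        authenticate("bob", "111111", tokens, "RSA SecurID", legacy),
        authenticate("bob", "111111", tokens, None, legacy),
        still_on_legacy(["alice", "bob"], tokens),
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

In this model, `still_on_legacy` is the list to drive to empty before the old RADIUS server is switched off and the passthru policy removed.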

Migrate!

The scenario described in this post works flawlessly with all systems that use a RADIUS server, including systems like Kobil, RSA SecurID, SafeNet, Vasco (in alphabetical order).

Just ask us!

privacyIDEA4UCS Appliance Image

To test privacyIDEA4UCS easily and quickly you can get a pre-installed Appliance Image for VMware ESX, KVM or VirtualBox.

The Image is a pre-installed Univention Corporate Server with a privacyIDEA system on top of it. The privacyIDEA RADIUS component is also installed. You are only asked to enter the IP address configuration and decide whether you want to automatically create a new domain or join an existing Active Directory.

The system will be configured after a short time and you are ready to log in to the Management UI and enroll your first tokens.

The privacyIDEA4UCS Appliance is ideal if you want to get a first glimpse really quickly. After a few minutes the system will be up and running. privacyIDEA4UCS itself is good if you need professional support for the complete software stack, from the operating system up to the privacyIDEA application.

Here you can download the images. Please tell us your email address. We will only contact you once to ask for your feedback.

Please Note

If you choose to connect the privacyIDEA appliance to an existing Active Directory, no token administrators will be configured automatically. So you need to create some of your own like this:

  1. Log in to the privacyIDEA machine as user root
  2. Run:
    source /opt/privacyidea/privacyidea-venv/bin/activate
    pi-manage admin add admin admin@localhost

    This will create a new token administrator and ask you for the password.

  3. You can then log in with this account to create and manage tokens.