privacyIDEA on Univention Corporate Server
privacyIDEA 2.11 is now available on the Univention Corporate Server. Using authentication policies, privacyIDEA can conditionally forward authentication requests to external RADIUS servers. This way you can set up easy migration scenarios for old, EOL OTP systems.
You can find more on the RADIUS forwarding in the release notes.
SLA and Subscription
privacyIDEA has been available in the AppCenter of the Univention Corporate Server for a while. This platform provides easy installation, maintenance and updates. For running privacyIDEA on the Univention Corporate Server you need a valid service level agreement. You may get your personal test subscription here.
Today privacyIDEA 2.11 was released. This new version allows easy migration if you are running an old, proprietary 3rd party OTP solution.
If you have a valid support contract, please do not hesitate to contact us in case of any questions.
Easy migration of an existing OTP system to privacyIDEA
Often customers decide to switch their existing, proprietary OTP / two factor authentication system. They do it for several reasons. The existing system is too old and they get no useful updates anymore. Often the existing system is not flexible enough. The tokens which run with this system do not comply with today's requirements. Companies merge and each company comes with its own proprietary authentication system. Sometimes the existing system is simply too expensive. And sometimes the customer prefers to use a transparent open source solution due to the increasing problems with trust and surveillance.
These are the reasons why customers decide to use privacyIDEA.
Today privacyIDEA provides several ways to perform such a smooth migration, e.g. the RADIUS token. But starting with privacyIDEA version 2.11 there will be an even simpler migration scenario. privacyIDEA 2.11 will be released on March 18th. If you want to stay tuned, please subscribe to our newsletter.
Centrally defined RADIUS servers
With privacyIDEA 2.11 you can centrally define RADIUS servers. This is similar to the central definition of SMTP servers, which was introduced in privacyIDEA 2.10.
These RADIUS server definitions can now be used within RADIUS tokens or policies!
Up to privacyIDEA 2.10 each user had to get their own RADIUS token. Such a RADIUS token points to the RADIUS server of the obsolete OTP system. As long as the user has no real OTP token within privacyIDEA, the user will be authenticated against the obsolete OTP system.
One policy for all users
Starting with version 2.11 you can now define a privacyIDEA policy based on this centrally defined RADIUS server.
To do this, the existing passthru policy was enhanced. The passthru policy fires if a user has no token assigned within privacyIDEA. With the passthru policy the authentication request is forwarded to the LDAP or AD or, new in version 2.11, to a centrally defined RADIUS server.
This means that you only need to define one single policy to start a smooth migration from your old OTP system to privacyIDEA. You can then enroll new tokens to the users within privacyIDEA step by step, without hurrying and without doing a hard switch!
The scenario described in this post works flawlessly with all systems that use a RADIUS server, including systems like Kobil, RSA SecurID, SafeNet, Vasco (in alphabetical order).
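The passthru decision described above, as an added example: a simplified Python model that is not privacyIDEA's own code. The class, the function names and the sample OTP values are hypothetical and constructed for illustration. It shows that a user with an assigned token is never forwarded to the old system, and how to list the users who still depend on it.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class PassthruModel:
    """Simplified model of the passthru decision; not privacyIDEA code."""
    local_tokens: Dict[str, str]                 # user -> OTP the local token accepts (stand-in)
    legacy_radius: Callable[[str, str], bool]    # stand-in for the centrally defined RADIUS server
    passthru_enabled: bool = True
    forwarded: List[str] = field(default_factory=list)  # audit trail of forwarded users

    def authenticate(self, user: str, otp: str) -> bool:
        if user in self.local_tokens:
            # A token is assigned, so passthru does not fire: the old
            # system is never asked, even if the local check fails.
            return self.local_tokens[user] == otp
        if not self.passthru_enabled:
            return False  # no token and no passthru policy: reject
        self.forwarded.append(user)
        return self.legacy_radius(user, otp)

    def still_on_legacy(self, all_users: List[str]) -> List[str]:
        """Users who would still be forwarded, i.e. not yet migrated."""
        return sorted(set(all_users) - set(self.local_tokens))


# Constructed sample data: OTPs the old system would accept.
LEGACY_OTPS = {"alice": "111111", "bob": "222222"}


def legacy_check(user: str, otp: str) -> bool:
    return LEGACY_OTPS.get(user) == otp


def demo() -> PassthruModel:
    # alice already has a privacyIDEA token, bob does not.
    model = PassthruModel(local_tokens={"alice": "654321"}, legacy_radius=legacy_check)
    print("alice, new token:", model.authenticate("alice", "654321"))
    print("alice, old OTP:  ", model.authenticate("alice", "111111"))
    print("bob, old OTP:    ", model.authenticate("bob", "222222"))
    print("not migrated:    ", model.still_on_legacy(["alice", "bob"]))
    return model


if __name__ == "__main__":
    demo()
```

An empty `still_on_legacy` list means no user depends on the forwarding any more.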
To test privacyIDEA4UCS easily and quickly you can get a ready-installed appliance image for VMware ESX, KVM or VirtualBox.
The image is a ready-installed Univention Corporate Server with a privacyIDEA system on top of it. The privacyIDEA RADIUS component is also installed. You are only asked to enter the IP address configuration and decide if you want to automatically create a new domain or join an existing Active Directory.
The system will be configured after a short time and you are ready to log in to the Management UI and enroll your first tokens.
The privacyIDEA4UCS Appliance is ideal if you want to get a first glimpse really quickly. After a few minutes the system will be up and running. privacyIDEA4UCS itself is good if you need professional support for the complete software stack, starting at the operating system up to the privacyIDEA application.
Here you can download the images. Please tell us your email address. We will only contact you once to ask for your feedback.
If you choose to connect the privacyIDEA appliance to an existing Active Directory, no token administrators will be configured automatically. So you need to create some of your own like this:
- Log in to the privacyIDEA machine as user root and run:
    pi-manage admin add admin admin@localhost
  This will create a new token administrator and ask you for the password.
- You can then log in with this account to create and manage tokens.