Duo, YubiKey, and RSA-AM HTTP Backends
These specialized HTTP backends provide multi-factor / token validation and strong authentication support layered on top of primary credential checks (username/password, EAP inner methods, etc.). They share core HTTP backend semantics (timeouts, connection pooling, TLS, statistics) but expose service-specific fields.
| Backend | Purpose | Typical Factor |
|---|---|---|
duo | Duo Security MFA / pre-auth workflows | Push / OTP / Phone |
yubikey | Yubico OTP validation | One-time password token |
rsa-am | RSA Authentication Manager / SecurID | Hardware/software token (PIN+token code) |
1. Duo Backend (duo)
With pre_authentication set to true, the backend classifies the request (allow / deny / enroll) before primary auth completes, so denied or not-yet-enrolled users are identified without running the full MFA exchange.
| Field | Required | Notes |
|---|---|---|
url | Yes | Duo API hostname |
username | Yes | Integration / client key |
secret | Yes | HMAC secret key |
pre_authentication | Recommended | true to perform pre-auth triage |
timeout | Yes | Per-request timeout: milliseconds, or a duration such as 5s as in the example below
connections | No | Connection pool size (default: 100) |
Example:

```
backends {
    duo "DUO_MFA" {
        url "https://api-12345678.duosecurity.com";
        username "DIXXXXXXXXXXXXXXXXXX";
        secret "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef";
        pre_authentication true;
        timeout 5s;
    }
}
```
2. YubiKey Backend (yubikey)
Validates modhex OTPs against a Yubico OTP validation endpoint, such as YubiCloud or a self-hosted validation server.
Configure a validation endpoint, not a raw YK-KSM decryption endpoint. YK-KSM is commonly paired with YK-VAL, but YK-KSM alone does not implement the validation protocol that this backend uses.
Radiator resolves username and secret when the backend is called. This lets you populate them from variables set earlier in the handler pipeline. The resolved secret value must still be a valid base64-encoded Yubico API key.
| Field | Required | Notes |
|---|---|---|
url | Yes | Full validation endpoint URL, such as https://api.yubico.com/wsapi/2.0/verify |
username | Yes | Client ID issued by Yubico or your validation server. May be a literal string or an expression resolved at request time. |
secret | Yes | Base64-encoded API key used for HMAC signing. May be a literal string or an expression resolved at request time. |
timeout | Yes | Per-request timeout: milliseconds, or a duration such as 4s as in the examples below
connections | No | Pool size (default: 100) |
Example:

```
backends {
    yubikey "YUBIKEY_AUTH" {
        url "https://api.yubico.com/wsapi/2.0/verify";
        username "12345";
        secret "base64encodedsecret=";
        timeout 4s;
    }
}
```

Example with request-scoped variables:

```
backends {
    yubikey "YUBIKEY_AUTH" {
        url "https://api.yubico.com/wsapi/2.0/verify";
        username "%{vars.aaa.yubikey.user}";
        secret "%{vars.aaa.yubikey.secret}";
        timeout 4s;
    }
}
```
The backend has no field for separating a password from an OTP. When the user submits <password><otp> in one PAP field, configure range on the backend action in the handler pipeline so that only the OTP portion (for a key with the usual 12-character public ID, the trailing 44 modhex characters) reaches this backend and the password portion goes to the primary credential check. See backend action for details.
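As an added example (not Radiator's code and not part of the original page), the following Python sketch shows what the yubikey backend's username and secret are used for in the Yubico wsapi 2.0 protocol: signing the verify request, checking the signature on the reply, and refusing an "OK" that does not echo the request's otp and nonce. It also shows the positional <password><otp> split described above. The client ID, API key, OTP and PAP value are constructed demo values, and the server side is a stand-in that signs replies with the same key, so the whole exchange runs offline.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets

# Yubico modhex alphabet; every character a YubiKey types is in this set.
MODHEX = frozenset("cbdefghijklnrtuv")

# Constructed demo credentials, not real YubiCloud values. They stand in
# for the backend's `username` (client id) and base64 `secret` (API key).
DEMO_CLIENT_ID = "12345"
DEMO_API_KEY_B64 = base64.b64encode(b"demo-api-key-16b").decode()


def sign(api_key_b64: str, params: dict[str, str]) -> str:
    """wsapi signature: base64(HMAC-SHA1(key, "k=v&k=v..." sorted by key))."""
    key = base64.b64decode(api_key_b64)
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params)).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def build_verify_request(client_id: str, api_key_b64: str, otp: str,
                         nonce: str = "") -> dict[str, str]:
    """Query parameters for GET /wsapi/2.0/verify, with the `h` signature.

    `nonce` must be 16..40 alphanumeric chars and unique per request; the
    base64 signature in `h` must be URL-encoded when sent in the query."""
    params = {"id": client_id, "otp": otp, "nonce": nonce or secrets.token_hex(16)}
    params["h"] = sign(api_key_b64, params)
    return params


def verify_response(api_key_b64: str, body: str, sent_otp: str, sent_nonce: str) -> str:
    """Return the server's status ("OK", "REPLAYED_OTP", "BAD_OTP", ...).

    Raises ValueError when the reply cannot be trusted: missing or wrong
    signature, or an "OK" that is not for our otp and nonce."""
    fields: dict[str, str] = {}
    for line in body.splitlines():
        if "=" in line:
            k, v = line.strip().split("=", 1)
            fields[k] = v
    given = fields.pop("h", None)
    if given is None:
        raise ValueError("response carries no signature")
    if not hmac.compare_digest(given, sign(api_key_b64, fields)):
        raise ValueError("response signature does not verify")
    status = fields.get("status", "")
    if status == "OK" and (fields.get("otp") != sent_otp or fields.get("nonce") != sent_nonce):
        raise ValueError("OK is for a different otp/nonce, not ours")
    return status


def fake_server_response(api_key_b64: str, otp: str, nonce: str, status: str = "OK") -> str:
    """Constructed stand-in for a validation server reply (demo only)."""
    fields = {"t": "2024-01-01T00:00:00Z0000", "otp": otp, "nonce": nonce,
              "sl": "100", "status": status}
    fields["h"] = sign(api_key_b64, fields)
    return "".join(f"{k}={v}\r\n" for k, v in fields.items())


def split_password_otp(field: str, otp_len: int = 44) -> tuple[str, str]:
    """Split one PAP value of the form <password><otp> by position.

    A Yubico OTP is a 32-char modhex body preceded by a public ID of up to
    16 chars; 44 assumes the usual 12-char public ID. This is the kind of
    positional split the page says to configure with `range`."""
    if not 32 <= otp_len <= 48 or len(field) < otp_len:
        raise ValueError("bad OTP length or field too short")
    password, otp = field[:-otp_len], field[-otp_len:]
    if any(ch not in MODHEX for ch in otp):
        raise ValueError("trailing segment is not modhex, so not a Yubico OTP")
    return password, otp


def demo() -> dict:
    # Constructed PAP value: password "hunter2" followed by a 44-char OTP
    # with public id "cccccccccccc". Not a real key's output.
    pap = "hunter2" + "cccccccccccc" + "fkbihvcbblcjvfhdnldkrntjkgrhvcij"
    password, otp = split_password_otp(pap)
    nonce = "0123456789abcdef0123456789abcdef"
    req = build_verify_request(DEMO_CLIENT_ID, DEMO_API_KEY_B64, otp, nonce)

    ok_reply = fake_server_response(DEMO_API_KEY_B64, otp, nonce)
    replayed = fake_server_response(DEMO_API_KEY_B64, otp, nonce, status="REPLAYED_OTP")
    # An on-path attacker without the API key flips the verdict: signature fails.
    forged = replayed.replace("status=REPLAYED_OTP", "status=OK")
    try:
        verify_response(DEMO_API_KEY_B64, forged, otp, nonce)
        forgery_rejected = False
    except ValueError:
        forgery_rejected = True

    return {
        "password": password,
        "otp": otp,
        "public_id": otp[:-32],
        "request_keys": sorted(req),
        "status": verify_response(DEMO_API_KEY_B64, ok_reply, otp, nonce),
        "replayed_status": verify_response(DEMO_API_KEY_B64, replayed, otp, nonce),
        "forgery_rejected": forgery_rejected,
    }
```

The nonce check is what turns the signature into protection against a replayed reply: a signed "OK" captured from an earlier request still fails because its nonce is not the one just sent. The positional split is deliberately strict about modhex; a mis-set range that hands the backend part of the password would otherwise be sent to the validation server as if it were an OTP.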
3. RSA Authentication Manager (rsa-am)
Validates RSA SecurID tokencodes, with an optional multi-step challenge/response flow bounded by challenge_timeout.
| Field | Required | Notes |
|---|---|---|
url | Yes | RSA AM API endpoint |
username | Yes | API user |
secret | Yes | API secret / password |
challenge_timeout | Recommended | Time allowed for a multi-step challenge flow to complete: milliseconds, or a duration such as 60s
policy | Optional | Server-side policy name |
timeout | Yes | Base per-request HTTP timeout: milliseconds, or a duration such as 5s as in the example below
connections | No | Pool size (default: 100) |
Example:

```
backends {
    rsa-am "RSA_AM" {
        url "https://rsa-am.example.com";
        username "api_user";
        secret "SuperSecretPassword";
        challenge_timeout 60s;
        policy "DefaultPolicy";
        timeout 5s;
    }
}
```