Freeradius and 2 Factor Authentication

Aaron Smith Aaron.Smith at kzoo.edu
Wed Jun 1 19:41:51 CEST 2016


Thanks for the in depth answer.  So, it sounds like it *can* be done, but not easily.  I think I'll keep at it.  I might end up just settling on different tunnel protocols for different devices.

-----------------------------------
Aaron Smith
System Administrator  
Information Services 
Kalamazoo College
1200 Academy Street, Kalamazoo, MI 49006
(269) 337-7496
 Aaron.Smith at kzoo.edu


-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+aaron.smith=kzoo.edu at lists.freeradius.org] On Behalf Of Cornelius Kölbel
Sent: Wednesday, June 01, 2016 10:55 AM
To: freeradius-users at lists.freeradius.org
Subject: Re: Freeradius and 2 Factor Authentication

Hello Aaron,

you are not the first to use FreeRADIUS with two factor authentication.
There are many installations of LinOTP and privacyIDEA using FreeRADIUS.
But the problem with OTP and MSCHAPv2 is MSCHAPv2.

Roughly: In MSCHAPv2 the the RADIUS server sends a challenge to the client.
The client will hash the challenge and the user password. Problem: The user password is usually combined out of <static password><OTP value>.

The RADIUS server receives a hash value of something, which it does not know. I.e. it does not know the OTP value.
So the RADIUS server - or the linotp plugin - would have to try the hashes of all possible OTP values. Since there could be a time skew in TOTP or the user could have blank presses in HOTP.

But it gets worse: The password usually is not only the OTP value but the concatenation of the users password or PIN and the OTP value. To be able to calculate the hash of the users password and the dynamic OTP value, the OTP server needs to know the users password in clear text, since

  HASH( pw+otp) != HASH(pw) + HASH (otp)

This way the only way to implement MSCHAPv2 with OTP is, to store the users passwords not hashed, but encrypted.
At this point you need to decide, if your users would like this.

Kind regards
Cornelius

Am Mittwoch, den 01.06.2016, 14:41 +0000 schrieb Aaron Smith:
> I've been working on setting up a Microsoft Routing and Remote Access server that uses Freeradius for Authentication.  Out of the box, it works fine with simple user entries in the "users" file.  This is with both the Ubuntu 14.04 apt-get installations of Freeradius (2.1.x) as well as a compiled from source version of Freeradius 2.2.9.  I run in to trouble when I try to add two factor authentication to the mix.  I'm trying to use LinOTP as a possible replacement of our CryptoCard Blackshield implementation.  The problem is that both products seem to only work with unencrypted passwords.  LinOTP has two options for Freeradius authentication.  There is a linotp2 module that can be compiled and installed along with Freeradius, and there is also a perl script that can be linked in with the rlm_perl module.  Looking at the perl script, it is expecting to find the attribute "User-Password" in the radius request, which it uses, along with the username, to go to a web URL on the LinOTP server to verify authentication.  I suspect that the linotp2 module works similarly.  The documentation provided by LinOTP says to set "DEFAULT Auth-Type := linotp2" if you're using the module or "DEFAULT Auth-Type := perl" if you're using the perl script in the freeradius users file.  Now, this will "work" for narrow authentication types like Microsoft's SSTP with an unencrypted password, but I'd like this solution to be more widely usable (Macs, iOS devices, etc) and use something like IKEv2, but that uses EAP-MSCHapv2.  If I try that, the authentication fails saying there is no password. 
> 
> My question is...am I tilting at windmills trying to make this work?  I feel like it *should* be possible to do 2 factor authentication without having to resort to PPTP/unecrypted password or microsoft's proprietary SSTP.  Is there a way to have freeradius pass the MSChapv2 password to a perl script or another module?  Or perhaps it's possible to modify the perl script so it can accept an encrypted password?  I feel like maybe there's a way to configure authentication in the "inner-tunnel" freeradius site that would make this possible.  EAP-MSChapv2 authentication works with a plain, unencrypted password in the users file, so it obviously HAS the password that the user sends in SOME fashion. 
> 
> A secondary question is that I imagine I can't be the first person to use Freeradius with 2 factor authentication.  I'd be curious to know how other folks have tackled this project and what products they used to accomplish it.
> 
> -----------------------------------
> Aaron Smith
> System Administrator
> Information Services
> Kalamazoo College
> 1200 Academy Street, Kalamazoo, MI 49006
> (269) 337-7496
>  Aaron.Smith at kzoo.edu
> 
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-- 
Cornelius Kölbel
cornelius.koelbel at netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel





More information about the Freeradius-Users mailing list