2-step auth LDAP + Proxy

Mathias Sundman mathias at nilings.se
Thu Dec 28 03:47:05 CET 2017


> On 27 Dec 2017, at 16:51, Alan DeKok <aland at deployingradius.com> wrote:
> 
> On Dec 27, 2017, at 10:09 AM, Mathias Sundman <mathias at nilings.se> wrote:
>> However, he now wants to first authenticate the user with username/AD-password via LDAP against their AD, and if successful, the user should be prompted for the OTP code as a second step. This is currently not possible with the Gemalto SAS solution, so I’m therefore trying to deploy a FreeRADIUS (v3.0.13 on CentOS7) server in between and have FR perform the AD auth, return an Access-Challenge and then proxy the second Access-Request with the OTP code to Gemalto RADIUS.
> 
>   That's possible, but it takes a bit of tweaking.  But it requires an understanding of how Access-Challenge works.
> 
>> I’ve successfully managed to independently configure FR with the LDAP module to authenticate the username/password against their AD, or configure it as a proxy to send the requests to Gemalto, but I can’t really figure out how to chain these two auth methods together. After I enabled proxying of NULL realm, the first auth request is sent straight on to Gemalto.
> 
>  Then configure it to not do that...
> 
>  i.e. for the first packet, return Access-Challenge with a State and a Reply-Message (as a prompt to the user).  Then, the subsequent Access-Request should contain that same State attribute.  You can then check for the existence of State, and proxy only when it exists.
> 
>  Basically what you want is this.  You'll have to glue the pieces together yourself.
> 
> authorize {
> 	...
> 
> 	if (!State) {
> 		... set up for AD authentication ...
> 	} else {
> 		... set up for proxy to Gemalto ...
> 	}
> 	...
> }
> 
> authenticate {
> 	...
> 	Auth-Type LDAP {
> 		ldap
> 		if (ok) {
> 			update reply {
> 				State = &User-Name  # should be random, but this should be fine..
> 				Reply-Message = "Please enter OTP"
> 			}
> 
> 			update control {
> 				Response-Packet-Type := Access-Challenge
> 			}
> 		}
> 	}
> 	...
> }
> 
>  That should give you the right direction.

Thanks a lot for your quick reply. With your help I now got it working! I also found the “challenge” example site which pretty much did what I wanted.

This is the working config I ended up with:

authorize {
        # First packet: no State attribute yet, so this is the AD/LDAP step.
        if (!State) {
                update control {
                        Auth-Type := Step1
                }
        }
        else {
                # Second packet (State present): enable suffix to set the
                # realm so the request is proxied to Gemalto.
                suffix
                update control {
                        Auth-Type := Step2
                }
        }
}

authenticate {
        Auth-Type Step1 {
                # Check username/AD-password against AD. A reject from ldap
                # returns from this section, so nothing below runs on failure.
                ldap
                # Put something in session-state so the server keeps a
                # session and attaches a State attribute to the challenge.
                update session-state {
                        Tmp-Integer-0 := "%{randstr:n}"
                }
                update reply {
                        Reply-Message := "Please enter OTP"
                }
                # Send Access-Challenge instead of Access-Accept.
                challenge
        }

        Auth-Type Step2 {
                # Only reached if the request was not proxied; the OTP is
                # carried in User-Password.
                pap
        }
}

I also had to enable attr_filter.pre-proxy in the pre-proxy section to filter out the State and Reply-Message attributes before the second Access-Request was proxied to Gemalto, otherwise the request was rejected as that server did not expect a request with a state.

- Mathias
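The two-step flow discussed in this thread, modelled as an added Python example (not FreeRADIUS code and not from the original post): the first Access-Request is checked against a stand-in AD, a random State is issued with the Access-Challenge, and the second request is accepted only if its State is known, unexpired, unused and bound to the same user, with State and Reply-Message stripped before the OTP check, as attr_filter.pre-proxy does before proxying. The AD_USERS and OTP_BACKEND tables and the attribute dicts are constructed stand-ins.

```python
"""Model of a two-step RADIUS Access-Challenge exchange (constructed example)."""
import secrets
import time

# Constructed stand-ins for the AD/LDAP bind and the OTP backend (Gemalto in the thread).
AD_USERS = {"alice": "ad-secret"}
OTP_BACKEND = {"alice": "123456"}

STATE_TTL = 60.0  # seconds a challenge stays valid


class ChallengeServer:
    def __init__(self, now=time.monotonic):
        self._now = now
        self._sessions = {}  # State -> (user, issued_at): the "session-state" cache

    def handle(self, request):
        """request: dict of RADIUS attributes. Returns (packet_code, reply_attributes)."""
        state = request.get("State")
        if state is None:
            return self._step1(request)
        return self._step2(request, state)

    def _step1(self, request):
        user, password = request.get("User-Name"), request.get("User-Password")
        if user not in AD_USERS or not secrets.compare_digest(AD_USERS[user], password or ""):
            return "Access-Reject", {}
        # Random State, kept server-side (Alan's note: it "should be random").
        state = secrets.token_hex(16)
        self._sessions[state] = (user, self._now())
        return "Access-Challenge", {"State": state, "Reply-Message": "Please enter OTP"}

    def _step2(self, request, state):
        session = self._sessions.pop(state, None)  # single use: a replayed State fails
        if session is None:
            return "Access-Reject", {}
        user, issued = session
        if self._now() - issued > STATE_TTL or request.get("User-Name") != user:
            return "Access-Reject", {}
        # What attr_filter.pre-proxy does in the thread: drop State and Reply-Message
        # so the OTP server sees a plain Access-Request.
        forwarded = {k: v for k, v in request.items() if k not in ("State", "Reply-Message")}
        return self._proxy_to_otp(forwarded)

    @staticmethod
    def _proxy_to_otp(request):
        # Stand-in for the proxied OTP check; the OTP code travels in User-Password.
        expected = OTP_BACKEND.get(request.get("User-Name"), "")
        ok = secrets.compare_digest(expected, request.get("User-Password") or "")
        return ("Access-Accept" if ok else "Access-Reject"), {}
```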

More information about the Freeradius-Users mailing list