2 Factor Authentication

Dudás Péter peter.pdudas at gmail.com
Thu Jan 5 00:05:43 CET 2017


Dear Alan!

"What's "duo auth" ?"
www.duo.com It is a 2 factor authentication service. And much more.

"That works only for PAP.  And why run "radclient" manually?  The server
can proxy RADIUS packets.  Why not do that?"
It is not relaying the password - only the user name and authentication method
are relayed (SMS/Push/Phone).
Writing the request attributes to a file, then using that to authenticate on
the Duo auth proxy running on the same host.
Then Duo sends a request to the mobile phone - where the user grants or
denies the access. So this is how it has the second authentication factor.
And authentication is successful. Why can't I chain 2 authentications? If they
are chained, then something changes.

I would proxy the request, but it needs 2 authentications - first the Duo, then
AD auth (SSL=pap, L2TP=MSCHAPv2). Or first AD then Duo.
Is it possible to proxy the request to Duo and then have a second
authentication on the same request depending on the result of the proxy
answer?

I cannot figure it out - I think it will be a bug (either in FreeRADIUS or AD
auth).
Somehow, if any external script runs before/after the MSCHAP authentication,
that just fucks up the L2TP connection (PPP).
In Windows it is Error 734 - but believe me, it is not related to
multilink/single link at all.
Tested with Windows 10/Android 6.0/iOS 9.3.5.
Taking out Duo - works. Taking out mschap - works. Duo and mschap together:
failed connection.

Tried with just a module which runs a shell script which does nothing -
except exit 0.
The module has no output_pairs defined.
And it has the same result - connection failed. No red lines in the debug -
all fine.

I simply have no clue. The firewall log shows authentication successful - but
the devices are not connected (Windows 10/Android/iPad).
99% that it is related to the MPPE keys - I just simply have no clue what
the connection is between the generated MPPE keys and a second authentication.

Or is this related to Session State? Is it 2 different sessions, and that's
why the reply changes?
Just guessing - I spent a whole day trying to figure it out and simply have no
more ideas.
I'm not able to decrypt/use the MPPE keys - so I cannot verify them.

The firewall just needs the Filter-Id and the Access-Accept, then grants the
connection. So it is not a firewall-related issue.
The PPP connection is not established - that's why I think it can be related to
the MPPE keys. But as you can see, the keys are generated at the mschap
authentication.
Is it possible to cache the MPPE keys to be sure they are not changed
during/because of the second authentication?

"Since you've only given a non-working debug output and not a working
one... no, we don't know what's going on."
The debug contains 2 successful authentications and an Access-Accept answer.
So it is a successful authentication - I just have a problem somewhere.

Thank you!


More information about the Freeradius-Users mailing list