Re: Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode
"michael böhm"
ksk2 at gmx.net
Wed Dec 12 13:15:19 CET 2018
Hi,
Regarding the LDAP password change (the question in my initial mail), I managed to create this configuration:
authorize {
    filter_username
    preprocess

    # An empty password in a fresh request (no State, so not a reply to a
    # previous Access-Challenge) starts the password change.
    if (&User-Password =~ /^$/ && !&State) {
        update reply {
            Reply-Message := "Old Password: "
            # Setting the Prompt via RADIUS did not work here; instead this had to be
            # configured on the Cisco router:
            #   radius-server challenge-noecho
            Prompt := No-Echo
        }
        update session-state {
            Tmp-String-0 := "Old-Password-Phase"
        }
        # v3 unlang has no "challenge" return code: set the response type in the
        # control list and return "handled" to send the Access-Challenge. The State
        # attribute is added by the server because session-state is non-empty.
        update control {
            Response-Packet-Type := Access-Challenge
        }
        handled
    }

    # Old password received: verify it against LDAP, then ask for the new one.
    elsif (&session-state:Tmp-String-0 == "Old-Password-Phase" && &State) {
        ldap
        pap
        # A wrong old password makes pap.authenticate return "reject", which ends
        # the section here, so no further challenge is sent.
        pap.authenticate
        update reply {
            Reply-Message := "New Password: "
            Prompt := No-Echo
        }
        update session-state {
            Tmp-String-0 := "New-Password-Phase-1"
        }
        update control {
            Response-Packet-Type := Access-Challenge
        }
        handled
    }

    # New password received: keep it in session-state and ask for it again.
    elsif (&session-state:Tmp-String-0 == "New-Password-Phase-1" && &State) {
        update reply {
            Reply-Message := "New Password (repeat): "
            Prompt := No-Echo
        }
        update session-state {
            # "&" is required to copy the attribute; a bare "User-Password" on the
            # right-hand side of an update is the literal string "User-Password".
            # The candidate password is held in server memory until the repeat arrives.
            Tmp-String-1 := &User-Password
            Tmp-String-0 := "New-Password-Phase-2"
        }
        update control {
            Response-Packet-Type := Access-Challenge
        }
        handled
    }

    # Repeat received: compare both and write the new password to LDAP.
    elsif (&session-state:Tmp-String-0 == "New-Password-Phase-2" && &State) {
        if (&User-Password != &session-state:Tmp-String-1) {
            update reply {
                Reply-Message := "Passwords do not match.\n"
            }
            reject
        }
        # Call a script that finally writes the new password to LDAP (tbd).
        # Note that nothing sets Auth-Type in this branch yet; without one the
        # request is rejected after authorize, so the final Access-Accept still
        # has to be arranged once the script exists.
        perl
    }

    # Normal login: no password change in progress.
    else {
        ldap
        pap
    }
}
This produces the following prompts on a Cisco router:
root@dn-aaa-rad1:~# ssh user@cisco-router
Password:
Old Password:
New Password:
New Password (repeat):
This should work, but wouldn't it be a good idea to give the FreeRADIUS ldap module a method to change the password, so that there is just one program talking to LDAP?
Best wishes
Michael
Sent: Tuesday, 4 December 2018 at 13:43
From: "Alan DeKok" <aland at deployingradius.com>
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Subject: Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode
On Dec 4, 2018, at 7:37 AM, michael böhm <ksk2 at gmx.net> wrote:
> Is my elsif(State ...)-statement a robust way to check if this packet
> belongs to a challenge-response of this exact user?
It's:
a) the user specified in the User-Name, and
b) a response to a previous Access-Challenge.
> I want to avoid
> situations where a user might be able to authenticate with just a Token
> and no password.
Unless the user controls the RADIUS client, they can't generate an Access-Request that contains a State attribute.
> We are testing the configuration now. Thank you very much for your
> help!
You're welcome.
Alan DeKok.
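The flow in the configuration above, together with the State check Alan describes, as an added example that is not part of the original thread and not FreeRADIUS code. It models both sides of the exchange in Python: a minimal RFC 2865 codec (header, attributes, User-Password hiding with the shared secret, Response Authenticator), a NAS-side driver that echoes each State back the way the Cisco router does, and a server whose `sessions` dict plays the role of the session-state list, keyed by the State the server issued and bound to the User-Name. The class and function names, the shared secret, the user and the passwords are all constructed for the example, and the dict `directory` stands in for the LDAP lookup and for the write the perl script is meant to do.

```python
"""Model of the unlang password-change flow over a minimal RADIUS codec.
Added example, not FreeRADIUS code; all names, secrets and passwords are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24  # RFC 2865 attribute types


def pack(code, ident, authenticator, attrs):
    """Serialise a RADIUS packet: 20-byte header, then type/length/value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def unpack(data):
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = data[pos], data[pos + 1]
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return code, ident, data[4:20], attrs


def hide_password(secret, authenticator, password):
    """RFC 2865 5.2: null-pad to 16-octet blocks (at least one, so an empty password
    still occupies a block), XOR each block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(secret, authenticator, hidden):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def respond(code, ident, request_auth, attrs, secret):
    """Reply carrying the Response Authenticator of RFC 2865 3 (MD5 over the reply
    with the request's authenticator in place, followed by the secret)."""
    draft = pack(code, ident, request_auth, attrs)
    auth = hashlib.md5(draft[:4] + request_auth + draft[20:] + secret).digest()
    return draft[:4] + auth + draft[20:]


class PasswordChangeServer:
    """Server side; `sessions` stands in for session-state, `directory` for LDAP."""

    def __init__(self, secret, directory):
        self.secret, self.directory, self.sessions = secret, directory, {}

    def _challenge(self, ident, ra, user, prompt, phase, **keep):
        state = os.urandom(16)  # issued by the server only, unguessable
        self.sessions[(user, state)] = dict(phase=phase, **keep)
        attrs = [(REPLY_MESSAGE, prompt), (STATE, state)]
        return respond(ACCESS_CHALLENGE, ident, ra, attrs, self.secret)

    def handle(self, request):
        code, ident, ra, attrs = unpack(request)
        a = dict(attrs)
        user, state = a[USER_NAME], a.get(STATE)
        pw = reveal_password(self.secret, ra, a[USER_PASSWORD])

        def reply(c, msgs=()):
            return respond(c, ident, ra, [(REPLY_MESSAGE, m) for m in msgs], self.secret)

        if state is None:  # fresh request, no challenge outstanding
            if pw == b"":  # empty password starts the change
                return self._challenge(ident, ra, user, b"Old Password: ", "old")
            return reply(ACCESS_ACCEPT if self.directory.get(user) == pw else ACCESS_REJECT)
        sess = self.sessions.pop((user, state), None)  # single use, bound to this User-Name
        if sess is None:  # never issued, replayed, or issued to another user
            return reply(ACCESS_REJECT)
        if sess["phase"] == "old":  # ldap + pap.authenticate in the config
            if self.directory.get(user) != pw:
                return reply(ACCESS_REJECT)
            return self._challenge(ident, ra, user, b"New Password: ", "new1")
        if sess["phase"] == "new1":  # Tmp-String-1 := &User-Password
            return self._challenge(ident, ra, user, b"New Password (repeat): ", "new2", new=pw)
        if pw != sess["new"]:
            return reply(ACCESS_REJECT, [b"Passwords do not match."])
        self.directory[user] = pw  # the LDAP write the perl script would do
        return reply(ACCESS_ACCEPT)


def client_request(secret, ident, user, password, state=None):
    ra = os.urandom(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(secret, ra, password))]
    if state is not None:
        attrs.append((STATE, state))  # echoed verbatim, as the NAS does
    return pack(ACCESS_REQUEST, ident, ra, attrs)


def run_session(server, secret, user, answers):
    """NAS side: send each answer, echoing the State from the last Access-Challenge.
    Returns (final packet code, prompts the user was shown)."""
    state, prompts = None, []
    for ident, answer in enumerate(answers):
        code, _, _, attrs = unpack(server.handle(client_request(secret, ident, user, answer, state)))
        if code != ACCESS_CHALLENGE:
            return code, prompts
        a = dict(attrs)
        prompts.append(a[REPLY_MESSAGE].decode())
        state = a[STATE]
    return ACCESS_CHALLENGE, prompts
```

Walking `run_session` through the four answers the router prompts for reproduces the Old/New/New (repeat) sequence and ends in an Access-Accept with the directory updated. In this model a request carrying a State the server never issued, or one issued to a different User-Name, is rejected before any password is examined, which is the property Alan points to: the user cannot mint a State, so a challenge response cannot be turned into a login without the password.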