multiotp with strongswan has no (ms)-chap-challenge

karthik kumar kumarkarthikn at gmail.com
Fri Mar 16 06:10:47 CET 2018


Hi,
  I am setting up 2-factor auth and we use Strongswan as our VPN server. I
use FreeRADIUS as backend of Strongswan.

This is the setup
mac osx (ikev2 with eap-mschapv2)  ---> Strongswan ---> FreeRADIUS -->
multiotp

First I tried with clear text password in /etc/raddb/users and it is
successful. For 2factor I need to pair it with multiOTP. I followed the doc
https://wiki.freeradius.org/guide/multiOTP-HOWTO

and it is successfully working

# radtest -t mschap kumar `oathtool --totp 3683453456769abc3452` 127.0.0.1 0 testing123
Sent Access-Request Id 1 from 0.0.0.0:53097 to 127.0.0.1:1812 length 131
    User-Name = "kumar"
    MS-CHAP-Password = "987897"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = "987897"
    MS-CHAP-Challenge = 0xcb76ef02a264e636
    MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000021c2d6262c11c88b4265e63da64e4f80dc46364e75d90df
Received Access-Reject Id 1 from 127.0.0.1:1812 to 0.0.0.0:0 length 61


(0) multiotp: Executing: /usr/bin/multiotp %{User-Name} %{User-Password} -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}:
(0) multiotp: EXPAND %{User-Name}
(0) multiotp:    --> kumar
(0) multiotp: EXPAND %{User-Password}
(0) multiotp:    -->
(0) multiotp: EXPAND -src=%{Packet-Src-IP-Address}
(0) multiotp:    --> -src=127.0.0.1
(0) multiotp: EXPAND -chap-challenge=%{CHAP-Challenge}
(0) multiotp:    --> -chap-challenge=
(0) multiotp: EXPAND -chap-password=%{CHAP-Password}
(0) multiotp:    --> -chap-password=
(0) multiotp: EXPAND -ms-chap-challenge=%{MS-CHAP-Challenge}
(0) multiotp:    --> -ms-chap-challenge=0xcb76ef02a264e636
(0) multiotp: EXPAND -ms-chap-response=%{MS-CHAP-Response}
(0) multiotp:    --> -ms-chap-response=0x0001000000000000000000000000000000000000000000000000021c2d6262c11c88b4265e63da64e4f80dc46364e75d90df
(0) multiotp: EXPAND -ms-chap2-response=%{MS-CHAP2-Response}
(0) multiotp:    --> -ms-chap2-response=
(0) multiotp: Program returned code (0) and output ''
(0) multiotp: Program executed successfully
(0)     [multiotp] = ok


But when I use Strongswan, there is no MS-CHAP-Challenge (I tried with
%{mschap:Challenge})

(1) multiotp: Executing: /usr/bin/multiotp %{User-Name} %{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}:
(1) multiotp: EXPAND %{User-Name}
(1) multiotp:    --> karthik
(1) multiotp: EXPAND %{User-Password}
(1) multiotp:    -->
(1) multiotp: EXPAND -src=%{Packet-Src-IP-Address}
(1) multiotp:    --> -src=127.0.0.1
(1) multiotp: EXPAND -chap-challenge=%{CHAP-Challenge}
(1) multiotp:    --> -chap-challenge=
(1) multiotp: EXPAND -chap-password=%{CHAP-Password}
(1) multiotp:    --> -chap-password=
(1) multiotp: EXPAND -ms-chap-challenge=%{MS-CHAP-Challenge}
(1) multiotp:    --> -ms-chap-challenge=
(1) multiotp: EXPAND -ms-chap-response=%{MS-CHAP-Response}
(1) multiotp:    --> -ms-chap-response=
(1) multiotp: EXPAND -ms-chap2-response=%{MS-CHAP2-Response}
(1) multiotp:    --> -ms-chap2-response=


Any help on this please?

Thanks
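The difference between the two debug outputs comes down to where the MS-CHAP material sits in the Access-Request. radtest -t mschap acts as a NAS that runs MS-CHAP itself, so it puts MS-CHAP-Challenge and MS-CHAP-Response into the packet as Microsoft vendor-specific attributes, which is what %{MS-CHAP-Challenge} expands. A macOS IKEv2 client behind strongSwan's eap-radius relay instead speaks EAP-MSCHAPv2: the whole MS-CHAPv2 exchange travels inside EAP-Message attributes, and the 16-byte authenticator challenge is chosen by the EAP server in its earlier Access-Challenge, so the client's Access-Request carries no MS-CHAP-Challenge attribute at all for an exec module in authorize to read. The decoder below is an added illustration written for this post, not code from the poster, FreeRADIUS or multiOTP; it parses top-level RADIUS attributes, unwraps Microsoft VSAs, summarises a reassembled EAP payload and reports which of the two shapes a request has. Both sample packets are constructed here (the NT-Response, peer challenge and zeroed Message-Authenticator are placeholders; the 8-byte challenge is the one from the radtest run above):

```python
"""Locate the MS-CHAP material in a RADIUS Access-Request: top-level
Microsoft VSAs (radtest -t mschap) versus an EAP-MSCHAPv2 exchange wrapped
in EAP-Message attributes (an EAP client relayed by strongSwan).
All packets in this file are constructed for the demonstration."""
import struct

RADIUS_ATTR = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port",
               26: "Vendor-Specific", 79: "EAP-Message", 80: "Message-Authenticator"}
MS_VENDOR = 311                                          # Microsoft enterprise number (RFC 2548)
MS_VSA = {1: "MS-CHAP-Response", 11: "MS-CHAP-Challenge", 25: "MS-CHAP2-Response"}
EAP_TYPE = {1: "Identity", 26: "MS-CHAPv2"}
MSCHAPV2_OPCODE = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}


def parse_attributes(packet):
    """Return [(name, value)] for the attributes after the 20-byte RADIUS header.
    Microsoft VSAs are unwrapped so they appear under their own names."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    out, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == 26 and len(value) >= 6:              # Vendor-Specific: vendor id + sub-TLVs
            vendor = struct.unpack("!I", value[:4])[0]
            vpos = 4
            while vpos < len(value):
                vtype, vlen = value[vpos], value[vpos + 1]
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError("bad VSA length")
                name = MS_VSA.get(vtype, f"MS-VSA-{vtype}") if vendor == MS_VENDOR else f"VSA-{vendor}-{vtype}"
                out.append((name, value[vpos + 2:vpos + vlen]))
                vpos += vlen
        else:
            out.append((RADIUS_ATTR.get(atype, f"Attr-{atype}"), value))
        pos += alen
    return out


def describe_eap(data):
    """Summarise an EAP packet reassembled from the EAP-Message attributes."""
    if len(data) < 4:
        raise ValueError("short EAP packet")
    code, _ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("EAP length field does not match payload size")
    if code not in (1, 2):                               # Success/Failure carry no type octet
        return {3: "Success", 4: "Failure"}.get(code, f"code-{code}")
    if length < 5:
        raise ValueError("EAP Request/Response without type")
    etype = data[4]
    desc = EAP_TYPE.get(etype, f"type-{etype}")
    if etype == 26 and length >= 6:                      # MS-CHAPv2 OpCode follows the EAP type
        desc += "/" + MSCHAPV2_OPCODE.get(data[5], f"opcode-{data[5]}")
    return desc


def locate_mschap(packet):
    """'top-level' when the MS-CHAP VSAs are present, 'inside-eap' when the
    exchange is wrapped in EAP-Message, 'none' otherwise."""
    attrs = parse_attributes(packet)
    names = {n for n, _ in attrs}
    if "MS-CHAP-Challenge" in names and names & {"MS-CHAP-Response", "MS-CHAP2-Response"}:
        return "top-level"
    eap = b"".join(v for n, v in attrs if n == "EAP-Message")
    if eap and describe_eap(eap).startswith("MS-CHAPv2"):
        return "inside-eap"
    return "none"


# --- builders for the constructed sample packets --------------------------
def radius_request(ident, attrs):
    """Access-Request with a zeroed Request Authenticator (not validated here)."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body


def ms_vsa(vtype, value):
    """Wrap a value as a Microsoft vendor-specific attribute."""
    return (26, struct.pack("!I", MS_VENDOR) + bytes([vtype, 2 + len(value)]) + value)


def eap_mschapv2_response(eap_id, peer_challenge, nt_response, name):
    """EAP Response / type 26 / MS-CHAPv2 Response (RFC 2759 layout):
    16-byte peer challenge, 8 reserved, 24-byte NT-Response, 1 flags octet."""
    ms_value = peer_challenge + bytes(8) + nt_response + b"\x00"
    ms_payload = (bytes([2, eap_id]) + struct.pack("!H", 4 + 1 + len(ms_value) + len(name))
                  + bytes([len(ms_value)]) + ms_value + name)
    return struct.pack("!BBHB", 2, eap_id, 5 + len(ms_payload), 26) + ms_payload


NT_RESPONSE = bytes(range(24))                          # placeholder 24-byte NT-Response
CHALLENGE = bytes.fromhex("cb76ef02a264e636")           # 8-byte challenge from the radtest run
MSCHAP_RESPONSE = b"\x00\x01" + bytes(24) + NT_RESPONSE  # Ident, Flags=1 (NT), LM (unused), NT

RADTEST_STYLE = radius_request(1, [
    (1, b"kumar"), ms_vsa(11, CHALLENGE), ms_vsa(1, MSCHAP_RESPONSE),
    (4, bytes([127, 0, 0, 1])), (80, bytes(16)),
])
STRONGSWAN_STYLE = radius_request(2, [
    (1, b"karthik"),
    (79, eap_mschapv2_response(5, bytes(range(16)), NT_RESPONSE, b"karthik")),
    (80, bytes(16)),
])

if __name__ == "__main__":
    for label, pkt in (("radtest -t mschap", RADTEST_STYLE), ("strongSwan EAP relay", STRONGSWAN_STYLE)):
        print(label, [n for n, _ in parse_attributes(pkt)], "->", locate_mschap(pkt))
```

Running it prints the attribute names of each packet followed by "top-level" for the radtest shape and "inside-eap" for the EAP shape; for the second packet the only authentication attribute at the top level is EAP-Message, which is what the expansion in debug output (1) reflects.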

