Use 2 modules to auth together.
luckydog xf
luckydogxf at gmail.com
Mon Nov 26 16:00:30 CET 2018
Thank, Alan, you enlighten me.
Turns out NAS( my VPN) does not support Access-Challenge. Googled and
found that Challenge seems to be a speical access-request packet with the
Code field set to 11. So can I make the conclusion that it would send an
access-quest again? in other words, start a new authentication process
like another normal request with an exception that State attribute exists.
Let me suppose my VPN supports Access-Challenge, so my configuation is
something like:
-------------------------------
authorize {
# The first auth does not have any State attribute.
if (!State) {
# MS-CHAP has no User-Password, so it's true.
if (!User-Password ) {
# If !State and User-Password is null, then
goes to MS-CHAP:
update {
&control:Auth-Type := MS-CHAP
}
}
else { reject }
# Make sure it does not contain any other attributes except State.
else {
update {
# IS THIS PART CORRECT ? I think so, as a new request is
issued by challage, so it would start over from top to buttom to walk
throught the entire process.
&control:Auth-Type := MY_OWN_OTP_AUTH
}
}
}
authentication {
Auth-Type MS-CHAP {
mschap
if (ok) {
update reply {
# Create a random State attribute:
State := "%{randstr:XXXXXXXXXXXXX}"
Reply-Message := "Please type your OTP:"
}
# Return Access-Challenge, goes to the 2nd auth.
# IS IT the correct way to raise a challange?
challenge
}
Please help me to take a look at configuration above, two questions:
1. Is else part correct? which will use my own python auth module
2. Is it correct to raise a challenge using 'challenge' filter of
FreeRADIUS?
Thanks again.
On Mon, Nov 26, 2018 at 8:10 PM Alan DeKok <aland at deployingradius.com>
wrote:
> On Nov 26, 2018, at 2:42 AM, luckydog xf <luckydogxf at gmail.com> wrote:
> > Our user is in AD and VPN will do an MSCHAP authentication first and
> > filter property of User-Name from access request, then call an
> > access-challenge to verify against the other module whose logic is as
> > simple as starting a http request via http://XXX/check/username=
> > <http://xxx/check/username=><USER-NAME>&OTP=<xxxxxx>, if return 200,
> it's
> > ok.
>
> That's really just more authorization.
>
> > Basically, I want to auth a single login against two modules, only both
> > of them are successful, the auth could be deemed as OK.
>
> That's possible, subject to certain caveats.
>
> > # ### authentication #####
> > authentication {
> > Auth-Type MS-CHAP {
> > mschap
> > if (ok) {
> > update reply {
> > # Create a random State attribute:
> > State := "%{randstr:XXXXXXXXXXXXX}"
> > Reply-Message := "Please type your OTP:"
> > }
> > # Return Access-Challenge, goes to the 2nd auth.
> > challenge
>
> That's good, but it likely won't work due to the NAS. Doing OTP like
> that requires support from the NAS. Does the NAS support doing MS-CHAP and
> then receiving an Access-Challenge?
>
> If it does, then your next step is to write down what you want to
> happen, like this:
>
> 1) packet 1 contains MS-CHAP
> 2) it authenticates agains MS-CHAP
> 3) if MS-CHAP is successful, it returns a State, challenge, and reply
> message
> 4) when the next packet comes in with a state attribute, authenticate the
> OTP
>
> Note that the packet in step 4 *should not* contain any MS-CHAP
> attributes. It should just contain the response to the OTP.
>
> So your freeradius configuration is:
>
> 1) run MS-CHAP like normal
> 2) do state / reply-message / challenge in "Auth-Type MS-CHAP"
>
> As a *separate* item:
>
> 3) if packet contains State
> 4) do OTP verification
>
> The only thing tying the two packets together is the State attribute.
> They are otherwise completely independent.
>
> Alan DeKok.
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list