2FA Challenge via Proxy Realm with valid State
Bill Noyce
billnoyce75 at gmail.com
Thu Feb 13 11:11:07 CET 2020
Thanks Alan,
Your advice was spot on. I moved/added the ldap.authenticate so that both
steps use the Proxy-To-Realm and this meant the correct Access-Challenge
response is sent during the first step.
# First round trip (no State yet): bind to LDAP with the PAP password.
# The second round trip carries the State returned with the challenge
# and skips this block.
if (!State) {
    if (&User-Password) {
        # If !State and User-Password (PAP), then force LDAP:
        update control {
            Ldap-UserDN := "%{User-Name}@my-domain.com"
            Auth-Type := LDAP
        }
        ldap.authenticate
        if (!ok) {
            reject
        }
    } else {
        reject
    }
}
# Both round trips are forwarded to the realm, so the first one
# receives the Access-Challenge from it:
update control {
    Proxy-To-Realm := "proxy-test"
}
I kept the 2 rejects, for both a missing User-Password and an invalid LDAP bind.
The Proxy-To-Realm always fires off.
[user@test-vm ~]$ echo "User-Name=testuser,User-Password=testpassword" | radclient -x 127.0.0.1:1812 auth test1234
Sent Access-Request Id 35 from 0.0.0.0:52833 to 127.0.0.1:1812 length 46
	User-Name = "testuser"
	User-Password = "testpassword"
	Cleartext-Password = "testpassword"
Received Access-Challenge Id 35 from 127.0.0.1:1812 to 0.0.0.0:0 length 117
	Reply-Message = "Enter a response from your token with serial number 01234-45678."
	State = 0x49475261646975733a4445562d455345432d483230333a313831323a31
(0) -: Expected Access-Accept got Access-Challenge

[user@test-vm ~]$ echo "User-Name=testuser,User-Password=27938732,State=0x49475261646975733a4445562d455345432d483230333a313831323a31" | radclient -x 127.0.0.1:1812 auth test1234
Sent Access-Request Id 178 from 0.0.0.0:33432 to 127.0.0.1:1812 length 77
	User-Name = "testuser"
	User-Password = "27938732"
	State = 0x49475261646975733a4445562d455345432d483230333a313831323a31
	Cleartext-Password = "27938732"
Received Access-Accept Id 178 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
Thanks again,
Bill
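The two-round-trip exchange Bill drove by hand with radclient (PAP password, Access-Challenge with State, then OTP plus the echoed State), as an added Python example using only the standard library. This is not code from the original post or from FreeRADIUS. The packet layout, User-Password hiding and Response Authenticator follow RFC 2865; the server address 127.0.0.1:1812, shared secret test1234, user name and passwords are assumptions mirroring the test above. The server-side `build_response` helper exists only so the client's authenticator check can be exercised offline.

```python
"""Two-round-trip RADIUS PAP + OTP exchange using the State attribute (RFC 2865).
Added example, not code from the original post or from FreeRADIUS.  Server
address, shared secret and credentials are assumptions for illustration."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24


def encode_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; each block is XORed with
    MD5(secret + previous ciphertext block), the first with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_password(cipher, secret, authenticator):
    """Inverse of encode_password (what the server does before the LDAP bind)."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16), then TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Return (code, ident, authenticator, [(type, value), ...]); rejects bad lengths."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, ident, data[4:20], attrs


def build_access_request(ident, secret, username, password, state=None):
    auth = os.urandom(16)  # fresh Request Authenticator for every request
    attrs = [(USER_NAME, username), (USER_PASSWORD, encode_password(password, secret, auth))]
    if state is not None:
        attrs.append((STATE, state))  # State is opaque; echo it back unmodified
    return build_packet(ACCESS_REQUEST, ident, auth, attrs), auth


def build_response(code, ident, request_auth, secret, attrs):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    unsigned = build_packet(code, ident, bytes(16), attrs)
    sig = hashlib.md5(unsigned[:4] + request_auth + unsigned[20:] + secret).digest()
    return unsigned[:4] + sig + unsigned[20:]


def response_is_authentic(resp, request_auth, secret):
    """Client side: a reply that fails this check must be discarded, not acted on."""
    length = struct.unpack("!H", resp[2:4])[0]
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:length] + secret).digest()
    return resp[4:20] == expected


def state_from_attrs(attrs):
    for t, v in attrs:
        if t == STATE:
            return v
    raise ValueError("Access-Challenge carried no State attribute")


def two_step_auth(server, secret, username, password, read_otp, timeout=5.0):
    """Round trip 1: PAP password.  On Access-Challenge, round trip 2: OTP + echoed State."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        req, auth = build_access_request(1, secret, username, password)
        sock.sendto(req, server)
        resp, _ = sock.recvfrom(4096)
        if not response_is_authentic(resp, auth, secret):
            raise ValueError("first reply failed the Response Authenticator check")
        code, _, _, attrs = parse_packet(resp)
        if code != ACCESS_CHALLENGE:
            return code
        prompt = next((v.decode(errors="replace") for t, v in attrs if t == REPLY_MESSAGE), "OTP:")
        req2, auth2 = build_access_request(2, secret, username, read_otp(prompt),
                                           state=state_from_attrs(attrs))
        sock.sendto(req2, server)
        resp2, _ = sock.recvfrom(4096)
        if not response_is_authentic(resp2, auth2, secret):
            raise ValueError("second reply failed the Response Authenticator check")
        return parse_packet(resp2)[0]


if __name__ == "__main__":  # assumed server, secret and credentials, as in the radclient test
    result = two_step_auth(("127.0.0.1", 1812), b"test1234", b"testuser", b"testpassword",
                           lambda prompt: input(prompt + " ").encode())
    print({ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(result, result))
```

Unlike radclient, which just reports "Expected Access-Accept got Access-Challenge", the client above treats the challenge as the normal first step, verifies each reply against the shared secret before trusting it, and copies the State attribute byte-for-byte into the second Access-Request, which is what lets the proxied realm match the OTP to the pending challenge.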