Comments on Active Directory IdP and YubiKey OTP integration that supports MS-CHAP v2
Alan DeKok
aland at deployingradius.com
Tue Feb 23 18:49:04 CET 2021
> On Feb 23, 2021, at 12:37 PM, David Herselman via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> Hi,
>
> Just a small update with regards to getting the desired behaviour. One can not perform regex operations on IP attributes in the users file. The following will subsequently *not* work:
> DEFAULT Yubikey-OTP !* "", Packet-Src-IP-Address =~ "^196\.10\.10", Auth-Type := Reject
> Reply-Message = "Access Denied - 2FA required"
>
> Herewith the same thing in unlang, place it just after the '!control:Auth-Type && User-Password' check in the 'authorize {' section:
>
> if (!&Yubikey-OTP) {
> if (&Packet-Src-IP-Address =~ /^196\.10\.10/) {

Or even better:

    if (<ipv4prefix>&Packet-Src-IP-Address < 192.168.10/24) {

Simple and faster. :) See "man unlang" for details.

Alan DeKok.
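
An added example, not part of the original message and not FreeRADIUS code: a Python comparison of the quoted string regex against a numeric prefix membership test, run over constructed source addresses. It assumes the range meant by the regex is 196.10.10.0/24, which the thread does not state.

```python
import ipaddress
import re

# Regex copied from the quoted condition: a string prefix with no trailing "\.".
QUOTED_REGEX = re.compile(r"^196\.10\.10")

# Assumption: the range the regex was meant to cover is 196.10.10.0/24.
ASSUMED_PREFIX = ipaddress.ip_network("196.10.10.0/24")

# Constructed sample source addresses.
SAMPLES = [
    "196.10.10.1",
    "196.10.10.254",
    "196.10.100.7",
    "196.10.109.20",
    "196.10.11.5",
    "10.196.10.10",
]


def regex_match(addr: str) -> bool:
    """Compare the address as text, as a regex condition does."""
    return QUOTED_REGEX.search(addr) is not None


def prefix_match(addr: str, prefix=ASSUMED_PREFIX) -> bool:
    """Compare the address numerically: is it a member of the prefix?"""
    return ipaddress.ip_address(addr) in prefix


def disagreements(samples=SAMPLES):
    """Addresses for which the text check and the prefix check differ."""
    return [a for a in samples if regex_match(a) != prefix_match(a)]


if __name__ == "__main__":
    for a in SAMPLES:
        print(f"{a:15} regex={regex_match(a)!s:5} prefix={prefix_match(a)}")
    print("disagree:", disagreements())
```

The two checks differ on addresses such as 196.10.100.7, which begin with the same characters but lie outside the /24, so a policy keyed on the regex applies to more sources than the prefix does.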