Configuring FreeRadius with LDAP and Google MFA

Alan DeKok aland at deployingradius.com
Tue Oct 5 17:05:48 CEST 2021


On Oct 5, 2021, at 3:25 AM, Quentin Rapin <quentinrapin at gmail.com> wrote:
> I'm trying to set up a freeradius v.3.0.20 server using LDAP with MFA
> (Google authenticator).

  3.0.23+ includes a TOTP module, which is compatible with Google Authenticator.

> The LDAP part worked, however, since I added the MFA configuration, it
> doesn't work anymore; it seems that the passwords are not even checked
> against the ldap database (Windows AD).
> I followed this tutorial to get it working:
> https://sysopstechnix.com/enable-2fa-on-freeradius-with-openldap-users/

  That doesn't seem too bad.

> Here is part of the logs:
> 
> Ready to process requests
> (0) Received Access-Request Id 67 from 127.0.0.1:46701 to
> 127.0.0.1:1812 length 95
> (0) User-Name = "my_user"
> (0) User-Password = "Password831041"

  That seems normal.

> (0) policy filter_google_otp {
> (0) if (&User-Password =~ /^(.*)([0-9]{6})$/) {
> (0) if (&User-Password =~ /^(.*)([0-9]{6})$/) -> TRUE
> (0) if (&User-Password =~ /^(.*)([0-9]{6})$/) {
> (0) update request {
> (0) EXPAND %{2}
> (0) --> 831041
> (0) &Google-Password := 831041
> (0) EXPAND %{1}
> (0) --> Password
> (0) &User-Password := Password

  That's good.

> ...
> rlm_ldap (ldap): Rebinding to URL
> ldaps://DomainDnsZones.office.my.lan/DC=DomainDnsZones,DC=office,DC=my,DC=lan
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> (0) ldap: User object found at DN "CN=test
> ldap,OU=Network,OU=Level3,OU=Admins,OU=NEOXAN,OU=Management,OU=Accounts,DC=office,DC=my,DC=lan"
> (0) ldap: Processing user attributes
> (0) ldap: WARNING: No "known good" password added. Ensure the admin
> user has permission to read the password attribute
> (0) ldap: WARNING: PAP authentication will *NOT* work with Active
> Directory (if that is what you were trying to configure)
> rlm_ldap (ldap): Deleting connection (1) - Was referred to a different
> LDAP server

  So the user information wasn't found in LDAP.  This has nothing to do with OTP issues.

  Try using "ldapsearch", as documented in mods-available/ldap.

  Once that works, use the same configuration in FreeRADIUS.

  Alan DeKok.
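The two checks the thread touches on, the password/OTP split done by the quoted filter_google_otp policy and the TOTP verification that the module in 3.0.23+ performs, as an added example that is not part of this thread or of FreeRADIUS. The regex is the one from the log; the TOTP code follows RFC 4226/6238 (the scheme Google Authenticator uses); ldap_bind is a hypothetical callable standing in for the directory bind.

```python
import base64
import hashlib
import hmac
import re
import struct
import time

# Same regex as the filter_google_otp policy in the log: group 1 is greedy,
# so the OTP is always the last six digits of what the client sent.
OTP_SPLIT = re.compile(r"^(.*)([0-9]{6})$")

def split_password_otp(user_password):
    """Split 'Password831041' into ('Password', '831041'), like the policy
    that sets &User-Password and &Google-Password. None if no 6 trailing digits."""
    m = OTP_SPLIT.match(user_password)
    return (m.group(1), m.group(2)) if m else None

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP as Google Authenticator generates it (30 s steps, 6 digits)."""
    return hotp(secret, int(now // step), digits)

def verify_totp(secret_b32, otp, now=None, step=30, window=1):
    """Accept the code for the current step or +/-window steps of clock skew.
    Comparison is constant-time so response timing does not leak matching digits."""
    secret = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int((time.time() if now is None else now) // step)
    return any(hmac.compare_digest(hotp(secret, counter + k, 6), otp)
               for k in range(-window, window + 1))

def authenticate(user_password, secret_b32, ldap_bind, now=None):
    """Order the checks as the RADIUS policy should: split first, then the
    password part against the directory (for AD that is an LDAP bind, since
    no 'known good' password can be read), then the OTP part.
    ldap_bind is a hypothetical callable standing in for the real bind."""
    parts = split_password_otp(user_password)
    if parts is None:
        return False
    password, otp = parts
    return bool(ldap_bind(password)) and verify_totp(secret_b32, otp, now)
```

Note the greedy group 1: a password that itself ends in six digits is split at its last six digits, so users of this policy should avoid such passwords or the directory check fails.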
