Regarding providing Custom TOTP MFA in freeradius
Hi Team, I have recently been working and developing with the freeradius EAP protocol. I need to send access-challenge request with state and Reply-Message "Enter TOTP" inside of inner-tunnel of EAP-TTLS/PAP Protocol which will prompt the user to enter TOTP and send the access request again and will process and authenticate the user for MFA. I have gone through this solution <https://lists.freeradius.org/pipermail/freeradius-users/2019-February/094471.html> inside the authorize section of inner-tunnel but the EAP module sends access-reject when doing this change, Please guide me in the proper direction on how to achieve this in our environment. Regards Dineshkumar
On Apr 2, 2024, at 2:06 AM, Dineshkumar pachamuthu <dineshkumar.pachamuthu@gmail.com> wrote:
I have recently been working and developing with the freeradius EAP protocol. I need to send access-challenge request with state and Reply-Message "Enter TOTP" inside of inner-tunnel of EAP-TTLS/PAP Protocol which will prompt the user to enter TOTP and send the access request again and will process and authenticate the user for MFA.
I have gone through this solution inside the authorize section of inner-tunnel but the EAP module sends access-reject when doing this change, Please guide me in the proper direction on how to achieve this in our environment.
There is no mechanism in the EAP-TTLS protocol where you can send an Access-Challenge back to the end user device. Even if you sent a Reply-Message to it inside of the TTLS tunnel, the end user device would ignore it. No EAP-TTLS supplicant supports prompting users with a challenge. Alan DeKok.
Hi Alan, Thanks for the replay, Sorry for the late reply. I understand Sending Access-Challenge is not possible with TTLS or with any EAP type since Supplicant will not be compatible to process that. I have one more question, is there a way to tell the client/supplicant to use/Access requests with specific EAP type. If the RADIUS client sends PEAP (MSCHAPV2) in the inner-tunnel I want to send supplicant (NAK request) and ask for only EAP-TTLS/PAP, so the client will resend the request with EAP-TTLS/PAP. is this Feasible by change details at inner-tunnel or server config files? Thanks Dineshkumar On Tue, Apr 2, 2024 at 7:09 PM Alan DeKok <aland@deployingradius.com> wrote:
On Apr 2, 2024, at 2:06 AM, Dineshkumar pachamuthu < dineshkumar.pachamuthu@gmail.com> wrote:
I have recently been working and developing with the freeradius EAP protocol. I need to send access-challenge request with state and Reply-Message "Enter TOTP" inside of inner-tunnel of EAP-TTLS/PAP Protocol which will prompt the user to enter TOTP and send the access request again and will process and authenticate the user for MFA.
I have gone through this solution inside the authorize section of inner-tunnel but the EAP module sends access-reject when doing this change, Please guide me in the proper direction on how to achieve this in our environment.
There is no mechanism in the EAP-TTLS protocol where you can send an Access-Challenge back to the end user device. Even if you sent a Reply-Message to it inside of the TTLS tunnel, the end user device would ignore it.
No EAP-TTLS supplicant supports prompting users with a challenge.
Alan DeKok.
On Apr 30, 2024, at 7:40 AM, Dineshkumar pachamuthu <dineshkumar.pachamuthu@gmail.com> wrote: Thanks for the replay, Sorry for the late reply. I understand Sending Access-Challenge is not possible with TTLS or with any EAP type since Supplicant will not be compatible to process that. I have one more question, is there a way to tell the client/supplicant to use/Access requests with specific EAP type. If the RADIUS client sends PEAP (MSCHAPV2) in the inner-tunnel I want to send supplicant (NAK request) and ask for only EAP-TTLS/PAP, so the client will resend the request with EAP-TTLS/PAP. is this Feasible by change details at inner-tunnel or server config files?
EAP doesn't allow for sending NAK after the inner tunnel has been established. Alan DeKok.
Sorry for the misunderstanding. I mean can we force EAP-TTLS over Access-Request of PEAP request before tunnel is established,, i.e force a particular EAP in supplicant over another in freeradius using NAK or any other way? Regards, Dineshkumar On Tue, Apr 30, 2024 at 5:38 PM Alan DeKok <aland@deployingradius.com> wrote:
On Apr 30, 2024, at 7:40 AM, Dineshkumar pachamuthu < dineshkumar.pachamuthu@gmail.com> wrote: Thanks for the replay, Sorry for the late reply. I understand Sending Access-Challenge is not possible with TTLS or with any EAP type since Supplicant will not be compatible to process that. I have one more question, is there a way to tell the client/supplicant to use/Access requests with specific EAP type. If the RADIUS client sends PEAP (MSCHAPV2) in the inner-tunnel I want to send supplicant (NAK request) and ask for only EAP-TTLS/PAP, so the client will resend the request with EAP-TTLS/PAP. is this Feasible by change details at inner-tunnel or server config files?
EAP doesn't allow for sending NAK after the inner tunnel has been established.
Alan DeKok.
On Apr 30, 2024, at 1:21 PM, Dineshkumar pachamuthu <dineshkumar.pachamuthu@gmail.com> wrote:
Sorry for the misunderstanding. I mean can we force EAP-TTLS over Access-Request of PEAP request before tunnel is established,, i.e force a particular EAP in supplicant over another in freeradius using NAK or any other way?
You can set EAP-Type, and that's the EAP type which will be used . See the documentation in mods-available/eap. Alan Dekok.
Hi Alan Thanks for the suggestion. By changing "*default_eap_type = eap-ttls*" and inside of ttls configuration "*default_eap_type = pap*" (commented all other auth type of EAP) , everything worked fine in the Windows machine. However in iphones and mac machines, I getting peer not accepting error as follows: eap: Expiring EAP session with state 0x282049aa28215c6d (38) eap: Finished EAP session with state 0x282049aa28215c6d (38) eap: Previous EAP request found for state 0x282049aa28215c6d, released from the list (38) eap: Peer sent packet with method EAP NAK (3) (38) eap: *Peer NAK'd asking for unsupported EAP type MSCHAPv2 *(26), skipping... (38) eap: ERROR: No mutually acceptable types found But I read that the iPhone supports EAP-TTLS/PAP (not sure on this). Do I need to change any other settings to make client/supplicant send access requests as EAP-TTLS/PAP. Thanks, Dineshkumar On Tue, Apr 30, 2024 at 11:02 PM Alan DeKok <aland@deployingradius.com> wrote:
On Apr 30, 2024, at 1:21 PM, Dineshkumar pachamuthu < dineshkumar.pachamuthu@gmail.com> wrote:
Sorry for the misunderstanding. I mean can we force EAP-TTLS over
Access-Request of PEAP request before tunnel is established,, i.e force a particular EAP in supplicant over another in freeradius using NAK or any other way?
You can set EAP-Type, and that's the EAP type which will be used . See the documentation in mods-available/eap.
Alan Dekok.
On May 2, 2024, at 3:58 PM, Dineshkumar pachamuthu <dineshkumar.pachamuthu@gmail.com> wrote:
Thanks for the suggestion. By changing "default_eap_type = eap-ttls" and inside of ttls configuration "default_eap_type = pap" (commented all other auth type of EAP) , everything worked fine in the Windows machine. However in iphones and mac machines, I getting peer not accepting error as follows:
eap: Expiring EAP session with state 0x282049aa28215c6d (38) eap: Finished EAP session with state 0x282049aa28215c6d (38) eap: Previous EAP request found for state 0x282049aa28215c6d, released from the list (38) eap: Peer sent packet with method EAP NAK (3) (38) eap: Peer NAK'd asking for unsupported EAP type MSCHAPv2 (26), skipping...
You've edited the configuration files to remove EAP-MSCHAPv2. Don't do that. Alan DeKok.
Yes Alan,I understand the issue. But I want to force EAP-TTLS/PAP for all clients including iphone and android devices, irrespective of what protocol the client uses I want to make them resent with the PAP inner method. Is this achievable or not? Thanks Dineshkumar On Thu, May 2, 2024 at 9:36 PM Alan DeKok <aland@deployingradius.com> wrote:
On May 2, 2024, at 3:58 PM, Dineshkumar pachamuthu < dineshkumar.pachamuthu@gmail.com> wrote:
Thanks for the suggestion. By changing "default_eap_type = eap-ttls" and
inside of ttls configuration "default_eap_type = pap" (commented all other auth type of EAP) , everything worked fine in the Windows machine. However in iphones and mac machines, I getting peer not accepting error as follows:
eap: Expiring EAP session with state 0x282049aa28215c6d (38) eap: Finished EAP session with state 0x282049aa28215c6d (38) eap: Previous EAP request found for state 0x282049aa28215c6d,
released from the list
(38) eap: Peer sent packet with method EAP NAK (3) (38) eap: Peer NAK'd asking for unsupported EAP type MSCHAPv2 (26), skipping...
You've edited the configuration files to remove EAP-MSCHAPv2. Don't do that.
Alan DeKok.
On 02/05/2024 18:35, Dineshkumar pachamuthu wrote:
Yes Alan,I understand the issue. But I want to force EAP-TTLS/PAP for all clients including iphone and android devices, irrespective of what protocol the client uses I want to make them resent with the PAP inner method. Is this achievable or not?
If you want the client to use EAP-TTLS/PAP then you need to configure the client to do that. If the client tries to use something else, and you've disabled it on the server, the authentication will fail, as you've found. -- Matthew
participants (3)
-
Alan DeKok -
Dineshkumar pachamuthu -
Matthew Newton