On Jan 4, 2017, at 6:05 PM, Dudás Péter <peter.pdudas@gmail.com> wrote:
I would proxy the request, but needs 2 authentication - first the Duo, then AD auth (SSL=pap, L2TP=MSCHAPv2). Or first Ad then Duo. Is it possible to proxy the request to Duo and then have a second authentication on the same request depending on the result of the proxy answer?
No. We're fixing that in v4.
Tried with just a module which runs a shell script which do nothing - except Exit 0 Module has no output_pairs defined. And it has the same result - connection failed. No red lines in the debug - all fine.
That's suspicious.
I simply have no clue. Firewall log show authentication successful - but the devices are not connected (Windows10/Android/iPad). 99% that it is related with MPPE keys - I just simply have no clue what is the connection between the generated MPPE keys and a second authentication.
The MPPE keys are automatically derived from the authentication method / credentials. They change with every login.
I'm not able to decrypt/use the MPPE keys - so cannot verify them.
You don't decrypt them. The debug log shows their real value.
Firewall just needs the Filter-Id and access-accept, then grants the connection. So it is not firewall related issue.
Well, if the firewall is not allowing the user online, then it is a firewall issue.
PPP connection not established - that's why I think it can be related with the MPPE keys. But as you can see the keys are generated at the mschap authentication.
Yes. And if your script doesn't modify the MPPE keys, everything should be dine.
Is it possible to cache the MPPE keys to be sure they are not changed during/because of the second authentication.
Don't do that.
"Since you've only given a non-working debug output and not a working one... no, we don't know what's going on." The debug contains 2 successful authentication and an Access-Accept answer. So it is a successful authentication - just have a problem somewhere.
If FreeRADIUS returns Access-Accept and the user doesn't get online.. blame the NAS. Alan DeKok.