On Oct 5, 2021, at 3:25 AM, Quentin Rapin <quentinrapin@gmail.com> wrote:
I'm trying to setup a freeradius v.3.0.20 server using LDAP with MFA (Google authenticator).
3.0.23+ includes a TOTP module, which is compatible with google authenticator.
The LDAP part worked, however, since I added the MFA configuration, it doesn't work anymore, it seems that the password are not even checked against the ldap database (Windows AD). I followed this tutorial to get it working: https://sysopstechnix.com/enable-2fa-on-freeradius-with-openldap-users/
That doesn't seem too bad.
Here is part of the logs :
Ready to process requests (0) Received Access-Request Id 67 from 127.0.0.1:46701 to 127.0.0.1:1812 length 95 (0) User-Name = "my_user" (0) User-Password = "Password831041"
That seems normal.
(0) policy filter_google_otp { (0) if (&User-Password =~ /^(.*)([0-9]{6})$/) { (0) if (&User-Password =~ /^(.*)([0-9]{6})$/) -> TRUE (0) if (&User-Password =~ /^(.*)([0-9]{6})$/) { (0) update request { (0) EXPAND %{2} (0) --> 831041 (0) &Google-Password := 831041 (0) EXPAND %{1} (0) --> Password (0) &User-Password := Password
That's good.
... rlm_ldap (ldap): Rebinding to URL ldaps://DomainDnsZones.office.my.lan/DC=DomainDnsZones,DC=office,DC=my,DC=lan rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (0) ldap: User object found at DN "CN=test ldap,OU=Network,OU=Level3,OU=Admins,OU=NEOXAN,OU=Management,OU=Accounts,DC=office,DC=my,DC=lan" (0) ldap: Processing user attributes (0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Deleting connection (1) - Was referred to a different LDAP server
So the user information wasn't found in LDAP. This has nothing to do with OTP issues. Try using "ldapsearch", as documented in mods-available/ldap Once that works, use the same configuration in FreeRADIUS. Alan DeKok.