On 28 Dec 2017, at 03:47, Mathias Sundman <mathias@nilings.se> wrote:
On 27 Dec 2017, at 16:51, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 27, 2017, at 10:09 AM, Mathias Sundman <mathias@nilings.se> wrote:
However, he now wants to first authenticate the user with username/AD-password via LDAP against their AD, and if successful, the user should be prompted for the OTP code as a second step. This is currently not possible with the Gemalto SAS solution, so I’m therefor trying to deploy a FreeRADIUS (v3.0.13 on CentOS7) server in between and have FR perform the AD auth, return an Access-Challenge and then proxy the second Access-Request with the OTP code to Gemalto RADIUS.
That's possible, but it takes a bit of tweaking. But it requires an understanding of how Access-Challenge works.
I also had to enable attr_filter.pre-proxy in the pre-proxy section to filter out the State and Reply-Message attributes before the second Access-Request was proxied to Gemalto, otherwise the request was rejected as that server did not expect a request with a state.
Just in case someone else is searching for the same problem, I’ve cleaned up the logic to make it work with multiple virtual servers where I manually force proxying to a specific Realm, instead of relying on the suffix/realm module to enable the proxying. This is now what I ended up with: authorize { if (!State) { ldap if (ok) { update control { Auth-Type := LDAP } } else { reject } } else { update control { Proxy-To-Realm := "test" } } } authenticate { Auth-Type LDAP { ldap if (ok) { update session-state { Tmp-Integer-0 := "%{randstr:n}" } update reply { Reply-Message := "Please enter OTP" } challenge } } } pre-proxy { attr_filter.pre-proxy } If you believe the logic is still flawed in any way, please let me know, otherwise I thank you again Alan for the quick reply and consider the problem solved.