On Feb 12, 2020, at 10:47 AM, Bill Noyce <billnoyce75@gmail.com> wrote:
I was hoping to follow the clearly written Wiki article: https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy
OK.
My problem is that the 2FA Radius Proxy used to verify the OTP requires a valid State value, so currently the login process is a 3 step process! I have allowed State in the Pre-Proxy Attributes filter.
So the current flow is: 1) Username/Password request via AD LDAP 2) Unsuccessful OTP request with invalid State value ( returns valid State value from the remote OTP Radius server )
More correctly *no* State. The State is created by the home server, and sent in an Access-Challenge.
3) Successful OTP request
Anyone able to suggest how I go about getting a valid State value from the OTP radius during the first Access-Request so that the first Access-Challenge response contains this valid State value?
Proxy the original Access-Request to the OTP radius. However, doing this involves checking the users password in the "authorize" section: authorize { if (!State) { if (&User-Password) { # If !State and User-Password (PAP), then force LDAP: update control { Ldap-UserDN := "%{User-Name}@my-domain.com" } } # run the "authenticate" method of "ldap" ldap.authenticate if (!ok) { reject } update control { Proxy-To-Realm := "foo" } ... } Something like that should work.