On Sep 6, 2019, at 12:41 PM, ngoetz75 <ngoetz24@gmail.com> wrote:
I’m not sure what I am doing wrong. I am trying to use eap-tls to authenticate users against active directory,
EAP-TLS authenticates users by certificate. It doesn't need / use AD. The most you could do is to check the username against the user ID in AD. If the user exists, keep going with EAP-TLS. Otherwise reject them.
and if it passes, I want to prompt the user to enter their OTP.
EAP-TLS doesn't use passwords. Therefore it doesn't use OTP. Maybe you mean TTLS?
This is all working with PAP, but I want to use eap-tls since it is more secure. Everything works fine with the windows authentication, but as soon as I uncomment out the “challenge” line in the code below, I get the following error:
(6) ntlm_auth: Program executed successfully (6) [ntlm_auth] = ok (6) if (ok) { (6) if (ok) -> TRUE (6) if (ok) { (6) update reply { (6) Reply-Message := "Please enter OTP" (6) } # update reply = noop (6) policy challenge { (6) update control { (6) &Response-Packet-Type = Access-Challenge (6) } # update control = noop (6) [handled] = handled (6) } # policy challenge = handled (6) } # if (ok) = handled (6) } # Auth-Type ntlm_auth = handled (6) } # server inner-tunnel (6) Virtual server sending reply (6) Reply-Message := "Please enter OTP" (6) eap_ttls: No tunneled reply was found for request 6 , and the request was not proxied: rejecting the user.
Yes. EAP-TTLS has a fixed packet flow. You can't just inject something new and expect it to work. If you want OTP challenge / response with EAP-TTLS, you have to use EAP-GTC in the inner tunnel. PAP won't work. Alan DeKok.