You can't use Yubikey OTPs twice
On Oct 6, 2021, at 8:25 AM, Steven Vacaroaia <stef97@gmail.com> wrote:
Hi,
Thanks for taking the time to provide some guidance
I was talking about the comments here https://github.com/FreeRADIUS/mod_auth_radius
In the example I provided I tried to follow OTP workaround provided by you in the mod_auth_radius
The password mismatch issue seems to be related to Yubikey module complaining about REPLAYED_OTP ( I am using same password/username/key as few seconds ago when it worked)
many thanks Steven
On Wed, 6 Oct 2021 at 06:00, <freeradius-users-request@lists.freeradius.org> wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: Authenticator -to- RADIUS connection (Alan DeKok) 2. Apache2 auth_radius and OTP not working consistently (Steven Vacaroaia) 3. Re: Apache2 auth_radius and OTP not working consistently (Alan DeKok) 4. Re: Apache2 auth_radius and OTP not working consistently (Alan DeKok)
----------------------------------------------------------------------
Message: 1 Date: Tue, 5 Oct 2021 13:49:29 -0400 From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Authenticator -to- RADIUS connection Message-ID: <3FDAEFEE-1B4C-4F5D-87F1-FD5BC28B82EF@deployingradius.com> Content-Type: text/plain; charset=utf-8
On Oct 5, 2021, at 1:00 PM, Turner, Randy <Randy.Turner@landisgyr.com> wrote: We are using a package called “hostapd” to talk to FreeRADIUS – in some of the hostapd documentation they refer to hostapd as an 802.1x “authenticator”
Yes. 802.1X != RADIUS. They use different terminology, because they are different protocols, and do different (but related) things.
And why not just say from the start that you're using hostap? It's *always* better to be precise. Especially if you're not familiar with the technology.
This was the term I used in my original question which may have readers thinking I meant the actual device that was trying to access the network.
I didn't know what you meant. Because as soon as someone uses the wrong terminology, all bets are off.
In FreeRADIUS parlance, I think hostapd is called a NAS – it’s the NAS-to-FreeRADIUS connection I was referring to.
This is not "FreeRADIUS parlance". The term "NAS" goes back to at least 1993, and the first RADIUS standards. A little bit of reading on the basic terminology would help.
So you're still confused about which things are involved, and what they do. I'm still not sure what you're asking.
The "NAS to FreeRADIUS" connection uses RADIUS. You can't use any other protocol there.
The "end user to hostap" connection uses 802.1X, which includes EAP. The EAP packets are then placed inside of RADIUS by the NAS, sent to FreeRADIUS.
EAP can carry many different kinds of authentication. EAP-TLS, EAP-TTLS, etc.
All of this information is available on the net (including Wikipedia) if you go look.
What is frustrating here is not just using the wrong terminology, it's also metering out of additional information all through the conversation. It would have been very simple to say "I have a computer using WiFi, I have hostap, and I want to authenticate the user device via FreeRADIUS". That would have given us *useful* information.
Instead, it's a vague question using incorrect terms, followed by "Oh yeah, I'm using this, too". This is frustrating.
Spend an hour or so reading the Wikipedia pages on RADIUS and EAP. That should clarify a lot of issues. And PLEASE give useful information in messages. That helps enormously.
Alan DeKok.
------------------------------
Message: 2 Date: Tue, 5 Oct 2021 16:55:40 -0400 From: Steven Vacaroaia <stef97@gmail.com> To: freeradius-users@lists.freeradius.org Subject: Apache2 auth_radius and OTP not working consistently Message-ID: < CAJ4cwkN8acKC6p-ZAUHR1N2r_Jvs9SDudd5MkS+juk2_qtcdYQ@mail.gmail.com> Content-Type: text/plain; charset="UTF-8"
Hi,
I am trying to get freeradius + AD + Yubikey as authentication mechanism for some of our websites
It is working on and off which makes it very difficult to troubleshoot
I noticed some notes / comments in the module but apparently I am not able to implement them properly although they seem pretty clear
It will be greatly appreciated if you can point me to what am I doing wrong
Example folder protected /var/www/html/test/user file needed to be used /var/www/html/test/user/index.php I put another file named index.html containing a link to index.php in the above folder
I can connect to it after authenticate but , when I am using the link I created to index.php, I am asked again to authenticate which fails with "password mismatched" error
I know I must be missing something really simple and I apologize for wasting your time with this but I am a bit desperate to get it working
Thanks Steven
------------------------------
Message: 3 Date: Tue, 5 Oct 2021 16:59:18 -0400 From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Apache2 auth_radius and OTP not working consistently Message-ID: <19B2E21E-CFEE-407E-A601-D4868B5E0765@deployingradius.com> Content-Type: text/plain; charset=us-ascii
On Oct 5, 2021, at 4:55 PM, Steven Vacaroaia <stef97@gmail.com> wrote: I am trying to get freeradius + AD + Yubikey as authentication mechanism for some of our websites
It is working on and off which makes it very difficult to troubleshoot
it's best to test these things with "radclient". That way you test the RADIUS / AD / Yubikey portion separately from the web site.
TBH, most web server integration with RADIUS is pretty poor.
I noticed some notes / comments in the module but apparently I am not able to implement them properly although they seem pretty clear
Which module?
It will be greatly appreciated if you can point me to what am I doing wrong
Example folder protected /var/www/html/test/user file needed to be used /var/www/html/test/user/index.php I put another file named index.html containing a link to index.php in the above folder
That has nothing to do with FreeRADIUS. We don't ship a web server, so I have no idea how to fix anything here.
I can connect to it after authenticate but , when I am using the link I created to index.php, I am asked again to authenticate which fails with "password mismatched" error
I know I must be missing something really simple and I apologize for wasting your time with this but I am a bit desperate to get it working
Which were server are you using?
Whatever web server it is, you need to consult its documentation for how to configure RADIUS authentication.
Once FreeRADIUS gets a packet, we can help you. Until then, it's all web server magic that we know very little about.
Alan DeKok.
------------------------------
Message: 4 Date: Tue, 5 Oct 2021 17:01:05 -0400 From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Apache2 auth_radius and OTP not working consistently Message-ID: <19201DA5-F29D-45BF-8A59-A7560E7DDD9E@deployingradius.com> Content-Type: text/plain; charset=us-ascii
Sorry... I missed the part about "Apache2", it's been a long day.
If you're getting a "password mismatched" error, then run FR in debug mode to see what it returns. Check if the passwords are correct, that the shared secrets are correct, etc.
I'd say "run Apache in debug mode", but it's debug mode is essentially useless.
Alan DeKok.
------------------------------
Subject: Digest Footer
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
End of Freeradius-Users Digest, Vol 198, Issue 14 *************************************************
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html