we've decided to use the Radius-interface of the SecurID-server and not the proprietary protocol. OK. Now I need unlang to make the access decision:
LDAP-Plugin (accept) AND Proxy-Request to SecurID-Server (accept) = ACCEPT to NAS
I tried it like that in the authorize-section but it did not work: See the FAQ for "it doesn't work". filter_username preprocess
# %{1} = ldap-password # %{2} = Token
if (User-Password =~ /^(.+)([0-9]{6})$/) { update request { User-Password := "%{2}" } update control { Proxy-To-Realm := "securid" }
update request { User-Password := "%{1}" }
ldap }
pap
The proxying itself is working fine but not the correlation of the two results. What does that mean? Could you please give me a minimal example of how to create this and-logic in unlang? My $0.02 is to check the users password *first*, and then proxy to RSA if it passed. if (User-Password =~ /^(.+)([0-9]{6})$/) { update request { User-Password := "%{2}" } # get the "known good" password from LDAP ldap # check the users password # if this fails, the user will be automatically rejected pap.authenticate update control { Proxy-To-Realm := "securid" } update request { User-Password := "%{1}" } } else { ... do stuff for non-RSA users ... } Alan DeKok.
Hi Alan, with your hints I managed to get this running: # Case 1: No script-user -> 2FA if(User-Name !~ /^sc_.+$/) { # Case 1.1: LDAP-PW + Token if(User-Password =~ /^(.+)([0-9]{6})$/) { update request { User-Password := "%{1}" } ldap files pap pap.authenticate update request { User-Password := "%{2}" } update control { Proxy-To-Realm := "securid" } } # Case 1.2: Just a Token, no LDAP-PW, Next-Token-Mode elsif(State && User-Password =~ /^([0-9]{6})$/) { update control { Proxy-To-Realm := "securid" } } } # Case 2: script-user else { ldap files pap } I get the error in freeradius -X: (2) Found Auth-Type = PAP (2) Found Auth-Type = Accept (2) ERROR: Warning: Found 2 auth-types on request for user '<user>' Can I ignore this? Only one more problem is to solve: In post-auth we have a Perl-script that relies on the groups that come from LDAP to make user rights decisions. When we are in Next-Token-Mode (case 1.2) we do not query LDAP, so freeradius cannot pass the groups to the Perl script. Is there a way to tell freeradius to cache the LDAP-groups from the last request for case 1.1 and use them in 1.2? If there is no easy way I would delete Case 1.2 and tell the user to type in the LDAP-password again followed by the next Token. Thanks and best wishes Michael Gesendet: Montag, 03. Dezember 2018 um 14:11 Uhr Von: "Alan DeKok" <aland@deployingradius.com> An: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Betreff: Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode On Dec 3, 2018, at 8:00 AM, michael böhm <ksk2@gmx.net> wrote: - List info/subscribe/unsubscribe? See [1]http://www.freeradius.org/list/users.html References 1. http://www.freeradius.org/list/users.html