3.0.23+ includes a TOTP module, which is compatible with google authenticator.
Great, I checked it out, the example is clear. As said in the documentation, the module takes no configuration items. Does that mean that it is only compatible with google authenticator and knows where to find the file ? I mean it's even not required to indicate the path to the .google_authenticator file.
So the user information wasn't found in LDAP. This has nothing to do with OTP issues.
Try using "ldapsearch", as documented in mods-available/ldap
Once that works, use the same configuration in FreeRADIUS.
Just did that, it works well. I can retrieve the information. What's strange is that ldap authentication worked before I added the TOTP config. Le mar. 5 oct. 2021 à 17:06, Alan DeKok <aland@deployingradius.com> a écrit :
On Oct 5, 2021, at 3:25 AM, Quentin Rapin <quentinrapin@gmail.com> wrote:
I'm trying to setup a freeradius v.3.0.20 server using LDAP with MFA (Google authenticator).
3.0.23+ includes a TOTP module, which is compatible with google authenticator.
The LDAP part worked, however, since I added the MFA configuration, it doesn't work anymore, it seems that the password are not even checked against the ldap database (Windows AD). I followed this tutorial to get it working: https://sysopstechnix.com/enable-2fa-on-freeradius-with-openldap-users/
That doesn't seem too bad.
Here is part of the logs :
Ready to process requests (0) Received Access-Request Id 67 from 127.0.0.1:46701 to 127.0.0.1:1812 length 95 (0) User-Name = "my_user" (0) User-Password = "Password831041"
That seems normal.
(0) policy filter_google_otp { (0) if (&User-Password =~ /^(.*)([0-9]{6})$/) { (0) if (&User-Password =~ /^(.*)([0-9]{6})$/) -> TRUE (0) if (&User-Password =~ /^(.*)([0-9]{6})$/) { (0) update request { (0) EXPAND %{2} (0) --> 831041 (0) &Google-Password := 831041 (0) EXPAND %{1} (0) --> Password (0) &User-Password := Password
That's good.
... rlm_ldap (ldap): Rebinding to URL ldaps://DomainDnsZones.office.my.lan/DC=DomainDnsZones,DC=office,DC=my,DC=lan rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (0) ldap: User object found at DN "CN=test ldap,OU=Network,OU=Level3,OU=Admins,OU=NEOXAN,OU=Management,OU=Accounts,DC=office,DC=my,DC=lan" (0) ldap: Processing user attributes (0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Deleting connection (1) - Was referred to a different LDAP server
So the user information wasn't found in LDAP. This has nothing to do with OTP issues.
Try using "ldapsearch", as documented in mods-available/ldap
Once that works, use the same configuration in FreeRADIUS.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html