Thank you for your response.
You are correct, I meant to type ttls, not tls.
The Palo Alto firewall that I am using to authenticate against FreeRadius only supports the following types: PEAP-MSCHAPv2 PEAP with GTC EAP-TTLS with PAP PAP
Since I am trying to do two-factor (AD and OTP), I need to be able to return a challenge response back to the firewall requesting the user to enter their token. So far I have only gotten this to work properly with PAP. Since PAP is very insecure, I was hopping to use one of the other types. I was hopping that since PAP was working, I could do the same thing using PAP within a TTLS tunnel. Since I am forwarding the second factor (OTP) to another radius servers (safenet), I am assuming the freeradius servers will need the OTP password in clear text to forward to the safenet radius server. I didn't think that the PEAP options would work because they send a hash value instead of the password.
I am fairly new at doing this, so my assumptions could be incorrect.
Thanks
<quote author='Alan DeKok-2'>
On Sep 6, 2019, at 12:41 PM, ngoetz75 <ngoetz24@gmail.com> wrote:
I’m not sure what I am doing wrong. I am trying to use eap-tls to authenticate users against active directory,
EAP-TLS authenticates users by certificate. It doesn't need / use AD.
The most you could do is to check the username against the user ID in AD. If the user exists, keep going with EAP-TLS. Otherwise reject them.
and if it passes, I want to prompt the user to enter their OTP.
EAP-TLS doesn't use passwords. Therefore it doesn't use OTP.
Maybe you mean TTLS?
This is all working with PAP, but I want to use eap-tls since it is more secure. Everything works fine with the windows authentication, but as soon as I uncomment out the “challenge” line in the code below, I get the following error:
(6) ntlm_auth: Program executed successfully (6) [ntlm_auth] = ok (6) if (ok) { (6) if (ok) -> TRUE (6) if (ok) { (6) update reply { (6) Reply-Message := "Please enter OTP" (6) } # update reply = noop (6) policy challenge { (6) update control { (6) &Response-Packet-Type = Access-Challenge (6) } # update control = noop (6) [handled] = handled (6) } # policy challenge = handled (6) } # if (ok) = handled (6) } # Auth-Type ntlm_auth = handled (6) } # server inner-tunnel (6) Virtual server sending reply (6) Reply-Message := "Please enter OTP" (6) eap_ttls: No tunneled reply was found for request 6 , and the request was not proxied: rejecting the user.
Yes. EAP-TTLS has a fixed packet flow. You can't just inject something new and expect it to work.
If you want OTP challenge / response with EAP-TTLS, you have to use EAP-GTC in the inner tunnel. PAP won't work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html </quote> Quoted from: http://freeradius.1045715.n5.nabble.com/Fwd-Not-able-to-send-a-challenge-tp5...
_____________________________________ Sent from http://freeradius.1045715.n5.nabble.com