I’m not sure what I am doing wrong. I am trying to use eap-tls to authenticate users against active directory, and if it passes, I want to prompt the user to enter their OTP. This is all working with PAP, but I want to use eap-tls since it is more secure. Everything works fine with the windows authentication, but as soon as I uncomment out the “challenge” line in the code below, I get the following error:
(6) ntlm_auth: Program executed successfully (6) [ntlm_auth] = ok (6) if (ok) { (6) if (ok) -> TRUE (6) if (ok) { (6) update reply { (6) Reply-Message := "Please enter OTP" (6) } # update reply = noop (6) policy challenge { (6) update control { (6) &Response-Packet-Type = Access-Challenge (6) } # update control = noop (6) [handled] = handled (6) } # policy challenge = handled (6) } # if (ok) = handled (6) } # Auth-Type ntlm_auth = handled (6) } # server inner-tunnel (6) Virtual server sending reply (6) Reply-Message := "Please enter OTP" (6) eap_ttls: No tunneled reply was found for request 6 , and the request was not proxied: rejecting the user. (6) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed (6) eap: Sending EAP Failure (code 4) ID 6 length 4 (6) eap: Failed in EAP select (6) [eap] = invalid (6) } # Auth-Type eap = invalid (6) Failed to authenticate the user (6) Using Post-Auth-Type Reject (6) Post-Auth-Type sub-section not found. Ignoring.
I only get this error when I try to send out a challenge. If I comment out the challenge line, then everything works, except then user does not get promted for their OTP and are allowed to authentice using only their domain password.
Here is a copy of my inner-tunnel config:
server inner-tunnel {
listen { ipaddr = 127.0.0.1 port = 18120 type = auth }
authorize { if (!State) { if (&User-Password) { update control { Auth-Type = ntlm_auth } } else { reject } } else { # If State, then proxy request: update control { Proxy-To-Realm := "otp" } } }
authenticate {
Auth-Type ntlm_auth { ntlm_auth if (ok) { update reply { # Create a random State attribute: # State := "%{randstr:aaaaaaaaaaaaaaaa}" Reply-Message := "Please enter OTP" } # Return Access-Challenge: # challenge } }
}
session { radutmp }
post-auth {
#if (0) { update reply { User-Name !* ANY Message-Authenticator !* ANY EAP-Message !* ANY Proxy-State !* ANY MS-MPPE-Encryption-Types !* ANY MS-MPPE-Encryption-Policy !* ANY MS-MPPE-Send-Key !* ANY MS-MPPE-Recv-Key !* ANY }
update { &outer.session-state: += &reply: } #}
Post-Auth-Type REJECT { -sql attr_filter.access_reject update outer.session-state { &Module-Failure-Message := &request:Module-Failure-Message } } }
pre-proxy { }
post-proxy {
eap }
}
Any help that someone could give me to point me in the right direction would be greatly appreciated.
Thanks