with your hints I managed to get this running: That's good. I get the error in freeradius -X:
(2) Found Auth-Type = PAP (2) Found Auth-Type = Accept (2) ERROR: Warning: Found 2 auth-types on request for user '<user>'
Can I ignore this? Yes. If you upgrade to 3.0.17, the message will go away. Only one more problem is to solve:
In post-auth we have a Perl-script that relies on the groups that come from LDAP to make user rights decisions. When we are in Next-Token-Mode (case 1.2) we do not query LDAP, so freeradius cannot pass the groups to the Perl script. OK. Is there a way to tell freeradius to cache the LDAP-groups from the last request for case 1.1 and use them in 1.2? You can cache LDAP groups in the session-state list. But they're only cached for a series of challenge/ response packets. Alan DeKok.
Hi Alan, this seems to do exactly what we want: # In any case: check the LDAP and local user-file first ldap files # Case 1: No script-user -> 2FA if(User-Name !~ /^sc_.+$/) { # Case 1.1: LDAP-PW + Token if(User-Password =~ /^(.+)([0-9]{6})$/) { # LDAP-password in %{1} # Token in %{2} update request { User-Password := "%{1}" } # Check password and reject if incorrect pap pap.authenticate update request { User-Password := "%{2}" } # Proxy the request to the SecurID-server update control { Proxy-To-Realm := "securid" } } # Case 1.2: Just a Token, no LDAP-PW, Next-Token-Mode elsif(State && User-Password =~ /^([0-9]{6})$/) { update control { Proxy-To-Realm := "securid" } } } # Case 2: script-user else { pap } Is my elsif(State ...)-statement a robust way to check if this packet belongs to a challenge-response of this exact user? I want to avoid situations where a user might be able to authenticate with just a Token and no password. We are testing the configuration now. Thank you very much for your help! I'll check back in a few weeks regarding the password change / TACACS+ feature I asked for in my initial mail. For the moment we'll do the password changes via a web-interface for the LDAP which is fine. Best wishes Michael Gesendet: Montag, 03. Dezember 2018 um 19:43 Uhr Von: "Alan DeKok" <aland@deployingradius.com> An: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Betreff: Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode On Dec 3, 2018, at 9:37 AM, michael böhm <ksk2@gmx.net> wrote: - List info/subscribe/unsubscribe? See [1]http://www.freeradius.org/list/users.html References 1. http://www.freeradius.org/list/users.html