FreeRadius TOTP authenticate fail passcode validation
Hello, I am working on a TOTP authentication method setup with FreeRadius. For starters I created the user “bob” on raddb/users and defined a password to authenticate against the server I have got it to work with just normal user and password but when I try to configure the TOTP module and testing using radiusd -X it shows the totp.authenticate the return fail. I have made sure that the date time is the same UTC +00 on all the environments, and generate the TOTP token with sha-1, 6 digits code and 30seconds time frame. [Generate token in base 32 = JJBFGV2ZGNCFARKIKBFTGUCYKA====== ] and [Generate default token = JBSWY3DPEHPK3PXP ] This is the configuration file for sites-enable/default: authorize{ #TOTP Authorize if (User-Password !~ /^(.*)([0-9]{6})$/) { reject } update request { User-Password := "%{1}" TOTP-Password := "%{2}" } #Example Use BOB if (&User-Name == "bob") { update control { TOTP-Secret := JJBFGV2ZGNCFARKIKBFTGUCYKA====== } } totp.authenticate if (!ok) { reject } pap } authenticate { Auth-Type PAP { pap } } This is the configuration file of clients.conf : Client network-device { ipaddr = 192.168.1.0/24 secret = testing123 } Note: I have test to send the TOTP-Secret via update control or update request, and that gave me different output when call TOTP.authenticate returns fail or noop . Radius client test: radtest -t pap bob password123456 192.168.1.10:1812 1812 testing123 output radiusd -X Ready to process requests (0) Received Access-Request Id 38 from 192.168.1.10:48110 to 192.168.1.10:1812 length 73 (0) User-Name = "bob" (0) User-Password = "password" (0) NAS-IP-Address = 192.168.1.10 (0) NAS-Port = 1812 (0) Message-Authenticator = 0x66c57ad78dea99a37b8edcf8c79ab46d (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log: --> /var/log/radius/radacct/ 192.168.1.10/auth-detail-20230619 (0) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.10/auth-detail-20230619 (0) auth_log: EXPAND %t (0) auth_log: --> Mon Jun 19 16:05:09 2023 (0) [auth_log] = ok (0) files: users: Matched entry bob at line 1 (0) files: EXPAND Hello %{User-Name} THE BUILDER :D (0) files: --> Hello bob THE BUILDER :D (0) [files] = ok (0) if (User-Password !~ /^(.*)([0-9]{6})$/) { (0) if (User-Password !~ /^(.*)([0-9]{6})$/) -> TRUE (0) if (User-Password !~ /^(.*)([0-9]{6})$/) { (0) [reject] = reject (0) } # if (User-Password !~ /^(.*)([0-9]{6})$/) = reject (0) } # authorize = reject (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> bob (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 38 from 192.168.1.10:1812 to 192.168.1.10:48110 length 47 (0) Reply-Message = "Hello bob THE BUILDER :D " Waking up in 3.9 seconds. (0) Cleaning up request packet ID 38 with timestamp +3 due to cleanup_delay was reached Ready to process requests Please let me know if you can help me on this 🙂 Thank you! Best regards, Miguel
I apologize but the previous logs were incorrect, it was an output log using just username + password. This is the output from radiusd -X when using username + password + passcode: Ready to process requests (0) Received Access-Request Id 105 from 192.168.1.10:45091 to 192.168.1.10:1812 length 73 (0) User-Name = "bob" (0) User-Password = "mypassword002434" (0) NAS-IP-Address = 192.168.1.10 (0) NAS-Port = 1812 (0) Message-Authenticator = 0x4877740bffa9041ce041994eb5764c90 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) files: users: Matched entry bob at line 1 (0) files: EXPAND Hello %{User-Name} THE BUILDER :D (0) files: --> Hello bob THE BUILDER :D (0) [files] = ok (0) if (User-Password !~ /^(.*)([0-9]{6})$/) { (0) if (User-Password !~ /^(.*)([0-9]{6})$/) -> FALSE (0) update request { (0) EXPAND %{1} (0) --> mypassword (0) User-Password := mypassword (0) EXPAND %{2} (0) --> 002434 (0) TOTP-Password := 002434 (0) } # update request = noop (0) if (&User-Name == "bob") { (0) if (&User-Name == "bob") -> TRUE (0) if (&User-Name == "bob") { (0) update control { (0) TOTP-Secret := JJBFGV2ZGNCFARKIKBFTGUCYKA====== (0) } # update control = noop (0) } # if (&User-Name == "bob") = noop (0) update reply { (0) reply-Message := TOTP-Password -> '002434' (0) No attributes updated for RHS TOTP-Secret (0) reply-Message := User-Password -> 'mypassword' (0) } # update reply = noop (0) [totp.authenticate] = fail (0) } # authorize = fail (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> bob (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 105 from 192.168.1.10:1812 to 192.168.1.10:45091 length 32 (0) Reply-Message := "mypassword" Waking up in 3.9 seconds. (0) Cleaning up request packet ID 105 with timestamp +38 due to cleanup_delay was reached Ready to process requests Thank you! João Miguel Regateiro <jmregateiro@gmail.com> escreveu no dia terça, 20/06/2023 à(s) 10:06:
Hello,
I am working on a TOTP authentication method setup with FreeRadius. For starters I created the user “bob” on raddb/users and defined a password to authenticate against the server I have got it to work with just normal user and password but when I try to configure the TOTP module and testing using radiusd -X it shows the totp.authenticate the return fail. I have made sure that the date time is the same UTC +00 on all the environments, and generate the TOTP token with sha-1, 6 digits code and 30seconds time frame. [Generate token in base 32 = JJBFGV2ZGNCFARKIKBFTGUCYKA====== ] and [Generate default token = JBSWY3DPEHPK3PXP ]
This is the configuration file for sites-enable/default:
authorize{ #TOTP Authorize if (User-Password !~ /^(.*)([0-9]{6})$/) { reject }
update request { User-Password := "%{1}" TOTP-Password := "%{2}" } #Example Use BOB if (&User-Name == "bob") { update control { TOTP-Secret := JJBFGV2ZGNCFARKIKBFTGUCYKA====== } } totp.authenticate if (!ok) { reject } pap }
authenticate { Auth-Type PAP { pap } }
This is the configuration file of clients.conf : Client network-device { ipaddr = 192.168.1.0/24 secret = testing123 }
Note: I have test to send the TOTP-Secret via update control or update request, and that gave me different output when call TOTP.authenticate returns fail or noop .
Radius client test: radtest -t pap bob password123456 192.168.1.10:1812 1812 testing123
output radiusd -X
Ready to process requests (0) Received Access-Request Id 38 from 192.168.1.10:48110 to 192.168.1.10:1812 length 73 (0) User-Name = "bob" (0) User-Password = "password" (0) NAS-IP-Address = 192.168.1.10 (0) NAS-Port = 1812 (0) Message-Authenticator = 0x66c57ad78dea99a37b8edcf8c79ab46d (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log: --> /var/log/radius/radacct/ 192.168.1.10/auth-detail-20230619 (0) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.10/auth-detail-20230619 (0) auth_log: EXPAND %t (0) auth_log: --> Mon Jun 19 16:05:09 2023 (0) [auth_log] = ok (0) files: users: Matched entry bob at line 1 (0) files: EXPAND Hello %{User-Name} THE BUILDER :D (0) files: --> Hello bob THE BUILDER :D (0) [files] = ok (0) if (User-Password !~ /^(.*)([0-9]{6})$/) { (0) if (User-Password !~ /^(.*)([0-9]{6})$/) -> TRUE (0) if (User-Password !~ /^(.*)([0-9]{6})$/) { (0) [reject] = reject (0) } # if (User-Password !~ /^(.*)([0-9]{6})$/) = reject (0) } # authorize = reject (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> bob (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 38 from 192.168.1.10:1812 to 192.168.1.10:48110 length 47 (0) Reply-Message = "Hello bob THE BUILDER :D " Waking up in 3.9 seconds. (0) Cleaning up request packet ID 38 with timestamp +3 due to cleanup_delay was reached Ready to process requests
Please let me know if you can help me on this 🙂 Thank you!
Best regards, Miguel
On Jun 20, 2023, at 5:06 AM, João Miguel Regateiro <jmregateiro@gmail.com> wrote:,
I am working on a TOTP authentication method setup with FreeRadius. For starters I created the user “bob” on raddb/users and defined a password to authenticate against the server I have got it to work with just normal user and password but when I try to configure the TOTP module and testing using radiusd -X it shows the totp.authenticate the return fail. I have made sure that the date time is the same UTC +00 on all the environments, and generate the TOTP token with sha-1, 6 digits code and 30seconds time frame. [Generate token in base 32 = JJBFGV2ZGNCFARKIKBFTGUCYKA====== ] and [Generate default token = JBSWY3DPEHPK3PXP ]
If it fails, then the short answer is that the TOTP doesn't match. There isn't really much else which can go wrong. I've pushed changes to the v3.2.x branch which let you do "radiusd -Xx", and the totp module will now print out the TOTP it expected, and the one it received. You'll have to download and build v3.2.x in order to use it, though. You can also build a command-line program to test the TOTP. Build the source as normal, and then do: $ cd src/modules/rlm_totp $ make totp And then can use the above key: $ ./totp totp 1687268891 JBSWY3DPEHPK3PXP 601664 Time 1687268891 Expected 601664 Received 601664 or: $ ./totp totp now JBSWY3DPEHPK3PXP 123456 Time 1687269000 Expected 895298 Received 123456 Fail My guess is that the TOTP you're giving it is wrong. But increased debug output will let you know exactly what's going on. Alan DeKok.
participants (2)
-
Alan DeKok -
João Miguel Regateiro