Apache Auth via User/OTP fails
Hello, I try to authenticate via my Apache Webserver to my freeradius Server. The Apache connects successful, and provides User/OneTimePassword to the freeradius. Here I use the following Config: Auth-Type OTP_OWA { update control { SECRET := `/usr/bin/php /freeradius_scripts/getSecretFromDB.php --username=%{User-Name} ` LAST_USED_PIN := `/usr/bin/php /freeradius_scripts/get_last_used_pin.php --username=%{User-Name}` PIN := `/bin/bash /freeradius_scripts/getPin %{control:SECRET}` PIN_FROM_USER := %{User-Password} ATTEMPTS := `/usr/bin/php /freeradius_scripts/get_attempts.php --username=%{User-Name}` Auth-Type := `/usr/bin/php /freeradius_scripts/check_pin_dev_log.php --username=%{User-Name} --pin=%{control:PIN} --pin_from_user=%{User-Password} --last_used_pin=%{control:LAST_USED_PIN} --attempts=%{control:ATTEMPTS}` } } Unfortunately I receive an REJECT from the freeradius: {DEBUG Output}: (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Auth-Type OTP_OWA { (0) update control { (0) Executing: /usr/bin/php /freeradius_scripts/getSecretFromDB.php --username=%{User-Name} : (0) EXPAND --username=%{User-Name} (0) --> --username=USER.NAME (0) Program returned code (0) and output SECRET (0) SECRET := SECRET (0) Executing: /usr/bin/php /freeradius_scripts/get_last_used_pin.php --username=%{User-Name}: (0) EXPAND --username=%{User-Name} (0) --> --username= USER.NAME (0) Program returned code (0) and output 12346 (0) LAST_USED_PIN := 12346 (0) Executing: /bin/bash /freeradius_scripts/getPin %{control:SECRET}: (0) EXPAND %{control:SECRET} (0) --> SECRET (0) Program returned code (0) and output 12346 (0) PIN := 12346 (0) PIN_FROM_USER := %{User-Password} (0) Executing: /usr/bin/php /freeradius_scripts/get_attempts.php --username=%{User-Name}: (0) EXPAND --username=%{User-Name} (0) --> --username= USER.NAME (0) Program returned code (0) and output '0' (0) ATTEMPTS := 0 (0) Executing: /usr/bin/php /freeradius_scripts/check_pin_dev_log.php --username=%{User-Name} --pin=%{control:PIN} --pin_from_user=%{User-Password} --last_used_pin=%{control:LAST_USED_PIN} --attempts=%{control:ATTEMPTS}: (0) EXPAND --username=%{User-Name} (0) --> --username= USER.NAME (0) EXPAND --pin=%{control:PIN} (0) --> --pin=12346 (0) EXPAND --pin_from_user=%{User-Password} (0) --> --pin_from_user=12346 (0) EXPAND --last_used_pin=%{control:LAST_USED_PIN} (0) --> --last_used_pin=64321 (0) EXPAND --attempts=%{control:ATTEMPTS} (0) --> --attempts=0 (0) Program returned code (0) and output 'Accept' (0) Auth_Type_LOG := Accept (0) Executing: /usr/bin/php /freeradius_scripts/check_pin_dev_log.php --username=%{User-Name} --pin=%{control:PIN} --pin_from_user=%{User-Password} --last_used_pin=%{control:LAST_USED_PIN} --attempts=%{control:ATTEMPTS}: (0) EXPAND --username=%{User-Name} (0) --> --username= USER.NAME (0) EXPAND --pin=%{control:PIN} (0) --> --pin=12346 (0) EXPAND --pin_from_user=%{User-Password} (0) --> --pin_from_user=12346 (0) EXPAND --last_used_pin=%{control:LAST_USED_PIN} (0) --> --last_used_pin=64321 (0) EXPAND --attempts=%{control:ATTEMPTS} (0) --> --attempts=0 (0) Program returned code (0) and output 'Accept' (0) Auth-Type := Accept (0) } # update control = noop (0) update reply { (0) Reply-Message := Accept (0) } # update reply = noop (0) } # Auth-Type OTP_OWA = noop (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Post-Auth-Type REJECT { (0) update control { (0) Executing: /usr/bin/php /freeradius_scripts/write_in_log_win.php --username=%{User-Name} --auth_type=%{control:Auth_Type_LOG} --ip=%{Calling-Station-Id} --reply=Reject: (0) EXPAND --username=%{User-Name} (0) --> --username= USER.NAME (0) EXPAND --auth_type=%{control:Auth_Type_LOG} (0) --> --auth_type=Accept (0) EXPAND --ip=%{Calling-Station-Id} (0) --> --ip= (0) Program returned code (0) and output 'Reject' (0) LOG_EINTRAG := Reject (0) } # update control = noop (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> USER.NAME (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.9 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 117 from 10.1.56.3:1812 to 10.1.56.167:1026 length 28 So my .php Script checks the OTP-PIN ans returns “Accept”, but the freeradius answers Accept-Reject… Why? Thanks for any response 😉 Andreas
On 27/11/2023 12:38, Vogt, Andreas wrote:
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Auth-Type OTP_OWA { (0) update control { (0) Executing: /usr/bin/php /freeradius_scripts/getSecretFromDB.php --username=%{User-Name} : (0) EXPAND --username=%{User-Name} (0) --> --username=USER.NAME (0) Program returned code (0) and output SECRET (0) SECRET := SECRET (0) Executing: /usr/bin/php /freeradius_scripts/get_last_used_pin.php --username=%{User-Name}: (0) EXPAND --username=%{User-Name} (0) --> --username= USER.NAME (0) Program returned code (0) and output 12346 (0) LAST_USED_PIN := 12346 (0) Executing: /bin/bash /freeradius_scripts/getPin %{control:SECRET}: (0) EXPAND %{control:SECRET} (0) --> SECRET (0) Program returned code (0) and output 12346 (0) PIN := 12346 (0) PIN_FROM_USER := %{User-Password} (0) Executing: /usr/bin/php /freeradius_scripts/get_attempts.php --username=%{User-Name}: (0) EXPAND --username=%{User-Name} (0) --> --username= USER.NAME (0) Program returned code (0) and output '0' (0) ATTEMPTS := 0 (0) Executing: /usr/bin/php /freeradius_scripts/check_pin_dev_log.php --username=%{User-Name} --pin=%{control:PIN} --pin_from_user=%{User-Password} --last_used_pin=%{control:LAST_USED_PIN} --attempts=%{control:ATTEMPTS}: (0) EXPAND --username=%{User-Name} (0) --> --username= USER.NAME (0) EXPAND --pin=%{control:PIN} (0) --> --pin=12346 (0) EXPAND --pin_from_user=%{User-Password} (0) --> --pin_from_user=12346 (0) EXPAND --last_used_pin=%{control:LAST_USED_PIN} (0) --> --last_used_pin=64321 (0) EXPAND --attempts=%{control:ATTEMPTS} (0) --> --attempts=0 (0) Program returned code (0) and output 'Accept' (0) Auth_Type_LOG := Accept (0) Executing: /usr/bin/php /freeradius_scripts/check_pin_dev_log.php --username=%{User-Name} --pin=%{control:PIN} --pin_from_user=%{User-Password} --last_used_pin=%{control:LAST_USED_PIN} --attempts=%{control:ATTEMPTS}:
I hope this is only a toy server for playing around. Running that number of external scripts must make this the most inefficient configuration I've seen in years.
(0) Program returned code (0) and output 'Accept' (0) Auth-Type := Accept (0) } # update control = noop (0) update reply { (0) Reply-Message := Accept (0) } # update reply = noop (0) } # Auth-Type OTP_OWA = noop
Your Auth-Type section is returning "noop", not "ok". It's too late to set Auth-Type here - you do that in the authorize section.
(0) Failed to authenticate the user
So my .php Script checks the OTP-PIN ans returns “Accept”, but the freeradius answers Accept-Reject… Why?
Return "ok" from the authenticate section. You can do that with an "if" to test the response from the hundreds of scripts. if (whatever) { ok } -- Matthew
participants (2)
-
Matthew Newton -
Vogt, Andreas