MSCHAPv2 followed by a smsotp authentication
Hello, I have a propiertary radius client which I want to authenticate against freeradius the following way: - User types is username: directory\Administrator password:secret - Freeradius authenticates against active directory. This already works - From the documentation of the propiertary radius client: After authenticating to RADIUS, you may get another prompt if the RADIUS server responded with a supported Access Challenge. Full generic RADIUS challenge/response is not supported, but a limited access challenge for a string token code is supported. - So now I want freeradius to send 'Access Challenge' and send a sms to the user (for that purpose I wrote a perl daemon which listens on a unix socket in order to talk to smsotp freeradius module)[1]. However nothing comes in. I configured freeradius the following way: sites-enabled/default: authorize { smsotp mschap } authenticate { mschap Auth-Type smsotp { mschap smsotp } Auth-Type smsotp-reply { smsotp } } users: DEFAULT Auth-Type = smsotp radius -X output here: http://thomas.glanzmann.de/tmp/radius-x.txt [1] smsotpd: http://thomas.glanzmann.de/tmp/smsotpd.pl And now my questions: - Is it possible to do a mschapv2 authentication followed by Access challenge in order to send out a sms with a one time password by configuring freeradius or do I need to code? Where do I find pointers? I read the source code of the smsotp and the rlm_example module, I get the basic idea that first the otp is generated and than it is checked, however I don't get how to configure freeradius to choose the codepath. I also don't get if it is possible to stack authentication methods in freeradius. Cheers, Thomas
Thomas Glanzmann wrote:
I have a propiertary radius client which I want to authenticate against freeradius the following way:
- User types is username: directory\Administrator password:secret - Freeradius authenticates against active directory.
Which authentication method? This matters a lot.
This already works
- From the documentation of the propiertary radius client:
After authenticating to RADIUS, you may get another prompt if the RADIUS server responded with a supported Access Challenge. Full generic RADIUS challenge/response is not supported, but a limited access challenge for a string token code is supported.
What does that mean?
- So now I want freeradius to send 'Access Challenge' and send a sms to the user (for that purpose I wrote a perl daemon which listens on a unix socket in order to talk to smsotp freeradius module)[1]. However nothing comes in.
What does that mean? "nothing comes in" ???
authenticate { mschap Auth-Type smsotp { mschap smsotp }
I really doubt that will work.
- Is it possible to do a mschapv2 authentication followed by Access challenge in order to send out a sms with a one time password by configuring freeradius or do I need to code?
No. It's impossible. MS-CHAP is an authentication method with pre-defined meaning, user interaction, and data flow. Adding something to it is impossible.
Where do I find pointers? I read the source code of the smsotp and the rlm_example module, I get the basic idea that first the otp is generated and than it is checked, however I don't get how to configure freeradius to choose the codepath. I also don't get if it is possible to stack authentication methods in freeradius.
Sometimes, yes. It depends on the authentication method. Alan DeKok.
Hello Alan,
Which authentication method? This matters a lot.
I configured it to use MSCHAPv2 (but they also support PAP, CHAP and MSCHAPv1)
After authenticating to RADIUS, you may get another prompt if the RADIUS server responded with a supported Access Challenge. Full generic RADIUS challenge/response is not supported, but a limited access challenge for a string token code is supported.
What does that mean?
I have absolutly no clue, but I'm getting closer. I now managed to configure freeradius in order that I get the second prompt (see below).
- So now I want freeradius to send 'Access Challenge' and send a sms to the user (for that purpose I wrote a perl daemon which listens on a unix socket in order to talk to smsotp freeradius module)[1]. However nothing comes in.
What does that mean? "nothing comes in" ???
I meant that my perl deamon is never called by freeradius, but now I figured out to receive at least the first stage of the smsotp (I had to send out a greeting on the socket otherwise smsotpd radius plugin would wait for ever) configuration.
authenticate { mschap Auth-Type smsotp { mschap smsotp }
I really doubt that will work.
I modified it to look like that: authorize { mschap } authenticate { Auth-Type MS-CHAP { mschap smsotp } Auth-Type smsotp-reply { smsotp } } I now get the first prompt, followed by the second prompt which is asking for the pin received via sms. However when I type in a code, I don't see anything in freeradius or my smsotpd. Output of smsotpd now shows: (minisqueeze) [~/work/smsotpd] ./smsotpd.pl <generate otp for directory\Administrator> generate otp for directory\Administrator <quit> Received QUIT Which is the first stage of the challenge response. http://thomas.glanzmann.de/tmp/radius-x.txt http://thomas.glanzmann.de/tmp/smsotpd.pl http://thomas.glanzmann.de/tmp/radius.pcap I sniffed and I only see two packets (one Access Request and one Access Challenge). However when I type the sms passocde and press return, absolutly nothing happens (no packets are send over the network and I get a new prompt. Cheers, Thomas
Hello Alan,
MSCHAPv2
So when I said it was impossible, what did you think that meant?
a) keep working on it
b) try something else
your e-mail arrived after I did the 'progress'. Can you tell me for which other authentication (pap, chap, mschapv1) methods it works? Cheers, Thomas
Hello Alan,
PAP. And only PAP. And sometimes not even there.
I now installed a commercial radius server (Nordic Edge) which supports it and I sniffed a successful exchange. You can find it here: http://upload.glanzmann.de/radius.pcap Could you please let me know if it is possible to configure freeradius that it behaves the same way? If this is not possible I assume to stack 'pap' on top of rlm_example. In that case can you please let me know what do I need to configure in order to have pap and rlm_example on top? Cheers, Thomas
Hallo Alan, here is the nordic edge radius server pcap: http://upload.glanzmann.de/radius.pcap here is the freeradius server pcap: http://upload.glanzmann.de/freeradius.pcap What I don't get is, when I compare the two 'Access-Challenges' they look very similar to me. However my propiertary radius client does not send another packet after I typed in the otp. Any idea what freeradius does different here? Cheers, Thomas
Hello Alan,
Any idea what freeradius does different here?
the only difference I see here is that radius has a hex number in the state field while the propietary has digits. I assume that is why my propiertary client chokes. I'll try to configure freeradius to produce digits as well and retry and also file a bug report with the propiertary vendor. Cheers, Thomas
Thomas Glanzmann wrote:
the only difference I see here is that radius has a hex number in the state field while the propietary has digits. I assume that is why my propiertary client chokes.
Possibly. If so, the proprietary client doesn't implement RADIUS. The State field is not interpreted. It's used simply as an opaque blob that ties a challenge to a subsequent request. Alan DeKok.
Hello Alan,
Possibly. If so, the proprietary client doesn't implement RADIUS.
thanks a lot. However, I'm going to hunt that one down, because I think I'm very close to solve it and than I'll document it here. As soon as the product is released to the public I'll also add a wiki entry or howto guide.
The State field is not interpreted. It's used simply as an opaque blob that ties a challenge to a subsequent request.
I saw that when I opened it in wireshark. I changed the source code of rlm_smsotp to only include integers, however that did not solve it yet, but it can't be much else, I'll report back as soon as I figured it out. Thank you for all the input you gave me. Cheers, Thomas
Hello Alan, my initial thought that the state may only contain numbers, was wrong. Now I want to verify that the message authenticator sent by freeradius is correct, can you please walk me through how to do that? I also added debugging code to freeradius so that it tells me that it creates the Authenticator after smsotp was called and the reply type is set to Access-Challenge. But it needs to be something and the Message Authenticator is the only thing that I can't currently verify, so I have the hope that freeradius does calculate it wrong for Access-Challenges at least when using the rlm_smsotp module. Please advice. Shared secret between freeradius and client: testing123 PCAP File: http://thomas.glanzmann.de/tmp/freeradius.pcap And I'm interested how I can verify that the Message Authentictor in the Access-Challenge is correct. Btw. do you know of any 'radtest' client which supports challenge-response? Cheers, Thomas
Thomas Glanzmann wrote:
my initial thought that the state may only contain numbers, was wrong. Now I want to verify that the message authenticator sent by freeradius is correct, can you please walk me through how to do that?
Read the code.
I also added debugging code to freeradius so that it tells me that it creates the Authenticator after smsotp was called and the reply type is set to Access-Challenge. But it needs to be something and the Message Authenticator is the only thing that I can't currently verify, so I have the hope that freeradius does calculate it wrong for Access-Challenges at least when using the rlm_smsotp module. Please advice.
FreeRADIUS calculates the correct Message-Authenticator.
Shared secret between freeradius and client: testing123
PCAP File: http://thomas.glanzmann.de/tmp/freeradius.pcap
And I'm interested how I can verify that the Message Authentictor in the Access-Challenge is correct.
You're wasting your time. FreeRADIUS works. It works with 1000's of access points and switches. If it doesn't work with some vendors product, it's because that vendor doesn't implement RADIUS. I really can't say this any other way.
Btw. do you know of any 'radtest' client which supports challenge-response?
For specific authentication methods, radclient. For random things, no. Alan DeKok.
Hello Alan,
Authenticator must be wrong
You're wasting your time.
You're right. I found the problem. The proprietary radius client chokes on the "\" in the username, I can't believe it. However it is working for me now. Who do I need to approach in order to submit the 'smsotpd' perl implementation to the freeradius distribution once I cleaned it up so that I can release it to the general public? I would also write documentation to smsotpd in the wiki, I already checked out the wiki using, git, who do I submit my changes to or is it possible to get write access for the one page using a git commit trigger? Cheers, Thomas
Thomas Glanzmann wrote:
You're right. I found the problem. The proprietary radius client chokes on the "\" in the username, I can't believe it. However it is working for me now. Who do I need to approach in order to submit the 'smsotpd' perl implementation to the freeradius distribution once I cleaned it up so that I can release it to the general public?
If it's small, email it to the list. Otherwise, use github.
I would also write documentation to smsotpd in the wiki, I already checked out the wiki using, git, who do I submit my changes to or is it possible to get write access for the one page using a git commit trigger?
You can't write to the wiki via git. You have to use the web interface. Alan DeKok.
Hello Alan,
If it's small, email it to the list. Otherwise, use github.
find smsotpd.pl attached. Please consider it for upstream. If you reject it, please let me know exactly what needs to be changed in order to accept it to upstream.
You can't write to the wiki via git. You have to use the web interface.
I put the documentation here: http://wiki.freeradius.org/Rlm_smsotp Please proof-read (spelling, grammar but most important correctnes) and modify or tell me what is missing. Alan, I thank you for walking me through this. Cheers, Thomas
Hello everyone, find a video which describes the setup of a freeradius server here: http://thomas.glanzmann.de/smsotp.pdf http://thomas.glanzmann.de/smsotp.swf Cheers, Thomas
Hello everyone, here is a c implementation of the smsotpd. http://thomas.glanzmann.de/smsotpd.2012-06-04.tar.bz2 Cheers, Thomas
Dear Thomas, You are the Ger Man. I like software. Thank You very much. Yours Faithfully, Timmy
Hello everyone, here is a c implementation of the smsotpd.
http://thomas.glanzmann.de/smsotpd.2012-06-04.tar.bz2
Cheers, Thomas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thomas Glanzmann wrote:
Hello everyone, here is a c implementation of the smsotpd.
The tar file seems strange. There's a smsotpd.2012-06-04c directory, but most of the files seem to have a "smsotpd.2012-06-04" prefix. *Without* the directory: $ ls -1 smsotpd.2012-06-04.gitignore smsotpd.2012-06-04.tar.bz2 smsotpd.2012-06-04README smsotpd.2012-06-04c smsotpd.2012-06-04create_berkeley_db.pl smsotpd.2012-06-04dictionary smsotpd.2012-06-04ntlm_auth.pl smsotpd.2012-06-04pap_challenge_request.pl smsotpd.2012-06-04smsotpd.pl That's... weird. I would have expected a top-level directory, with all of the files in that directory. Maybe you didn't add a trailing '/' to the directory name when you created the "tar" file? Alan DeKok.
Hello Alan, [ sorry for the late response, I read that mailinglist only every few days ]
The tar file seems strange. There's a smsotpd.2012-06-04c directory, but most of the files seem to have a "smsotpd.2012-06-04" prefix. *Without* the directory:
thank you for telling me. There was a slash missing in my git-archive command. I fixed that: git archive --format=tar --prefix=smsotpd.2012-06-04/ HEAD | bzip2 -9 > ~/.www/smsotpd.2012-06-04.tar.bz2 # ~ slash was missing Cheers, Thomas
Hello Alan,
your e-mail arrived after I did the 'progress'. Can you tell me for which other authentication (pap, chap, mschapv1) methods it works?
I configured it to use pap, and I have now the same behaviour using pap, mschapv1 and mschapv2. The client sends a 'Access Request' the server answers with a 'Access Challenge', I get a prompt, but no further communication when I press OK. I now try to get a pcap from a working authentication in order to see what is going on here. Cheers, Thomas
Thomas Glanzmann wrote:
I configured it to use pap, and I have now the same behaviour using pap, mschapv1 and mschapv2. The client sends a 'Access Request' the server answers with a 'Access Challenge', I get a prompt, but no further communication when I press OK.
See rlm_example for how to do challenge-response. You're creating an authentication method with a lot of moving parts. It may be difficult to debug. Alan DeKok.
participants (3)
-
Alan DeKok -
Thomas Glanzmann -
Timmy