I´am trying to create a php OTP script with challenge reponse. echo "Reply-Message += \"Enter SMS\",\n"; echo "State += \"$random\",\n"; echo "Response-Packet-Type = \"Access-Challenge\",\n"; exit(4); Reply and State gets sent to the client. But I can´t seem to get challenge response to work. Has anyone done this time off stuff before and is it even possible? Found Auth-Type = otp # Executing group from file /etc/raddb/sites-enabled/default +- entering group otp {...} [OTP] expand: %{User-Name} -> test2 [OTP] expand: %{User-Password} -> test2 [OTP] expand: %{reply:Secret} -> 891a79d80c9f1cd2 [OTP] expand: %{reply:Pin} -> 0201 [OTP] expand: %{reply:Offset} -> 1 Exec-Program output: Reply-Message += "Enter SMS", State += "21427", Response-Packet-Type = "Access-Challenge", Exec-Program-Wait: value-pairs: Reply-Message += "Enter SMS", State += "21427", Response-Packet-Type = "Access-Challenge", Exec-Program: returned: 4 ++[OTP] returns handled There was no response configured: rejecting request 15 Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> test2 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 15 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 15 Sending Access-Reject of id 66 to 172.31.2.20 port 42617 Reply-Message += "Enter SMS" State += 0x3231343237 My sites-enabled authorize { preprocess chap mschap suffix eap { ok = return } unix files sql expiration logintime pap update control { Auth-Type := otp } } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } Auth-Type otp { OTP pap } unix eap } My exec module exec OTP { wait = yes program = "/etc/raddb/otp.php %{User-Name} %{User-Password} %{reply:Secret} %{reply:Pin} %{reply:Offset}"" input_pairs = request output_pairs = reply } Med venlig hilsen | Best regards Thomas Raabo Senior Network Engineer CCIE #33466 [Beskrivelse: Beskrivelse: cid:image001.jpg@01CB9163.2FCD3AC0] _____________________________________________ tr@zitcom.dk<mailto:tr@zitcom.dk> | Direkte: +45 69 10 60 18 | Tlf.: +45 70 23 55 66
On 10/11/2012 09:23 AM, Thomas Raabo - Zitcom A/S wrote:
I´am trying to create a php OTP script with challenge reponse.
echo "Reply-Message += \"Enter SMS\",\n";
echo "State += \"$random\",\n";
echo "Response-Packet-Type = \"Access-Challenge\",\n";
I think that needs to be a control item, not a reply item, and you can't set reply & control items from an "exec" script at the same time. Therefore, I'm not sure you can do that with an exec script alone. See: http://lists.freeradius.org/pipermail/freeradius-users/2012-September/062606... (ignore the non-technical bits, the poster was being... combative) ...and maybe: http://lists.freeradius.org/pipermail/freeradius-users/2012-July/061953.html I think something like the following might be what you need: authorize { ... myexec if (updated) { update control { Response-Packet-Type := Access-Challenge } handled } ... } ...and make your "exec" script return "updated" (9) The server isn't really rigged for scripts/unlang sending Access-Challenge, so this is not a well-explored area. If someone who is using this could write a wiki article detailing the considerations, that would be great. It seems to be a common requirement. I'm guessing the Google "2-step" auth and imitators have rekindled interest in OTP?
Thats seems like a way to go. But your right... Its very hard to find documentation on this topic. Changed it and now It seems that update check I checket way before th script. ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing SHA-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop ++? if (updated) ? Evaluating (updated) -> FALSE ++? if (updated) -> FALSE Found Auth-Type = otp # Executing group from file /etc/raddb/sites-enabled/default +- entering group otp {...} [pap] login attempt with password "test2" [pap] Using SHA1 encryption. [pap] User authenticated successfully ++[pap] returns ok [OTP] expand: %{User-Name} -> test2 [OTP] expand: %{User-Password} -> test2 [OTP] expand: %{reply:Secret} -> 891a79d80c9f1cd2 [OTP] expand: %{reply:Pin} -> 0201 [OTP] expand: %{reply:Offset} -> 1 Exec-Program output: Reply-Message += "Enter SMS", State += "12536", Exec-Program-Wait: value-pairs: Reply-Message += "Enter SMS", State += "12536", Exec-Program: returned: 9 ++[OTP] returns updated Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> test2 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 145 to 172.31.2.20 port 56003 Reply-Message += "Enter SMS" State += 0x3132353336 Waking up in 4.9 seconds. Cleaning up request 0 ID 145 with timestamp +1 Ready to process requests. Med venlig hilsen | Best regards Thomas Raabo Senior Network Engineer CCIE #33466 _____________________________________________ tr@zitcom.dk | Direkte: +45 69 10 60 18 | Tlf.: +45 70 23 55 66 -----Oprindelig meddelelse----- Fra: freeradius-users-bounces+tr=zitcom.dk@lists.freeradius.org [mailto:freeradius-users-bounces+tr=zitcom.dk@lists.freeradius.org] På vegne af Phil Mayers Sendt: 11. oktober 2012 10:56 Til: freeradius-users@lists.freeradius.org Emne: Re: EXEC Access-challenge On 10/11/2012 09:23 AM, Thomas Raabo - Zitcom A/S wrote:
I´am trying to create a php OTP script with challenge reponse.
echo "Reply-Message += \"Enter SMS\",\n";
echo "State += \"$random\",\n";
echo "Response-Packet-Type = \"Access-Challenge\",\n";
I think that needs to be a control item, not a reply item, and you can't set reply & control items from an "exec" script at the same time. Therefore, I'm not sure you can do that with an exec script alone. See: http://lists.freeradius.org/pipermail/freeradius-users/2012-September/062606... (ignore the non-technical bits, the poster was being... combative) ...and maybe: http://lists.freeradius.org/pipermail/freeradius-users/2012-July/061953.html I think something like the following might be what you need: authorize { ... myexec if (updated) { update control { Response-Packet-Type := Access-Challenge } handled } ... } ...and make your "exec" script return "updated" (9) The server isn't really rigged for scripts/unlang sending Access-Challenge, so this is not a well-explored area. If someone who is using this could write a wiki article detailing the considerations, that would be great. It seems to be a common requirement. I'm guessing the Google "2-step" auth and imitators have rekindled interest in OTP? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 11/10/12 10:57, Thomas Raabo - Zitcom A/S wrote:
Thats seems like a way to go.
But your right... Its very hard to find documentation on this topic.
Sure. The assumption is that Access-Challenge methods are generated by auth method code in "rlm". It's a testament to how flexible the server is that you can *do* it in unlang/perl/etc. - but it's not well documented.
Changed it and now
It seems that update check I checket way before th script.
++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing SHA-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop
I think this is in the wrong order. You've checked for "updated" before you've run the "exec" command.
How do you change the order it phil? Med venlig hilsen | Best regards Thomas Raabo Senior Network Engineer CCIE #33466 _____________________________________________ tr@zitcom.dk | Direkte: +45 69 10 60 18 | Tlf.: +45 70 23 55 66 -----Oprindelig meddelelse----- Fra: freeradius-users-bounces+tr=zitcom.dk@lists.freeradius.org [mailto:freeradius-users-bounces+tr=zitcom.dk@lists.freeradius.org] På vegne af Phil Mayers Sendt: 11. oktober 2012 12:44 Til: freeradius-users@lists.freeradius.org Emne: Re: SV: EXEC Access-challenge On 11/10/12 10:57, Thomas Raabo - Zitcom A/S wrote:
Thats seems like a way to go.
But your right... Its very hard to find documentation on this topic.
Sure. The assumption is that Access-Challenge methods are generated by auth method code in "rlm". It's a testament to how flexible the server is that you can *do* it in unlang/perl/etc. - but it's not well documented.
Changed it and now
It seems that update check I checket way before th script.
++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing SHA-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop
I think this is in the wrong order. You've checked for "updated" before you've run the "exec" command. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks phil... I´am close now. The only thing missing to getting this workin is getting the state number to the script. On the second run after the challenge I don't get the state number passed.. ++[logintime] returns noop [pap] Normalizing SHA-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop [ZOTP] expand: %{User-Name} -> test2 [ZOTP] expand: %{User-Password} -> test2 [ZOTP] expand: %{reply:Secret} -> 891a79d80c9f1cd2 [ZOTP] expand: %{reply:Pin} -> 0201 [ZOTP] expand: %{reply:Offset} -> 1 [ZOTP] expand: %{reply:State} -> Exec-Program output: Reply-Message += "Enter OTP", State += "12160", Exec-Program-Wait: value-pairs: Reply-Message += "Enter OTP", State += "12160", Exec-Program: returned: 9 ++[ZOTP] returns updated ++? if (updated) ? Evaluating (updated) -> TRUE ++? if (updated) -> TRUE ++- entering if (updated) {...} +++[control] returns updated +++[handled] returns handled ++- if (updated) returns handled Sending Access-Challenge of id 73 to 172.31.2.20 port 40108 Reply-Message += "Enter OTP" State += 0x3132313630 Should I not be able to get it out with reply:State in the exec? Med venlig hilsen | Best regards Thomas Raabo Senior Network Engineer CCIE #33466 _____________________________________________ tr@zitcom.dk | Direkte: +45 69 10 60 18 | Tlf.: +45 70 23 55 66 -----Oprindelig meddelelse----- Fra: freeradius-users-bounces+tr=zitcom.dk@lists.freeradius.org [mailto:freeradius-users-bounces+tr=zitcom.dk@lists.freeradius.org] På vegne af Phil Mayers Sendt: 11. oktober 2012 13:30 Til: freeradius-users@lists.freeradius.org Emne: Re: SV: SV: EXEC Access-challenge On 11/10/12 11:53, Thomas Raabo - Zitcom A/S wrote:
How do you change the order it phil?
You type things in the right order. As per my original email, do this: authorize { ... YOUR_EXEC_MODULE if (updated) { ... } ... } - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ups. The output was copy-pasted wrong. Med venlig hilsen | Best regards Thomas Raabo Senior Network Engineer CCIE #33466 _____________________________________________ tr@zitcom.dk | Direkte: +45 69 10 60 18 | Tlf.: +45 70 23 55 66 -----Oprindelig meddelelse----- Fra: freeradius-users-bounces+tr=zitcom.dk@lists.freeradius.org [mailto:freeradius-users-bounces+tr=zitcom.dk@lists.freeradius.org] På vegne af Thomas Raabo - Zitcom A/S Sendt: 11. oktober 2012 14:48 Til: FreeRadius users mailing list Emne: SV: SV: SV: EXEC Access-challenge Thanks phil... I´am close now. The only thing missing to getting this workin is getting the state number to the script. On the second run after the challenge I don't get the state number passed.. ++[logintime] returns noop [pap] Normalizing SHA-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop [ZOTP] expand: %{User-Name} -> test2 [ZOTP] expand: %{User-Password} -> test2 [ZOTP] expand: %{reply:Secret} -> 891a79d80c9f1cd2 [ZOTP] expand: %{reply:Pin} -> 0201 [ZOTP] expand: %{reply:Offset} -> 1 [ZOTP] expand: %{reply:State} -> Exec-Program output: Reply-Message += "Enter OTP", State += "12160", Exec-Program-Wait: value-pairs: Reply-Message += "Enter OTP", State += "12160", Exec-Program: returned: 9 ++[ZOTP] returns updated ++? if (updated) ? Evaluating (updated) -> TRUE ++? if (updated) -> TRUE ++- entering if (updated) {...} +++[control] returns updated +++[handled] returns handled ++- if (updated) returns handled Sending Access-Challenge of id 73 to 172.31.2.20 port 40108 Reply-Message += "Enter OTP" State += 0x3132313630 Should I not be able to get it out with reply:State in the exec? Med venlig hilsen | Best regards Thomas Raabo Senior Network Engineer CCIE #33466 _____________________________________________ tr@zitcom.dk | Direkte: +45 69 10 60 18 | Tlf.: +45 70 23 55 66 -----Oprindelig meddelelse----- Fra: freeradius-users-bounces+tr=zitcom.dk@lists.freeradius.org [mailto:freeradius-users-bounces+tr=zitcom.dk@lists.freeradius.org] På vegne af Phil Mayers Sendt: 11. oktober 2012 13:30 Til: freeradius-users@lists.freeradius.org Emne: Re: SV: SV: EXEC Access-challenge On 11/10/12 11:53, Thomas Raabo - Zitcom A/S wrote:
How do you change the order it phil?
You type things in the right order. As per my original email, do this: authorize { ... YOUR_EXEC_MODULE if (updated) { ... } ... } - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ignore My stupidity. I figured it out... I'll make a wiki and make my script public Med venlig hilsen | Best regards Thomas Raabo Senior Network Engineer CCIE #33466 _____________________________________________ tr@zitcom.dk | Direkte: +45 69 10 60 18 | Tlf.: +45 70 23 55 66 -----Oprindelig meddelelse----- Fra: freeradius-users-bounces+tr=zitcom.dk@lists.freeradius.org [mailto:freeradius-users-bounces+tr=zitcom.dk@lists.freeradius.org] På vegne af Thomas Raabo - Zitcom A/S Sendt: 11. oktober 2012 14:48 Til: FreeRadius users mailing list Emne: SV: SV: SV: EXEC Access-challenge Thanks phil... I´am close now. The only thing missing to getting this workin is getting the state number to the script. On the second run after the challenge I don't get the state number passed.. ++[logintime] returns noop [pap] Normalizing SHA-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop [ZOTP] expand: %{User-Name} -> test2 [ZOTP] expand: %{User-Password} -> test2 [ZOTP] expand: %{reply:Secret} -> 891a79d80c9f1cd2 [ZOTP] expand: %{reply:Pin} -> 0201 [ZOTP] expand: %{reply:Offset} -> 1 [ZOTP] expand: %{reply:State} -> Exec-Program output: Reply-Message += "Enter OTP", State += "12160", Exec-Program-Wait: value-pairs: Reply-Message += "Enter OTP", State += "12160", Exec-Program: returned: 9 ++[ZOTP] returns updated ++? if (updated) ? Evaluating (updated) -> TRUE ++? if (updated) -> TRUE ++- entering if (updated) {...} +++[control] returns updated +++[handled] returns handled ++- if (updated) returns handled Sending Access-Challenge of id 73 to 172.31.2.20 port 40108 Reply-Message += "Enter OTP" State += 0x3132313630 Should I not be able to get it out with reply:State in the exec? Med venlig hilsen | Best regards Thomas Raabo Senior Network Engineer CCIE #33466 _____________________________________________ tr@zitcom.dk | Direkte: +45 69 10 60 18 | Tlf.: +45 70 23 55 66 -----Oprindelig meddelelse----- Fra: freeradius-users-bounces+tr=zitcom.dk@lists.freeradius.org [mailto:freeradius-users-bounces+tr=zitcom.dk@lists.freeradius.org] På vegne af Phil Mayers Sendt: 11. oktober 2012 13:30 Til: freeradius-users@lists.freeradius.org Emne: Re: SV: SV: EXEC Access-challenge On 11/10/12 11:53, Thomas Raabo - Zitcom A/S wrote:
How do you change the order it phil?
You type things in the right order. As per my original email, do this: authorize { ... YOUR_EXEC_MODULE if (updated) { ... } ... } - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Phil Mayers -
Thomas Raabo - Zitcom A/S