Using Exec-Program-Wait for MOTP (mobile OTP) with MSCHAPv2
Hello, Does anyone know where I can find some information on how to use the following in freeradius ? I have an external shell script which awaits arguments (username, clear password, and other arguments) and returns an answer for validation. The problem is that I cannot find any lead on how to do this while using MSCHAPv2... And I am not sure how to do this with Exec-Program-Wait. Is this possible without rewriting the module in C ? Is there any way to have the cleartext password sent to the external script ? Thanks a lot Fab
On Feb 13, Fabiano <fabiano@powerpc.ch> wrote:
Hello,
Does anyone know where I can find some information on how to use the following in freeradius ? I have an external shell script which awaits arguments (username, clear password, and other arguments) and returns an answer for validation. The problem is that I cannot find any lead on how to do this while using MSCHAPv2... And I am not sure how to do this with Exec-Program-Wait.
Hi Fabiano! I'm using mobile otp, but I use pam and not the shell script. (In fact, the shell script has some security issues which I found out a few days ago. Especially, it does not do the "one time" check correctly, because a token code can be reused until it expires!. To enable pam, I just wrote "pam" into the authenticate section, that's it. (and of course have a proper /etc/pam.d/radiusd file) Markus
Fabiano wrote:
Hello,
Does anyone know where I can find some information on how to use the following in freeradius ? I have an external shell script which awaits arguments (username, clear password, and other arguments) and returns an answer for validation. The problem is that I cannot find any lead on how to do this while using MSCHAPv2...
$ man unlang Then, run the script in the post-auth section.
And I am not sure how to do this with Exec-Program-Wait.
Is this possible without rewriting the module in C ? Is there any way to have the cleartext password sent to the external script ?
Sure. Get it from somewhere, and then send it to the script. Alan DeKok.
Alan, Thanks for your answer. Can you point me to a document or website where the following mechanism is described well ? ie MSCHAPv2 Radius Client -> Freeradius does the MSCHAPv2 challenge ? -> auth is delegated to external script receiving attributes like username and password in clear -> external script gives the auth ok answer -> Freeradius gives the auth accepted answer to the MSCHAPv2 Radius client. The part I don't understand is how does this MSCHAPv2 auth work in Freeradius, and how the external script could get the attributes when the MSCHAPv2 challenge password is encrypted ? Does it mean that I have to implement the MSCHAPv2 challenge auth by myself, entirely in the external script ? Concerning the cleartext password; In your previous message, you say : "get it from somewhere" but I can' figure out how... Thanks a lot Best regards Fab Alan DeKok wrote :
Fabiano wrote:
Hello,
Does anyone know where I can find some information on how to use the following in freeradius ? I have an external shell script which awaits arguments (username, clear password, and other arguments) and returns an answer for validation. The problem is that I cannot find any lead on how to do this while using MSCHAPv2...
$ man unlang
Then, run the script in the post-auth section.
And I am not sure how to do this with Exec-Program-Wait.
Is this possible without rewriting the module in C ? Is there any way to have the cleartext password sent to the external script ?
Sure. Get it from somewhere, and then send it to the script.
Alan DeKok. -
Fabiano wrote:
Can you point me to a document or website where the following mechanism is described well ?
ie MSCHAPv2 Radius Client -> Freeradius does the MSCHAPv2 challenge ? -> auth is delegated to external script receiving attributes like username and password in clear -> external script gives the auth ok answer -> Freeradius gives the auth accepted answer to the MSCHAPv2 Radius client.
MS-CHAP doesn't work this way. You CANNOT give a cleartext password to an external script by looking at the MS-CHAP data. It is *impossible*.
The part I don't understand is how does this MSCHAPv2 auth work in Freeradius, and how the external script could get the attributes when the MSCHAPv2 challenge password is encrypted ? Does it mean that I have to implement the MSCHAPv2 challenge auth by myself, entirely in the external script ?
No. You tell the server what the correct password is, and it does the MS-CHAP calculations to authenticate the user.
Concerning the cleartext password; In your previous message, you say : "get it from somewhere" but I can' figure out how...
A database? You should know what the *correct* password is, otherwise you don't be able to authenticate the user. Alan DeKok.
Alan DeKok a écrit :
Fabiano wrote:
Can you point me to a document or website where the following mechanism is described well ?
ie MSCHAPv2 Radius Client -> Freeradius does the MSCHAPv2 challenge ? -> auth is delegated to external script receiving attributes like username and password in clear -> external script gives the auth ok answer -> Freeradius gives the auth accepted answer to the MSCHAPv2 Radius client.
MS-CHAP doesn't work this way. You CANNOT give a cleartext password to an external script by looking at the MS-CHAP data. It is *impossible*.
Ok, thanks.
The part I don't understand is how does this MSCHAPv2 auth work in Freeradius, and how the external script could get the attributes when the MSCHAPv2 challenge password is encrypted ? Does it mean that I have to implement the MSCHAPv2 challenge auth by myself, entirely in the external script ?
No. You tell the server what the correct password is, and it does the MS-CHAP calculations to authenticate the user.
Concerning the cleartext password; In your previous message, you say : "get it from somewhere" but I can' figure out how...
A database? You should know what the *correct* password is, otherwise you don't be able to authenticate the user.
You mean, for example making the OTP script (doing exactly the contrary of what it actually does) write the password every 10 seconds to a database for every user and then let freeradius check the db ? Is this the only way ? Thanks again !
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Fabiano wrote:
A database? You should know what the *correct* password is, otherwise you don't be able to authenticate the user.
You mean, for example making the OTP script (doing exactly the contrary of what it actually does) write the password every 10 seconds to a database for every user and then let freeradius check the db ? Is this the only way ?
It would help if you described what you are trying to do, and why. Alan DeKok.
Alan DeKok a écrit :
Fabiano wrote:
A database? You should know what the *correct* password is, otherwise you don't be able to authenticate the user.
You mean, for example making the OTP script (doing exactly the contrary of what it actually does) write the password every 10 seconds to a database for every user and then let freeradius check the db ? Is this the only way ?
It would help if you described what you are trying to do, and why.
Alan, I am using a firewall (m0n0.ch, based on FreeBSD) which has a PPTP server accepting only MSCHAPv2 auth. This PPTP server uses an internal database with flatfiles for authenticating VPN users but also offers auth through an external radius server. I thought that I could use the motp.sf.net project to make mobile clients (using cell phones qnd the j2me applet) authenticate with this setup. The MOTP project offers a shellscript named otverify.sh which waits some arguments to verify the client (Username, OTP, Init-Secret, PIN, Time Offset). Username and OTP are given by the VPN client Init-Secret, PIN and Time Offset are specified in the radius users file. Normally, this is done using xtradius, executing the script as external application and giving the arguments to it. The script answers ACCEPT or FAIL for final auth. That's it. I'm stuck here, having MSCHAPv2 clients and an auth script not useable with MSCHAPv2 auth. I have also tried this with the supplied PAM motp module, but as you said this is not possible. I had successful auths using radtest, but that's all... ;) I think that what I will try is rewrite the script in perl to generate the passwords every x seconds to a database and then make freeradius auth against the db entries. Do you think this is the best way ? Thanks again.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, Is there any way to make freeradius check against multiple passwords for the same user in a mysql database ? In the case of an OTP, there are multiple passwords to check, because of time difference between server and client, therefore I need freeradius to try auth on multiple passwords in a table, for the same user. Is this possible ? Thanks a lot Fab
On Wed, Feb 18, 2009 at 11:44 AM, Fabiano <fabiano@powerpc.ch> wrote:
Hi,
Is there any way to make freeradius check against multiple passwords for the same user in a mysql database ? In the case of an OTP, there are multiple passwords to check, because of time difference between server and client, therefore I need freeradius to try auth on multiple passwords in a table, for the same user. Is this possible ?
You should be able to this by customizing the SQL syntax on sql.conf to reflect your needs. Regards, Liran Tal.
participants (4)
-
Alan DeKok -
Fabiano -
liran tal -
Markus Gaugusch