Use 2 modules to auth together.
hi, all, Any way to handle a second access request? Our user is in AD and VPN will do an MSCHAP authentication first and filter property of User-Name from access request, then call an access-challenge to verify against the other module whose logic is as simple as starting a http request via http://XXX/check/username= <http://xxx/check/username=><USER-NAME>&OTP=<xxxxxx>, if return 200, it's ok. Basically, I want to auth a single login against two modules, only both of them are successful, the auth could be deemed as OK. # site-enabled/default authorize { if (!State) { # MS-CHAP has no User-Password, so it's true. if (!User-Password ) { # If !State and User-Password is null, then goes to MS-CHAP: update { &control:Auth-Type := MS-CHAP } } else { reject } } else { # The 2nd auth module. # I DON'T KNOW HOW TO WRITE. } } } # ### authentication ##### authentication { Auth-Type MS-CHAP { mschap if (ok) { update reply { # Create a random State attribute: State := "%{randstr:XXXXXXXXXXXXX}" Reply-Message := "Please type your OTP:" } # Return Access-Challenge, goes to the 2nd auth. challenge } } } Thanks a lot.
On Nov 26, 2018, at 2:42 AM, luckydog xf <luckydogxf@gmail.com> wrote:
Our user is in AD and VPN will do an MSCHAP authentication first and filter property of User-Name from access request, then call an access-challenge to verify against the other module whose logic is as simple as starting a http request via http://XXX/check/username= <http://xxx/check/username=><USER-NAME>&OTP=<xxxxxx>, if return 200, it's ok.
That's really just more authorization.
Basically, I want to auth a single login against two modules, only both of them are successful, the auth could be deemed as OK.
That's possible, subject to certain caveats.
# ### authentication ##### authentication { Auth-Type MS-CHAP { mschap if (ok) { update reply { # Create a random State attribute: State := "%{randstr:XXXXXXXXXXXXX}" Reply-Message := "Please type your OTP:" } # Return Access-Challenge, goes to the 2nd auth. challenge
That's good, but it likely won't work due to the NAS. Doing OTP like that requires support from the NAS. Does the NAS support doing MS-CHAP and then receiving an Access-Challenge? If it does, then your next step is to write down what you want to happen, like this: 1) packet 1 contains MS-CHAP 2) it authenticates agains MS-CHAP 3) if MS-CHAP is successful, it returns a State, challenge, and reply message 4) when the next packet comes in with a state attribute, authenticate the OTP Note that the packet in step 4 *should not* contain any MS-CHAP attributes. It should just contain the response to the OTP. So your freeradius configuration is: 1) run MS-CHAP like normal 2) do state / reply-message / challenge in "Auth-Type MS-CHAP" As a *separate* item: 3) if packet contains State 4) do OTP verification The only thing tying the two packets together is the State attribute. They are otherwise completely independent. Alan DeKok.
Thank, Alan, you enlighten me. Turns out NAS( my VPN) does not support Access-Challenge. Googled and found that Challenge seems to be a speical access-request packet with the Code field set to 11. So can I make the conclusion that it would send an access-quest again? in other words, start a new authentication process like another normal request with an exception that State attribute exists. Let me suppose my VPN supports Access-Challenge, so my configuation is something like: ------------------------------- authorize { # The first auth does not have any State attribute. if (!State) { # MS-CHAP has no User-Password, so it's true. if (!User-Password ) { # If !State and User-Password is null, then goes to MS-CHAP: update { &control:Auth-Type := MS-CHAP } } else { reject } # Make sure it does not contain any other attributes except State. else { update { # IS THIS PART CORRECT ? I think so, as a new request is issued by challage, so it would start over from top to buttom to walk throught the entire process. &control:Auth-Type := MY_OWN_OTP_AUTH } } } authentication { Auth-Type MS-CHAP { mschap if (ok) { update reply { # Create a random State attribute: State := "%{randstr:XXXXXXXXXXXXX}" Reply-Message := "Please type your OTP:" } # Return Access-Challenge, goes to the 2nd auth. # IS IT the correct way to raise a challange? challenge } Please help me to take a look at configuration above, two questions: 1. Is else part correct? which will use my own python auth module 2. Is it correct to raise a challenge using 'challenge' filter of FreeRADIUS? Thanks again. On Mon, Nov 26, 2018 at 8:10 PM Alan DeKok <aland@deployingradius.com> wrote:
On Nov 26, 2018, at 2:42 AM, luckydog xf <luckydogxf@gmail.com> wrote:
Our user is in AD and VPN will do an MSCHAP authentication first and filter property of User-Name from access request, then call an access-challenge to verify against the other module whose logic is as simple as starting a http request via http://XXX/check/username= <http://xxx/check/username=><USER-NAME>&OTP=<xxxxxx>, if return 200, it's ok.
That's really just more authorization.
Basically, I want to auth a single login against two modules, only both of them are successful, the auth could be deemed as OK.
That's possible, subject to certain caveats.
# ### authentication ##### authentication { Auth-Type MS-CHAP { mschap if (ok) { update reply { # Create a random State attribute: State := "%{randstr:XXXXXXXXXXXXX}" Reply-Message := "Please type your OTP:" } # Return Access-Challenge, goes to the 2nd auth. challenge
That's good, but it likely won't work due to the NAS. Doing OTP like that requires support from the NAS. Does the NAS support doing MS-CHAP and then receiving an Access-Challenge?
If it does, then your next step is to write down what you want to happen, like this:
1) packet 1 contains MS-CHAP 2) it authenticates agains MS-CHAP 3) if MS-CHAP is successful, it returns a State, challenge, and reply message 4) when the next packet comes in with a state attribute, authenticate the OTP
Note that the packet in step 4 *should not* contain any MS-CHAP attributes. It should just contain the response to the OTP.
So your freeradius configuration is:
1) run MS-CHAP like normal 2) do state / reply-message / challenge in "Auth-Type MS-CHAP"
As a *separate* item:
3) if packet contains State 4) do OTP verification
The only thing tying the two packets together is the State attribute. They are otherwise completely independent.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
luckydog xf