2FA token two fields
Hi All, I am suoper new to freeradius so sorry if this is a stupid question I have configured it for use for an application that is using username, password and a OTP The application asks the user for their username and password, and then once they have been entered asks for the OTP When running freeradus in debug mode i can see that the username is correct but the password field has been overwritten with the 2FA token , i am unsure what i need to change so this does not get overwriten and its seen as two fields... Here is the error (0) Received Access-Request Id 2 from 10.5.4.10:60850 to 10.5.4.9:1812 length 66 (0) User-Name = "testuser" (0) User-Password = "24577371" (0) Message-Authenticator = 0x03a7e13a57e67f6fba5b3d59cf917555 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "testuser", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: Failed resolving GID: No error (0) files: users: Matched entry DEFAULT at line 66 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = pam (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) pam: Using pamauth string "radiusd" for pam.conf lookup (0) pam: ERROR: pam_authenticate failed: Authentication failure (0) [pam] = reject (0) } # authenticate = reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> testuser (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.9 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 2 from 10.5.4.9:1812 to 10.5.4.10:60850 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 2 with timestamp +216 Ready to process requests Thanks a lot for all the help -- Adam
On Feb 7, 2022, at 3:33 PM, Adam Barnett <adambarnett52@gmail.com> wrote:
I am suoper new to freeradius so sorry if this is a stupid question
Believe it or not, I was there once, too. It was about 1997, though. :(
I have configured it for use for an application that is using username, password and a OTP
The application asks the user for their username and password, and then once they have been entered asks for the OTP
When running freeradus in debug mode i can see that the username is correct but the password field has been overwritten with the 2FA token , i am unsure what i need to change so this does not get overwriten and its seen as two fields...
There's nothing you can change on FreeRADIUS to fix this. If the application only sends the OTP and not the password, then no amount of poking FreeRADIUS will fix the application. What's typically done is to mash the password together with the OTP. For an example, see: https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/sites-avai...
(0) Found Auth-Type = pam (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) pam: Using pamauth string "radiusd" for pam.conf lookup (0) pam: ERROR: pam_authenticate failed: Authentication failure (0) [pam] = reject
I would suggest not using PAM. There's really no reason for it. The server can read just about any "passwd" file, database, etc. Just let the server do it's job, and avoid horrible complex things like PAM. Plus, if something goes wrong in the PAM layer, it's impossible to debug. In contrast, the FreeRADIUS debug output is huge, but 99% of the time it contains what you need to fix the problem. PAM? You get "failed". Why? "failed". What do I fix? "failed" Arg. Alan DeKok.
participants (2)
-
Adam Barnett -
Alan DeKok