chain two authentication modules together
Hi All, I searched some related posts in the forum and see Alan pointed out the rlm_example.c has the example for chaining two authentication modules. I have 2.1.10 version source code. In the rlm_example.c, the authentication part is only like this: static int example_authenticate(void *instance, REQUEST *request) { /* quiet the compiler */ instance = instance; request = request; return RLM_MODULE_OK; } Can't see how two authentication modules get chained here. What I'm wanting to do is integrate LDAP and OTP. The OTP I want to use doesn't have interface to radius. So I'm planning to get that OTP source code into a new FR module. For LDAP part, I just want to include the existing module to the new one. Is this doable? I guess I may need implant the LDAP module code into the new module too. The whole authentication process is: 1. LDAP authentication. 2. If successful, do something and request 2nd OTP authencation. If not, reject the authentication.
From what I read here, the new module must be the way to do this. But is there any easy way to integrate existing module like LDAP into the new module?
Thanks a lot for your help. Really appreciate it. Lou -- View this message in context: http://freeradius.1045715.n5.nabble.com/chain-two-authentication-modules-tog... Sent from the FreeRadius - User mailing list archive at Nabble.com.
madmatrix <hailumeng@gmail.com> wrote:
What I'm wanting to do is integrate LDAP and OTP. The OTP I want to use doesn't have interface to radius. So I'm planning to get that OTP source code into a new FR module. For LDAP part, I just want to include the existing module to the new one. Is this doable? I guess I may need implant the LDAP module code into the new module too.
I *strongly* recommend you use rlm_perl/rlm_python. I found it very straight forward to quickly implement rfc2289 with eap-gtc.
The whole authentication process is: 1. LDAP authentication. 2. If successful, do something and request 2nd OTP authencation. If not, reject the authentication.
I think you might find yourself having to either: * combined password of form "<ldap password> <otp challenge response>" * two separate RADIUS authentications, say use PAM to first do a regular RADIUS password check and also require a second check to another RADIUS server (a FreeRADIUS virtual server for example) that then does the OTP As you have not described what the problem is (EAP for 802.1X, web portal, PAM backed authentication, etc?) it is hard to give you advice.
From what I read here, the new module must be the way to do this. But is there any easy way to integrate existing module like LDAP into the new module?
If you use rlm_perl/rlm_python, you will find the job much easier, fast on the prototyping front and maintenance will be a lot less trouble (ie, no need to recompile things as an example). Cheers -- Alexander Clouter .sigmonster says: Don't feed the bats tonight.
Thanks a lot Alexander. I'm familiar with python. So rlm_python might a good choice for me. The main thing I want to do is to give remote vpn client a two-factor authentication. Since freeradius, pam and all opensource otp solution are available, I think free two-factor authentication is doable instead the expensive RSA solution. So the first authentication is against our AD. If successful, the system should generate one time password and send it to user through SMS or the other ways. The user then put otp into the 2nd challenge prompt. Freeradius authenticate this otp against otp server. I already tried using pam to authenticate against AD or OTP. I was trying to use PAM stack to make this happen. But it's hard to put some scripts to send password to user between the two PAM modules. So I turned to FreeRadius to see if it can have some ways to do this. So if I use rlm_python, I can utilize some existing executable files (like ldapsearch, ldapcompare, otp_auth) to directly authenticate against LDAP and OTP. To send OTP to user is much easier to do in python too. Am I correct? Thanks for your help. Lou On Fri, Jun 17, 2011 at 3:10 PM, Alexander Clouter [via FreeRadius] < ml-node+4499878-126979644-220770@n5.nabble.com> wrote:
madmatrix <[hidden email]<http://user/SendEmail.jtp?type=node&node=4499878&i=0>> wrote:
What I'm wanting to do is integrate LDAP and OTP. The OTP I want to use doesn't have interface to radius. So I'm planning to get that OTP source code into a new FR module. For LDAP part, I just want to include the existing module to the new one. Is this doable? I guess I may need implant the LDAP module code into the new module too.
I *strongly* recommend you use rlm_perl/rlm_python. I found it very straight forward to quickly implement rfc2289 with eap-gtc.
The whole authentication process is: 1. LDAP authentication. 2. If successful, do something and request 2nd OTP authencation. If not, reject
the authentication.
I think you might find yourself having to either: * combined password of form "<ldap password> <otp challenge response>" * two separate RADIUS authentications, say use PAM to first do a regular RADIUS password check and also require a second check to another RADIUS server (a FreeRADIUS virtual server for example) that then does the OTP
As you have not described what the problem is (EAP for 802.1X, web portal, PAM backed authentication, etc?) it is hard to give you advice.
From what I read here, the new module must be the way to do this. But is there any easy way to integrate existing module like LDAP into the new module?
If you use rlm_perl/rlm_python, you will find the job much easier, fast on the prototyping front and maintenance will be a lot less trouble (ie, no need to recompile things as an example).
Cheers
-- Alexander Clouter .sigmonster says: Don't feed the bats tonight.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------ If you reply to this email, your message will be added to the discussion below:
http://freeradius.1045715.n5.nabble.com/chain-two-authentication-modules-tog... To unsubscribe from chain two authentication modules together, click here<http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=4499333&code=aGFpbHVtZW5nQGdtYWlsLmNvbXw0NDk5MzMzfC03NjIyMDI5NDM=>.
-- View this message in context: http://freeradius.1045715.n5.nabble.com/chain-two-authentication-modules-tog... Sent from the FreeRadius - User mailing list archive at Nabble.com.
madmatrix <hailumeng@gmail.com> wrote:
Thanks a lot Alexander. I'm familiar with python. So rlm_python might a good choice for me. The main thing I want to do is to give remote vpn client a two-factor authentication.
Depending on how your VPN works and what the clients can support, you could use the OTP to create the tunnel, and then EAP on the inside to authenticate (and VLAN assign) the user. It would complement any wireless/wired 802.1X solution you have on site perfectly too. Although a good plan, as the OTP being the first hop means your user credentials cannot be brute forced, your might find it complicated to pull off; at a first glance I am not sure how something like IPsec could be OTPised...maybe you will get more luck with OpenVPN.
Since freeradius, pam and all opensource otp solution are available, I think free two-factor authentication is doable instead the expensive RSA solution.
Always bear in mind, as long as the man hours you put in are less or roughly equal to the RSA solution (over a three year period), then that's a worthwhile approach. Also gives you something to present as a talk to other organisations. :)
So the first authentication is against our AD. If successful, the system should generate one time password and send it to user through SMS or the other ways. The user then put otp into the 2nd challenge prompt. Freeradius authenticate this otp against otp server.
I already tried using pam to authenticate against AD or OTP. I was trying to use PAM stack to make this happen. But it's hard to put some scripts to send password to user between the two PAM modules. So I turned to FreeRadius to see if it can have some ways to do this.
For your initial version, I recommend when the user is prompted for a password, you get them to type "<otp> <password>" (RSA style). Check the OTP *first* and then validate the password. You RADIUS configuration will look like: ---- authorize { .... your_python_otp_script ldap .... } ---- 'your_python_otp_script' will *rewrite* User-Password so that when it gets to the ldap module it's as if the user just sent their password without the OTP. Of course if the OTP is incorrect, your_python_otp_script can return instantly reject giving you your two factor authentication.
So if I use rlm_python, I can utilize some existing executable files (like ldapsearch, ldapcompare, otp_auth) to directly authenticate against LDAP and OTP. To send OTP to user is much easier to do in python too. Am I correct?
rlm_python will let you change how your OTP system functions quickly which is helpful as: * newer flexibility technologies come along you want to use * users fix the initial approach too complicated. As the brains is really all in a python script, you should find it trivial to change to meet their needs One word of warning, do *not* use system()/exec() or whatever python uses. Use a native LDAP module. Same with the OTP/SMS approach if possible. Calling OS commands like that, especially when there are native libraries, is generally a Bad Idea(tm) and the coding gods *will* smite you for your crimes. Cheers -- Alexander Clouter .sigmonster says: Time as he grows old teaches all things. -- Aeschylus
Thanks a lot Alexander. Your thoughts help me a lot. I will utilize python to get otp integrated and use its native lib. :) I'm afraid our vpn client doesn't support otp. But when it passes user/passwd to radius. I think vpn client or NAS really doesn't care about your backend. I think for otp first, I must pass the user name with otp password together to otp server. For second ldap auth, I may strip off the user name prompt. It's a reverse version compared to usual AD/RSA way. Another question for users file, for default users, should I put auth-type as my python or ldap? I'm a little bit confused there. If I only put python there, ldap module may not be executed. Really appreciated your help. I feel more confident now for this project. Thanks. Lou On Jun 18, 2011 6:11 AM, "Alexander Clouter [via FreeRadius]" < ml-node+4501148-2134591798-220770@n5.nabble.com> wrote:
madmatrix <hailumeng@gmail.com> wrote:
Thanks a lot Alexander. I'm familiar with python. So rlm_python might a good choice for me. The main thing I want to do is to give remote vpn client a two-factor authentication.
Depending on how your VPN works and what the clients can support, you could use the OTP to create the tunnel, and then EAP on the inside to authenticate (and VLAN assign) the user. It would complement any wireless/wired 802.1X solution you have on site perfectly too.
Although a good plan, as the OTP being the first hop means your user credentials cannot be brute forced, your might find it complicated to pull off; at a first glance I am not sure how something like IPsec could be OTPised...maybe you will get more luck with OpenVPN.
Since freeradius, pam and all opensource otp solution are available, I think free two-factor authentication is doable instead the expensive RSA solution.
Always bear in mind, as long as the man hours you put in are less or roughly equal to the RSA solution (over a three year period), then that's a worthwhile approach. Also gives you something to present as a talk to other organisations. :)
So the first authentication is against our AD. If successful, the system should generate one time password and send it to user through SMS or the other ways. The user then put otp into the 2nd challenge prompt. Freeradius authenticate this otp against otp server.
I already tried using pam to authenticate against AD or OTP. I was trying to use PAM stack to make this happen. But it's hard to put some scripts to send password to user between the two PAM modules. So I turned to FreeRadius to see if it can have some ways to do this.
For your initial version, I recommend when the user is prompted for a password, you get them to type "<otp> <password>" (RSA style). Check the OTP *first* and then validate the password. You RADIUS configuration will look like: ---- authorize { ....
your_python_otp_script
ldap
.... } ----
'your_python_otp_script' will *rewrite* User-Password so that when it gets to the ldap module it's as if the user just sent their password without the OTP. Of course if the OTP is incorrect, your_python_otp_script can return instantly reject giving you your two factor authentication.
So if I use rlm_python, I can utilize some existing executable files (like ldapsearch, ldapcompare, otp_auth) to directly authenticate against LDAP and OTP. To send OTP to user is much easier to do in python too. Am I correct?
rlm_python will let you change how your OTP system functions quickly which is helpful as: * newer flexibility technologies come along you want to use * users fix the initial approach too complicated. As the brains is really all in a python script, you should find it trivial to change to meet their needs
One word of warning, do *not* use system()/exec() or whatever python uses. Use a native LDAP module. Same with the OTP/SMS approach if possible. Calling OS commands like that, especially when there are native libraries, is generally a Bad Idea(tm) and the coding gods *will* smite you for your crimes.
Cheers
-- Alexander Clouter .sigmonster says: Time as he grows old teaches all things. -- Aeschylus
- List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
_______________________________________________ If you reply to this email, your message will be added to the discussion
below:
http://freeradius.1045715.n5.nabble.com/chain-two-authentication-modules-tog...
To unsubscribe from chain two authentication modules together, visit
http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=unsub... -- View this message in context: http://freeradius.1045715.n5.nabble.com/chain-two-authentication-modules-tog... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Alexander, one thing I'm still confused here is why we put otp and ldap all in authorization block in freeradius not the authentication? Lou On Jun 18, 2011 6:11 AM, "Alexander Clouter [via FreeRadius]" < ml-node+4501148-2134591798-220770@n5.nabble.com> wrote:
madmatrix <hailumeng@gmail.com> wrote:
Thanks a lot Alexander. I'm familiar with python. So rlm_python might a good choice for me. The main thing I want to do is to give remote vpn client a two-factor authentication.
Depending on how your VPN works and what the clients can support, you could use the OTP to create the tunnel, and then EAP on the inside to authenticate (and VLAN assign) the user. It would complement any wireless/wired 802.1X solution you have on site perfectly too.
Although a good plan, as the OTP being the first hop means your user credentials cannot be brute forced, your might find it complicated to pull off; at a first glance I am not sure how something like IPsec could be OTPised...maybe you will get more luck with OpenVPN.
Since freeradius, pam and all opensource otp solution are available, I think free two-factor authentication is doable instead the expensive RSA solution.
Always bear in mind, as long as the man hours you put in are less or roughly equal to the RSA solution (over a three year period), then that's a worthwhile approach. Also gives you something to present as a talk to other organisations. :)
So the first authentication is against our AD. If successful, the system should generate one time password and send it to user through SMS or the other ways. The user then put otp into the 2nd challenge prompt. Freeradius authenticate this otp against otp server.
I already tried using pam to authenticate against AD or OTP. I was trying to use PAM stack to make this happen. But it's hard to put some scripts to send password to user between the two PAM modules. So I turned to FreeRadius to see if it can have some ways to do this.
For your initial version, I recommend when the user is prompted for a password, you get them to type "<otp> <password>" (RSA style). Check the OTP *first* and then validate the password. You RADIUS configuration will look like: ---- authorize { ....
your_python_otp_script
ldap
.... } ----
'your_python_otp_script' will *rewrite* User-Password so that when it gets to the ldap module it's as if the user just sent their password without the OTP. Of course if the OTP is incorrect, your_python_otp_script can return instantly reject giving you your two factor authentication.
So if I use rlm_python, I can utilize some existing executable files (like ldapsearch, ldapcompare, otp_auth) to directly authenticate against LDAP and OTP. To send OTP to user is much easier to do in python too. Am I correct?
rlm_python will let you change how your OTP system functions quickly which is helpful as: * newer flexibility technologies come along you want to use * users fix the initial approach too complicated. As the brains is really all in a python script, you should find it trivial to change to meet their needs
One word of warning, do *not* use system()/exec() or whatever python uses. Use a native LDAP module. Same with the OTP/SMS approach if possible. Calling OS commands like that, especially when there are native libraries, is generally a Bad Idea(tm) and the coding gods *will* smite you for your crimes.
Cheers
-- Alexander Clouter .sigmonster says: Time as he grows old teaches all things. -- Aeschylus
- List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
_______________________________________________ If you reply to this email, your message will be added to the discussion
below:
http://freeradius.1045715.n5.nabble.com/chain-two-authentication-modules-tog...
To unsubscribe from chain two authentication modules together, visit
http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=unsub... -- View this message in context: http://freeradius.1045715.n5.nabble.com/chain-two-authentication-modules-tog... Sent from the FreeRadius - User mailing list archive at Nabble.com.
madmatrix <hailumeng@gmail.com> wrote:
Alexander, one thing I'm still confused here is why we put otp and ldap all in authorization block in freeradius not the authentication?
As I'm an idiot. They should also be present in the authenticate section. In authorise, your OTP python method checks to see if it is a valid authentication syntax (creating a challenge if necessary) returning reject if it it invalid. It validates and rewrites User-Password to contain just the bare password, whilst you can create a custom dictionary attribute (for example User-OTP) that is sperately processed in authenticate. So, for example: ---- authorize { ... # User-Password is 'foo bar' python-otp # User-Password is 'foo' # User-OTP is 'bar' ldap ... } authenticate { ... Auth-Type python-otp { otp ldap } ... } ---- Cheers -- Alexander Clouter .sigmonster says: Price does not include taxes.
participants (2)
-
Alexander Clouter -
madmatrix