Re: Error 2FA - AD password and external OTP via RADIUS proxy
Configured as follows: One freeradius is configured like this: https://wiki.freeradius.org/guide/2FA-A ... plus-Proxy The second freeradius is configured as follows: https://www.linotp.org/howtos/howto-radius.html That is, the idea is first go for the username /password in LDAP, then get a temporary password and check it The problem is that it doesn't work: Login incorrect (ldap: Bind credentials incorrect: Invalid credentials): [testuser/testpasswordOTP] In other words, passwords are glued together. I don 't understand how to configure it
The general practice is to put the 6-digit OTP first, then the password. Then, split them via something like this:
if (User-Password =~ /^(......)(.*)$/) { update request { User-Password := "%{2}" OTP-Password := "%{1}" } }
You will need to edit raddb/dictionary in order to define OTP-Password.
12 марта 2020 г., в 11:05, Клеусов Владимир Сергеевич <Kleusov.Vladimir@wildberries.ru> написал(а):
Thanks. In which file do I need to separate the LDAP and OTP password ? How do I edit a dictionary ?
11 марта 2020 г., в 23:42, Alan DeKok <aland@deployingradius.com> написал(а):
On Mar 11, 2020, at 10:31 AM, Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
In freeradius logs, this is ldap: Bind credentials incorrect: Invalid credentials): [testuser/testpasswd2217287 First the request for a normal password and then the otp 2217287 What's wrong ?
The user entered the password followed by the OTP, all as one field. Then, you configured FreeRADIUS to send all that to LDAP.
The general practice is to put the 6-digit OTP first, then the password. Then, split them via something like this:
if (User-Password =~ /^(......)(.*)$/) { update request { User-Password := "%{2}" OTP-Password := "%{1}" } }
You will need to edit raddb/dictionary in order to define OTP-Password.
This lets you use User-Password as normal to connect to LDAP, and authenticate the user.
You can then check OTP-Password however you want.
Alan DeKok.
Perhaps I need to split passwords in a script and log in using a split password ? # If State, then proxy request: update control { Proxy-To-Realm := "proxy-test" Auth-Type := /bin/bash -f /etc/freeradius/3.0/scripts/otp.sh '%{User-Name}' '%{User-Password}' } Начало переадресованного сообщения: Отправитель: Владимир Клеусов <kleusov.vladimir@wildberries.ru<mailto:kleusov.vladimir@wildberries.ru>> Тема: Ответ: Error 2FA - AD password and external OTP via RADIUS proxy Дата: 16 марта 2020 г. в 15:34:51 GMT+3 Кому: FreeRadius users mailing list <Freeradius-Users@lists.freeradius.org<mailto:Freeradius-Users@lists.freeradius.org>> Configured as follows: One freeradius is configured like this: https://wiki.freeradius.org/guide/2FA-A ... plus-Proxy The second freeradius is configured as follows: https://www.linotp.org/howtos/howto-radius.html That is, the idea is first go for the username /password in LDAP, then get a temporary password and check it The problem is that it doesn't work: Login incorrect (ldap: Bind credentials incorrect: Invalid credentials): [testuser/testpasswordOTP] In other words, passwords are glued together. I don 't understand how to configure it The general practice is to put the 6-digit OTP first, then the password. Then, split them via something like this: if (User-Password =~ /^(......)(.*)$/) { update request { User-Password := "%{2}" OTP-Password := "%{1}" } } You will need to edit raddb/dictionary in order to define OTP-Password. 12 марта 2020 г., в 11:05, Клеусов Владимир Сергеевич <Kleusov.Vladimir@wildberries.ru> написал(а): Thanks. In which file do I need to separate the LDAP and OTP password ? How do I edit a dictionary ? 11 марта 2020 г., в 23:42, Alan DeKok <aland@deployingradius.com> написал(а): On Mar 11, 2020, at 10:31 AM, Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote: In freeradius logs, this is ldap: Bind credentials incorrect: Invalid credentials): [testuser/testpasswd2217287 First the request for a normal password and then the otp 2217287 What's wrong ? The user entered the password followed by the OTP, all as one field. Then, you configured FreeRADIUS to send all that to LDAP. The general practice is to put the 6-digit OTP first, then the password. Then, split them via something like this: if (User-Password =~ /^(......)(.*)$/) { update request { User-Password := "%{2}" OTP-Password := "%{1}" } } You will need to edit raddb/dictionary in order to define OTP-Password. This lets you use User-Password as normal to connect to LDAP, and authenticate the user. You can then check OTP-Password however you want. Alan DeKok.
On Mar 18, 2020, at 4:27 AM, Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Perhaps I need to split passwords in a script and log in using a split password ?
Check the previous replies. I said exactly how to do this. Alan DeKok.
participants (2)
-
Alan DeKok -
Клеусов Владимир Сергее вич