Freeradius second auth factor
Hello. I want to configure the second authorisation factor with EAP-type, and md5 hashed password saved in MySQL. I found several modules and services like MultiOTP and Smsotp, but I can't understand how to provide the SMS before the authorisation or how to ask FreeRadius to wait for the process sends SMS? Could you please explain this to me? -- Best regards, Anton Kiryushkin
On Dec 20, 2019, at 6:53 AM, Anton Kiryushkin <swood@fotofor.biz> wrote:
I want to configure the second authorisation factor with EAP-type, and md5 hashed password saved in MySQL. I found several modules and services like MultiOTP and Smsotp, but I can't understand how to provide the SMS before the authorisation or how to ask FreeRadius to wait for the process sends SMS?
You need to configure a module to send the SMS. How that works depends on how the SMS is sent. And only you know that.
Could you please explain this to me?
What kind of 2 factor auth do you want to do? To be honest, the only thing that's going to work is TTLS + PAP. Since passwords are stored in MD5 format in the DB, nothing else will work. But... if this is for WiFi, users will be *very* unhappy if they have to enter a new OTP every time they switch access points. That's just not going to work. Alan DeKok.
Hi Alan. Nice to get an answer from you. The First factor is password stored in DB. Second is SMS. No, it is not for wifi; it is for VPN. As far as I understand, Cisco ASA sends the request to the radius with the final data: login, password, OTP-code. The only possible way to auth with the OTP is to generate it via phone application like Google Authenticator. My question is, does it possible to send an SMS instead of using the application. Again, I don't ask the ready solution. I try to figure out the process at this point. пт, 20 дек. 2019 г. в 13:40, Alan DeKok <aland@deployingradius.com>:
On Dec 20, 2019, at 6:53 AM, Anton Kiryushkin <swood@fotofor.biz> wrote:
I want to configure the second authorisation factor with EAP-type, and
md5
hashed password saved in MySQL. I found several modules and services like MultiOTP and Smsotp, but I can't understand how to provide the SMS before the authorisation or how to ask FreeRadius to wait for the process sends SMS?
You need to configure a module to send the SMS. How that works depends on how the SMS is sent. And only you know that.
Could you please explain this to me?
What kind of 2 factor auth do you want to do?
To be honest, the only thing that's going to work is TTLS + PAP. Since passwords are stored in MD5 format in the DB, nothing else will work.
But... if this is for WiFi, users will be *very* unhappy if they have to enter a new OTP every time they switch access points. That's just not going to work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Best regards, Anton Kiryushkin
On Dec 20, 2019, at 8:48 AM, Anton Kiryushkin <swood@fotofor.biz> wrote:
Nice to get an answer from you. The First factor is password stored in DB. Second is SMS.
No, it is not for wifi; it is for VPN.
OK, that's good.
As far as I understand, Cisco ASA sends the request to the radius with the final data: login, password, OTP-code.
How? That matters. Usually, people use login name, and then take the 6 digit OTP, and add it to the password, e.g. User-Name = "bob" User-Password = "123456my_secret_password"
The only possible way to auth with the OTP is to generate it via phone application like Google Authenticator. My question is, does it possible to send an SMS instead of using the application.
FreeRADIUS doesn't send SMSs directly. It has to use a third-party application to send SMSs. Alan DeKok.
пт, 20 дек. 2019 г. в 16:16, Alan DeKok <aland@deployingradius.com>:
On Dec 20, 2019, at 8:48 AM, Anton Kiryushkin <swood@fotofor.biz> wrote:
Nice to get an answer from you. The First factor is password stored in DB. Second is SMS.
No, it is not for wifi; it is for VPN.
OK, that's good.
As far as I understand, Cisco ASA sends the request to the radius with the final data: login, password, OTP-code.
How? That matters.
Now I see the next message from ASA: Fri Dec 20 15:21:41 2019 : Debug: (2) User-Name = "Jon_Snow" Fri Dec 20 15:21:41 2019 : Debug: (2) User-Password = "xZ\202\002\280<\206у\n\323y\261\357\471%y" Fri Dec 20 15:21:41 2019 : Debug: (2) NAS-Port = 249856 Fri Dec 20 15:21:41 2019 : Debug: (2) Called-Station-Id = "55.444.33.2" Fri Dec 20 15:21:41 2019 : Debug: (2) Calling-Station-Id = "44.66.77.8" Fri Dec 20 15:21:41 2019 : Debug: (2) NAS-Port-Type = Virtual Fri Dec 20 15:21:41 2019 : Debug: (2) Tunnel-Client-Endpoint:0 = "44.66.77.8" Fri Dec 20 15:21:41 2019 : Debug: (2) NAS-IP-Address = 10.2.3.4 Fri Dec 20 15:21:41 2019 : Debug: (2) Cisco-AVPair = "ip:source-ip=44.66.77.8" Fri Dec 20 15:21:41 2019 : Debug: (2) ASA-TunnelGroupName = "VPN" Fri Dec 20 15:21:41 2019 : Debug: (2) ASA-ClientType = AnyConnect-Client-SSL-VPN I'm not sure about the second password and where it should be.
Usually, people use login name, and then take the 6 digit OTP, and add it to the password, e.g.
User-Name = "bob" User-Password = "123456my_secret_password"
How to parse it in FreeRadius?
The only possible way to auth with the OTP is to generate it via phone application like Google Authenticator. My question is, does it possible to send an SMS instead of using the application.
FreeRADIUS doesn't send SMSs directly. It has to use a third-party application to send SMSs.
Yes, correctly, but FreeRadius can run some script to generate OTP and send it. However, I can't understand how to do it before authorisation. Or wait for this process during authorisation. Probably I am wrong.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Best regards, Anton Kiryushkin
On Dec 20, 2019, at 12:23 PM, Anton Kiryushkin <swood@fotofor.biz> wrote:
Now I see the next message from ASA:
Fri Dec 20 15:21:41 2019 : Debug: (2) User-Name = "Jon_Snow" Fri Dec 20 15:21:41 2019 : Debug: (2) User-Password = "xZ\202\002\280<\206у\n\323y\261\357\471%y"
The shared secret is wrong. Reading the debug output will tell you that.
Usually, people use login name, and then take the 6 digit OTP, and add it to the password, e.g.
User-Name = "bob" User-Password = "123456my_secret_password"
How to parse it in FreeRadius?
With a regular expression. if (User-Password =~ /^(......)(.*)$/) { ... %{1} is OTP . ... %{2} is password }
Yes, correctly, but FreeRadius can run some script to generate OTP and send it. However, I can't understand how to do it before authorisation. Or wait for this process during authorisation. Probably I am wrong.
You can run scripts via the 'exec' module. see mods-available/exec Alan DeKok.
пт, 20 дек. 2019 г. в 17:39, Alan DeKok <aland@deployingradius.com>:
On Dec 20, 2019, at 12:23 PM, Anton Kiryushkin <swood@fotofor.biz> wrote:
Now I see the next message from ASA:
Fri Dec 20 15:21:41 2019 : Debug: (2) User-Name = "Jon_Snow" Fri Dec 20 15:21:41 2019 : Debug: (2) User-Password = "xZ\202\002\280<\206у\n\323y\261\357\471%y"
The shared secret is wrong. Reading the debug output will tell you that.
Usually, people use login name, and then take the 6 digit OTP, and add it to the password, e.g.
User-Name = "bob" User-Password = "123456my_secret_password"
How to parse it in FreeRadius?
With a regular expression.
if (User-Password =~ /^(......)(.*)$/) { ... %{1} is OTP . ... %{2} is password }
Yes, correctly, but FreeRadius can run some script to generate OTP and send it. However, I can't understand how to do it before authorisation. Or wait for this process during authorisation. Probably I am wrong.
You can run scripts via the 'exec' module. see mods-available/exec
Yes, I can, but you didn't answer the question: does it possible to run exec and use generated code during the authorisation?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Best regards, Anton Kiryushkin
On Dec 20, 2019, at 12:55 PM, Anton Kiryushkin <swood@fotofor.biz> wrote:
You can run scripts via the 'exec' module. see mods-available/exec
Yes, I can, but you didn't answer the question: does it possible to run exec and use generated code during the authorisation?
I did answer the question. Please pay attention. You can run the "exec" module anywhere. Just list it in the "authorize" section. That's done for ANY module. Alan DeKok.
пт, 20 дек. 2019 г. в 17:58, Alan DeKok <aland@deployingradius.com>:
On Dec 20, 2019, at 12:55 PM, Anton Kiryushkin <swood@fotofor.biz> wrote:
You can run scripts via the 'exec' module. see mods-available/exec
Yes, I can, but you didn't answer the question: does it possible to run exec and use generated code during the authorisation?
I did answer the question. Please pay attention.
You can run the "exec" module anywhere. Just list it in the "authorize" section. That's done for ANY module.
Yes, again, but I can't trigger it in advance in order to send the OTP code. I hoped on a miracle. Merry Christmas!
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Best regards, Anton Kiryushkin
Am Fr, 20.12.2019 um 18:05 schrieb Anton Kiryushkin <swood@fotofor.biz>:
Yes, I can, but you didn't answer the question: does it possible to run exec and use generated code during the authorisation?
I did answer the question. Please pay attention.
You can run the "exec" module anywhere. Just list it in the "authorize" section. That's done for ANY module.
Yes, again, but I can't trigger it in advance in order to send the OTP code. I hoped on a miracle. Merry Christmas!
I don't think that's possible. When you see a packet in FR the ASA already sent the auth-request so you can't have the just created SMS TAN in it -- so the first request hast to fail somehow, tell the ASA to ask again, now hopefully with the correct TAN in the password. I wouldn't like such a solution :). There should be some outband-way to request a TAN. Also your SMS-solution might by easily abused but just sending many auth-requests to the VPN. /Steffen -- Steffen Klemer E-Mail: steffen.klemer@gwdg.de Tel: +49 551 201 2170 ------------------------------------------------------------------ GWDG - Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen Am Faßberg 11, 37077 Göttingen Service-Hotline: Tel: +49 551 201-1523 E-Mail: support@gwdg.de Kontakt: Tel: 0551 201-1510 Fax: 0551 201-2150 E-Mail: gwdg@gwdg.de WWW: https://www.gwdg.de ------------------------------------------------------------------ Geschäftsführer: Prof. Dr. Ramin Yahyapour Aufsichtsratsvorsitzender: Prof. Dr. Christian Griesinger Sitz der Gesellschaft: Göttingen Registergericht: Göttingen, Handelsregister-Nr. B 598 ------------------------------------------------------------------ Zertifiziert nach ISO 9001 ------------------------------------------------------------------
participants (3)
-
Alan DeKok -
Anton Kiryushkin -
Steffen Klemer