FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode
Hello everyone we are successfully using FreeRADIUS for some time now. Now we have two more requirements: 1) Password change in OpenLDAP via FreeRADIUS FreeRADIUS is connected to an OpenLDAP via the LDAP-module. We also have Cisco-Devices connected to a tac_plus-Server (http://www.pro-bono-publico.de/projects/tac_plus.html) also using OpenLDAP as backend. In this setup the users can change their LDAP-password via the router's login-prompt after successful authentication with the old password. Can we implement password changes with FreeRADIUS as well when the NAS supports this or is this a TACACS+-only feature? 2) Next-Token-Mode for RSA SecurID We are using Two-Factor-Authentication with FreeRADIUS and RSA SecurID. FreeRADIUS / unlang splits the password string in two parts and is sending the last 6 digits as Token to the RSA SecurID Server via Radius for validation. This works fine. However, in rare conditions a re-sync of the Token-device may be necessary so that the RSA SecurID Server is prompting for the next Token. Access-Challenges are used in this case. Is there a way to handle this in FreeRADIUS? It would be great if you could point me in the right direction for both use cases and tell me what modules or unlang-statements we could try out to solve this. Thanks and best wishes Michael
On Nov 30, 2018, at 8:57 AM, michael böhm <ksk2@gmx.net> wrote:
we are successfully using FreeRADIUS for some time now. Now we have two more requirements:
1) Password change in OpenLDAP via FreeRADIUS ... Can we implement password changes with FreeRADIUS as well when the NAS supports this or is this a TACACS+-only feature?
It's only TACACS+. The good news is that v4 should have a TACACS+ front end. It was working a few months ago, and then we did some rearchitecture. So it doesn't work today. But it's likely only a few days to get it working again.
2) Next-Token-Mode for RSA SecurID
We are using Two-Factor-Authentication with FreeRADIUS and RSA SecurID. FreeRADIUS / unlang splits the password string in two parts and is sending the last 6 digits as Token to the RSA SecurID Server via Radius for validation. This works fine. However, in rare conditions a re-sync of the Token-device may be necessary so that the RSA SecurID Server is prompting for the next Token. Access-Challenges are used in this case.
Is there a way to handle this in FreeRADIUS?
Sure. There's an rlm_securid module in the server. That should work. Alan DeKok.
we are successfully using FreeRADIUS for some time now. Now we have two more requirements:
1) Password change in OpenLDAP via FreeRADIUS ... Can we implement password changes with FreeRADIUS as well when the NAS supports this or is this a TACACS+-only feature? It's only TACACS+. The good news is that v4 should have a TACACS+ front end. It was working a few months ago, and then we did some rearchitecture. So it doesn't work today. But it's likely only a few days to get it working again. 2) Next-Token-Mode for RSA SecurID
We are using Two-Factor-Authentication with FreeRADIUS and RSA SecurID. FreeRADIUS / unlang splits the password string in two parts and is sending the last 6 digits as Token to the RSA SecurID Server via Radius for validation. This works fine. However, in rare conditions a re-sync of the Token-device may be necessary so that the RSA SecurID Server is prompting for the next Token. Access-Challenges are used in this case.
Is there a way to handle this in FreeRADIUS? Sure. There's an rlm_securid module in the server. That should work. Alan DeKok.
Hi Alan, thanks for your reply. Does "TACACS+ frontend" mean that the NAS has to speak TACACS+? We have some that are Radius-only. I did not find the rlm_securid-module in my installation. Do I have to compile it myself? Is there a documentation somewhere? Does the module use the proprietary protocol from RSA or Radius? Thank you and best wishes Michael Gesendet: Freitag, 30. November 2018 um 15:51 Uhr Von: "Alan DeKok" <aland@deployingradius.com> An: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Betreff: Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode On Nov 30, 2018, at 8:57 AM, michael böhm <ksk2@gmx.net> wrote: - List info/subscribe/unsubscribe? See [1]http://www.freeradius.org/list/users.html References 1. http://www.freeradius.org/list/users.html
On Nov 30, 2018, at 10:24 AM, michael böhm <ksk2@gmx.net> wrote:
Does "TACACS+ frontend" mean that the NAS has to speak TACACS+? We have some that are Radius-only.
It means that *FreeRADIUS* can do TACACS+.
I did not find the rlm_securid-module in my installation.
It isn't included with any pre-built packages.
Do I have to compile it myself?
Yes.
Is there a documentation somewhere? Does the module use the proprietary protocol from RSA or Radius?
It links to the SecurID libraries. It's documented in src/modules/rlm_securid/ in the source tree. Alan DeKok.
Does "TACACS+ frontend" mean that the NAS has to speak TACACS+? We have some that are Radius-only. It means that *FreeRADIUS* can do TACACS+. I did not find the rlm_securid-module in my installation. It isn't included with any pre-built packages. Do I have to compile it myself? Yes. Is there a documentation somewhere? Does the module use the proprietary protocol from RSA or Radius? It links to the SecurID libraries. It's documented in src/modules/rlm_securid/ in the source tree. Alan DeKok.
Hi Alan we've decided to use the Radius-interface of the SecurID-server and not the proprietary protocol. Now I need unlang to make the access decision: LDAP-Plugin (accept) AND Proxy-Request to SecurID-Server (accept) = ACCEPT to NAS I tried it like that in the authorize-section but it did not work: filter_username preprocess # %{1} = ldap-password # %{2} = Token if (User-Password =~ /^(.+)([0-9]{6})$/) { update request { User-Password := "%{2}" } update control { Proxy-To-Realm := "securid" } update request { User-Password := "%{1}" } ldap } pap The proxying itself is working fine but not the correlation of the two results. Could you please give me a minimal example of how to create this and-logic in unlang? Thanks and best wishes Michael Gesendet: Freitag, 30. November 2018 um 16:26 Uhr Von: "Alan DeKok" <aland@deployingradius.com> An: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Betreff: Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode On Nov 30, 2018, at 10:24 AM, michael böhm <ksk2@gmx.net> wrote: - List info/subscribe/unsubscribe? See [1]http://www.freeradius.org/list/users.html References 1. http://www.freeradius.org/list/users.html
On Dec 3, 2018, at 8:00 AM, michael böhm <ksk2@gmx.net> wrote:
we've decided to use the Radius-interface of the SecurID-server and not the proprietary protocol.
OK.
Now I need unlang to make the access decision:
LDAP-Plugin (accept) AND Proxy-Request to SecurID-Server (accept) = ACCEPT to NAS
I tried it like that in the authorize-section but it did not work:
See the FAQ for "it doesn't work".
filter_username preprocess
# %{1} = ldap-password # %{2} = Token
if (User-Password =~ /^(.+)([0-9]{6})$/) { update request { User-Password := "%{2}" } update control { Proxy-To-Realm := "securid" }
update request { User-Password := "%{1}" }
ldap }
pap
The proxying itself is working fine but not the correlation of the two results.
What does that mean?
Could you please give me a minimal example of how to create this and-logic in unlang?
My $0.02 is to check the users password *first*, and then proxy to RSA if it passed. if (User-Password =~ /^(.+)([0-9]{6})$/) { update request { User-Password := "%{2}" } # get the "known good" password from LDAP ldap # check the users password # if this fails, the user will be automatically rejected pap.authenticate update control { Proxy-To-Realm := "securid" } update request { User-Password := "%{1}" } } else { ... do stuff for non-RSA users ... } Alan DeKok.
we've decided to use the Radius-interface of the SecurID-server and not the proprietary protocol. OK. Now I need unlang to make the access decision:
LDAP-Plugin (accept) AND Proxy-Request to SecurID-Server (accept) = ACCEPT to NAS
I tried it like that in the authorize-section but it did not work: See the FAQ for "it doesn't work". filter_username preprocess
# %{1} = ldap-password # %{2} = Token
if (User-Password =~ /^(.+)([0-9]{6})$/) { update request { User-Password := "%{2}" } update control { Proxy-To-Realm := "securid" }
update request { User-Password := "%{1}" }
ldap }
pap
The proxying itself is working fine but not the correlation of the two results. What does that mean? Could you please give me a minimal example of how to create this and-logic in unlang? My $0.02 is to check the users password *first*, and then proxy to RSA if it passed. if (User-Password =~ /^(.+)([0-9]{6})$/) { update request { User-Password := "%{2}" } # get the "known good" password from LDAP ldap # check the users password # if this fails, the user will be automatically rejected pap.authenticate update control { Proxy-To-Realm := "securid" } update request { User-Password := "%{1}" } } else { ... do stuff for non-RSA users ... } Alan DeKok.
Hi Alan, with your hints I managed to get this running: # Case 1: No script-user -> 2FA if(User-Name !~ /^sc_.+$/) { # Case 1.1: LDAP-PW + Token if(User-Password =~ /^(.+)([0-9]{6})$/) { update request { User-Password := "%{1}" } ldap files pap pap.authenticate update request { User-Password := "%{2}" } update control { Proxy-To-Realm := "securid" } } # Case 1.2: Just a Token, no LDAP-PW, Next-Token-Mode elsif(State && User-Password =~ /^([0-9]{6})$/) { update control { Proxy-To-Realm := "securid" } } } # Case 2: script-user else { ldap files pap } I get the error in freeradius -X: (2) Found Auth-Type = PAP (2) Found Auth-Type = Accept (2) ERROR: Warning: Found 2 auth-types on request for user '<user>' Can I ignore this? Only one more problem is to solve: In post-auth we have a Perl-script that relies on the groups that come from LDAP to make user rights decisions. When we are in Next-Token-Mode (case 1.2) we do not query LDAP, so freeradius cannot pass the groups to the Perl script. Is there a way to tell freeradius to cache the LDAP-groups from the last request for case 1.1 and use them in 1.2? If there is no easy way I would delete Case 1.2 and tell the user to type in the LDAP-password again followed by the next Token. Thanks and best wishes Michael Gesendet: Montag, 03. Dezember 2018 um 14:11 Uhr Von: "Alan DeKok" <aland@deployingradius.com> An: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Betreff: Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode On Dec 3, 2018, at 8:00 AM, michael böhm <ksk2@gmx.net> wrote: - List info/subscribe/unsubscribe? See [1]http://www.freeradius.org/list/users.html References 1. http://www.freeradius.org/list/users.html
On Dec 3, 2018, at 9:37 AM, michael böhm <ksk2@gmx.net> wrote:
with your hints I managed to get this running:
That's good.
I get the error in freeradius -X:
(2) Found Auth-Type = PAP (2) Found Auth-Type = Accept (2) ERROR: Warning: Found 2 auth-types on request for user '<user>'
Can I ignore this?
Yes. If you upgrade to 3.0.17, the message will go away.
Only one more problem is to solve:
In post-auth we have a Perl-script that relies on the groups that come from LDAP to make user rights decisions. When we are in Next-Token-Mode (case 1.2) we do not query LDAP, so freeradius cannot pass the groups to the Perl script.
OK.
Is there a way to tell freeradius to cache the LDAP-groups from the last request for case 1.1 and use them in 1.2?
You can cache LDAP groups in the session-state list. But they're only cached for a series of challenge/ response packets. Alan DeKok.
with your hints I managed to get this running: That's good. I get the error in freeradius -X:
(2) Found Auth-Type = PAP (2) Found Auth-Type = Accept (2) ERROR: Warning: Found 2 auth-types on request for user '<user>'
Can I ignore this? Yes. If you upgrade to 3.0.17, the message will go away. Only one more problem is to solve:
In post-auth we have a Perl-script that relies on the groups that come from LDAP to make user rights decisions. When we are in Next-Token-Mode (case 1.2) we do not query LDAP, so freeradius cannot pass the groups to the Perl script. OK. Is there a way to tell freeradius to cache the LDAP-groups from the last request for case 1.1 and use them in 1.2? You can cache LDAP groups in the session-state list. But they're only cached for a series of challenge/ response packets. Alan DeKok.
Hi Alan, this seems to do exactly what we want: # In any case: check the LDAP and local user-file first ldap files # Case 1: No script-user -> 2FA if(User-Name !~ /^sc_.+$/) { # Case 1.1: LDAP-PW + Token if(User-Password =~ /^(.+)([0-9]{6})$/) { # LDAP-password in %{1} # Token in %{2} update request { User-Password := "%{1}" } # Check password and reject if incorrect pap pap.authenticate update request { User-Password := "%{2}" } # Proxy the request to the SecurID-server update control { Proxy-To-Realm := "securid" } } # Case 1.2: Just a Token, no LDAP-PW, Next-Token-Mode elsif(State && User-Password =~ /^([0-9]{6})$/) { update control { Proxy-To-Realm := "securid" } } } # Case 2: script-user else { pap } Is my elsif(State ...)-statement a robust way to check if this packet belongs to a challenge-response of this exact user? I want to avoid situations where a user might be able to authenticate with just a Token and no password. We are testing the configuration now. Thank you very much for your help! I'll check back in a few weeks regarding the password change / TACACS+ feature I asked for in my initial mail. For the moment we'll do the password changes via a web-interface for the LDAP which is fine. Best wishes Michael Gesendet: Montag, 03. Dezember 2018 um 19:43 Uhr Von: "Alan DeKok" <aland@deployingradius.com> An: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Betreff: Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode On Dec 3, 2018, at 9:37 AM, michael böhm <ksk2@gmx.net> wrote: - List info/subscribe/unsubscribe? See [1]http://www.freeradius.org/list/users.html References 1. http://www.freeradius.org/list/users.html
On Dec 4, 2018, at 7:37 AM, michael böhm <ksk2@gmx.net> wrote:
Is my elsif(State ...)-statement a robust way to check if this packet belongs to a challenge-response of this exact user?
It's: a) the user specified in the User-Name, and b) a response to a previous Access-Challenge.
I want to avoid situations where a user might be able to authenticate with just a Token and no password.
Unless the user controls the RADIUS client, they can't generate an Access-Request that contains a State attribute.
We are testing the configuration now. Thank you very much for your help!
You're welcome. Alan DeKok.
Hi, regarding the LDAP-password change (question in my initial mail) I managed to create this configuration: authorize { filter_username preprocess # empty password which triggers password-change if (User-Password =~ /^$/ && !State) { update reply { Reply-Message := "Old Password: " # Setting the Prompt via radius did not work here, instead this had to be configured on the Cisco-Router # radius-server challenge-noecho Prompt := No-Echo } update session-state { Tmp-String-0 := "Old-Password-Phase" } challenge } # password-change, query for new password elsif (&session-state:Tmp-String-0 && &session-state:Tmp-String-0 =~ /^Old-Password-Phase$/ && State) { ldap pap pap.authenticate update reply { Reply-Message := "New Password: " Prompt := No-Echo } update session-state { Tmp-String-0 := "New-Password-Phase-1" } challenge } # password-change, query for new password again elsif (&session-state:Tmp-String-0 && &session-state:Tmp-String-0 =~ /^New-Password-Phase-1$/ && State) { update reply { Reply-Message := "New Password (repeat): " Prompt := No-Echo } update session-state { Tmp-String-1 := User-Password Tmp-String-0 := "New-Password-Phase-2" } challenge } # compare both and write it to LDAP elsif (&session-state:Tmp-String-0 && &session-state:Tmp-String-0 =~ /^New-Password-Phase-2$/ && State) { if(User-Password != &session-state:Tmp-String-1) { update reply { Reply-Message := "Passwords do not match.\n" } reject } # Call a script that finally writes the new password to LDAP (tbd) perl } else { ldap pap } } Which creates these prompts on a Cisco-router: root@dn-aaa-rad1:~# ssh user@cisco-router Password: Old Password: New Password: New Password (repeat): This should work but wouldn't it be a good idea to give the freeradius ldap module a method to change the password so that there is just one program talking to the LDAP? Best wishes Michael Gesendet: Dienstag, 04. Dezember 2018 um 13:43 Uhr Von: "Alan DeKok" <aland@deployingradius.com> An: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Betreff: Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode On Dec 4, 2018, at 7:37 AM, michael böhm <ksk2@gmx.net> wrote:
Is my elsif(State ...)-statement a robust way to check if this packet belongs to a challenge-response of this exact user?
It's: a) the user specified in the User-Name, and b) a response to a previous Access-Challenge.
I want to avoid situations where a user might be able to authenticate with just a Token and no password.
Unless the user controls the RADIUS client, they can't generate an Access-Request that contains a State attribute.
We are testing the configuration now. Thank you very much for your help!
You're welcome. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
This should work but wouldn't it be a good idea to give the freeradius ldap module a method to change the password so that there is just one program talking to the LDAP?
You can hack it in today using v3.0.x and ldap.post-auth. There's not really a password change action/section, but this does seem like a useful feature, so maybe add a ticket on the GitHub issue tracker. -Arran
Opened: https://github.com/FreeRADIUS/freeradius-server/issues/2371 I hope that I put all necessary information in. Best wishes Michael Gesendet: Mittwoch, 12. Dezember 2018 um 15:11 Uhr Von: "Arran Cudbard-Bell" <a.cudbardb@freeradius.org> An: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Betreff: Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode
This should work but wouldn't it be a good idea to give the freeradius ldap module a method to change the password so that there is just one program talking to the LDAP?
You can hack it in today using v3.0.x and ldap.post-auth. There's not really a password change action/section, but this does seem like a useful feature, so maybe add a ticket on the GitHub issue tracker. -Arran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
"michael böhm" -
Alan DeKok -
Arran Cudbard-Bell