Using OTP authentication with Freeradius 2
I am trying to migrate from freeradius 1.1.7 to freeradius 2.0.5 and I cannot get the OTP module to work. Basically it instantiates, but when I specify "Auth-Type = OTP" in a users file entry, it complains that this is not a valid value for that attribute. This worked fine under 1.1.7 . I have been Googling, grepping the source code and reading the wiki for a couple of days now without finding anything that directly pertains to this problem. I don't know if I messed up compiling the code or configuring the server. If this is documented somewhere, please forgive me, as I have been unable to find it. Here are the relevant snippets from the -X output; the full output is attached: including configuration file /usr/local/etc/raddb/modules/otp [...] including configuration file /usr/local/etc/raddb/otp.conf [...] Module: Linked to module rlm_otp Module: Instantiating otp otp { otpd_rp = "/var/run/otpd/socket" challenge_prompt = "Challenge: %s Response: " challenge_length = 6 challenge_delay = 30 allow_sync = yes allow_async = no mschapv2_mppe = 2 mschapv2_mppe_bits = 2 mschap_mppe = 2 mschap_mppe_bits = 2 } And then it craps out at the end with: /usr/local/etc/raddb/users[4]: Parse error (check) for entry DEFAULT: Unknown value otp for attribute Auth-Type Errors reading /usr/local/etc/raddb/users The entry that worked under 1.1.7 (and which results in the above error under 2.0.5) is: DEFAULT Auth-Type = OTP Fall-Through = No Thanks for any pointers; I am pretty much dead in the water in my migration at this point. --Greg
Do you have that Auth-Type defined in the authenticate section? Ivan Kalik Kalik Informatika ISP Dana 1/7/2008, "Greg Woods" <woods@ucar.edu> piše:
I am trying to migrate from freeradius 1.1.7 to freeradius 2.0.5 and I cannot get the OTP module to work. Basically it instantiates, but when I specify "Auth-Type = OTP" in a users file entry, it complains that this is not a valid value for that attribute. This worked fine under 1.1.7 . I have been Googling, grepping the source code and reading the wiki for a couple of days now without finding anything that directly pertains to this problem. I don't know if I messed up compiling the code or configuring the server. If this is documented somewhere, please forgive me, as I have been unable to find it.
Here are the relevant snippets from the -X output; the full output is attached:
including configuration file /usr/local/etc/raddb/modules/otp [...] including configuration file /usr/local/etc/raddb/otp.conf [...] Module: Linked to module rlm_otp Module: Instantiating otp otp { otpd_rp = "/var/run/otpd/socket" challenge_prompt = "Challenge: %s Response: " challenge_length = 6 challenge_delay = 30 allow_sync = yes allow_async = no mschapv2_mppe = 2 mschapv2_mppe_bits = 2 mschap_mppe = 2 mschap_mppe_bits = 2 }
And then it craps out at the end with:
/usr/local/etc/raddb/users[4]: Parse error (check) for entry DEFAULT: Unknown value otp for attribute Auth-Type Errors reading /usr/local/etc/raddb/users
The entry that worked under 1.1.7 (and which results in the above error under 2.0.5) is:
DEFAULT Auth-Type = OTP Fall-Through = No
Thanks for any pointers; I am pretty much dead in the water in my migration at this point.
--Greg
On Tue, 2008-07-01 at 23:57 +0100, Ivan Kalik wrote:
Do you have that Auth-Type defined in the authenticate section?
That question is a little less obvious to answer under 2.0.5 than it was under 1.1.7 . In my /etc/raddb/sites-enabled/default file, I did add "otp" to both the authorize {} and authenticate {} sections. Is there something else besides that which I might have missed? --Greg
Greg Woods wrote:
In my /etc/raddb/sites-enabled/default file, I did add "otp" to both the authorize {} and authenticate {} sections. Is there something else besides that which I might have missed?
Where did you have "otp" listed in 1.1.7? Put it in the same sections in 2.0.5. The sites-enabled/default file is just a cut & paste of the authorize/authenticate/etc sections from radiusd.conf. The sections have *moved* with minor edits. They haven't fundamentally changed form or function. Alan DeKok.
Try adding it to inner-tunnel as well (you won't be using it there, but it won't hurt). It looks like inner-tunnel is loaded before default in your configuration (my 2.0.5 loads default first). Ivan Kalik Kalik Informatika ISP Dana 1/7/2008, "Greg Woods" <woods@ucar.edu> piše:
On Tue, 2008-07-01 at 23:57 +0100, Ivan Kalik wrote:
Do you have that Auth-Type defined in the authenticate section?
That question is a little less obvious to answer under 2.0.5 than it was under 1.1.7 .
In my /etc/raddb/sites-enabled/default file, I did add "otp" to both the authorize {} and authenticate {} sections. Is there something else besides that which I might have missed?
--Greg
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Wed, 2008-07-02 at 09:23 +0100, Ivan Kalik wrote:
Try adding it to inner-tunnel as well (you won't be using it there, but it won't hurt). It looks like inner-tunnel is loaded before default in your configuration (my 2.0.5 loads default first).
Thank you! That was it! First major hurdle overcome. Now I have to figure out why it doesn't authenticate. "otpauth" does work, so I know otpd is doing the right thing, but when I run "radtest", I see a bunch of Access-Request packets sent and no response. The debug output looks like: rad_recv: Access-Request packet from host 128.117.64.240 port 33485, id=190, len gth=57 User-Name = "woods" User-Password = "##########" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "woods", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns updated users: Matched entry DEFAULT at line 4 ++[files] returns ok rlm_otp: otp_pwe_present: password attributes 2, 2 ++[otp] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type otp auth: type "otp" +- entering group authenticate rlm_otp: otp_pwe_present: password attributes 2, 2 I cannot see from there why the server is not responding. I thought maybe it was a firewall issue, so I made sure to try again after turning off iptables, but the result is the same. --Greg
User-Name = "woods" User-Password = "##########" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "woods", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns updated users: Matched entry DEFAULT at line 4 ++[files] returns ok rlm_otp: otp_pwe_present: password attributes 2, 2 ++[otp] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type otp auth: type "otp" +- entering group authenticate rlm_otp: otp_pwe_present: password attributes 2, 2
How sure are you that your auth script works? I can't see that it produces any result. You should debug the script when run by the server and see where it gets stuck. Ivan Kalik Kalik Informatika ISP
On Wed, 2008-07-02 at 17:15 +0100, Ivan Kalik wrote:
How sure are you that your auth script works?
I'm not using a script. Under 1.1.7 at least, when "otp" is invoked, it communicates with otpd using a socket. This is known as the "rendezvous point" and is specified in otpd.conf as "otpd_rp = /var/run/otpd/socket". This is documented in the config file comments for 2.0.5, so I assume it is supposed to work the same way. I am sure that otpd is working, because the "otpauth" program that comes with otpd, and bypasses freeradius to communicate directly with otpd via the socket, is working fine. --Greg
On Wed, 2008-07-02 at 12:33 -0600, Greg Woods wrote:
On Wed, 2008-07-02 at 17:15 +0100, Ivan Kalik wrote:
How sure are you that your auth script works?
I'm not using a script. Under 1.1.7 at least, when "otp" is invoked, it communicates with otpd using a socket.
I've got more on this; I'm now wondering if I should file a bug report. First, otpauth always works, both before and after trying it with freeradius. So I really believe the problem is not with otpd. What happens when I run radtest is, the first time, it always produces an Access-Reject response, whether or not I provide the correct passcode. The second time I run radtest, it sends radiusd into an infinite loop. No debugging output is produced after the first authentication attempt, and that looks like this: rlm_otp: otp_pwe_present: password attributes 2, 2 ++[otp] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type otp auth: type "otp" +- entering group authenticate rlm_otp: otp_pwe_present: password attributes 2, 2 Note that it says that otp returned ok, but it still sends an Access-Reject response. I ran radiusd under 'strace', and it shows that it is going into an infinite loop trying to write to the otpd socket, and getting a "Broken pipe" error. It will continue to do this, racking up CPU time, until I kill it. Does anybody have OTP authentication working with freeradius 2.0.5? Could something in my configuration be causing this problem, or is it more likely a bug? --Greg
Greg Woods wrote:
What happens when I run radtest is, the first time, it always produces an Access-Reject response, whether or not I provide the correct passcode. The second time I run radtest, it sends radiusd into an infinite loop. ... I ran radiusd under 'strace', and it shows that it is going into an infinite loop trying to write to the otpd socket, and getting a "Broken pipe" error. It will continue to do this, racking up CPU time, until I kill it.
I've committed a fix to CVS head. EPIPE means that the pipe is closed, and any further writes to it are impossible. The code *was* trying to write after EPIPE, which was likely wrong. It might still *not* work. But it should no longer hang.
Does anybody have OTP authentication working with freeradius 2.0.5? Could something in my configuration be causing this problem, or is it more likely a bug?
I don't use the OTP code, sorry. Alan DeKok.
participants (3)
-
Alan DeKok -
Greg Woods -
Ivan Kalik