Hey all, ive set up a radius daemon to verify OTPs. It's all working just fine, except for the log entries on failure to give the correct OTP. Here is the virtual server ive set up: server oath { client XXXXXXXX { secret = XXXXXXXXXX shortname = oath } listen { type = auth ipaddr = * port = 4000 } listen { type = acct ipaddr = * port = 4001 } authorize { preprocess if (!("%{request:User-Password}" =~ /^[0-9]{10,10}$/)) { update control { Auth-Type := Reject } } else { files } } accounting { radutmp exec } post-auth { exec } } The actual OTP script is run from the users file, as per the directions of the script author. DEFAULT Auth-Type = Accept Exec-Program-Wait = "/usr/sbin/multiotp -log %{User-Name} %{User-Password}", Reply-Message = "Hello, %{User-Name}" This works fine. If I give the correct pin+OTP I can login, and wrong one I cant. Freeradius -X on wrong OTP says: server oath { # Executing section authorize from file /etc/freeradius/sites-enabled/oath +- entering group authorize {...} ++[preprocess] returns ok ++? if (!("%{request:User-Password}" =~ /^[0-9]{10,10}$/)) expand: %{request:User-Password} -> 1234383980 ?? Evaluating ("%{request:User-Password}" =~ /^[0-9]{10,10}$/) -> TRUE ? Converting !TRUE -> FALSE ++? if (!("%{request:User-Password}" =~ /^[0-9]{10,10}$/)) -> FALSE ++- entering else else {...} [files] users: Matched entry DEFAULT at line 203 [files] expand: /usr/sbin/multiotp -log %{User-Name} %{User-Password} -> /usr/sbin/multiotp -log cor XXXXXXXX [files] expand: Hello, %{User-Name} -> Hello, cor +++[files] returns ok ++- else else returns ok Found Auth-Type = Accept Auth-Type = Accept, accepting the user Login OK: [cor] (from client oath port 10) # Executing section post-auth from file /etc/freeradius/sites-enabled/oath +- entering group post-auth {...} Exec-Program output: Exec-Program: returned: 26 [exec] Login incorrect (external check said so) ++[exec] returns reject } # server oath Sending Access-Reject of id 151 to 194.109.42.42 port 42619 Reply-Message = "Hello, cor" Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 151 with timestamp +6 Im using 'exec' in post-auth to use the return code of the script to reject the login. I dont know of another way to do this. Unfortunately this does mean that im seeing this in syslog: Jul 17 20:55:58 otpauth1 freeradius[24891]: Login OK: [cor] (from client oath port 10) Is there a way to have freeradius properly give a login rejected msg in syslog? Regards, Cor
Hmm yes, pretty out of date way of doing things, the problem is you're explicitly forcing authentication to succeed, and calling the exec module really late... Get rid of the files call, or just use it to set the reply message i.e. Don't use Auth-Type = Accept. See here for a guide: http://wiki.freeradius.org/multiOTP+HOWTO If you're using FR 2.1.11 just remove '${policy.multiotp_prefix}' from regexp in the authorize section If you're using a version lower than FR 2.1.11, please upgrade. -Arran Arran Cudbard-Bell a.cudbardb@freeradius.org RADIUS - Half the complexity of Diameter
Hey Arran,
Hmm yes, pretty out of date way of doing things, the problem is you're explicitly forcing authentication to succeed, and calling the exec module really late...
Yeah, the author of multiotp doesnt seem to know about the out of date method, his docs still mention the old method.
See here for a guide: http://wiki.freeradius.org/multiOTP+HOWTO
If you're using FR 2.1.11 just remove '${policy.multiotp_prefix}' from regexp in the authorize section If you're using a version lower than FR 2.1.11, please upgrade.
Im still using 2.1.10, it's the current version for debian squeeze. But with your pointers I was able to adapt your example to work in 2.1.10 and now everything works perfect. Thanks, much appreciated Cor
participants (2)
-
Arran Cudbard-Bell -
Cor Bosman