Error 2FA - AD password and external OTP via RADIUS proxy
Hi I configure at https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy But there was an error /etc/freeradius/3.0/sites-enabled/proxy[2]: Invalid location for 'if' Any ideas FreeRADIUS Version 3.0.1
On Mar 11, 2020, at 7:21 AM, Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I configure at https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy But there was an error /etc/freeradius/3.0/sites-enabled/proxy[2]: Invalid location for 'if' Any ideas FreeRADIUS Version 3.0.1
Upgrade to 3.0.20. It has many bugs fixed. And no, you didn't follow that guide. The guide is pretty clear where the "if" statements go. It gives you filenames. The server configuration is well documented. You can't just add random things to random configuration files, and expect that they do what you want. Alan DeKok.
Thanks. Bug fixed. Can I configure radtest for a 2fa request ? Now, after radtest testuser testpasswd 10.42.2.36 1812 testing123 Received Access-Challenge Id 160 from 10.42.2.36:1812 to 0.0.0.0:0 length 56 State = 0x575a6b39676f34544332324f584d357a Reply-Message = "Please enter OTP» That is I don't understand if 2fa works or not
11 марта 2020 г., в 14:27, Alan DeKok <aland@deployingradius.com> написал(а):
On Mar 11, 2020, at 7:21 AM, Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I configure at https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy But there was an error /etc/freeradius/3.0/sites-enabled/proxy[2]: Invalid location for 'if' Any ideas FreeRADIUS Version 3.0.1
Upgrade to 3.0.20. It has many bugs fixed.
And no, you didn't follow that guide. The guide is pretty clear where the "if" statements go. It gives you filenames.
The server configuration is well documented. You can't just add random things to random configuration files, and expect that they do what you want.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
F2A test, add it to your ssh login and enable it and test it. Thats easy todo.. Just make sure you 2 ! Extra sessions logged in before you enable it. If your on debian/ubuntu. https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-... What is easy todo for a test. Greetz, Louis
-----Oorspronkelijk bericht----- Van: Freeradius-Users [mailto:freeradius-users-bounces+belle=bazuin.nl@lists.freerad ius.org] Namens ?????????????? ???????????????? ?????????????????? via Freeradius-Users Verzonden: woensdag 11 maart 2020 13:18 Aan: FreeRadius users mailing list CC: ?????????????? ???????????????? ?????????????????? Onderwerp: Re: Error 2FA - AD password and external OTP via RADIUS proxy
Thanks. Bug fixed. Can I configure radtest for a 2fa request ? Now, after radtest testuser testpasswd 10.42.2.36 1812 testing123 Received Access-Challenge Id 160 from 10.42.2.36:1812 to 0.0.0.0:0 length 56 State = 0x575a6b39676f34544332324f584d357a Reply-Message = "Please enter OTP» That is I don't understand if 2fa works or not
11 ?????????? 2020 ??., ?? 14:27, Alan DeKok <aland@deployingradius.com> ??????????????(??):
On Mar 11, 2020, at 7:21 AM, ?????????????? ???????????????? ?????????????????? via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I configure at
https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Pr oxy But there was an error /etc/freeradius/3.0/sites-enabled/proxy[2]: Invalid location for 'if' Any ideas FreeRADIUS Version 3.0.1
Upgrade to 3.0.20. It has many bugs fixed.
And no, you didn't follow that guide. The guide is pretty clear where the "if" statements go. It gives you filenames.
The server configuration is well documented. You can't just add random things to random configuration files, and expect that they do what you want.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
In freeradius logs, this is ldap: Bind credentials incorrect: Invalid credentials): [testuser/testpasswd2217287 First the request for a normal password and then the otp 2217287 What's wrong ? 11 марта 2020 г., в 15:28, L.P.H. van Belle via Freeradius-Users <freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org>> написал(а): F2A test, add it to your ssh login and enable it and test it. Thats easy todo.. Just make sure you 2 ! Extra sessions logged in before you enable it. If your on debian/ubuntu. https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-... What is easy todo for a test. Greetz, Louis -----Oorspronkelijk bericht----- Van: Freeradius-Users [mailto:freeradius-users-bounces+belle=bazuin.nl@lists.freerad ius.org<http://ius.org/>] Namens ?????????????? ???????????????? ?????????????????? via Freeradius-Users Verzonden: woensdag 11 maart 2020 13:18 Aan: FreeRadius users mailing list CC: ?????????????? ???????????????? ?????????????????? Onderwerp: Re: Error 2FA - AD password and external OTP via RADIUS proxy Thanks. Bug fixed. Can I configure radtest for a 2fa request ? Now, after radtest testuser testpasswd 10.42.2.36 1812 testing123 Received Access-Challenge Id 160 from 10.42.2.36:1812 to 0.0.0.0:0 length 56 State = 0x575a6b39676f34544332324f584d357a Reply-Message = "Please enter OTP» That is I don't understand if 2fa works or not 11 ?????????? 2020 ??., ?? 14:27, Alan DeKok <aland@deployingradius.com<mailto:aland@deployingradius.com>> ??????????????(??): On Mar 11, 2020, at 7:21 AM, ?????????????? ???????????????? ?????????????????? via Freeradius-Users <freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org>> wrote: I configure at https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Pr oxy But there was an error /etc/freeradius/3.0/sites-enabled/proxy[2]: Invalid location for 'if' Any ideas FreeRADIUS Version 3.0.1 Upgrade to 3.0.20. It has many bugs fixed. And no, you didn't follow that guide. The guide is pretty clear where the "if" statements go. It gives you filenames. The server configuration is well documented. You can't just add random things to random configuration files, and expect that they do what you want. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mar 11, 2020, at 10:31 AM, Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
In freeradius logs, this is ldap: Bind credentials incorrect: Invalid credentials): [testuser/testpasswd2217287 First the request for a normal password and then the otp 2217287 What's wrong ?
The user entered the password followed by the OTP, all as one field. Then, you configured FreeRADIUS to send all that to LDAP. The general practice is to put the 6-digit OTP first, then the password. Then, split them via something like this: if (User-Password =~ /^(......)(.*)$/) { update request { User-Password := "%{2}" OTP-Password := "%{1}" } } You will need to edit raddb/dictionary in order to define OTP-Password. This lets you use User-Password as normal to connect to LDAP, and authenticate the user. You can then check OTP-Password however you want. Alan DeKok.
participants (4)
-
Alan DeKok -
L.P.H. van Belle -
Клеусов Владимир Сергее вич -
Клеусов Владимир Сергеевич