Best/fastest method to query external radius OTP
Hello dear users. Could you help ? We have a freeradius 3.0.x configuration working - Authorization with LDAP - Authentication with LDAP, backup to files Now trying to get validation from OTP provider Needs to send a radius request with User-Name="myusername", User-Password="push" (this one is always "push", not the original pwd). The "push" words triggers a push notification on mobile that needs to be answered, and then OTP provider radius answers with accept or reject. I have tried radclient (working in console mode) with exec module, but having some issues to move it to rlm_exec module (piping data I think). So far reached exec myotp { input_pairs = request wait = yes timeout = 30 program = "/bin/echo \"User-Name=$USER_NAME,User-Password=push\" | /bin/radclient -r 1 -t 20 xx.xx.xx.xx:1812 auth mysecret" } Of course still missing the testing of what the command returns. But this does not work. Seems piping is not working and I can not push two commands there. An idea where is the issue ? Is there a better or fastest way ? thanks nash35
Never used the exec module, but I guess it's not a shell interpreter, so pipes won't work. You could run it as 'sh -c "my_command_with_pipes"' Cheers, Alex El 18/6/20 a las 10:35, Dominique Wille escribió:
Hello dear users. Could you help ? We have a freeradius 3.0.x configuration working - Authorization with LDAP - Authentication with LDAP, backup to files
Now trying to get validation from OTP provider
Needs to send a radius request with User-Name="myusername", User-Password="push" (this one is always "push", not the original pwd). The "push" words triggers a push notification on mobile that needs to be answered, and then OTP provider radius answers with accept or reject.
I have tried radclient (working in console mode) with exec module, but having some issues to move it to rlm_exec module (piping data I think).
So far reached
exec myotp { input_pairs = request wait = yes timeout = 30 program = "/bin/echo \"User-Name=$USER_NAME,User-Password=push\" | /bin/radclient -r 1 -t 20 xx.xx.xx.xx:1812 auth mysecret" } Of course still missing the testing of what the command returns.
But this does not work. Seems piping is not working and I can not push two commands there. An idea where is the issue ?
Is there a better or fastest way ?
thanks
nash35 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Alejandro Perez-Mendez Technical Specialist (AAA), Trust & Identity Skype alejandro_perez_mendez jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under company number. 05747339, VAT number GB 197 0632 86. Jisc’s registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 02881024, VAT number GB 197 0632 86. The registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800. Jisc Commercial Limited is a wholly owned Jisc subsidiary and a company limited by shares which is registered in England under company number 09316933, VAT number GB 197 0632 86. The registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800. For more details on how Jisc handles your data see our privacy notice here: https://www.jisc.ac.uk/website/privacy-notice
On Jun 18, 2020, at 4:35 AM, Dominique Wille <dominique.wille@plantformance.com> wrote:
Hello dear users. Could you help ? We have a freeradius 3.0.x configuration working - Authorization with LDAP - Authentication with LDAP, backup to files
Now trying to get validation from OTP provider
Needs to send a radius request with User-Name="myusername", User-Password="push" (this one is always "push", not the original pwd). The "push" words triggers a push notification on mobile that needs to be answered, and then OTP provider radius answers with accept or reject.
I have tried radclient (working in console mode) with exec module, but having some issues to move it to rlm_exec module (piping data I think).
Why not just proxy the packet? You can re-write the password in the "pre-proxy" section. That's what it's for. Alan DeKok.
participants (3)
-
Alan DeKok -
Alejandro Perez-Mendez -
Dominique Wille