freeradius proxying directions..
Dear Freeradius community professional. i am a noob in the freeradius business and really need some basic guidance. i was following an article: https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy and it worked fine. now my goal is to support push notification on mobile devices. (the freeradius should proxy the request without waiting for OTP input from the authenticating user.) instead the freeradius should, after successful LDAP bind, send username + p for password, to the OTP radius. that will trigger a push notification on the mobile device. could anyone point me in the right direction on where and what to change? Thank you very much and keep up the good work. Cheers, Tom
On Jan 6, 2019, at 10:16 AM, Tom Mustaki <tom@mustaki.com> wrote:
i am a noob in the freeradius business and really need some basic guidance. i was following an article: https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy
and it worked fine.
That's good.
now my goal is to support push notification on mobile devices. (the freeradius should proxy the request without waiting for OTP input from the authenticating user.) instead the freeradius should, after successful LDAP bind, send username + p for password, to the OTP radius. that will trigger a push notification on the mobile device.
could anyone point me in the right direction on where and what to change?
The server can't do proxying *and* local authentication at the same time. But with a bit of minor configuration, it should work. The simple solution is to *not* set Auth-Type = LDAP. You should be able to do something like: authorize { ... ldap.authenticate # run LDAP bind if (ok) { update control { Proxy-To-Realm := "realm" } } ... } Alan DeKok.
Alan, Thank you for the information. sadly i couldn't accomplish it. i have played a little with the configuration and got it partially working. i noticed a bug, in which, even if radius server is down, access is granted.. can someone identify the bug for me and explain how to modify the script to correct it? authorize { if (!State) { if (&User-Password) { # If !State and User-Password (PAP), then force LDAP: update control { Ldap-UserDN := "%{User-Name}@domain.com" Auth-Type := LDAP } } else { reject } } else { # If State, then proxy request: update control { Proxy-To-Realm := "proxy-test" } } } authenticate { Auth-Type LDAP { # Attempt authentication with a direct LDAP bind: ldap if (ok) { update request { User-Password := p } update control { Proxy-To-Realm := "proxy-test" } accept } } } pre-proxy { # Enable pre-proxy to filter State attribute from proxied requests: attr_filter.pre-proxy } } On Mon, Jan 7, 2019 at 3:39 PM Alan DeKok <aland@deployingradius.com> wrote:
On Jan 6, 2019, at 10:16 AM, Tom Mustaki <tom@mustaki.com> wrote:
i am a noob in the freeradius business and really need some basic guidance. i was following an article: https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy
and it worked fine.
That's good.
now my goal is to support push notification on mobile devices. (the freeradius should proxy the request without waiting for OTP input from the authenticating user.) instead the freeradius should, after successful LDAP bind, send username + p for password, to the OTP radius. that will trigger a push notification on the mobile device.
could anyone point me in the right direction on where and what to change?
The server can't do proxying *and* local authentication at the same time. But with a bit of minor configuration, it should work.
The simple solution is to *not* set Auth-Type = LDAP. You should be able to do something like:
authorize { ... ldap.authenticate # run LDAP bind if (ok) { update control { Proxy-To-Realm := "realm" } } ... }
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 9, 2019, at 9:51 AM, Tom Mustaki <tom@mustaki.com> wrote:
Alan, Thank you for the information. sadly i couldn't accomplish it.
What does that mean? What error did you get when you tried my suggestion? Saying "stuff didn't work" is not overly helpful.
i have played a little with the configuration and got it partially working. i noticed a bug, in which, even if radius server is down, access is granted..
Because you told it to do that.
can someone identify the bug for me and explain how to modify the script to correct it? ... authenticate { Auth-Type LDAP { # Attempt authentication with a direct LDAP bind: ldap if (ok) { update request { User-Password := p } update control { Proxy-To-Realm := "proxy-test" }
That won't work. The server EITHER runs the "authenticate" section, OR it proxies. It can't do both.
accept
That's an unconditional "accept the user". Which is why it unconditionally accepts the user. My suggestion should work:
authorize { ... ldap.authenticate # run LDAP bind if (ok) { update control { Proxy-To-Realm := "realm" } } ... }
That will do "bind as user" to authenticate the user, BUT do it in the "authorize" phase. That way, the "authenticate" phase then sees the Proxy-To-Realm, and proxies the packet, instead of doing local authentication. If that doesn't work, say WHY it doesn't work. Show the debug output. Alan DeKok.
Alan, it worked just like you said it would. You are the man! Thank you. my config : authorize { update control { Ldap-UserDN := "%{User-Name}@domain.com" } ldap.authenticate # run user authentication by LDAP bind if (ok) { update request { # Trigger push notification by sending 'p' for password value User-Password := p } update control { # send to SafeNet Authentication Service Proxy-To-Realm := "proxy-test" } } } authenticate { } pre-proxy { # Enable pre-proxy to filter State attribute from proxied requests: attr_filter.pre-proxy } On Wed, Jan 9, 2019 at 5:55 PM Alan DeKok <aland@deployingradius.com> wrote:
On Jan 9, 2019, at 9:51 AM, Tom Mustaki <tom@mustaki.com> wrote:
Alan, Thank you for the information. sadly i couldn't accomplish it.
What does that mean? What error did you get when you tried my suggestion?
Saying "stuff didn't work" is not overly helpful.
i have played a little with the configuration and got it partially working. i noticed a bug, in which, even if radius server is down, access is granted..
Because you told it to do that.
can someone identify the bug for me and explain how to modify the script to correct it? ... authenticate { Auth-Type LDAP { # Attempt authentication with a direct LDAP bind: ldap if (ok) { update request { User-Password := p } update control { Proxy-To-Realm := "proxy-test" }
That won't work. The server EITHER runs the "authenticate" section, OR it proxies. It can't do both.
accept
That's an unconditional "accept the user". Which is why it unconditionally accepts the user.
My suggestion should work:
authorize { ... ldap.authenticate # run LDAP bind if (ok) { update control { Proxy-To-Realm := "realm" } } ... }
That will do "bind as user" to authenticate the user, BUT do it in the "authorize" phase. That way, the "authenticate" phase then sees the Proxy-To-Realm, and proxies the packet, instead of doing local authentication.
If that doesn't work, say WHY it doesn't work. Show the debug output.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Tom Mustaki