chain two authentication modules together

madmatrix hailumeng at gmail.com
Sat Jun 18 15:57:24 CEST 2011


Thanks a lot, Alexander. Your thoughts help me a lot. I will utilize Python
to get OTP integrated and use its native lib. :)

I'm afraid our VPN client doesn't support OTP. But when it passes
user/passwd to RADIUS, I think the VPN client or NAS really doesn't care about
your backend. I think for OTP first, I must pass the user name with the OTP
password together to the OTP server. For the second LDAP auth, I may strip off the
user name prompt. It's a reverse version compared to the usual AD/RSA way.

Another question for the users file: for default users, should I put Auth-Type
as my python or ldap? I'm a little bit confused there. If I only put python
there, the ldap module may not be executed.

I really appreciate your help. I feel more confident now for this project.

Thanks.

Lou
On Jun 18, 2011 6:11 AM, "Alexander Clouter [via FreeRadius]" <
ml-node+4501148-2134591798-220770 at n5.nabble.com> wrote:
>
>
> madmatrix <hailumeng at gmail.com> wrote:
>>
>> Thanks a lot Alexander. I'm familiar with Python, so rlm_python might be
>> a good choice for me. The main thing I want to do is to give remote
>> VPN clients two-factor authentication.
>>
> Depending on how your VPN works and what the clients can support, you
> could use the OTP to create the tunnel, and then EAP on the inside to
> authenticate (and VLAN assign) the user. It would complement any
> wireless/wired 802.1X solution you have on site perfectly too.
>
> Although a good plan, as the OTP being the first hop means your user
> credentials cannot be brute forced, you might find it complicated to
> pull off; at a first glance I am not sure how something like IPsec could
> be OTPised...maybe you will get more luck with OpenVPN.
>
>> Since FreeRADIUS, PAM and all the open-source OTP solutions are available, I
>> think free two-factor authentication is doable instead of the expensive
>> RSA solution.
>>
> Always bear in mind, as long as the man hours you put in are less than or
> roughly equal to the RSA solution (over a three year period), then
> that's a worthwhile approach. It also gives you something to present as a
> talk to other organisations. :)
>
>> So the first authentication is against our AD. If successful, the
>> system should generate a one-time password and send it to the user through
>> SMS or other ways. The user then puts the OTP into the 2nd challenge
>> prompt. FreeRADIUS authenticates this OTP against the OTP server.
>>
>> I already tried using pam to authenticate against AD or OTP. I was
>> trying to use PAM stack to make this happen. But it's hard to put some
>> scripts to send password to user between the two PAM modules. So I
>> turned to FreeRadius to see if it can have some ways to do this.
>>
> For your initial version, I recommend when the user is prompted for a
> password, you get them to type "<otp> <password>" (RSA style). Check
> the OTP *first* and then validate the password. Your RADIUS
> configuration will look like:
> ----
> authorize {
>     ....
>     your_python_otp_script
>     ldap
>     ....
> }
> ----
>
> 'your_python_otp_script' will *rewrite* User-Password so that when it
> gets to the ldap module it's as if the user just sent their password
> without the OTP. Of course if the OTP is incorrect,
> your_python_otp_script can instantly return reject, giving you your two
> factor authentication.
>
>> So if I use rlm_python, I can utilize some existing executable files
>> (like ldapsearch, ldapcompare, otp_auth) to directly authenticate
>> against LDAP and OTP. To send OTP to user is much easier to do in
>> python too. Am I correct?
>>
> rlm_python will let you change how your OTP system functions quickly,
> which is helpful as:
> * newer, more flexible technologies come along that you want to use
> * users find the initial approach too complicated. As the brains are
> really all in a Python script, you should find it trivial to
> change to meet their needs
>
> One word of warning, do *not* use system()/exec() or whatever python
> uses. Use a native LDAP module. Same with the OTP/SMS approach if
> possible. Calling OS commands like that, especially when there are
> native libraries, is generally a Bad Idea(tm) and the coding gods *will*
> smite you for your crimes.
>
> Cheers
>
> --
> Alexander Clouter
> .sigmonster says: Time as he grows old teaches all things.
> -- Aeschylus
>
> -
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
>
>


--
View this message in context: http://freeradius.1045715.n5.nabble.com/chain-two-authentication-modules-together-tp4499333p4501373.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
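As an added illustration of the "<otp> <password>" scheme Alexander describes (this is not code from either message in the thread, nor from rlm_python itself), here is an rlm_python-style authorize hook in Python: it checks the OTP first, rejects on failure so ldap is never reached, and otherwise hands on the OTP-stripped password. The OTP table is a constructed stand-in for a real OTP server, the return-code values follow FreeRADIUS's rlm constants, and returning the stripped password in the third (config) tuple is an assumption about how it gets back to the ldap module, which depends on the rlm_python version in use.

```python
"""rlm_python-style authorize hook for the "<otp> <password>" scheme.

rlm_python calls the function with a tuple of (attribute, value) pairs.
Return codes follow FreeRADIUS (RLM_MODULE_REJECT = 0, RLM_MODULE_UPDATED = 8).
"""
import hmac

RLM_MODULE_REJECT, RLM_MODULE_UPDATED = 0, 8

# Constructed stand-in for the OTP server: codes still valid per user.
# A code is burned on first use, so a replayed OTP is rejected.
VALID_OTPS = {"lou": {"482913", "771204"}}


def otp_is_valid(user, otp):
    """Constant-time compare against each unused code, then burn the match."""
    for candidate in sorted(VALID_OTPS.get(user, ())):
        if hmac.compare_digest(candidate.encode(), otp.encode()):
            VALID_OTPS[user].discard(candidate)
            return True
    return False


def _attr(pairs, name):
    """Look up one attribute; some rlm_python builds pass strings quoted."""
    for key, value in pairs:
        if key == name:
            return value.strip('"')
    return None


def authorize(p):
    """Check the OTP *first*; on success pass only the LDAP password on."""
    user = _attr(p, "User-Name")
    combined = _attr(p, "User-Password")
    if not user or not combined or " " not in combined:
        return RLM_MODULE_REJECT
    otp, _, password = combined.partition(" ")
    if not otp_is_valid(user, otp):
        return RLM_MODULE_REJECT  # wrong or replayed OTP: ldap never runs
    # Assumption: the stripped password is returned in the config tuple so
    # the rest of the authorize section can present it to the ldap module.
    return (RLM_MODULE_UPDATED, (), (("User-Password", password),))
```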

