Two-Factor Auth using FreeRADIUS

Sat Mar 17 20:57:38 CET 2012

Good afternoon, Alan; Thank you for your reply! I have spent some time ruminating on this and You have given me some leads to follow, for which I am very grateful! I intend to follow up on this again after I experiment more this afternoon and evening, but first a few quick replies to some of your points:

>It's easy to avoid "flames".  Be honest, be clear, and follow instructions.

Understood! I don't want to waste anyone's time beating horses that have long since expired; I also did not mean to intimate that anyone on the list goes out of their way to 'haze' people!

>You can't create an Access-Challenge packet in jradius.  You can only create a reply.  If the user isn't accepted, the reply is automatically a reject.

Okay, I believe that this is where some of my confusion came from. 

A friend of mine who went to the Navy Nuclear School said that the instructors marked their papers with "GCE" for "Gross Conceptual Error" whenever they got something terribly wrong on an assignment. I believe this may be my first of many GCEs here. I think that I took the JRadius API at face value; I was doing something like this (again, this was in the "authorize" stage):

RadiusPacketreq =request.getRequestPacket();
RadiusPacketrep=request.getReplyPacket();

RadiusPacketresponse =newAccessChallenge();

To this I would add the 'State' and 'Reply-Message' attributes, copy the packet ID, and then later:

request.setReplyPacket(reply );

 My thinking was that FreeRADIUS would take this at face value; After all, the difference between a Access-Challenge and another RADIUS packet is merely the ID. So from what you say above, may I infer that the only thing that FreeRADIUS takes from the reply are the different attributes assigned to it, and it handles the "type" of packet itself? 

> You need to set the "request->reply->code = PW_ACCESS_CHALLENGE" for challenges to work.  See rlm_example.

Thank you!

>It's just not set up to do manually created challenges.  The reason is that 99.9999% of people get it wrong, and it's not necessary.

Here's to hoping that I can be part of the 00.0001%, maybe in income one day, as well as in FreeRADIUS packet manipulation! In this case, I cannot find another auth method that allows a flow with the aspects that the use case requires. Most other OTP schemes have something where the server knows the value ahead of time, and the user has a device that displays it i.e. RSA SecurID or Gemalto's equivalent (both of which I believe are implemented as RADIUS protocol implementations as well). The Access-Challenge method also allows us to give users multiple retries.

> Does the SSL-VPN even support Access-Challenge?  Some don't.

As a matter of fact, it does. I absolutely would not have set off on this, much less posted to this list had I not done an Extensive POC with TinyRADIUS (A wonderful little tool for quick mock-ups). Obviously in choosing to attempt it in FreeRADIUS I got in a little over my head!

>  There are many cases where you can send an Access-Challenge. HOWEVER... most of them are mandated by the authentication method.  EAP, MS-CHAP, etc.

Thank you again. So it seems that what I want to do doesn't really fit into any of the current authentication methods. I will continue digging, you have given me some seriously great education and help here; Thank you so much. I will follow up with my experiences!

> See rlm_example.

Thanks!

Ryon D.