Freeradius and 2 Factor Authentication

Cornelius Kölbel cornelius.koelbel at netknights.it
Wed Jun 1 16:55:15 CEST 2016


Hello Aaron,

you are not the first to use FreeRADIUS with two factor authentication.
There are many installations of LinOTP and privacyIDEA using FreeRADIUS.
But the problem with OTP and MSCHAPv2 is MSCHAPv2.

Roughly: In MSCHAPv2 the RADIUS server sends a challenge to the
client.
The client will hash the challenge and the user password. Problem: The
user password is usually combined out of <static password><OTP value>.

The RADIUS server receives a hash value of something, which it does not
know. I.e. it does not know the OTP value.
So the RADIUS server - or the linotp plugin - would have to try the
hashes of all possible OTP values, since there could be a time skew in
TOTP or the user could have blank presses in HOTP.

But it gets worse: The password usually is not only the OTP value but
the concatenation of the user's password or PIN and the OTP value. To be
able to calculate the hash of the user's password and the dynamic OTP
value, the OTP server needs to know the user's password in clear text,
since

  HASH(pw+otp) != HASH(pw) + HASH(otp)

This way the only way to implement MSCHAPv2 with OTP is to store the
users' passwords not hashed, but encrypted.
At this point you need to decide if your users would like this.

Kind regards
Cornelius

On Wednesday, 01.06.2016, at 14:41 +0000, Aaron Smith wrote:
> I've been working on setting up a Microsoft Routing and Remote Access server that uses Freeradius for Authentication.  Out of the box, it works fine with simple user entries in the "users" file.  This is with both the Ubuntu 14.04 apt-get installations of Freeradius (2.1.x) as well as a compiled from source version of Freeradius 2.2.9.  I run into trouble when I try to add two factor authentication to the mix.  I'm trying to use LinOTP as a possible replacement of our CryptoCard Blackshield implementation.  The problem is that both products seem to only work with unencrypted passwords.  LinOTP has two options for Freeradius authentication.  There is a linotp2 module that can be compiled and installed along with Freeradius, and there is also a perl script that can be linked in with the rlm_perl module.  Looking at the perl script, it is expecting to find the attribute "User-Password" in the radius request, which it uses, along with the username, to go to a web URL on the LinOTP server to verify authentication.  I suspect that the linotp2 module works similarly.  The documentation provided by LinOTP says to set "DEFAULT Auth-Type := linotp2" if you're using the module or "DEFAULT Auth-Type := perl" if you're using the perl script in the freeradius users file.  Now, this will "work" for narrow authentication types like Microsoft's SSTP with an unencrypted password, but I'd like this solution to be more widely usable (Macs, iOS devices, etc) and use something like IKEv2, but that uses EAP-MSCHapv2.  If I try that, the authentication fails saying there is no password.
> 
> My question is...am I tilting at windmills trying to make this work?  I feel like it *should* be possible to do 2 factor authentication without having to resort to PPTP/unencrypted password or microsoft's proprietary SSTP.  Is there a way to have freeradius pass the MSChapv2 password to a perl script or another module?  Or perhaps it's possible to modify the perl script so it can accept an encrypted password?  I feel like maybe there's a way to configure authentication in the "inner-tunnel" freeradius site that would make this possible.  EAP-MSChapv2 authentication works with a plain, unencrypted password in the users file, so it obviously HAS the password that the user sends in SOME fashion.
> 
> A secondary question is that I imagine I can't be the first person to use Freeradius with 2 factor authentication.  I'd be curious to know how other folks have tackled this project and what products they used to accomplish it.
> 
> -----------------------------------
> Aaron Smith
> System Administrator  
> Information Services 
> Kalamazoo College
> 1200 Academy Street, Kalamazoo, MI 49006
> (269) 337-7496
>  Aaron.Smith at kzoo.edu
> 
> 
> 

-- 
Cornelius Kölbel
cornelius.koelbel at netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel
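
The server-side check described in the reply above, as an added example that is not part of the original thread and not LinOTP or privacyIDEA code. It assumes HMAC-SHA-256 as a stand-in for the MSCHAPv2 response construction (the real protocol uses MD4 and DES), hypothetical function names, and constructed sample values (the seed is the RFC 6238 test seed).

```python
import hashlib, hmac, struct

def totp(seed: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
    mac = hmac.new(seed, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def pw_hash(password: str) -> bytes:
    # Stand-in for the NT hash (really MD4 over UTF-16LE); SHA-256 used here.
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def response(challenge: bytes, password: str) -> bytes:
    # Stand-in for the MSCHAPv2 response: keyed on the password hash,
    # so the password itself never reaches the RADIUS server.
    return hmac.new(pw_hash(password), challenge, hashlib.sha256).digest()

def verify_with_cleartext_pin(challenge, resp, pin, seed, now, window=1, step=30):
    """Server can recover the PIN and knows the token seed: it rebuilds every
    candidate <PIN><OTP> inside the skew window and compares responses."""
    for drift in range(-window, window + 1):
        candidate = pin + totp(seed, now + drift * step, step)
        if hmac.compare_digest(response(challenge, candidate), resp):
            return True
    return False

def verify_with_hashed_pin(challenge, resp, pin_hash, seed, now, window=1, step=30):
    """Server stores only HASH(pin). Combining it with HASH(otp) does not
    yield HASH(pin+otp), so no candidate in the window can ever match."""
    for drift in range(-window, window + 1):
        otp = totp(seed, now + drift * step, step)
        guess = hmac.new(pin_hash + pw_hash(otp), challenge, hashlib.sha256).digest()
        if hmac.compare_digest(guess, resp):
            return True
    return False

# Constructed sample values for the demonstration.
SEED = b"12345678901234567890"   # RFC 6238 test seed
PIN = "s3cret"
NOW = 59                         # Unix time used by the client
CHALLENGE = bytes(range(16))
CLIENT_RESP = response(CHALLENGE, PIN + totp(SEED, NOW))
```

The number of candidates the server must hash grows with the accepted skew window (or HOTP look-ahead), and the PIN has to be stored in a reversible form for any of them to match.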

