Using privacyIDEA to authenticate to WiFi with 2FA/Token
Muenz, Michael
m.muenz at spam-fetish.org
Mon Nov 28 11:06:16 CET 2016
On 26.11.2016 at 16:33, Alan DeKok wrote:
>
>> I played around with ttls and md or gtc, inserted perl in authorized section and so on, nothing worked.
> Trying random things isn't a good way to solve problems. It's best to understand how things work.
>
> In this case, the EAP module handles the outer tunnel. If the inner-tunnel authentication contains PAP, you can put the "perl" module into the authenticate section, as:
>
> authenticate {
> ...
>
> Auth-Type PAP {
> perl
> }
>
> ...
> }
>
> Which is probably the simplest thing to do. EAP-GTC will work, too, but why do that when you have PAP?
Thanks for your explanations! I set this on the inner-tunnel but it
still doesn't work.
Now I can see the password (OTP key), but it still doesn't get forwarded to
the perl plugin.
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
User-Name = "user"
User-Password = "123456"
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
User-Name = "user"
User-Password = "123456"
FreeRADIUS-Proxied-To = 127.0.0.1
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] = noop
rlm_perl: Added pair User-Name = user
rlm_perl: Added pair User-Password = 123456
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
++[perl] = ok
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = ok
ERROR: No authenticate method (Auth-Type) found for the request:
Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> user
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
} # server inner-tunnel
[ttls] Got tunneled reply code 3
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> user
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 14 to 81.24.74.3 port 42084
EAP-Message = 0x04040004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 5 ID 10 with timestamp +31
I've added the FreeRADIUS for Beginners book to my Safari queue :)
The "problem" with FreeRADIUS is that you search for a problem, add the
related part, and it works for ages.
So there was no reason to dive into the insights, but this one seems to
be quite a bit more complex.
Really appreciate your help, thank you!
Michael
> As for the other authentication methods, see:
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
> You just cannot use anything other than PAP with Perl. At least, in the way you want to do.
>
> Alan DeKok.
>
--
www.muenz-it.de
- Cisco, Linux, Networks
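The inner-tunnel configuration that Alan's reply describes, written out as an added example; this is not taken from the thread and is not FreeRADIUS's shipped default. The debug output above shows why the request is rejected: "pap" in authorize finds no "known good" password for the user, so it never sets Auth-Type, and the inner-tunnel then fails with "No authenticate method (Auth-Type) found". Forcing Auth-Type PAP for tunneled requests that carry a User-Password makes the "perl" module's authenticate function run with the OTP available. The module instance name "perl" and the file path are assumed to match the poster's setup.

```unlang
# /etc/freeradius/sites-enabled/inner-tunnel (added example; module name
# "perl" and path assumed to match the original post)
server inner-tunnel {
    authorize {
        # The OTP is not a "known good" password, so the pap module cannot
        # derive Auth-Type from a Cleartext-Password. Select PAP explicitly
        # whenever the tunneled request contains a User-Password.
        if (User-Password) {
            update control {
                Auth-Type := PAP
            }
        }
        chap
        mschap
        suffix
        eap
        expiration
        logintime
    }

    authenticate {
        # Only the PAP path is routed to the perl script; the inner
        # EAP types cannot hand a usable password to rlm_perl.
        Auth-Type PAP {
            perl
        }
        eap
    }
}
```

With this in place, the "No authenticate method (Auth-Type) found" line in the debug output should be replaced by the perl module running in the authenticate section; if the script returns reject there, the problem is in the script's authenticate function rather than in how the request reaches it.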