2-step auth LDAP + Proxy

Alan DeKok aland at deployingradius.com
Wed Dec 27 16:51:11 CET 2017

On Dec 27, 2017, at 10:09 AM, Mathias Sundman <mathias at nilings.se> wrote:
> However, he now wants to first authenticate the user with username/AD-password via LDAP against their AD, and if successful, the user should be prompted for the OTP code as a second step. This is currently not possible with the Gemalto SAS solution, so I’m therefore trying to deploy a FreeRADIUS (v3.0.13 on CentOS7) server in between and have FR perform the AD auth, return an Access-Challenge and then proxy the second Access-Request with the OTP code to Gemalto RADIUS.

   That's possible, but it takes a bit of tweaking.  But it requires an understanding of how Access-Challenge works.

> I’ve successfully managed to independently configure FR with the LDAP module to authenticate the username/password against their AD, or configure it as a proxy to send the requests to Gemalto, but I can’t really figure out how to chain these two auth methods together. After I enabled proxying of NULL realm, the first auth request is sent straight on to Gemalto.

  Then configure it to not do that...

  i.e. for the first packet, return Access-Challenge with a State and a Reply-Message (as a prompt to the user).  Then, the subsequent Access-Request should contain that same State attribute.  You can then check for the existence of State, and proxy only when it exists.

  Basically what you want is this.  You'll have to glue the pieces together yourself.

authorize {

	if (!State) {
		# ... set up for AD authentication ...
	} else {
		# ... set up for proxy to Gemalto ...
	}
}

authenticate {
	Auth-Type LDAP {
		if (ok) {
			update reply {
				State = &User-Name  # should be random, but this should be fine..
				Reply-Message = "Please enter OTP"
			}

			update control {
				Response-Packet-Type := Access-Challenge
			}
		}
	}
}

  That should give you the right direction.

  Alan DeKok.
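The two-round flow outlined above, glued together as a complete FreeRADIUS 3.0 unlang example; this is added here and is not code from the thread or from the FreeRADIUS distribution. The realm name `gemalto`, the home server address and the shared secret are placeholders you replace with your own.

```unlang
# proxy.conf: placeholder home server for the Gemalto RADIUS (constructed values)
home_server gemalto_otp {
	type = auth
	ipaddr = 192.0.2.10          # placeholder
	port = 1812
	secret = CHANGE-ME           # placeholder
}
home_server_pool gemalto_pool {
	type = fail-over
	home_server = gemalto_otp
}
realm gemalto {
	auth_pool = gemalto_pool
	nostrip                      # forward User-Name unchanged
}

# sites-enabled/default (relevant sections only)
authorize {
	if (!&State) {
		# Round 1: no State yet, so User-Password is the AD password.
		# Force LDAP bind authentication instead of any realm/proxy logic.
		update control {
			&Auth-Type := LDAP
		}
	}
	else {
		# Round 2: the NAS echoed our State, so User-Password is now the OTP.
		# Hand the packet to the Gemalto realm defined in proxy.conf.
		update control {
			&Proxy-To-Realm := "gemalto"
		}
	}
}

authenticate {
	Auth-Type LDAP {
		ldap
		if (ok) {
			# AD password was correct: send a challenge for the OTP instead of
			# an Access-Accept. State is random so it cannot be predicted.
			update reply {
				&State := "0x%{randstr:16h}"
				&Reply-Message := "Please enter OTP"
			}
			update control {
				&Response-Packet-Type := Access-Challenge
			}
		}
	}
}
```

Round 2 here only checks that State is present; in production, record each issued State (for example with rlm_cache keyed on it) and reject second-round requests whose State was never issued, so the AD step cannot be skipped.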
