2-step auth LDAP + Proxy
Mathias Sundman
mathias at nilings.se
Sat Dec 30 10:41:25 CET 2017
> On 28 Dec 2017, at 03:47, Mathias Sundman <mathias at nilings.se> wrote:
>
>
>> On 27 Dec 2017, at 16:51, Alan DeKok <aland at deployingradius.com> wrote:
>>
>> On Dec 27, 2017, at 10:09 AM, Mathias Sundman <mathias at nilings.se> wrote:
>>> However, he now wants to first authenticate the user with username/AD-password via LDAP against their AD, and if successful, the user should be prompted for the OTP code as a second step. This is currently not possible with the Gemalto SAS solution, so I’m therefore trying to deploy a FreeRADIUS (v3.0.13 on CentOS7) server in between and have FR perform the AD auth, return an Access-Challenge and then proxy the second Access-Request with the OTP code to Gemalto RADIUS.
>>
>> That's possible, but it takes a bit of tweaking. But it requires an understanding of how Access-Challenge works.
>
> I also had to enable attr_filter.pre-proxy in the pre-proxy section to filter out the State and Reply-Message attributes before the second Access-Request was proxied to Gemalto, otherwise the request was rejected as that server did not expect a request with a state.
Just in case someone else is searching for the same problem, I’ve cleaned up the logic to make it work with multiple virtual servers where I manually force proxying to a specific Realm, instead of relying on the suffix/realm module to enable the proxying. This is now what I ended up with:
authorize {
    # First round trip: no State attribute yet, so this is the
    # username/AD-password step. Check the user against AD via LDAP.
    if (!State) {
        ldap
        if (ok) {
            update control {
                Auth-Type := LDAP
            }
        }
        else {
            reject
        }
    }
    # Second round trip: the client echoed our State, so the password
    # field now carries the OTP. Force proxying to the Gemalto realm.
    else {
        update control {
            Proxy-To-Realm := "test"
        }
    }
}

authenticate {
    Auth-Type LDAP {
        ldap
        if (ok) {
            # Writing to session-state makes the server add a State
            # attribute to the reply and keep this data for the next request.
            update session-state {
                Tmp-Integer-0 := "%{randstr:n}"
            }
            update reply {
                Reply-Message := "Please enter OTP"
            }
            challenge
        }
    }
}

pre-proxy {
    # Strip State and Reply-Message before the OTP request is proxied;
    # the Gemalto server rejects requests carrying an unexpected State.
    attr_filter.pre-proxy
}
If you believe the logic is still flawed in any way, please let me know, otherwise I thank you again Alan for the quick reply and consider the problem solved.
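For readers who want to see the two round trips as a whole, here is an added model of the flow in the config above (example code, not from the thread or from FreeRADIUS). The `ldap_bind` and `proxy_to_realm` callbacks, the 30-second State lifetime and the sample credentials are assumptions standing in for the ldap module, the proxied Gemalto server and the session-state list.

```python
import secrets
import time

STATE_TTL = 30  # seconds a pending challenge stays valid (assumption)

class TwoStepAuth:
    def __init__(self, ldap_bind, proxy_to_realm):
        self.ldap_bind = ldap_bind            # (user, password) -> bool
        self.proxy_to_realm = proxy_to_realm  # (realm, request) -> reply dict
        self.sessions = {}                    # State -> (user, expiry)

    def handle(self, request):
        user = request["User-Name"]
        state = request.get("State")
        if state is None:
            # Step 1 (no State): authenticate against AD via LDAP.
            if not self.ldap_bind(user, request["User-Password"]):
                return {"Code": "Access-Reject"}
            token = secrets.token_bytes(16)   # like %{randstr:n} in session-state
            self.sessions[token] = (user, time.time() + STATE_TTL)
            return {"Code": "Access-Challenge", "State": token,
                    "Reply-Message": "Please enter OTP"}
        # Step 2: a State is present; it must match a live, unused challenge
        # issued to the same user (pop makes each State single use).
        pending = self.sessions.pop(state, None)
        if pending is None or pending[1] < time.time() or pending[0] != user:
            return {"Code": "Access-Reject"}
        # attr_filter.pre-proxy: drop State/Reply-Message before forwarding,
        # otherwise the OTP server rejects the unexpected State.
        proxied = {k: v for k, v in request.items()
                   if k not in ("State", "Reply-Message")}
        return self.proxy_to_realm("test", proxied)

def demo():
    """Constructed stand-ins: AD accepts alice/Pa55w0rd, OTP server accepts 123456."""
    ldap = lambda u, p: (u, p) == ("alice", "Pa55w0rd")
    def otp_server(realm, req):
        ok = req["User-Password"] == "123456" and "State" not in req
        return {"Code": "Access-Accept" if ok else "Access-Reject"}
    srv = TwoStepAuth(ldap, otp_server)
    first = srv.handle({"User-Name": "alice", "User-Password": "Pa55w0rd"})
    second = srv.handle({"User-Name": "alice", "User-Password": "123456",
                         "State": first["State"]})
    replay = srv.handle({"User-Name": "alice", "User-Password": "123456",
                         "State": first["State"]})
    return first["Code"], second["Code"], replay["Code"]
```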