2-step auth LDAP + Proxy
Alan DeKok
aland at deployingradius.com
Sat Dec 30 15:04:44 CET 2017
On Dec 30, 2017, at 4:41 AM, Mathias Sundman <mathias at nilings.se> wrote:
>
>
> Just in case someone else is searching for the same problem, I’ve cleaned up the logic to make it work with multiple virtual servers where I manually force proxying to a specific Realm, instead of relying on the suffix/realm module to enable the proxying. This is now what I ended up with:
Updating a page on the Wiki would be nice, too. :)
> authorize {
>     if (!State) {
>         ldap
>         if (ok) {
>             update control {
>                 Auth-Type := LDAP
>             }
>         }
>     }
> }
That shouldn't be necessary, i.e. if you have a standards-compliant LDAP server, it can return the "known good" password, and the PAP module can check the password.
> authenticate {
>     Auth-Type LDAP {
It's probably best to rename this to something descriptive, like "two-factor".
>         ldap
This should probably be the "pap" module.
>         if (ok) {
>             update session-state {
>                 Tmp-Integer-0 := "%{randstr:n}"
>             }
Why are you updating the session-state here? That's not the State attribute. You should be updating the state attribute in the reply.
>             update reply {
>                 Reply-Message := "Please enter OTP"
>             }
>             challenge
>         }
>     }
> }
>
> pre-proxy {
>     attr_filter.pre-proxy
> }
>
> If you believe the logic is still flawed in any way, please let me know, otherwise I thank you again Alan for the quick reply and consider the problem solved.
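The posted configuration with Alan's three suggestions applied, as an added example that is not part of either message: the Auth-Type is renamed to "two-factor", the pap module checks the LDAP-supplied password, and the State attribute is set explicitly in the reply; the realm name "otp-realm.example" and the 16-character State format are assumptions, and forcing the proxy via Proxy-To-Realm on the second round trip follows the poster's description rather than his quoted lines.

```unlang
authorize {
    if (!State) {
        # First round trip: User-Password carries the LDAP password.
        # A standards-compliant LDAP server returns the "known good"
        # password, so pap can verify it in authenticate.
        ldap
        if (ok) {
            update control {
                Auth-Type := two-factor
            }
        }
    }
    else {
        # Second round trip: the client echoed our State and
        # User-Password now carries the OTP. Force proxying to the
        # OTP realm (placeholder name) instead of relying on suffix.
        update control {
            Proxy-To-Realm := "otp-realm.example"
        }
    }
}

authenticate {
    Auth-Type two-factor {
        pap
        if (ok) {
            # State is what ties the OTP reply to this first step;
            # it belongs in the reply, not in session-state.
            update reply {
                State := "%{randstr:aaaaaaaaaaaaaaaa}"
                Reply-Message := "Please enter OTP"
            }
            challenge
        }
    }
}

pre-proxy {
    attr_filter.pre-proxy
}
```

Only the second request reaches the proxied realm, so the OTP server never sees the LDAP password, and attr_filter.pre-proxy still strips attributes the home server should not receive.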