2 Factor Authentication

Dudás Péter peter.pdudas at gmail.com
Wed Jan 4 22:50:54 CET 2017


Hello!

I'm trying to integrate Duo auth proxy (2.4.19) and Freeradius 3.0.12 on
Ubuntu 16.04 to have 2 Factor Authentication on VPN radius requests via Duo
security.
Active Directory integration is done via Samba4 (winbindd).

VPN authentication can be SSLVPN or L2TP. Both work - SSL uses PAP
authentication against the AD, L2TP uses MSCHAPv2 against the AD.
SSL sends back only the Filter-Id, L2TP sends Filter-Id and MPPE keys.

To have 2 Factor Authentication I created a module for Duo authentication
which calls an external script with the user variables and the script
writes them to a text file which is the input file for a radclient in the
following way:
/usr/bin/radclient -f /opt/duoauthproxy/packet -c 1 -r 2 -t 30 -x
127.0.0.1:1645 auth secret -x

Radclient connects to the Duo Auth Proxy on the localhost and does the
authentication via Duo services (push/phone/OTP code).
After the authentication the module returns the Exit code 0 or Exit code 1
(depending on the authentication result).

With the SSLVPN it works fine - simply put the Duo authorization before the
AD auth in authorize section and works perfectly.
With the L2TP it is not working at all. I see the successful authentication
(both Duo and MS-CHAP), MPPE keys and Filter-Id returned, the firewall grants
the access - and the devices just do not connect.

I don't see any errors, and as the firewall also grants the access I have
no clue what this could be.
Now the Duo auth happens in the post-auth section - but it can be anywhere - it is
just not working.
Here is the debug:

(0) Received Access-Request Id 203 from 10.101.168.3:59819 to
10.148.64.67:1812 length 161
(0)   Service-Type = Framed-User
(0)   Framed-Protocol = PPP
(0)   User-Name = "Peter Dudas"
(0)   NAS-IP-Address = 89.212.168.XYZ
(0)   NAS-Port = 0
(0)   MS-CHAP-Challenge = 0x5556c20e9277af608a7ba5335955d181
(0)   MS-CHAP2-Response =
0x32006b1c6f8f39c8c7049a9b365ac86156e90000000000000000f7a54abdb5fa7c889557a2729d2234117d36cd4a203ed4ac
(0)   Proxy-State = 0xfe80000000000000953e77ad63f094ba000000cb
(0) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(0)   authorize {
(0)     [preprocess] = ok
(0)     if (User-Name != ""){
(0)     if (User-Name != "") -> TRUE
(0)     (User-Name != "") { ... } # empty sub-section is ignored
(0) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log:    --> /var/log/freeradius/radacct/
10.101.168.3/auth-detail-20170104
(0) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/10.101.168.3/auth-detail-20170104
(0) auth_log: EXPAND %t
(0) auth_log:    --> Wed Jan  4 22:35:44 2017
(0)     [auth_log] = ok
(0)     if (User-Name != "" && Service-Type !* "") {
(0)     if (User-Name != "" && Service-Type !* "")  -> FALSE
(0)     else {
(0)       if (MS-CHAP2-Response != "" && MS-CHAP-Challenge != "") {
(0)       if (MS-CHAP2-Response != "" && MS-CHAP-Challenge != "")  -> TRUE
(0)       if (MS-CHAP2-Response != "" && MS-CHAP-Challenge != "")  {
(0)         if (NAS-IP-Address == "89.212.168.XZY" && Framed-Protocol ==
"PPP") {
(0)         if (NAS-IP-Address == "89.212.168.XYZ" && Framed-Protocol ==
"PPP")  -> TRUE
(0)         if (NAS-IP-Address == "89.212.168.XYZ" && Framed-Protocol ==
"PPP")  {
(0)           if (Service-Type == "Framed-User" && Packet-Type ==
"Access-Request" ) {
(0)           EXPAND Packet-Type
(0)              --> Access-Request
(0)           if (Service-Type == "Framed-User" && Packet-Type ==
"Access-Request" )  -> TRUE
(0)           if (Service-Type == "Framed-User" && Packet-Type ==
"Access-Request" )  {
(0)             if (MS-CHAP-Challenge != ""  && NAS-PORT == "0" ) {
(0)             if (MS-CHAP-Challenge != ""  && NAS-PORT == "0" )  -> TRUE
(0)             if (MS-CHAP-Challenge != ""  && NAS-PORT == "0" )  {
(0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(0)               [mschap] = ok
(0)               if (ok) {
(0)               if (ok)  -> TRUE
(0)               if (ok)  {
(0)                 update reply {
(0)                   Filter-Id := "L2TP-Users"
(0)                 } # update reply = noop
(0)               } # if (ok)  = noop
(0)             } # if (MS-CHAP-Challenge != ""  && NAS-PORT == "0" )  = ok
(0)           } # if (Service-Type == "Framed-User" && Packet-Type ==
"Access-Request" )  = ok
(0)         } # if (NAS-IP-Address == "89.212.168.XYZ" && Framed-Protocol
== "PPP")  = ok
(0)       } # if (MS-CHAP2-Response != "" && MS-CHAP-Challenge != "")  = ok
(0)     } # else = ok
(0)   } # authorize = ok
(0) Found Auth-Type = mschap
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0)   Auth-Type mschap {
(0) mschap: Creating challenge hash with username: Peter Dudas
(0) mschap: Client is using MS-CHAPv2
(0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key
--username=%{request:User-Name} --domain=site.domain.local
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
--require-membership-of=site.domain.local\l2tp-users:
(0) mschap: EXPAND --username=%{request:User-Name}
(0) mschap:    --> --username=Peter Dudas
(0) mschap: Creating challenge hash with username: Peter Dudas
(0) mschap: EXPAND --challenge=%{mschap:Challenge:-00}
(0) mschap:    --> --challenge=397e282f44bc0581
(0) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
(0) mschap:    -->
--nt-response=f7a54abdb5fa7c889557a2729d2234117d36cd4a203ed4ac
(0) mschap: Program returned code (0) and output 'NT_KEY:
A1A055BBCC2133B2E1FCD8213C6B03FE'
(0) mschap: Adding MS-CHAPv2 MPPE keys
(0)     [mschap] = ok
(0)   } # Auth-Type mschap = ok
(0) # Executing section post-auth from file
/etc/freeradius/sites-enabled/default
(0)   post-auth {
(0) reply_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
(0) reply_log:    --> /var/log/freeradius/radacct/
10.101.168.3/reply-detail-20170104
(0) reply_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
expands to /var/log/freeradius/radacct/10.101.168.3/reply-detail-20170104
(0) reply_log: EXPAND %t
(0) reply_log:    --> Wed Jan  4 22:35:44 2017
(0)     [reply_log] = ok
(0) duo: Executing: /usr/bin/radclient -f /etc/freeradius/packet -c 1 -r 1
-t 45 127.0.0.1:1645 auth secret -x:
(0) duo: Program returned code (0) and output 'Sent Access-Request Id 49
from 0.0.0.0:52464 to 127.0.0.1:1645 length 75         Packet-Type =
Access-Request    Service-Type = Framed-User      Framed-Protocol = PPP
 User-Name = "Peter Dudas"       User-Password = "push"  NAS-IP-Address =
89.212.168.XYZ         NAS-Port = 0    Cleartext-Password = "push" Received
Access-Accept Id 49 from 127.0.0.1:1645 to 0.0.0.0:0 length 48
 Reply-Message = "Success. Logging you in..."'
(0) duo: Program executed successfully
(0)     [duo] = ok
(0) reply_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
(0) reply_log:    --> /var/log/freeradius/radacct/
10.101.168.3/reply-detail-20170104
(0) reply_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
expands to /var/log/freeradius/radacct/10.101.168.3/reply-detail-20170104
(0) reply_log: EXPAND %t
(0) reply_log:    --> Wed Jan  4 22:35:44 2017
(0)     [reply_log] = ok
(0)     [exec] = noop
(0) reply_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
(0) reply_log:    --> /var/log/freeradius/radacct/
10.101.168.3/reply-detail-20170104
(0) reply_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
expands to /var/log/freeradius/radacct/10.101.168.3/reply-detail-20170104
(0) reply_log: EXPAND %t
(0) reply_log:    --> Wed Jan  4 22:35:44 2017
(0)     [reply_log] = ok
(0)   } # post-auth = ok
(0) Login OK: [Peter Dudas/<via Auth-Type = mschap>] (from client dc1 port
0)
(0) Sent Access-Accept Id 203 from 10.148.64.67:1812 to 10.101.168.3:59819
length 0
(0)   Filter-Id := "L2TP-Users"
(0)   MS-CHAP2-Success =
0x32533d34413036444345313735434538323544364344333939363634303638424345343738453634383132
(0)   MS-MPPE-Recv-Key = 0x8e2b496673e4be264ff378973bfc4f0a
(0)   MS-MPPE-Send-Key = 0x3d999c39dd3234adb646ff83015329da
(0)   MS-MPPE-Encryption-Policy = Encryption-Required
(0)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(0)   Proxy-State = 0xfe80000000000000953e77ad63f094ba000000cb
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 203 with timestamp +18

I've tried to run the Duo auth in the authorize and post-auth sections - no
matter where it is, the connection is not successful.

Do you maybe know what changes with this second authentication that blocks
the L2TP VPN connection?
If I comment out the Duo module, then the L2TP VPN connects without problem.

I don't find any difference in the Reply packets (checked with Wireshark
too).

Thank you!

Peter Dudas
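An added example of the exec-module helper the post describes (not the poster's own script): it writes the radclient attribute file, sends it to the Duo Auth Proxy, and turns the reply into the exit code FreeRADIUS checks. It assumes the proxy address and shared secret from the post, and it quotes User-Name, since values with spaces such as the one in the debug output must be quoted in the radclient file.

```shell
#!/bin/bash
# Added example: Duo second factor via radclient, called from a FreeRADIUS
# exec module as  /path/duo_auth.sh "%{User-Name}" push "%{NAS-IP-Address}".
# Assumed from the post: proxy on 127.0.0.1:1645, shared secret "secret".
PROXY="${DUO_PROXY:-127.0.0.1:1645}"
SECRET="${DUO_SECRET:-secret}"
RADCLIENT="${RADCLIENT:-/usr/bin/radclient}"

# Quote a value for the radclient attribute file: the file uses the
# users-file syntax, so embedded quotes and backslashes are escaped.
rad_quote() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/[\\"]/\\&/g')"
}

# Write the Access-Request for the proxy. The Duo factor ("push", "phone"
# or a passcode) travels in User-Password, as in the poster's debug output.
build_packet() {   # build_packet FILE USERNAME FACTOR NAS_IP
    {
        printf 'User-Name = %s\n' "$(rad_quote "$2")"
        printf 'User-Password = %s\n' "$(rad_quote "$3")"
        printf 'NAS-IP-Address = %s\n' "$4"
        printf 'Service-Type = Framed-User\n'
    } > "$1"
}

# Only an Access-Accept counts as success; an Access-Reject, an
# Access-Challenge or a timeout (no "Received" line at all) is a failure.
check_reply() {   # check_reply RADCLIENT_OUTPUT  -> 0 accept, 1 otherwise
    printf '%s\n' "$1" | grep -q '^Received Access-Accept '
}

# Glue: build the file, send it once with a long timeout so a push can be
# answered, and map the result to the exit code the exec module looks at.
# radclient also accepts -S <file> to keep the secret out of the process list.
duo_auth() {      # duo_auth USERNAME FACTOR NAS_IP
    pkt="$(mktemp)"
    build_packet "$pkt" "$1" "$2" "$3"
    out="$("$RADCLIENT" -f "$pkt" -c 1 -r 1 -t 45 -x "$PROXY" auth "$SECRET" 2>&1)"
    rm -f "$pkt"
    check_reply "$out"
}
```

Note that the NAS is still waiting for the original Access-Request while the push is pending, so its own RADIUS timeout must be longer than radclient's `-t` or it will give up before the reply arrives.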
