2 Factor Authentication
Alan DeKok
aland at deployingradius.com
Wed Jan 4 23:30:40 CET 2017
On Jan 4, 2017, at 4:50 PM, Dudás Péter <peter.pdudas at gmail.com> wrote:
> I'm trying to integrate Duo auth proxy (2.4.19) and Freeradius 3.0.12 on
> Ubuntu 16.04 to have 2 Factor Authentication on VPN radius requests via Duo
> security.
What's "duo auth"?
> Active directory integration done via Samba4 (winbindd).
>
> VPN authentication can be SSLVPN or L2TP. Both work - SSL uses PAP
> authentication against the AD, L2TP uses MSCHAPv2 against the AD.
> SSL sends back only the Filter-Id, L2TP sends Filter-Id and MPPE keys.
>
> To have 2 Factor Authentication I created a module for Duo authentication
> which calls an external script with the user variables and the script
> writes them to a text file which is the input file for a radclient in the
> following way:
> /usr/bin/radclient -f /opt/duoauthproxy/packet -c 1 -r 2 -t 30 -x
> 127.0.0.1:1645 auth secret -x
That works only for PAP. And why run "radclient" manually? The server can proxy RADIUS packets. Why not do that?
> Radclient connects to the Duo Auth Proxy on the localhost and doing the
> authentication via Duo services (push/phone/otp code).
> After the authentication the module returns the Exit code 0 or Exit code 1
> (depending on the authentication result).
Proxying RADIUS packets would be a lot easier.
> With the SSLVPN it works fine - simply put the Duo authorization before the
> AD auth in the authorize section and it works perfectly.
> With the L2TP it is not working at all. I see the successful authentication
> (both: Duo and MSCHAP), MPPE keys and Filter-Id returned, the firewall grants
> the access - and the devices just do not connect.
Blame the L2TP gateway then. If the attributes returned by FreeRADIUS are the same for both Duo and non-duo cases, then the NAS should behave the same in both situations.
> I don't see any errors, and as the firewall also grants the access I have
> no clue what this could be.
Look at the firewall logs to see what it's doing. You can't debug the firewall by looking at the FreeRADIUS logs.
> I've tried to run the Duo auth in the authorize and post-auth sections - no
> matter where it is, the connection is not successful.
You're looking at the wrong thing.
Look at the debug log and Access-Accept packets for both the "with duo" and "without duo" cases. If the Access-Accepts are the same, then the firewall should behave the same in both situations.
> Do you maybe know what changes with this second authentication which blocks
> the L2TP VPN connection?
Since you've only given a non-working debug output and not a working one... no, we don't know what's going on.
> If I comment out the DUO - then L2TP VPN connects without problem.
>
> I don't find any difference in the Reply packets (checked with Wireshark
> too).
Then blame the firewall.
Alan DeKok.
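As an added illustration of the proxying Alan suggests (not configuration from the thread or from the FreeRADIUS project): the home server below uses the address, port and shared secret that appear in the poster's radclient command line; the home_server, pool and realm names, the 30-second response window and the User-Password condition (which confines proxying to the PAP/SSL VPN flow the poster reports as working) are assumptions.

```conf
# --- proxy.conf (FreeRADIUS 3.0.x) ---
# Forward the whole Access-Request to the Duo Auth Proxy instead of
# re-typing its attributes into a file for radclient.
home_server duo_authproxy {
        type = auth
        ipaddr = 127.0.0.1          # from the radclient command in the post
        port = 1645                 # from the radclient command in the post
        secret = secret             # from the radclient command in the post
        # Duo pushes need time for the user to respond; 30s mirrors "-t 30".
        response_window = 30
        # Assumed: the auth proxy does not answer Status-Server, so do not
        # let a missing status reply mark it as dead.
        status_check = none
}

home_server_pool duo_pool {         # name is an assumption
        type = fail-over
        home_server = duo_authproxy
}

realm duo {                         # name is an assumption
        auth_pool = duo_pool
        # Forward User-Name unchanged to the auth proxy.
        nostrip
}

# --- sites-enabled/default, authorize section ---
authorize {
        # ...existing modules (preprocess, etc.)...

        # Assumed condition: only proxy requests that carry a cleartext
        # User-Password, i.e. the PAP (SSL VPN) flow. Once a request is
        # proxied, this server's own authenticate section is skipped and
        # the reply attributes (e.g. Filter-Id) come from the home server,
        # so compare the Access-Accept in "radiusd -X" with the non-proxied one.
        if (User-Password && !control:Proxy-To-Realm) {
                update control {
                        Proxy-To-Realm := "duo"
                }
        }

        # ...remaining modules (mschap, ntlm_auth, pap, etc.)...
}
```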