2 Factor Authentication
Alan DeKok
aland at deployingradius.com
Thu Jan 5 00:31:17 CET 2017
On Jan 4, 2017, at 6:05 PM, Dudás Péter <peter.pdudas at gmail.com> wrote:
> I would proxy the request, but needs 2 authentication - first the Duo, then
> AD auth (SSL=pap, L2TP=MSCHAPv2). Or first Ad then Duo.
> Is it possible to proxy the request to Duo and then have a second
> authentication on the same request depending on the result of the proxy
> answer?
No. We're fixing that in v4.
> Tried with just a module which runs a shell script which does nothing -
> except Exit 0
> Module has no output_pairs defined.
> And it has the same result - connection failed. No red lines in the debug -
> all fine.
That's suspicious.
> I simply have no clue. Firewall log shows authentication successful - but
> the devices are not connected (Windows10/Android/iPad).
> 99% that it is related with MPPE keys - I just simply have no clue what is
> the connection between the generated MPPE keys and a second authentication.
The MPPE keys are automatically derived from the authentication method / credentials. They change with every login.
> I'm not able to decrypt/use the MPPE keys - so cannot verify them.
You don't decrypt them. The debug log shows their real value.
> Firewall just needs the Filter-Id and access-accept, then grants the
> connection. So it is not a firewall-related issue.
Well, if the firewall is not allowing the user online, then it is a firewall issue.
> PPP connection not established - that's why I think it can be related with
> the MPPE keys. But as you can see the keys are generated at the mschap
> authentication.
Yes. And if your script doesn't modify the MPPE keys, everything should be fine.
> Is it possible to cache the MPPE keys to be sure they are not changed
> during/because of the second authentication.
Don't do that.
> "Since you've only given a non-working debug output and not a working
> one... no, we don't know what's going on."
> The debug contains 2 successful authentications and an Access-Accept answer.
> So it is a successful authentication - just have a problem somewhere.
If FreeRADIUS returns Access-Accept and the user doesn't get online... blame the NAS.
Alan DeKok.
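As an added illustration of the point above (not code from the list or from FreeRADIUS): the debug output already shows the MPPE keys in the clear in the Sent Access-Accept, so a quick check of that block tells you whether a second authentication step stripped or mangled them. The debug excerpt below is constructed in the style of FreeRADIUS 3 output, the key values are placeholders, and "exec_duo" is a hypothetical module name.

```python
import re

# Constructed FreeRADIUS-3-style debug excerpt for two logins (not a real capture;
# key values are placeholders, "exec_duo" is a hypothetical second-factor module).
SAMPLE_DEBUG = """\
(0) Received Access-Request Id 7 from 192.0.2.10:49152 to 192.0.2.1:1812 length 173
(0) mschap: adding MS-CHAPv2 MPPE keys
(0)     [mschap] = ok
(0)     [exec_duo] = ok
(0) Sent Access-Accept Id 7 from 192.0.2.1:1812 to 192.0.2.10:49152 length 0
(0)   MS-MPPE-Recv-Key = 0x00112233445566778899aabbccddeeff
(0)   MS-MPPE-Send-Key = 0xffeeddccbbaa99887766554433221100
(0)   MS-MPPE-Encryption-Policy = Encryption-Allowed
(0)   Filter-Id = "vpn-users"
(1) Received Access-Request Id 8 from 192.0.2.10:49152 to 192.0.2.1:1812 length 173
(1)     [mschap] = ok
(1)     [exec_duo] = ok
(1) Sent Access-Accept Id 8 from 192.0.2.1:1812 to 192.0.2.10:49152 length 0
(1)   Filter-Id = "vpn-users"
"""

ACCEPT_RE = re.compile(r"^\((\d+)\) Sent Access-Accept ")
ATTR_RE = re.compile(r"^\((\d+)\)\s+([\w-]+) = (.+)$")
MPPE_KEYS = ("MS-MPPE-Send-Key", "MS-MPPE-Recv-Key")

def accept_attributes(debug_text):
    """Map request number -> {attribute: value} for each Sent Access-Accept block."""
    replies, current = {}, None
    for line in debug_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            current = m.group(1)
            replies[current] = {}
        elif (a := ATTR_RE.match(line)) and a.group(1) == current:
            replies[current][a.group(2)] = a.group(3)
        else:
            current = None  # any non-attribute line ends the reply listing
    return replies

def diagnose(attrs):
    """List reasons an MS-CHAPv2 PPP link could fail despite this Access-Accept."""
    problems = []
    for k in MPPE_KEYS:
        if k not in attrs:
            problems.append(f"missing {k}")
        elif not re.fullmatch(r"0x[0-9a-fA-F]+", attrs[k]):
            problems.append(f"{k} is not a hex blob: {attrs[k]}")
    if "Filter-Id" not in attrs:
        problems.append("missing Filter-Id (the NAS policy needs it)")
    return problems
```

In the constructed sample the first login is complete, while the second carries Filter-Id but no MPPE keys, which is exactly the case where the NAS accepts the user yet the PPP link never comes up.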