2 Factor Authentication

Alan DeKok aland at deployingradius.com
Thu Jan 5 00:31:17 CET 2017

On Jan 4, 2017, at 6:05 PM, Dudás Péter <peter.pdudas at gmail.com> wrote:
> I would proxy the request, but needs 2 authentication - first the Duo, then
> AD auth (SSL=pap, L2TP=MSCHAPv2). Or first Ad then Duo.
> Is it possible to proxy the request to Duo and then have a second
> authentication on the same request depending on the result of the proxy
> answer?

  No.  We're fixing that in v4.

> Tried with just a module which runs a shell script which do nothing -
> except Exit 0
> Module has no output_pairs defined.
> And it has the same result - connection failed. No red lines in the debug -
> all fine.

  That's suspicious.

> I simply have no clue. Firewall log show authentication successful - but
> the devices are not connected (Windows10/Android/iPad).
> 99% that it is related with MPPE keys - I just simply have no clue what is
> the connection between the generated MPPE keys and a second authentication.

  The MPPE keys are automatically derived from the authentication method / credentials.  They change with every login.

> I'm not able to decrypt/use the MPPE keys - so cannot verify them.

  You don't decrypt them.  The debug log shows their real value.

> Firewall just needs the Filter-Id and access-accept, then grants the
> connection. So it is not firewall related issue.

  Well, if the firewall is not allowing the user online, then it is a firewall issue.

> PPP connection not established - that's why I think it can be related with
> the MPPE keys. But as you can see the keys are generated at the mschap
> authentication.

  Yes.  And if your script doesn't modify the MPPE keys, everything should be dine.

> Is it possible to cache the MPPE keys to be sure they are not changed
> during/because of the second authentication.

  Don't do that.

> "Since you've only given a non-working debug output and not a working
> one... no, we don't know what's going on."
> The debug contains 2 successful authentication and an Access-Accept answer.
> So it is a successful authentication - just have a problem somewhere.

  If FreeRADIUS returns Access-Accept and the user doesn't get online.. blame the NAS. 

  Alan DeKok.

More information about the Freeradius-Users mailing list