Freeradius with multiotp - but otp-pin is in username
blaster at vorsicht-bissig.de
Mon May 22 00:53:59 CEST 2017
Hi guys,
I'm trying to set up FreeRADIUS Version 3.0.13 with multiotp, BUT I want
to enter the information like this:
"{Username}:{OTP-PIN}" ==> f.e. "dani:955825" (username in users file)
"{Password}" ==> f.e. "blabla" (password in users file)
I think this could be a way to get some devices to work with 2-factor
which are not built for it.
I successfully get an ok from multiotp by regex'ing "{OTP-PIN}"
from "{Username}:{OTP-PIN}",
but PAP is failing, because I can't get PAP to look for "{Username}"
(f.e. "dani").
It always tries to look for "{Username}:{OTP-PIN}" (f.e. "dani:955825")
in the authentication section.
It would be nice if you could point me in the right direction.
My apologies if this question was already asked and I didn't find it.
Best regards
Gerald
remark - begin
------------
I successfully did it with
"{Username}" ==> f.e. "dani" (username in users file)
"{Password}{OTP-PIN}" ==> f.e. "blabla955825" (password in users file).
But I think the
"{Username}"
"{Password}{OTP-PIN}"
way fails when it comes to MSCHAP (with Active Directory), because
FreeRADIUS compares only password hashes and not plaintext, so it can't
recognise what's the OTP-PIN and what's the password.
--------------
remark - end
/usr/local/etc/raddb/users
####
"dani" Cleartext-Password := "blabla", MS-CHAP-Use-NTLM-Auth := 0
####
/usr/local/etc/dictionary
####
ATTRIBUTE User-OTP 3000 string
ATTRIBUTE User-Password-TMP 3001 string
####
/usr/local/etc/raddb# cat policy.d/pol_usernamemultiotp
#####
pol_usernamemultiotp.authorize {
    # Only act on "user:123456" style names (six-digit OTP after the colon)
    if ( &User-Name =~ /^(.*)(\:)([0-9]{6})$/) {
        update request {
            # Stash the real password and hand the OTP to multiotp as User-Password
            User-Password-TMP := "%{User-Password}"
            User-OTP := "%{3}"
            User-Password := "%{User-OTP}"
            User-Name := "%{1}"
            Stripped-User-Name := "%{1}"
        }
        multiotp
        if (ok) {
            # OTP accepted: restore the bare username and the real password for PAP
            update request {
                User-Name := "%{1}"
                User-Password := "%{User-Password-TMP}"
            }
            update control {
                Auth-Type := PAP
            }
        }
        else {
            reject
        }
    }
}
#####
radiusd -X output - begin
#####
Ready to process requests
(0) Received Access-Request Id 192 from 127.0.0.1:56491 to
127.0.0.1:1842 length 81
(0) User-Name = "dani:955825"
(0) User-Password = "blabla"
(0) NAS-IP-Address = 127.0.0.1
(0) NAS-Port = 100
(0) Message-Authenticator = 0x0cc5e28430dea113b6b4fde2d1537388
(0) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/custom_otp
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
{
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) auth_log: -->
/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20170521
(0) [auth_log] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "dani:955825", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) custom_otp: Searching for user in group "vlan10"
rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for
76 seconds
rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for
76 seconds
rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for
76 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for
76 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for
76 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase
"spare"
rlm_ldap (ldap): Opening additional connection (5), 1 of 32 pending
slots used
rlm_ldap (ldap): Connecting to ldap://testdc.test.apa.lan:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Reserved connection (5)
(0) custom_otp: EXPAND
(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
(0) custom_otp: --> (samaccountname=dani:955825)
(0) custom_otp: Search returned no results
rlm_ldap (ldap): Released connection (5)
Need 2 more connections to reach min connections (3)
rlm_ldap (ldap): Opening additional connection (6), 1 of 31 pending
slots used
rlm_ldap (ldap): Connecting to ldap://testdc.test.apa.lan:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0) custom_otp: Searching for user in group "vlan99"
rlm_ldap (ldap): Reserved connection (5)
(0) custom_otp: EXPAND
(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
(0) custom_otp: --> (samaccountname=dani:955825)
(0) custom_otp: Waiting for search result...
(0) custom_otp: Search returned no results
rlm_ldap (ldap): Released connection (5)
(0) [custom_otp] = noop
rlm_ldap (ldap): Reserved connection (6)
(0) ldap: EXPAND
(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap: --> (samaccountname=dani:955825)
(0) ldap: Waiting for search result...
(0) ldap: Search returned no results
rlm_ldap (ldap): Released connection (6)
(0) [ldap] = notfound
(0) [expiration] = noop
(0) [logintime] = noop
(0) policy pol_usernamemultiotp.authorize {
(0) if ( &User-Name =~ /^(.*)(\:)([0-9]{6})$/) {
(0) if ( &User-Name =~ /^(.*)(\:)([0-9]{6})$/) -> TRUE
(0) if ( &User-Name =~ /^(.*)(\:)([0-9]{6})$/) {
(0) update request {
(0) EXPAND %{User-Password}
(0) --> blabla
(0) User-Password-TMP := blabla
(0) EXPAND %{3}
(0) --> 955825
(0) User-OTP := 955825
(0) EXPAND %{User-OTP}
(0) --> 955825
(0) User-Password := 955825
(0) EXPAND %{1}
(0) --> dani
(0) User-Name := dani
(0) EXPAND %{1}
(0) --> dani
(0) Stripped-User-Name := dani
(0) } # update request = noop
(0) multiotp: EXPAND %{User-Name}
(0) multiotp: --> dani
(0) multiotp: EXPAND %{User-Password}
(0) multiotp: --> 955825
(0) multiotp: EXPAND -src=%{Packet-Src-IP-Address}
(0) multiotp: --> -src=127.0.0.1
(0) multiotp: EXPAND -chap-challenge=%{CHAP-Challenge}
(0) multiotp: --> -chap-challenge=
(0) multiotp: EXPAND -chap-password=%{CHAP-Password}
(0) multiotp: --> -chap-password=
(0) multiotp: EXPAND -ms-chap-challenge=%{MS-CHAP-Challenge}
(0) multiotp: --> -ms-chap-challenge=
(0) multiotp: EXPAND -ms-chap-response=%{MS-CHAP-Response}
(0) multiotp: --> -ms-chap-response=
(0) multiotp: EXPAND -ms-chap2-response=%{MS-CHAP2-Response}
(0) multiotp: --> -ms-chap2-response=
(0) multiotp: Program returned code (0) and output ''
(0) multiotp: Program executed successfully
(0) [multiotp] = ok
(0) if (ok) {
(0) if (ok) -> TRUE
(0) if (ok) {
(0) update request {
(0) EXPAND %{1}
(0) --> dani
(0) User-Name := dani
(0) EXPAND %{User-Password-TMP}
(0) --> blabla
(0) User-Password := blabla
(0) } # update request = noop
(0) update control {
(0) Auth-Type := PAP
(0) } # update control = noop
(0) } # if (ok) = noop
(0) ... skipping else: Preceding "if" was taken
(0) } # if ( &User-Name =~ /^(.*)(\:)([0-9]{6})$/) = ok
(0) } # policy pol_usernamemultiotp.authorize = ok
(0) pap: WARNING: No "known good" password found for the user. Not
setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good"
password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = PAP
(0) # Executing group from file
/usr/local/etc/raddb/sites-enabled/custom_otp
(0) Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: No password configured for the user. Cannot do authentication
(0) [pap] = fail
(0) } # Auth-Type PAP = fail
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file
/usr/local/etc/raddb/sites-enabled/custom_otp
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> dani
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.1 seconds.
Waking up in 0.8 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 192 from 127.0.0.1:1842 to 127.0.0.1:56491
length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 192 with timestamp +76
Ready to process requests
#####
radiusd -X output - end
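In the debug output above, `custom_otp` and `ldap` are evaluated before `pol_usernamemultiotp` (so both search for `dani:955825`), and no `files` module appears in `authorize` at all, which is why `pap` reports no "known good" password. The following `authorize` section is an added example, not the poster's own `sites-enabled/custom_otp` (which is not shown in the post); the module order is assumed, and the module names are the ones visible in the `radiusd -X` output:

```unlang
# Assumed sites-enabled/custom_otp "authorize" section (example, not from the post).
authorize {
    filter_username
    preprocess
    auth_log
    chap
    mschap
    digest
    suffix
    eap

    # Split "user:otp" and verify the OTP BEFORE any user lookup, so that
    # files/ldap search for "dani" rather than "dani:955825".
    pol_usernamemultiotp

    # files reads raddb/users and supplies Cleartext-Password := "blabla",
    # the "known good" password that pap needs in the authenticate section.
    files

    # LDAP group checks and user lookup now see the bare User-Name.
    custom_otp
    ldap
    expiration
    logintime
    pap
}
```

With this order, a failed OTP still ends in `reject` inside the policy before any password lookup, and a successful OTP leaves `User-Password` restored to the real password so `Auth-Type PAP` can compare it against the `users` entry.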