Freeradius with multiotp - but otp-pin is in username

blaster at vorsicht-bissig.de blaster at vorsicht-bissig.de
Tue May 23 00:41:36 CEST 2017 

Hello,

I put the policy on the top of the authorize section and it works as 
intendet.
Thank you very much, Alan DeKok for your advice!

Best regards
Gerald


On 22.05.2017 14:30, Alan DeKok wrote:
> On May 21, 2017, at 6:53 PM, blaster at vorsicht-bissig.de wrote:
>>    i'm trying to setup FreeRADIUS Version 3.0.13 with multiotp BUT I want
>>    to enter the information like this:
>>    "{Username}:{OTP-PIN}"   ==> f.e. "dani:955825"   (username in users
>>    file)
>>    "{Password}"                      ==> f.e. "blabla"  (password in users
>>    file)
>    That's a little unusual, but it should work, mostly.
>
>    But most people appoint the OTP to the password, not to the User-Name.
>
>>    I think this could be a way, to get some devices to work with 2 factor,
>>    which are not build for it.
>>    I successfully get an ok from multiotp, by regex'ing "{OTP-PIN}"
>>    from "{Username}:{OTP-PIN}",
>>    but PAP is failing, because I can't get PAP to look for "{Username}"
>>    (f.e. "dani").
>>    It always tries to look for "{Username}:{OTP-PIN}" (f.e. "dani:955825")
>>    in the authentication-section.
>    Because the default configuration looks up users by the contents of the User-Name attribute.
>
>    Sine you've modified the User-Name to contain the OTP key, that won't work.
>
>>    It would be nice if you could point me in the right direction.
>>    My apologies, if this question was already asked, and I didn't find it.
>>    Best regards
>>    Gerald
>>    remark - begin
>>    ------------
>>    I successfully did it with
>>    "{Username} "                  ==> f.e. "dani" (username in users file)
>>    "{Password}{OTP-PIN}"     ==> f.e. "blabla955825"  (password in users
>>    file)
>    Which is what most people use.
>
>>    But I think the
>>    "{Username}"
>>    "{Password}{OTP-PIN}"
>>    way, fails when it comes to MSCHAP (with ActiveDirectory), because
>>    Freeradius compares only password hashes and not plaintext, so it can't
>>    recongnise what's the OTP-PIN and what's the password.
>    Yes.
>
>>    --------------
>>    remark - end
>>    /usr/local/etc/raddb/users
>>    ####
>>    "dani"        Cleartext-Password := "blabla", MS-CHAP-Use-NTLM-Auth :=
>>    0
>>    ####
>>    /usr/local/etc/dictionary
>>    ####
>>    ATTRIBUTE       User-OTP                3000    string
>    You don't need that.
>
>>    ATTRIBUTE       User-Password-TMP       3001    string
>>    ####
>>    /usr/local/etc/raddb# cat policy.d/pol_usernamemultiotp
>>    #####
>>    pol_usernamemultiotp.authorize {
>>            if ( &User-Name =~ /^(.*)(\:)([0-9]{6})$/) {
>>                    update request {
>>                            User-Password-TMP := "%{User-Password}"
>>                            User-OTP := "%{3}"
>>                            User-Password := "%{User-OTP}"
>    This isn't necessary.
>
>>                            User-Name := "%{1}"
>    You probably shouldn't re-write the User-Name.  Leave it alone.
>
>>                            Stripped-User-Name := "%{1}"
>    If Stripped-User-Name exists, the server uses it for lookups instead of User-Name.  So all you need to do is set Stripped-User-Name correctly.
>
>>    #####
>>    radiusd -X output - begin
>    Reading it carefully helps... the messages are useful.
>
>>    #####
>>    Ready to process requests
>>    (0) Received Access-Request Id 192 from 127.0.0.1:56491 to
>>    127.0.0.1:1842 length 81
>>    (0)   User-Name = "dani:955825"
>>    (0)   User-Password = "blabla"
>>    (0)   NAS-IP-Address = 127.0.0.1
>>    (0)   NAS-Port = 100
>>    (0)   Message-Authenticator = 0x0cc5e28430dea113b6b4fde2d1537388
>    That's the Access-Request...
>
>>    (0) custom_otp: Searching for user in group "vlan10"
>>    rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for
>>    76 seconds
>>    rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for
>>    76 seconds
>>    rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for
>>    76 seconds
>>    rlm_ldap (ldap): You probably need to lower "min"
>>    rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for
>>    76 seconds
>>    rlm_ldap (ldap): You probably need to lower "min"
>>    rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for
>>    76 seconds
>>    rlm_ldap (ldap): You probably need to lower "min"
>    Pay attention to those messages.  Either increase "idle_timeout", or lower "min".
>
>>    (0) custom_otp: EXPAND
>>    (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
>>    (0) custom_otp:    --> (samaccountname=dani:955825)
>>    (0) custom_otp: Search returned no results
>    Note that it's looking up the User-Name attribute.  i.e. the name *before* any edits.
>
>>    rlm_ldap (ldap): Released connection (6)
>>    (0)     [ldap] = notfound
>>    (0)     [expiration] = noop
>>    (0)     [logintime] = noop
>>    (0)     policy pol_usernamemultiotp.authorize {
>    And AFTER you look up User-Name (the one with the OTP), you run the policy to fix the User-Name.
>
>    i.e. you have this reversed.
>
>   The solution is to put the re-write at the TOP of the "authorize" section. That way, the Stripped-User-Name attribute is seen by all modules.
>
>    And the policy you created is too complicated.  Just do this:
>
> 	if ( &User-Name =~ /^(.*):([0-9]{6})$/) {
> 		update request {
> 			Stripped-User-Name := "%{1}"
> 			User-OTP := "%{2}"
> 		}
> 	}
>
>    i..e. you don't need a "tmp" password. You don't need to re-write the password.  You don't need to match (:) in the regex.  Just matching : is good enough.
>
>    Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list