Aw: Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode
"michael böhm"
ksk2 at gmx.net
Mon Dec 3 15:37:32 CET 2018
Hi Alan,
with your hints I managed to get this running:
    # Case 1: not a script user -> two-factor (LDAP password + SecurID token)
    if (User-Name !~ /^sc_.+$/) {
        # Case 1.1: LDAP password immediately followed by the 6-digit token
        # %{1} = LDAP password, %{2} = token code
        if (User-Password =~ /^(.+)([0-9]{6})$/) {
            # check the LDAP password first: leave only that part in User-Password
            update request {
                User-Password := "%{1}"
            }
            ldap
            files
            pap
            # run the PAP check now; if it fails the request is rejected here
            # and nothing is proxied
            pap.authenticate
            # put the token code back so only it is sent to the SecurID server
            update request {
                User-Password := "%{2}"
            }
            update control {
                Proxy-To-Realm := "securid"
            }
        }
        # Case 1.2: Next-Token-Mode: just a token, no LDAP password, and a
        # State attribute from the previous Access-Challenge
        elsif (State && User-Password =~ /^([0-9]{6})$/) {
            update control {
                Proxy-To-Realm := "securid"
            }
        }
    }
    # Case 2: script user -> LDAP password only
    else {
        ldap
        files
        pap
    }
I get the error in freeradius -X:
(2) Found Auth-Type = PAP
(2) Found Auth-Type = Accept
(2) ERROR: Warning: Found 2 auth-types on request for user '<user>'
Can I ignore this?
Only one more problem remains to be solved:
In post-auth we have a Perl script that relies on the groups that come
from LDAP to make user-rights decisions. When we are in Next-Token-Mode
(case 1.2) we do not query LDAP, so FreeRADIUS cannot pass the groups
to the Perl script.
Is there a way to tell FreeRADIUS to cache the LDAP groups from the
last request (case 1.1) and use them in case 1.2? If there is no easy way,
I would delete case 1.2 and tell the user to type in the LDAP password
again, followed by the next token.
Thanks and best wishes
Michael
Sent: Monday, 3 December 2018 at 14:11
From: "Alan DeKok" <aland at deployingradius.com>
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Subject: Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode
On Dec 3, 2018, at 8:00 AM, michael böhm <ksk2 at gmx.net> wrote:
> we've decided to use the RADIUS interface of the SecurID server and not
> the proprietary protocol.
OK.
> Now I need unlang to make the access decision:
>
> LDAP-Plugin (accept) AND Proxy-Request to SecurID-Server (accept) =
> ACCEPT to NAS
>
> I tried it like that in the authorize-section but it did not work:
See the FAQ for "it doesn't work".
> filter_username
> preprocess
>
> # %{1} = ldap-password
> # %{2} = Token
>
> if (User-Password =~ /^(.+)([0-9]{6})$/) {
>     update request {
>         User-Password := "%{2}"
>     }
>     update control {
>         Proxy-To-Realm := "securid"
>     }
>
>     update request {
>         User-Password := "%{1}"
>     }
>
>     ldap
> }
>
> pap
>
> The proxying itself is working fine but not the correlation of the two
> results.
What does that mean?
> Could you please give me a minimal example of how to create this
> and-logic in unlang?
My $0.02 is to check the user's password *first*, and then proxy to RSA
if it passed.
    if (User-Password =~ /^(.+)([0-9]{6})$/) {
        # %{1} = LDAP password, %{2} = token: check the LDAP part first
        update request {
            User-Password := "%{1}"
        }
        # get the "known good" password from LDAP
        ldap
        # check the user's password
        # if this fails, the user will be automatically rejected
        pap.authenticate
        update control {
            Proxy-To-Realm := "securid"
        }
        # now leave only the token in User-Password for the proxied request
        update request {
            User-Password := "%{2}"
        }
    }
    else {
        ... do stuff for non-RSA users ...
    }
Alan DeKok.
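The two-leg flow discussed in this thread (LDAP password checked locally, then only the token code proxied to the SecurID realm, with Next-Token-Mode handled on a second request that carries a State attribute), modelled as an added Python example. This is not code from the thread or from FreeRADIUS: the directory contents, the SecurID stand-in, the sample token codes and the FakeSecurIDServer/authorize/ldap_pap names are all constructed here, and FreeRADIUS itself is reduced to the regex-based case split from the unlang above. It also makes the open question from the message visible: on the Next-Token-Mode leg LDAP is never queried, so the resulting reply carries no group information.

```python
import hmac
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The regexes from the unlang in the thread. In case 1.1 everything before the
# last six digits is the LDAP password and the trailing six digits are the
# SecurID token code. Case 1.2 is a bare code, accepted only when a State
# attribute (from an earlier Access-Challenge) accompanies it.
PW_TOKEN_RE = re.compile(r"^(.+)([0-9]{6})$")
TOKEN_ONLY_RE = re.compile(r"^([0-9]{6})$")
SCRIPT_USER_RE = re.compile(r"^sc_.+$")

# Constructed directory standing in for OpenLDAP: user -> (password, groups).
LDAP_DIRECTORY: Dict[str, Tuple[str, List[str]]] = {
    "alice": ("correct horse", ["vpn-users", "admins"]),
    "bob": ("pw123456", ["vpn-users"]),   # password itself ends in digits
    "sc_backup": ("s3cret", ["scripts"]),
}


@dataclass
class Reply:
    code: str                      # Access-Accept / Access-Reject / Access-Challenge
    state: Optional[bytes] = None  # RADIUS State, echoed back by the NAS
    groups: List[str] = field(default_factory=list)


class FakeSecurIDServer:
    """Constructed stand-in for the RADIUS side of the RSA SecurID server.

    Each user has a list of currently valid codes. When the server wants a
    second code it answers Access-Challenge with a State attribute; the NAS
    resends with that State and the next code (Next-Token-Mode). Users in
    next_token_users get that treatment on every first-leg request.
    """

    def __init__(self, codes: Dict[str, List[str]], next_token_users) -> None:
        self.codes = codes
        self.next_token_users = set(next_token_users)
        self.requests_seen = 0   # lets a test prove nothing was proxied

    def access_request(self, user: str, code: str, state: Optional[bytes]) -> Reply:
        self.requests_seen += 1
        if code not in self.codes.get(user, []):
            return Reply("Access-Reject")
        if state is None:
            if user in self.next_token_users:
                # remember the consumed code: the next one must differ
                return Reply("Access-Challenge", state=f"next:{user}:{code}".encode())
            return Reply("Access-Accept")
        prefix = f"next:{user}:".encode()
        if not state.startswith(prefix) or state[len(prefix):].decode() == code:
            return Reply("Access-Reject")
        return Reply("Access-Accept")


def ldap_pap(user: str, password: str) -> Reply:
    """Model of rlm_ldap + rlm_pap: fetch the known-good password and compare."""
    entry = LDAP_DIRECTORY.get(user)
    if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
        return Reply("Access-Reject")
    return Reply("Access-Accept", groups=list(entry[1]))


def authorize(user: str, password: str, state: Optional[bytes],
              securid: FakeSecurIDServer) -> Reply:
    """Decision logic of the authorize section from the thread."""
    if SCRIPT_USER_RE.match(user):
        return ldap_pap(user, password)              # case 2: LDAP only, no token
    m = PW_TOKEN_RE.match(password)
    if m:                                            # case 1.1
        ldap_pw, code = m.group(1), m.group(2)
        first = ldap_pap(user, ldap_pw)
        if first.code != "Access-Accept":
            return first                             # pap.authenticate failed: never proxy
        reply = securid.access_request(user, code, None)
        reply.groups = first.groups                  # groups known: LDAP was queried
        return reply
    m = TOKEN_ONLY_RE.match(password)
    if state is not None and m:                      # case 1.2: Next-Token-Mode
        return securid.access_request(user, m.group(1), state)   # groups stay empty
    return Reply("Access-Reject")                    # no matching case: reject


if __name__ == "__main__":
    rsa = FakeSecurIDServer({"alice": ["111111", "222222"], "bob": ["333333"]},
                            next_token_users={"alice"})
    first = authorize("alice", "correct horse111111", None, rsa)
    second = authorize("alice", "222222", first.state, rsa)
    print(first.code, first.groups)     # challenge leg still carries the LDAP groups
    print(second.code, second.groups)   # accept leg has none: LDAP was not queried
```

The greedy `(.+)` group is what makes a password that itself ends in digits (bob above) split correctly, since the token is always exactly the last six characters. Note also that a bare six-digit code without a State never reaches the SecurID server, so the second factor cannot be used to skip the LDAP check.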
--
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html