Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode

"michael böhm" ksk2 at gmx.net
Tue Dec 4 13:37:08 CET 2018


   Hi Alan,

   this seems to do exactly what we want:

           # In any case: check the LDAP and local user-file first

           ldap
           files
           # Case 1: No script-user -> 2FA
           if(User-Name !~ /^sc_.+$/) {
                   # Case 1.1: LDAP-PW + Token
                   if(User-Password =~ /^(.+)([0-9]{6})$/) {
                           # LDAP-password in %{1}
                           # Token in %{2}
                           update request {
                                   User-Password := "%{1}"
                           }
                           # Check password and reject if incorrect
                           pap
                           pap.authenticate
                           update request {
                                   User-Password := "%{2}"
                           }
                           # Proxy the request to the SecurID-server
                           update control {
                                   Proxy-To-Realm := "securid"
                           }
                   }
                   # Case 1.2: Just a Token, no LDAP-PW, Next-Token-Mode
                   elsif(State && User-Password =~ /^([0-9]{6})$/) {
                           update control {
                                   Proxy-To-Realm := "securid"
                           }
                   }
           }
           # Case 2: script-user
           else {
                   pap
           }

   Is my elsif(State ...)-statement a robust way to check if this packet
   belongs to a challenge-response of this exact user? I want to avoid
   situations where a user might be able to authenticate with just a Token
   and no password.

   We are testing the configuration now. Thank you very much for your
   help!

   I'll check back in a few weeks regarding the password change / TACACS+
   feature I asked for in my initial mail. For the moment we'll do the
   password changes via a web-interface for the LDAP which is fine.

   Best wishes

   Michael

   Sent: Monday, 03 December 2018 at 19:43
   From: "Alan DeKok" <aland at deployingradius.com>
   To: "FreeRadius users mailing list"
   <freeradius-users at lists.freeradius.org>
   Subject: Re: FreeRADIUS, OpenLDAP password change and RSA SecurID
   Next-Token-Mode
   On Dec 3, 2018, at 9:37 AM, michael böhm <ksk2 at gmx.net> wrote:
   > with your hints I managed to get this running:
   That's good.
   > I get the error in freeradius -X:
   >
   > (2) Found Auth-Type = PAP
   > (2) Found Auth-Type = Accept
   > (2) ERROR: Warning: Found 2 auth-types on request for user '<user>'
   >
   > Can I ignore this?
   Yes. If you upgrade to 3.0.17, the message will go away.
   > Only one more problem is to solve:
   >
   > In post-auth we have a Perl-script that relies on the groups that come
   > from LDAP to make user rights decisions. When we are in Next-Token-Mode
   > (case 1.2) we do not query LDAP, so freeradius cannot pass the groups
   > to the Perl script.
   OK.
   > Is there a way to tell freeradius to cache the LDAP-groups from the
   > last request for case 1.1 and use them in 1.2?
   You can cache LDAP groups in the session-state list. But they're only
   cached for a series of challenge/ response packets.
   Alan DeKok.
   -
   List info/subscribe/unsubscribe? See
   [1]http://www.freeradius.org/list/users.html
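Added illustration (not code from the post, and not FreeRADIUS's own logic): a Python model of the challenge-response flow in the configuration above. It shows the property the "elsif(State ...)" question is after: a bare-token request is safe to accept only when it carries a State value this server itself issued, to this same user, within a time limit, and not yet used. The ChallengeTracker, handle_request, the fake LDAP and SecurID checks, the user and token values and the 60-second TTL are all constructed for the example.

```python
import os
import re
import time
from typing import Callable, Dict, Optional, Tuple

# Regexes copied from the unlang config in the post: password followed by a
# six-digit token, a bare six-digit token, and the script-user name pattern.
PW_PLUS_TOKEN = re.compile(r"^(.+)([0-9]{6})$")
TOKEN_ONLY = re.compile(r"^([0-9]{6})$")
SCRIPT_USER = re.compile(r"^sc_.+$")
STATE_TTL = 60.0  # seconds a challenge stays redeemable (assumed value)


class ChallengeTracker:
    """Outstanding challenges keyed by the opaque State value the server issued.

    Each State is bound to the user it was issued to, expires after STATE_TTL,
    and is consumed on first use, so it can be neither replayed nor transferred.
    """

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.pending: Dict[str, Tuple[str, float]] = {}  # state -> (user, issued_at)

    def issue(self, user: str) -> str:
        state = os.urandom(16).hex()  # unguessable opaque value
        self.pending[state] = (user, self.clock())
        return state

    def redeem(self, user: str, state: str) -> bool:
        entry = self.pending.pop(state, None)  # single use, even on failure
        if entry is None:
            return False  # unknown or already used
        owner, issued_at = entry
        if self.clock() - issued_at > STATE_TTL:
            return False  # stale challenge
        return owner == user  # must be answered by the same user


def handle_request(tracker: ChallengeTracker, user: str, password: str,
                   state: Optional[str], ldap_check, securid_check) -> Tuple[str, Optional[str]]:
    """Return (reply, state); reply is ACCEPT, REJECT or CHALLENGE."""
    # Case 2: script users authenticate against LDAP only
    if SCRIPT_USER.match(user):
        return ("ACCEPT" if ldap_check(user, password) else "REJECT", None)

    # Case 1.1: LDAP password and token in one string
    m = PW_PLUS_TOKEN.match(password)
    if m:
        ldap_pw, token = m.group(1), m.group(2)
        if not ldap_check(user, ldap_pw):
            return ("REJECT", None)
        verdict = securid_check(user, token)
        if verdict == "NEXT_TOKEN":
            return ("CHALLENGE", tracker.issue(user))  # remember whom we challenged
        return (verdict, None)

    # Case 1.2: bare token, only valid as the answer to a challenge we issued
    if state is not None and TOKEN_ONLY.match(password):
        if not tracker.redeem(user, state):
            return ("REJECT", None)
        return (securid_check(user, password), None)

    return ("REJECT", None)


def fake_ldap(user: str, pw: str) -> bool:
    # Constructed stand-in for the ldap/pap check
    return {"alice": "s3cret", "sc_backup": "hunter2"}.get(user) == pw


def fake_securid(user: str, token: str) -> str:
    # Constructed stand-in for the securid realm: 111111 triggers Next-Token-Mode
    return {"111111": "NEXT_TOKEN", "123456": "ACCEPT"}.get(token, "REJECT")


def demo() -> Dict[str, str]:
    now = [1000.0]  # controllable clock so the expiry case is reproducible
    tracker = ChallengeTracker(clock=lambda: now[0])

    def req(u, p, s=None):
        return handle_request(tracker, u, p, s, fake_ldap, fake_securid)

    out = {}
    reply, state = req("alice", "s3cret111111")
    out["challenge"] = reply                              # CHALLENGE
    out["answer"] = req("alice", "123456", state)[0]      # ACCEPT
    out["replay"] = req("alice", "123456", state)[0]      # REJECT: consumed
    out["no_state"] = req("alice", "123456")[0]           # REJECT: no challenge
    out["forged_state"] = req("alice", "123456", "00" * 16)[0]  # REJECT: unknown
    _, state2 = req("alice", "s3cret111111")
    out["other_user"] = req("bob", "123456", state2)[0]   # REJECT: wrong owner
    _, state3 = req("alice", "s3cret111111")
    now[0] += STATE_TTL + 1
    out["expired"] = req("alice", "123456", state3)[0]    # REJECT: stale
    out["wrong_ldap_pw"] = req("alice", "wrong111111")[0] # REJECT before SecurID
    out["script_user"] = req("sc_backup", "hunter2")[0]   # ACCEPT via LDAP only
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```

The point of the model is what a bare `State` test does not check by itself: the presence of the attribute only says the client sent one, while the tracker also ties it to the user who was challenged, the time it was issued and a single use. In a real deployment the equivalent facts live wherever the server keeps per-challenge data between the Access-Challenge and the next Access-Request.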

References

   1. http://www.freeradius.org/list/users.html

