Aw: Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode
"michael böhm"
ksk2 at gmx.net
Tue Dec 4 13:37:08 CET 2018
Hi Alan,
this seems to do exactly what we want:
# In any case: check the LDAP and local user-file first
ldap
files
# Case 1: No script-user -> 2FA
if(User-Name !~ /^sc_.+$/) {
# Case 1.1: LDAP-PW + Token
if(User-Password =~ /^(.+)([0-9]{6})$/) {
# LDAP-password in %{1}
# Token in %{2}
update request {
User-Password := "%{1}"
}
# Check password and reject if incorrect
pap
pap.authenticate
update request {
User-Password := "%{2}"
}
# Proxy the request to the SecurID-server
update control {
Proxy-To-Realm := "securid"
}
}
# Case 1.2: Just a Token, no LDAP-PW, Next-Token-Mode
elsif(State && User-Password =~ /^([0-9]{6})$/) {
update control {
Proxy-To-Realm := "securid"
}
}
}
# Case 2: script-user
else {
pap
}
Is my elsif(State ...)-statement a robust way to check if this packet
belongs to a challenge-response of this exact user? I want to avoid
situations where a user might be able to authenticate with just a Token
and no password.
We are testing the configuration now. Thank you very much for your
help!
I'll check back in a few weeks regarding the password change / TACACS+
feature I asked for in my initial mail. For the moment we'll do the
password changes via a web-interface for the LDAP which is fine.
Best wishes
Michael
Gesendet: Montag, 03. Dezember 2018 um 19:43 Uhr
Von: "Alan DeKok" <aland at deployingradius.com>
An: "FreeRadius users mailing list"
<freeradius-users at lists.freeradius.org>
Betreff: Re: FreeRADIUS, OpenLDAP password change and RSA SecurID
Next-Token-Mode
On Dec 3, 2018, at 9:37 AM, michael böhm <ksk2 at gmx.net> wrote:
> with your hints I managed to get this running:
That's good.
> I get the error in freeradius -X:
>
> (2) Found Auth-Type = PAP
> (2) Found Auth-Type = Accept
> (2) ERROR: Warning: Found 2 auth-types on request for user '<user>'
>
> Can I ignore this?
Yes. If you upgrade to 3.0.17, the message will go away.
> Only one more problem is to solve:
>
> In post-auth we have a Perl-script that relies on the groups that
come
> from LDAP to make user rights decisions. When we are in
Next-Token-Mode
> (case 1.2) we do not query LDAP, so freeradius cannot pass the groups
> to the Perl script.
OK.
> Is there a way to tell freeradius to cache the LDAP-groups from the
> last request for case 1.1 and use them in 1.2?
You can cache LDAP groups in the session-state list. But they're only
cached for a series of challenge/ response packets.
Alan DeKok.
-
List info/subscribe/unsubscribe? See
[1]http://www.freeradius.org/list/users.html
References
1. http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list