Freeradius second auth factor

Anton Kiryushkin swood at fotofor.biz
Fri Dec 20 18:23:18 CET 2019


Fri, 20 Dec 2019 at 16:16, Alan DeKok <aland at deployingradius.com>:

> On Dec 20, 2019, at 8:48 AM, Anton Kiryushkin <swood at fotofor.biz> wrote:
> > Nice to get an answer from you.
> > The First factor is password stored in DB.
> > Second is SMS.
> >
> > No, it is not for wifi; it is for VPN.
>
>   OK,  that's good.
>
> > As far as I understand, Cisco ASA
> > sends the request to the radius with the final data: login, password,
> > OTP-code.
>
>   How?  That matters.
>

Now I see the following message from the ASA:

Fri Dec 20 15:21:41 2019 : Debug: (2)   User-Name = "Jon_Snow"
Fri Dec 20 15:21:41 2019 : Debug: (2)   User-Password = "xZ\202\002\280<\206у\n\323y\261\357\471%y"
Fri Dec 20 15:21:41 2019 : Debug: (2)   NAS-Port = 249856
Fri Dec 20 15:21:41 2019 : Debug: (2)   Called-Station-Id = "55.444.33.2"
Fri Dec 20 15:21:41 2019 : Debug: (2)   Calling-Station-Id = "44.66.77.8"
Fri Dec 20 15:21:41 2019 : Debug: (2)   NAS-Port-Type = Virtual
Fri Dec 20 15:21:41 2019 : Debug: (2)   Tunnel-Client-Endpoint:0 = "44.66.77.8"
Fri Dec 20 15:21:41 2019 : Debug: (2)   NAS-IP-Address = 10.2.3.4
Fri Dec 20 15:21:41 2019 : Debug: (2)   Cisco-AVPair = "ip:source-ip=44.66.77.8"
Fri Dec 20 15:21:41 2019 : Debug: (2)   ASA-TunnelGroupName = "VPN"
Fri Dec 20 15:21:41 2019 : Debug: (2)   ASA-ClientType = AnyConnect-Client-SSL-VPN

I'm not sure about the second password and where it should be.


>
>   Usually, people use login name, and then take the 6 digit OTP, and add
> it to the password, e.g.
>
> User-Name = "bob"
> User-Password = "123456my_secret_password"
>
>
How to parse it in FreeRadius?


> > The only possible way to authenticate with the OTP is to generate it via a
> > phone application like Google Authenticator.
> > My question is, is it possible to send an SMS instead of using the
> > application?
>
>   FreeRADIUS doesn't send SMSs directly.  It has to use a third-party
> application to send SMSs.
>
>
Yes, correct, but FreeRADIUS can run a script to generate an OTP and send
it. However, I can't understand how to do it before authorisation, or how to
wait for this process during authorisation. Probably I am wrong.


>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html



-- 
Best regards,
Anton Kiryushkin
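The "OTP prepended to the password" scheme Alan describes above is easy to get wrong on the verifying side, so here is an added example (not code from this thread or from the FreeRADIUS project) of what a backend script called from FreeRADIUS would do with such a User-Password: split the leading six digits from the static password, check the static password against a stored PBKDF2 hash, and check the six digits against RFC 6238 TOTP with a one-step window. The seed, salt and hash are constructed sample values; a real deployment would load the per-user record from the database the first message mentions.

```python
import hashlib
import hmac
import re
import struct
import time
from typing import Optional, Tuple

# Constructed per-user record (hypothetical; in practice loaded from the DB).
TOTP_SEED = b"constructed-demo-seed-bytes!"   # shared secret for the OTP
PBKDF2_ROUNDS = 100_000
PASSWORD_SALT = b"constructed-salt"
PASSWORD_HASH = hashlib.pbkdf2_hmac(
    "sha256", b"my_secret_password", PASSWORD_SALT, PBKDF2_ROUNDS)

# "<6 digits><static password>": the layout from the thread's example.
OTP_PREFIX = re.compile(r"^(\d{6})(.+)$", re.DOTALL)
STEP_SECONDS = 30


def split_password(user_password: str) -> Optional[Tuple[str, str]]:
    """Return (otp, static_password), or None if the value is not in the expected form."""
    m = OTP_PREFIX.match(user_password)
    if not m:
        return None
    return m.group(1), m.group(2)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) for Unix time `at`."""
    counter = at // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(user_password: str, now: Optional[int] = None, window: int = 1) -> bool:
    """Accept only if both the static password and the OTP are valid.

    Both factors are always evaluated (no short-circuit), and all comparisons
    are constant-time, so a failed attempt does not reveal which factor was wrong.
    """
    parts = split_password(user_password)
    if parts is None:
        return False
    otp, static = parts
    now = int(time.time()) if now is None else now

    candidate = hashlib.pbkdf2_hmac(
        "sha256", static.encode("utf-8"), PASSWORD_SALT, PBKDF2_ROUNDS)
    pw_ok = hmac.compare_digest(candidate, PASSWORD_HASH)

    # Tolerate clock drift of +/- `window` steps, the usual TOTP practice.
    otp_ok = False
    for drift in range(-window, window + 1):
        expected = totp(TOTP_SEED, now + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, otp):
            otp_ok = True
    return pw_ok and otp_ok


if __name__ == "__main__":
    t = int(time.time())
    good = totp(TOTP_SEED, t) + "my_secret_password"
    print("accepted:", verify(good, t))           # True
    print("wrong password:", verify(totp(TOTP_SEED, t) + "guess", t))  # False
```

In the FreeRADIUS flow this logic would sit behind a module that receives User-Name and the decoded User-Password for the request; the script returns accept or reject and nothing else. Note that a NAS which sends User-Password with PAP is the only case where the server can see and split the cleartext value; with CHAP or MS-CHAP the concatenated string is never available, which is why the ASA's authentication method matters.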

