Fwd: Not able to send a challenge
ngoetz75
ngoetz24 at gmail.com
Fri Sep 6 18:41:33 CEST 2019
> I’m not sure what I am doing wrong. I am trying to use eap-tls to authenticate users against active directory, and if it passes, I want to prompt the user to enter their OTP. This is all working with PAP, but I want to use eap-tls since it is more secure. Everything works fine with the windows authentication, but as soon as I uncomment the “challenge” line in the code below, I get the following error:
>
> (6) ntlm_auth: Program executed successfully
> (6) [ntlm_auth] = ok
> (6) if (ok) {
> (6) if (ok) -> TRUE
> (6) if (ok) {
> (6) update reply {
> (6) Reply-Message := "Please enter OTP"
> (6) } # update reply = noop
> (6) policy challenge {
> (6) update control {
> (6) &Response-Packet-Type = Access-Challenge
> (6) } # update control = noop
> (6) [handled] = handled
> (6) } # policy challenge = handled
> (6) } # if (ok) = handled
> (6) } # Auth-Type ntlm_auth = handled
> (6) } # server inner-tunnel
> (6) Virtual server sending reply
> (6) Reply-Message := "Please enter OTP"
> (6) eap_ttls: No tunneled reply was found for request 6 , and the request was not proxied: rejecting the user.
> (6) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
> (6) eap: Sending EAP Failure (code 4) ID 6 length 4
> (6) eap: Failed in EAP select
> (6) [eap] = invalid
> (6) } # Auth-Type eap = invalid
> (6) Failed to authenticate the user
> (6) Using Post-Auth-Type Reject
> (6) Post-Auth-Type sub-section not found. Ignoring.
>
>
> I only get this error when I try to send out a challenge. If I comment out the challenge line, then everything works, except then the user does not get prompted for their OTP and is allowed to authenticate using only their domain password.
>
> Here is a copy of my inner-tunnel config:
>
>
> server inner-tunnel {
>
>     listen {
>         ipaddr = 127.0.0.1
>         port = 18120
>         type = auth
>     }
>
>     authorize {
>         if (!State) {
>             if (&User-Password) {
>                 update control {
>                     Auth-Type = ntlm_auth
>                 }
>             }
>             else {
>                 reject
>             }
>         }
>         else {
>             # If State, then proxy request:
>             update control {
>                 Proxy-To-Realm := "otp"
>             }
>         }
>     }
>
>     authenticate {
>
>         Auth-Type ntlm_auth {
>             ntlm_auth
>             if (ok) {
>                 update reply {
>                     # Create a random State attribute:
>                     # State := "%{randstr:aaaaaaaaaaaaaaaa}"
>                     Reply-Message := "Please enter OTP"
>                 }
>                 # Return Access-Challenge:
>                 # challenge
>             }
>         }
>
>     }
>
>     session {
>         radutmp
>     }
>
>     post-auth {
>
>         #if (0) {
>         update reply {
>             User-Name !* ANY
>             Message-Authenticator !* ANY
>             EAP-Message !* ANY
>             Proxy-State !* ANY
>             MS-MPPE-Encryption-Types !* ANY
>             MS-MPPE-Encryption-Policy !* ANY
>             MS-MPPE-Send-Key !* ANY
>             MS-MPPE-Recv-Key !* ANY
>         }
>
>         update {
>             &outer.session-state: += &reply:
>         }
>         #}
>
>         Post-Auth-Type REJECT {
>             -sql
>             attr_filter.access_reject
>             update outer.session-state {
>                 &Module-Failure-Message := &request:Module-Failure-Message
>             }
>         }
>     }
>
>     pre-proxy {
>     }
>
>     post-proxy {
>
>         eap
>     }
>
> }
>
>
> Any help that someone could give me to point me in the right direction would be greatly appreciated.
>
> Thanks
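Reading the radiusd -X trace above by hand means finding, for request (6), which section returned which code just before the tunnel gave up. As an added example that is not from the post or from FreeRADIUS, this small Python parser groups debug lines by request number, records every `[module] = rcode` and `} # section = rcode` result in order, and pairs the first error with the last section result before it; the sample log is a constructed excerpt modelled on the output quoted in the post.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the radiusd -X output quoted in the post.
SAMPLE_LOG = """\
(6) [ntlm_auth] = ok
(6) if (ok) -> TRUE
(6) policy challenge {
(6) update control {
(6) &Response-Packet-Type = Access-Challenge
(6) } # update control = noop
(6) [handled] = handled
(6) } # policy challenge = handled
(6) } # if (ok) = handled
(6) } # Auth-Type ntlm_auth = handled
(6) } # server inner-tunnel
(6) eap_ttls: No tunneled reply was found for request 6 , and the request was not proxied: rejecting the user.
(6) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
(6) [eap] = invalid
"""

LINE_RE = re.compile(r"^\((\d+)\)\s+(.*)$")               # "(6) ..." request prefix
MODULE_RE = re.compile(r"^\[([^\]]+)\]\s*=\s*(\w+)$")      # "[ntlm_auth] = ok"
SECTION_RE = re.compile(r"^\}\s*#\s*(.+?)\s*=\s*(\w+)$")  # "} # policy challenge = handled"

def parse_debug(text):
    """Group radiusd -X lines by request number into ordered (kind, name, rcode) events."""
    requests = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # no "(N)" prefix: line is not attributable to a request
        num, body = int(m.group(1)), m.group(2)
        if mm := MODULE_RE.match(body):
            requests[num].append(("module", mm.group(1), mm.group(2)))
        elif sm := SECTION_RE.match(body):
            requests[num].append(("section", sm.group(1), sm.group(2)))
        elif "ERROR" in body or "rejecting the user" in body:
            requests[num].append(("error", body, None))
    return dict(requests)

def diagnose(events):
    """Pair the first error with the last section return code seen before it."""
    last_section = None
    for kind, name, rcode in events:
        if kind == "section":
            last_section = (name, rcode)
        elif kind == "error":
            return {"error": name, "last_section": last_section}
    return None
```

For the sample, `diagnose` reports that the inner `Auth-Type ntlm_auth` section returned `handled` immediately before eap_ttls complained that no tunneled reply was found, which is the point to inspect in the inner-tunnel configuration.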