Not able to send a challenge
Alan DeKok
aland at deployingradius.com
Fri Sep 6 18:48:01 CEST 2019
> On Sep 6, 2019, at 12:41 PM, ngoetz75 <ngoetz24 at gmail.com> wrote:
>
>> I’m not sure what I am doing wrong. I am trying to use eap-tls to authenticate users against active directory,
EAP-TLS authenticates users by certificate. It doesn't need / use AD.
The most you could do is to check the username against the user ID in AD. If the user exists, keep going with EAP-TLS. Otherwise reject them.
>> and if it passes, I want to prompt the user to enter their OTP.
EAP-TLS doesn't use passwords. Therefore it doesn't use OTP.
Maybe you mean TTLS?
>> This is all working with PAP, but I want to use eap-tls since it is more secure. Everything works fine with the windows authentication, but as soon as I uncomment the “challenge” line in the code below, I get the following error:
>>
>> (6) ntlm_auth: Program executed successfully
>> (6) [ntlm_auth] = ok
>> (6) if (ok) {
>> (6) if (ok) -> TRUE
>> (6) if (ok) {
>> (6) update reply {
>> (6) Reply-Message := "Please enter OTP"
>> (6) } # update reply = noop
>> (6) policy challenge {
>> (6) update control {
>> (6) &Response-Packet-Type = Access-Challenge
>> (6) } # update control = noop
>> (6) [handled] = handled
>> (6) } # policy challenge = handled
>> (6) } # if (ok) = handled
>> (6) } # Auth-Type ntlm_auth = handled
>> (6) } # server inner-tunnel
>> (6) Virtual server sending reply
>> (6) Reply-Message := "Please enter OTP"
>> (6) eap_ttls: No tunneled reply was found for request 6 , and the request was not proxied: rejecting the user.
Yes. EAP-TTLS has a fixed packet flow. You can't just inject something new and expect it to work.
If you want OTP challenge / response with EAP-TTLS, you have to use EAP-GTC in the inner tunnel. PAP won't work.
Alan DeKok.
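As an added illustration of the EAP-GTC approach described above (this is not configuration from the thread or from the FreeRADIUS project, only the shape such a setup takes in FreeRADIUS 3.x), the relevant lines of `mods-available/eap` and `sites-available/inner-tunnel` are shown below. The section and setting names are the stock ones from those files; the prompt text and the placeholder for the module that validates the OTP are assumptions.

```conf
# mods-available/eap (relevant settings only; everything else stays as in the stock file)
eap {
	default_eap_type = ttls

	ttls {
		tls = tls-common
		# Run EAP-GTC inside the TLS tunnel. GTC is the inner method whose
		# state machine includes a server prompt and a client reply, so the
		# OTP round trip is part of the defined EAP-TTLS packet flow instead
		# of an Access-Challenge injected from unlang (which eap_ttls rejects).
		default_eap_type = gtc
		virtual_server = "inner-tunnel"
	}

	gtc {
		# Prompt shown to the supplicant (assumed text). Some clients ignore it.
		challenge = "Please enter OTP: "
		# Auth-Type used inside inner-tunnel to check the value the user typed;
		# GTC delivers that value to the inner request as User-Password.
		auth_type = PAP
	}
}

# sites-available/inner-tunnel: the "policy challenge" / Access-Challenge block
# from the question is removed; eap handles the prompt and reply itself.
server inner-tunnel {
	authorize {
		eap {
			ok = return
		}
		pap
	}
	authenticate {
		Auth-Type PAP {
			# Placeholder: replace with the module that validates the OTP
			# against your token backend; the stock file uses pap here.
			pap
		}
		eap
	}
}
```

With this in place the prompt is carried inside the GTC exchange, so the earlier "No tunneled reply was found" rejection does not arise.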