Not able to send a challenge

Alan DeKok aland at deployingradius.com
Fri Sep 6 18:48:01 CEST 2019



> On Sep 6, 2019, at 12:41 PM, ngoetz75 <ngoetz24 at gmail.com> wrote:
> 
>> I’m not sure what I am doing wrong.  I am trying to use eap-tls to authenticate users against active directory,

  EAP-TLS authenticates users by certificate.  It doesn't need / use AD.

  The most you could do is to check the username against the user ID in AD.  If the user exists, keep going with EAP-TLS.  Otherwise reject them.

>> and if it passes, I want to prompt the user to enter their OTP.

  EAP-TLS doesn't use passwords.  Therefore it doesn't use OTP.

  Maybe you mean TTLS?

>>  This is all working with PAP, but I want to use eap-tls since it is more secure.  Everything works fine with the Windows authentication, but as soon as I uncomment the “challenge” line in the code below, I get the following error:
>> 
>> (6) ntlm_auth: Program executed successfully
>> (6)       [ntlm_auth] = ok
>> (6)       if (ok) {
>> (6)       if (ok)  -> TRUE
>> (6)       if (ok)  {
>> (6)         update reply {
>> (6)           Reply-Message := "Please enter OTP"
>> (6)         } # update reply = noop
>> (6)         policy challenge {
>> (6)           update control {
>> (6)             &Response-Packet-Type = Access-Challenge
>> (6)           } # update control = noop
>> (6)           [handled] = handled
>> (6)         } # policy challenge = handled
>> (6)       } # if (ok)  = handled
>> (6)     } # Auth-Type ntlm_auth = handled
>> (6) } # server inner-tunnel
>> (6) Virtual server sending reply
>> (6)   Reply-Message := "Please enter OTP"
>> (6) eap_ttls: No tunneled reply was found for request 6 , and the request was not proxied: rejecting the user.

  Yes.  EAP-TTLS has a fixed packet flow.  You can't just inject something new and expect it to work.

  If you want OTP challenge / response with EAP-TTLS, you have to use EAP-GTC in the inner tunnel.  PAP won't work.

  Alan DeKok.
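As an added illustration of what Alan's reply points to (this is not part of his message and not the stock FreeRADIUS configuration), here is the shape of an EAP-TTLS deployment whose inner method is EAP-GTC, so that the server can send the OTP prompt as an EAP-GTC Request instead of trying to inject an Access-Challenge into the tunnel. The eap fragment follows the layout of raddb/mods-available/eap; the inner-tunnel fragment assumes an `ldap` module instance already bound to Active Directory (for the "does the user exist" check) and uses a hypothetical module name, `otp_check`, as a stand-in for whatever actually validates the one-time password.

```unlang
# mods-available/eap (excerpt, assumed layout): EAP-TTLS outside, EAP-GTC inside.
eap {
	default_eap_type = ttls

	# tls-config tls-common { ... } is the server certificate / CA block from
	# the stock file and is unchanged here.

	ttls {
		tls = tls-common
		# EAP-GTC is the inner method that carries a server-sent prompt and
		# a one-time response.  PAP inside the tunnel cannot challenge.
		default_eap_type = gtc
		copy_request_to_tunnel = no
		virtual_server = "inner-tunnel"
	}

	gtc {
		# Text shown to the user in the EAP-GTC Request.
		challenge = "Please enter OTP: "
		# The GTC response is copied into User-Password and handed to this
		# Auth-Type in the inner-tunnel virtual server.
		auth_type = PAP
	}
}

# sites-available/inner-tunnel (excerpt, assumed layout)
server inner-tunnel {
	authorize {
		# Optional: refuse users AD does not know before they ever see the prompt.
		ldap			# assumed: ldap instance pointed at Active Directory
		if (notfound) {
			reject
		}

		eap {
			ok = return
		}
	}

	authenticate {
		# rlm_eap_gtc re-enters here with Auth-Type = PAP once the user has typed the OTP.
		Auth-Type PAP {
			otp_check		# hypothetical: module that validates User-Password as an OTP
		}
		eap
	}
}
```

The supplicant has to support EAP-TTLS with an EAP-GTC inner method for this to work; check that before changing the server side.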
