Not able to send a challenge

ngoetz75 ngoetz24 at gmail.com
Fri Sep 6 22:22:17 CEST 2019


> Thank you for your response.
> 
> You are correct, I meant to type ttls, not tls.
> 
> The Palo Alto firewall that I am using to authenticate against FreeRadius only supports the following types:
>    PEAP-MSCHAPv2
>    PEAP with GTC
>    EAP-TTLS with PAP
>    PAP
> 
> Since I am trying to do two-factor (AD and OTP), I need to be able to return a challenge response back to the firewall requesting the user to enter their token.  So far I have only gotten this to work properly with PAP.  Since PAP is very insecure, I was hopping to use one of the other types.  I was hopping that since PAP was working, I could do the same thing using PAP within a TTLS tunnel.  Since I am forwarding the second factor (OTP) to another radius servers (safenet), I am assuming the freeradius servers will need the OTP password  in clear text to forward to the safenet radius server.  I didn't think that the PEAP options would work because they send a hash value instead of the password.
> 
> I am fairly new at doing this, so my assumptions could be incorrect.
> 
> Thanks
> 
> <quote author='Alan DeKok-2'>
> 
> 
>>> On Sep 6, 2019, at 12:41 PM, ngoetz75 <ngoetz24 at gmail.com> wrote:
>>> 
>>> I’m not sure what I am doing wrong.  I am trying to use eap-tls to
>>> authenticate users against active directory,
> 
>  EAP-TLS authenticates users by certificate.  It doesn't need / use AD.
> 
>  The most you could do is to check the username against the user ID in AD. 
> If the user exists, keep going with EAP-TLS.  Otherwise reject them.
> 
>>> and if it passes, I want to prompt the user to enter their OTP.
> 
>  EAP-TLS doesn't use passwords.  Therefore it doesn't use OTP.
> 
>  Maybe you mean TTLS?
> 
>>> This is all working with PAP, but I want to use eap-tls since it is more
>>> secure.  Everything works fine with the windows authentication, but as
>>> soon as I uncomment out the “challenge” line in the code below, I get the
>>> following error:
>>> 
>>> (6) ntlm_auth: Program executed successfully
>>> (6)       [ntlm_auth] = ok
>>> (6)       if (ok) {
>>> (6)       if (ok)  -> TRUE
>>> (6)       if (ok)  {
>>> (6)         update reply {
>>> (6)           Reply-Message := "Please enter OTP"
>>> (6)         } # update reply = noop
>>> (6)         policy challenge {
>>> (6)           update control {
>>> (6)             &Response-Packet-Type = Access-Challenge
>>> (6)           } # update control = noop
>>> (6)           [handled] = handled
>>> (6)         } # policy challenge = handled
>>> (6)       } # if (ok)  = handled
>>> (6)     } # Auth-Type ntlm_auth = handled
>>> (6) } # server inner-tunnel
>>> (6) Virtual server sending reply
>>> (6)   Reply-Message := "Please enter OTP"
>>> (6) eap_ttls: No tunneled reply was found for request 6 , and the request
>>> was not proxied: rejecting the user.
> 
>  Yes.  EAP-TTLS has a fixed packet flow.  You can't just inject something
> new and expect it to work.
> 
>  If you want OTP challenge / response with EAP-TTLS, you have to use
> EAP-GTC in the inner tunnel.  PAP won't work.
> 
>  Alan DeKok.
> 
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> </quote>
> Quoted from: 
> http://freeradius.1045715.n5.nabble.com/Fwd-Not-able-to-send-a-challenge-tp5755782p5755783.html
> 
> 
> _____________________________________
> Sent from http://freeradius.1045715.n5.nabble.com
> 



More information about the Freeradius-Users mailing list