2FA Challenge via Proxy Realm with valid State
Alan DeKok
aland at deployingradius.com
Thu Feb 13 17:00:46 CET 2020
On Feb 13, 2020, at 5:11 AM, Bill Noyce <billnoyce75 at gmail.com> wrote:
>
> Your advice was spot on. I moved/added the ldap.authenticate so that both
> steps use the Proxy-To-Realm and this meant the correct Access-Challenge
> response is sent during the first step.
Good to hear.
> if (!State) {
>     if (&User-Password) {
>         # If !State and User-Password (PAP), then force LDAP:
>         update control {
>             Ldap-UserDN := "%{User-Name}@my-domain.com"
>             Auth-Type := LDAP
You don't need "Auth-Type := LDAP" here. It can be deleted.
>         }
>         ldap.authenticate
>         if (!ok) {
>             reject
>         }
>     } else {
>         reject
>     }
> }
> update control {
>     Proxy-To-Realm := "proxy-test"
> }
>
> I kept 2 rejects for both a missing User-Password and an invalid LDAP bind.
> The Proxy-To-Realm always fires off.
Good!
FreeRADIUS can do almost anything. :)
Alan DeKok.