Error 2FA - AD password and external OTP via RADIUS proxy
Alan DeKok
aland at deployingradius.com
Wed Mar 11 21:42:31 CET 2020
On Mar 11, 2020, at 10:31 AM, Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> In freeradius logs, this is ldap: Bind credentials incorrect: Invalid credentials): [testuser/testpasswd2217287
> First the request for a normal password and then the otp 2217287
> What's wrong ?
The user entered the password followed by the OTP, all as one field. Then, you configured FreeRADIUS to send all that to LDAP.
The general practice is to put the 6-digit OTP first, then the password. Then, split them via something like this:
    if (User-Password =~ /^(......)(.*)$/) {
        update request {
            User-Password := "%{2}"
            OTP-Password := "%{1}"
        }
    }
You will need to edit raddb/dictionary in order to define OTP-Password.
This lets you use User-Password as normal to connect to LDAP, and authenticate the user.
You can then check OTP-Password however you want.
Alan DeKok.
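The split-then-check flow from the reply above, worked through as an added Python example (not code from the post or from the FreeRADIUS project). It models the unlang logic as plain functions: the loose `^(......)(.*)$` pattern from the post beside a tightened `^(\d{6})(.*)$` variant, a constructed stand-in for the LDAP bind (a dict, not a real directory), and one possible way to "check OTP-Password however you want", here a TOTP (RFC 6238, HMAC-SHA1, 30-second step) check using the RFC test secret. The OTP system, the secret and the directory contents are assumptions; the thread does not say which OTP product is in use.

```python
import hashlib
import hmac
import re
import struct

# Pattern exactly as in the post: any six characters, then the rest.
LOOSE_RE = re.compile(r"^(......)(.*)$", re.DOTALL)
# Tightened pattern: the OTP must be six digits, so a password-first entry
# such as "testpasswd287082" is rejected instead of being silently mis-split.
STRICT_RE = re.compile(r"^(\d{6})(.*)$", re.DOTALL)


def split_otp_password(user_password, strict=True):
    """Return (otp, password) from an 'OTP then password' field, or None.

    group(1)/group(2) correspond to %{1}/%{2} in the unlang snippet.
    """
    m = (STRICT_RE if strict else LOOSE_RE).match(user_password)
    if not m:
        return None
    return m.group(1), m.group(2)


def totp(secret, timestamp, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix timestamp (assumed OTP scheme)."""
    counter = int(timestamp) // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_otp(otp, secret, timestamp, window=1):
    """Constant-time compare against the current step and +/- `window` steps."""
    for skew in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, timestamp + skew * 30), otp):
            return True
    return False


# Constructed stand-in for the LDAP simple bind: username -> AD password.
FAKE_DIRECTORY = {"testuser": "testpasswd"}


def ldap_bind(username, password):
    """Simulates rlm_ldap's bind with the *split* User-Password only."""
    return FAKE_DIRECTORY.get(username) == password


def authenticate(username, user_password, secret, timestamp):
    """Split the field first, bind with the password part, then check the OTP."""
    parts = split_otp_password(user_password)
    if parts is None:
        return "reject: no 6-digit OTP at start of User-Password"
    otp, password = parts
    if not ldap_bind(username, password):
        return "reject: ldap bind failed"
    if not verify_otp(otp, secret, timestamp):
        return "reject: otp invalid"
    return "accept"


if __name__ == "__main__":
    # RFC 6238 test secret; at T=59 the 6-digit code is 287082.
    secret = b"12345678901234567890"
    print(authenticate("testuser", "287082testpasswd", secret, 59))
    print(authenticate("testuser", "testpasswd287082", secret, 59))
```

With the loose pattern, a password-first entry like the one in the original log still matches and is split into the first six characters of the password plus the remainder, so the LDAP bind fails with "Invalid credentials" just as reported; the digit-only pattern turns that into an explicit reject before any bind is attempted. The `OTP-Password` attribute used in the unlang has to exist in raddb/dictionary (for example `ATTRIBUTE OTP-Password 3000 string`, using the local attribute number range that file documents).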