Error 2FA - AD password and external OTP via RADIUS proxy
Клеусов Владимир Сергеевич
Kleusov.Vladimir at wildberries.ru
Mon Mar 16 13:34:51 CET 2020
Configured as follows:
One freeradius is configured like this:
https://wiki.freeradius.org/guide/2FA-A ... plus-Proxy
The second freeradius is configured as follows:
https://www.linotp.org/howtos/howto-radius.html
That is, the idea is first to go for the username/password in LDAP, then get a temporary password and check it.
The problem is that it doesn't work:
Login incorrect (ldap: Bind credentials incorrect: Invalid credentials): [testuser/testpasswordOTP]
In other words, passwords are glued together.
I don't understand how to configure it.
>> The general practice is to put the 6-digit OTP first, then the password. Then, split them via something like this:
>>
>> if (User-Password =~ /^(......)(.*)$/) {
>>     # first six characters are the OTP, the remainder is the LDAP password
>>     update request {
>>         User-Password := "%{2}"
>>         OTP-Password := "%{1}"
>>     }
>> }
>>
>> You will need to edit raddb/dictionary in order to define OTP-Password.
> On 12 March 2020, at 11:05, Клеусов Владимир Сергеевич <Kleusov.Vladimir at wildberries.ru> wrote:
>
> Thanks.
> In which file do I need to separate the LDAP and OTP password?
> How do I edit a dictionary?
>
>> On 11 March 2020, at 23:42, Alan DeKok <aland at deployingradius.com> wrote:
>>
>> On Mar 11, 2020, at 10:31 AM, Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>>>
>>> In the freeradius logs this is: ldap: Bind credentials incorrect: Invalid credentials): [testuser/testpasswd2217287
>>> First the request for a normal password and then the otp 2217287
>>> What's wrong?
>>
>> The user entered the password followed by the OTP, all as one field. Then, you configured FreeRADIUS to send all that to LDAP.
>>
>> The general practice is to put the 6-digit OTP first, then the password. Then, split them via something like this:
>>
>> if (User-Password =~ /^(......)(.*)$/) {
>>     # first six characters are the OTP, the remainder is the LDAP password
>>     update request {
>>         User-Password := "%{2}"
>>         OTP-Password := "%{1}"
>>     }
>> }
>>
>> You will need to edit raddb/dictionary in order to define OTP-Password.
>>
>> This lets you use User-Password as normal to connect to LDAP, and authenticate the user.
>>
>> You can then check OTP-Password however you want.
>>
>> Alan DeKok.
>>
>
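As an added illustration (not from the thread and not FreeRADIUS code), the following Python models the split Alan describes and the two checks that follow it. The LDAP directory, the OTP validator and the credentials are constructed stand-ins, and `otp_len` is an added parameter so the prefix length can be matched to what the token actually emits (the OTP in the log above has seven digits, while the rule in the thread takes six characters):

```python
import re

# Constructed sample backends: not a real LDAP server or OTP validator.
LDAP_DIRECTORY = {"testuser": "testpasswd"}          # user -> LDAP password
VALID_OTPS = {"testuser": {"221728"}}                # user -> currently valid codes (hypothetical)


def ldap_bind(username: str, password: str) -> bool:
    """Stand-in for the LDAP simple bind FreeRADIUS performs with User-Password."""
    return LDAP_DIRECTORY.get(username) == password


def otp_check(username: str, otp: str) -> bool:
    """Stand-in for whatever validates OTP-Password (e.g. the second RADIUS server)."""
    return otp in VALID_OTPS.get(username, set())


def split_credential(user_password: str, otp_len: int = 6):
    """Mirror of the unlang rule from the thread: OTP first, password after.

    Same shape as /^(......)(.*)$/; the number of dots is the OTP length, so it
    must equal the length of the codes the token really produces.
    Returns (otp, password), or None when the field is shorter than the OTP.
    """
    pattern = re.compile(r"^(.{%d})(.*)$" % otp_len)
    m = pattern.match(user_password)
    if m is None:
        return None
    return m.group(1), m.group(2)


def authenticate(username: str, user_password: str, otp_len: int = 6) -> str:
    """Outcome of the two-step check, returned as a short label."""
    parts = split_credential(user_password, otp_len)
    if parts is None:
        return "reject: field too short"
    otp, password = parts
    # Without the split, the whole field would be sent to LDAP and the bind
    # would fail exactly as in the log in the thread.
    if not ldap_bind(username, password):
        return "reject: ldap bind failed"
    if not otp_check(username, otp):
        return "reject: otp invalid"
    return "accept"


if __name__ == "__main__":
    glued = "221728testpasswd"
    print("bind with glued field:", ldap_bind("testuser", glued))   # False
    print("split then check:", authenticate("testuser", glued))      # accept
    print("7-digit token:", split_credential("2217287testpasswd", otp_len=7))
```

On the FreeRADIUS side the attribute still has to exist before `OTP-Password := "%{1}"` will parse: a line of the form `ATTRIBUTE OTP-Password 3000 string` in raddb/dictionary declares it, where the number is a local choice and the comments at the top of that file say which range is reserved for site-local attributes.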