Fwd: Error 2FA - AD password and external OTP via RADIUS proxy
Клеусов Владимир Сергеевич
Kleusov.Vladimir at wildberries.ru
Wed Mar 18 09:27:44 CET 2020
Perhaps I need to split the passwords in a script and log in using the split password?
# If State, then proxy request:
update control {
	Proxy-To-Realm := "proxy-test"
	Auth-Type := /bin/bash -f /etc/freeradius/3.0/scripts/otp.sh '%{User-Name}' '%{User-Password}'
}
Begin forwarded message:
From: Владимир Клеусов <kleusov.vladimir at wildberries.ru>
Subject: Re: Error 2FA - AD password and external OTP via RADIUS proxy
Date: 16 March 2020 at 15:34:51 GMT+3
To: FreeRadius users mailing list <Freeradius-Users at lists.freeradius.org>
Configured as follows:
One freeradius is configured like this:
https://wiki.freeradius.org/guide/2FA-A ... plus-Proxy
The second freeradius is configured as follows:
https://www.linotp.org/howtos/howto-radius.html
That is, the idea is to first go for the username/password in LDAP, then get a temporary password and check it.
The problem is that it doesn't work:
Login incorrect (ldap: Bind credentials incorrect: Invalid credentials): [testuser/testpasswordOTP]
In other words, passwords are glued together.
I don't understand how to configure it.
The general practice is to put the 6-digit OTP first, then the password. Then, split them via something like this:
if (User-Password =~ /^(......)(.*)$/) {
	update request {
		User-Password := "%{2}"
		OTP-Password := "%{1}"
	}
}
You will need to edit raddb/dictionary in order to define OTP-Password.
On 12 March 2020 at 11:05, Клеусов Владимир Сергеевич <Kleusov.Vladimir at wildberries.ru> wrote:
Thanks.
In which file do I need to separate the LDAP and OTP password?
How do I edit a dictionary?
On 11 March 2020 at 23:42, Alan DeKok <aland at deployingradius.com> wrote:
On Mar 11, 2020, at 10:31 AM, Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
In freeradius logs, this is ldap: Bind credentials incorrect: Invalid credentials): [testuser/testpasswd2217287
First the request for a normal password and then the otp 2217287
What's wrong?
The user entered the password followed by the OTP, all as one field. Then, you configured FreeRADIUS to send all that to LDAP.
The general practice is to put the 6-digit OTP first, then the password. Then, split them via something like this:
if (User-Password =~ /^(......)(.*)$/) {
	update request {
		User-Password := "%{2}"
		OTP-Password := "%{1}"
	}
}
You will need to edit raddb/dictionary in order to define OTP-Password.
This lets you use User-Password as normal to connect to LDAP, and authenticate the user.
You can then check OTP-Password however you want.
Alan DeKok.
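Putting Alan's answer into the files the question asks about, as an added example that is not from the thread or from the FreeRADIUS project: the OTP-Password definition goes in raddb/dictionary (local attributes use the 3000+ range that file reserves), and the split goes in the authorize section of raddb/sites-enabled/default before the ldap module runs. Assumptions of mine: the regex is narrowed to six digits plus a non-empty password, the reject branch for input without an OTP prefix and the post-auth placement of the second-factor check are added here, and the otp.sh helper (path from the thread, output contract not defined there) is assumed to print OK on success.

```unlang
# raddb/dictionary -- local attributes belong in the 3000+ range
# this file reserves; OTP-Password is the name used in the thread.
ATTRIBUTE	OTP-Password	3000	string

# raddb/sites-enabled/default -- relevant sections only
authorize {
	# The user types "<6-digit OTP><LDAP password>" in one field.
	# Anchored: exactly six digits, then at least one password character.
	if (User-Password =~ /^([0-9]{6})(.+)$/) {
		update request {
			OTP-Password  := "%{1}"
			User-Password := "%{2}"
		}
	}
	else {
		# No OTP prefix (e.g. the password-then-OTP order seen in the log):
		# fail early instead of sending the glued value to LDAP.
		update reply {
			Reply-Message := "Enter OTP followed by password"
		}
		reject
	}

	ldap
	if ((ok || updated) && User-Password) {
		update control {
			Auth-Type := LDAP
		}
	}
}

authenticate {
	# Bind as the user with the password part only.
	Auth-Type LDAP {
		ldap
	}
}

post-auth {
	# Second factor, checked only after the LDAP bind succeeded.
	# Assumption: otp.sh prints "OK" when the code is valid for the user.
	if ("%{exec:/etc/freeradius/3.0/scripts/otp.sh %{User-Name} %{OTP-Password}}" != "OK") {
		update reply {
			Reply-Message := "OTP check failed"
		}
		reject
	}
}
```

Run radiusd -X and submit a test request with radtest to confirm the debug output shows User-Password and OTP-Password as separate attributes before the ldap module is called.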