Apache2 auth_radius and OTP not working consistently
Steven Vacaroaia
stef97 at gmail.com
Wed Oct 6 14:25:04 CEST 2021
Hi,
Thanks for taking the time to provide some guidance
I was talking about the comments here
https://github.com/FreeRADIUS/mod_auth_radius
In the example I provided I tried to follow OTP workaround provided by you
in the mod_auth_radius
The password mismatch issue seems to be related to Yubikey module
complaining about REPLAYED_OTP ( I am using same password/username/key as
few seconds ago when it worked)
many thanks
Steven
On Wed, 6 Oct 2021 at 06:00, <freeradius-users-request at lists.freeradius.org>
wrote:
> Send Freeradius-Users mailing list submissions to
> freeradius-users at lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> freeradius-users-request at lists.freeradius.org
>
> You can reach the person managing the list at
> freeradius-users-owner at lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
> 1. Re: Authenticator -to- RADIUS connection (Alan DeKok)
> 2. Apache2 auth_radius and OTP not working consistently
> (Steven Vacaroaia)
> 3. Re: Apache2 auth_radius and OTP not working consistently
> (Alan DeKok)
> 4. Re: Apache2 auth_radius and OTP not working consistently
> (Alan DeKok)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 5 Oct 2021 13:49:29 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: Authenticator -to- RADIUS connection
> Message-ID: <3FDAEFEE-1B4C-4F5D-87F1-FD5BC28B82EF at deployingradius.com>
> Content-Type: text/plain; charset=utf-8
>
> On Oct 5, 2021, at 1:00 PM, Turner, Randy <Randy.Turner at landisgyr.com>
> wrote:
> > We are using a package called “hostapd” to talk to FreeRADIUS – in some
> of the hostapd documentation they refer to hostapd as an 802.1x
> “authenticator”
>
> Yes. 802.1X != RADIUS. They use different terminology, because they
> are different protocols, and do different (but related) things.
>
> And why not just say from the start that you're using hostap? It's
> *always* better to be precise. Especially if you're not familiar with the
> technology.
>
> > This was the term I used in my original question which may have readers
> thinking I meant the actual device that was trying to access the network.
>
> I didn't know what you meant. Because as soon as someone uses the wrong
> terminology, all bets are off.
>
> > In FreeRADIUS parlance, I think hostapd is called a NAS – it’s the
> NAS-to-FreeRADIUS connection I was referring to.
>
> This is not "FreeRADIUS parlance". The term "NAS" goes back to at
> least 1993, and the first RADIUS standards. A little bit of reading on the
> basic terminology would help.
>
> So you're still confused about which things are involved, and what they
> do. I'm still not sure what you're asking.
>
> The "NAS to FreeRADIUS" connection uses RADIUS. You can't use any other
> protocol there.
>
> The "end user to hostap" connection uses 802.1X, which includes EAP.
> The EAP packets are then placed inside of RADIUS by the NAS, sent to
> FreeRADIUS.
>
> EAP can carry many different kinds of authentication. EAP-TLS,
> EAP-TTLS, etc.
>
> All of this information is available on the net (including Wikipedia) if
> you go look.
>
> What is frustrating here is not just using the wrong terminology, it's
> also metering out of additional information all through the conversation.
> It would have been very simple to say "I have a computer using WiFi, I have
> hostap, and I want to authenticate the user device via FreeRADIUS". That
> would have given us *useful* information.
>
> Instead, it's a vague question using incorrect terms, followed by "Oh
> yeah, I'm using this, too". This is frustrating.
>
> Spend an hour or so reading the Wikipedia pages on RADIUS and EAP. That
> should clarify a lot of issues. And PLEASE give useful information in
> messages. That helps enormously.
>
> Alan DeKok.
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 5 Oct 2021 16:55:40 -0400
> From: Steven Vacaroaia <stef97 at gmail.com>
> To: freeradius-users at lists.freeradius.org
> Subject: Apache2 auth_radius and OTP not working consistently
> Message-ID:
> <
> CAJ4cwkN8acKC6p-ZAUHR1N2r_Jvs9SDudd5MkS+juk2_qtcdYQ at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Hi,
>
> I am trying to get freeradius + AD + Yubikey as authentication mechanism
> for some of our websites
>
> It is working on and off which makes it very difficult to troubleshoot
>
> I noticed some notes / comments in the module but apparently I am not able
> to implement them properly although they seem pretty clear
>
> It will be greatly appreciated if you can point me to what am I doing wrong
>
> Example
> folder protected
> /var/www/html/test/user
> file needed to be used
> /var/www/html/test/user/index.php
> I put another file named index.html containing a link to index.php in the
> above folder
>
> I can connect to it after authenticate but , when I am using the link I
> created to index.php, I am asked again to authenticate which fails with
> "password mismatched" error
>
> I know I must be missing something really simple and I apologize for
> wasting your time with this but I am a bit desperate to get it working
>
> Thanks
> Steven
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 5 Oct 2021 16:59:18 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: Apache2 auth_radius and OTP not working consistently
> Message-ID: <19B2E21E-CFEE-407E-A601-D4868B5E0765 at deployingradius.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Oct 5, 2021, at 4:55 PM, Steven Vacaroaia <stef97 at gmail.com> wrote:
> > I am trying to get freeradius + AD + Yubikey as authentication mechanism
> > for some of our websites
> >
> > It is working on and off which makes it very difficult to troubleshoot
>
> it's best to test these things with "radclient". That way you test the
> RADIUS / AD / Yubikey portion separately from the web site.
>
> TBH, most web server integration with RADIUS is pretty poor.
>
> > I noticed some notes / comments in the module but apparently I am not
> able
> > to implement them properly although they seem pretty clear
>
> Which module?
>
> > It will be greatly appreciated if you can point me to what am I doing
> wrong
> >
> > Example
> > folder protected
> > /var/www/html/test/user
> > file needed to be used
> > /var/www/html/test/user/index.php
> > I put another file named index.html containing a link to index.php in the
> > above folder
>
> That has nothing to do with FreeRADIUS. We don't ship a web server, so
> I have no idea how to fix anything here.
>
> > I can connect to it after authenticate but , when I am using the link I
> > created to index.php, I am asked again to authenticate which fails with
> > "password mismatched" error
> >
> > I know I must be missing something really simple and I apologize for
> > wasting your time with this but I am a bit desperate to get it working
>
> Which were server are you using?
>
> Whatever web server it is, you need to consult its documentation for how
> to configure RADIUS authentication.
>
> Once FreeRADIUS gets a packet, we can help you. Until then, it's all
> web server magic that we know very little about.
>
> Alan DeKok.
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 5 Oct 2021 17:01:05 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: Apache2 auth_radius and OTP not working consistently
> Message-ID: <19201DA5-F29D-45BF-8A59-A7560E7DDD9E at deployingradius.com>
> Content-Type: text/plain; charset=us-ascii
>
> Sorry... I missed the part about "Apache2", it's been a long day.
>
> If you're getting a "password mismatched" error, then run FR in debug
> mode to see what it returns. Check if the passwords are correct, that the
> shared secrets are correct, etc.
>
> I'd say "run Apache in debug mode", but it's debug mode is essentially
> useless.
>
> Alan DeKok.
>
>
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 198, Issue 14
> *************************************************
>
More information about the Freeradius-Users
mailing list