Apache2 auth_radius and OTP not working consistently
Jonathan Davis
jonathan at prioritycolo.com
Wed Oct 6 14:48:34 CEST 2021
You can't use Yubikey OTPs twice
> On Oct 6, 2021, at 8:25 AM, Steven Vacaroaia <stef97 at gmail.com> wrote:
>
> Hi,
>
> Thanks for taking the time to provide some guidance
>
> I was talking about the comments here
> https://github.com/FreeRADIUS/mod_auth_radius
>
> In the example I provided I tried to follow the OTP workaround provided by you
> in the mod_auth_radius
>
> The password mismatch issue seems to be related to the Yubikey module
> complaining about REPLAYED_OTP (I am using the same password/username/key as
> a few seconds ago when it worked)
>
> many thanks
> Steven
>
>> On Wed, 6 Oct 2021 at 06:00, <freeradius-users-request at lists.freeradius.org>
>> wrote:
>>
>> Today's Topics:
>>
>> 1. Re: Authenticator -to- RADIUS connection (Alan DeKok)
>> 2. Apache2 auth_radius and OTP not working consistently
>> (Steven Vacaroaia)
>> 3. Re: Apache2 auth_radius and OTP not working consistently
>> (Alan DeKok)
>> 4. Re: Apache2 auth_radius and OTP not working consistently
>> (Alan DeKok)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Tue, 5 Oct 2021 13:49:29 -0400
>> From: Alan DeKok <aland at deployingradius.com>
>> To: FreeRadius users mailing list
>> <freeradius-users at lists.freeradius.org>
>> Subject: Re: Authenticator -to- RADIUS connection
>> Message-ID: <3FDAEFEE-1B4C-4F5D-87F1-FD5BC28B82EF at deployingradius.com>
>> Content-Type: text/plain; charset=utf-8
>>
>>> On Oct 5, 2021, at 1:00 PM, Turner, Randy <Randy.Turner at landisgyr.com>
>>> wrote:
>>> We are using a package called “hostapd” to talk to FreeRADIUS – in some
>> of the hostapd documentation they refer to hostapd as an 802.1x
>> “authenticator”
>>
>> Yes. 802.1X != RADIUS. They use different terminology, because they
>> are different protocols, and do different (but related) things.
>>
>> And why not just say from the start that you're using hostap? It's
>> *always* better to be precise. Especially if you're not familiar with the
>> technology.
>>
>>> This was the term I used in my original question which may have readers
>> thinking I meant the actual device that was trying to access the network.
>>
>> I didn't know what you meant. Because as soon as someone uses the wrong
>> terminology, all bets are off.
>>
>>> In FreeRADIUS parlance, I think hostapd is called a NAS – it’s the
>> NAS-to-FreeRADIUS connection I was referring to.
>>
>> This is not "FreeRADIUS parlance". The term "NAS" goes back to at
>> least 1993, and the first RADIUS standards. A little bit of reading on the
>> basic terminology would help.
>>
>> So you're still confused about which things are involved, and what they
>> do. I'm still not sure what you're asking.
>>
>> The "NAS to FreeRADIUS" connection uses RADIUS. You can't use any other
>> protocol there.
>>
>> The "end user to hostap" connection uses 802.1X, which includes EAP.
>> The EAP packets are then placed inside of RADIUS by the NAS, sent to
>> FreeRADIUS.
>>
>> EAP can carry many different kinds of authentication. EAP-TLS,
>> EAP-TTLS, etc.
>>
>> All of this information is available on the net (including Wikipedia) if
>> you go look.
>>
>> What is frustrating here is not just using the wrong terminology, it's
>> also metering out additional information all through the conversation.
>> It would have been very simple to say "I have a computer using WiFi, I have
>> hostap, and I want to authenticate the user device via FreeRADIUS". That
>> would have given us *useful* information.
>>
>> Instead, it's a vague question using incorrect terms, followed by "Oh
>> yeah, I'm using this, too". This is frustrating.
>>
>> Spend an hour or so reading the Wikipedia pages on RADIUS and EAP. That
>> should clarify a lot of issues. And PLEASE give useful information in
>> messages. That helps enormously.
>>
>> Alan DeKok.
>>
>>
>>
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Tue, 5 Oct 2021 16:55:40 -0400
>> From: Steven Vacaroaia <stef97 at gmail.com>
>> To: freeradius-users at lists.freeradius.org
>> Subject: Apache2 auth_radius and OTP not working consistently
>> Message-ID: <CAJ4cwkN8acKC6p-ZAUHR1N2r_Jvs9SDudd5MkS+juk2_qtcdYQ at mail.gmail.com>
>> Content-Type: text/plain; charset="UTF-8"
>>
>> Hi,
>>
>> I am trying to get freeradius + AD + Yubikey as authentication mechanism
>> for some of our websites
>>
>> It is working on and off which makes it very difficult to troubleshoot
>>
>> I noticed some notes / comments in the module but apparently I am not able
>> to implement them properly although they seem pretty clear
>>
>> It will be greatly appreciated if you can point me to what I am doing wrong
>>
>> Example
>> folder protected
>> /var/www/html/test/user
>> file needed to be used
>> /var/www/html/test/user/index.php
>> I put another file named index.html containing a link to index.php in the
>> above folder
>>
>> I can connect to it after authenticating but, when I use the link I
>> created to index.php, I am asked again to authenticate, which fails with a
>> "password mismatched" error
>>
>> I know I must be missing something really simple and I apologize for
>> wasting your time with this but I am a bit desperate to get it working
>>
>> Thanks
>> Steven
>>
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Tue, 5 Oct 2021 16:59:18 -0400
>> From: Alan DeKok <aland at deployingradius.com>
>> To: FreeRadius users mailing list
>> <freeradius-users at lists.freeradius.org>
>> Subject: Re: Apache2 auth_radius and OTP not working consistently
>> Message-ID: <19B2E21E-CFEE-407E-A601-D4868B5E0765 at deployingradius.com>
>> Content-Type: text/plain; charset=us-ascii
>>
>>> On Oct 5, 2021, at 4:55 PM, Steven Vacaroaia <stef97 at gmail.com> wrote:
>>> I am trying to get freeradius + AD + Yubikey as authentication mechanism
>>> for some of our websites
>>>
>>> It is working on and off which makes it very difficult to troubleshoot
>>
>> it's best to test these things with "radclient". That way you test the
>> RADIUS / AD / Yubikey portion separately from the web site.
>>
>> TBH, most web server integration with RADIUS is pretty poor.
>>
>>> I noticed some notes / comments in the module but apparently I am not
>> able
>>> to implement them properly although they seem pretty clear
>>
>> Which module?
>>
>>> It will be greatly appreciated if you can point me to what I am doing
>> wrong
>>>
>>> Example
>>> folder protected
>>> /var/www/html/test/user
>>> file needed to be used
>>> /var/www/html/test/user/index.php
>>> I put another file named index.html containing a link to index.php in the
>>> above folder
>>
>> That has nothing to do with FreeRADIUS. We don't ship a web server, so
>> I have no idea how to fix anything here.
>>
>>> I can connect to it after authenticating but, when I use the link I
>>> created to index.php, I am asked again to authenticate, which fails with a
>>> "password mismatched" error
>>>
>>> I know I must be missing something really simple and I apologize for
>>> wasting your time with this but I am a bit desperate to get it working
>>
>> Which web server are you using?
>>
>> Whatever web server it is, you need to consult its documentation for how
>> to configure RADIUS authentication.
>>
>> Once FreeRADIUS gets a packet, we can help you. Until then, it's all
>> web server magic that we know very little about.
>>
>> Alan DeKok.
>>
>>
>>
>>
>> ------------------------------
>>
>> Message: 4
>> Date: Tue, 5 Oct 2021 17:01:05 -0400
>> From: Alan DeKok <aland at deployingradius.com>
>> To: FreeRadius users mailing list
>> <freeradius-users at lists.freeradius.org>
>> Subject: Re: Apache2 auth_radius and OTP not working consistently
>> Message-ID: <19201DA5-F29D-45BF-8A59-A7560E7DDD9E at deployingradius.com>
>> Content-Type: text/plain; charset=us-ascii
>>
>> Sorry... I missed the part about "Apache2", it's been a long day.
>>
>> If you're getting a "password mismatched" error, then run FR in debug
>> mode to see what it returns. Check if the passwords are correct, that the
>> shared secrets are correct, etc.
>>
>> I'd say "run Apache in debug mode", but its debug mode is essentially
>> useless.
>>
>> Alan DeKok.
>>
>>
>>
>>
>> ------------------------------
>>
>> Subject: Digest Footer
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>> ------------------------------
>>
>> End of Freeradius-Users Digest, Vol 198, Issue 14
>> *************************************************
>>
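The failure mode behind this thread, as an added example (it is not code from the thread, from mod_auth_radius or from FreeRADIUS): a browser doing HTTP Basic auth re-sends the same Authorization header, and therefore the same YubiKey OTP, on every request, so fetching index.html and then index.php means two RADIUS round trips with one OTP. The validation server rejects the second as REPLAYED_OTP, because the session and use counters inside the OTP are not newer than the last accepted ones, and the web module surfaces that as a password mismatch. The script simulates the counter check and the two-request sequence, once with the web server asking RADIUS every time and once with it caching the first success in a session cookie (the same idea as the cookie-based workaround Steven refers to; no mod_auth_radius directive names are assumed here). All data is constructed: the public ID and OTP bodies are made-up modhex strings, and the DECRYPTED table stands in for AES decryption of the token body, which is omitted; only the modhex decoding and the counter comparison are the real mechanism.

```python
"""Added example (not thread, mod_auth_radius or FreeRADIUS code): why one
YubiKey OTP cannot be used twice, and why HTTP Basic auth trips over that.
AES decryption of the OTP body is omitted on purpose; DECRYPTED is a
constructed table standing in for what decryption would reveal."""
import base64
import secrets

# A YubiKey OTP is 44 modhex characters: a 12-character public ID followed by
# a 32-character AES-encrypted token. Modhex maps these letters to 0..15.
MODHEX = "cbdefghijklnrtuv"

def modhex_decode(s: str) -> bytes:
    """Decode a modhex string to bytes; raise ValueError on bad input."""
    if len(s) % 2 or any(ch not in MODHEX for ch in s):
        raise ValueError("not modhex")
    n = [MODHEX.index(ch) for ch in s]
    return bytes(hi << 4 | lo for hi, lo in zip(n[::2], n[1::2]))

# Constructed OTPs for one key (public ID "cccccccccccc"), in the order the key
# would emit them, and the (session_counter, session_use) pair each one would
# decrypt to. The session counter increments on power-up, the use counter per
# OTP within a session, so every accepted OTP must be strictly newer.
OTP_1 = "cccccccccccc" + "hgfedcbihgfedcbihgfedcbihgfedcbi"
OTP_2 = "cccccccccccc" + "bcdefghibcdefghibcdefghibcdefghi"
DECRYPTED = {OTP_1: (5, 1), OTP_2: (5, 2)}

class YubiValidator:
    """Stand-in for the validation server's replay check."""

    def __init__(self):
        self.last_seen = {}  # public ID -> counters of the last accepted OTP

    def validate(self, otp: str) -> str:
        try:
            raw = modhex_decode(otp)  # checks alphabet and even length
        except ValueError:
            return "BAD_OTP"
        counters = DECRYPTED.get(otp) if len(raw) == 22 else None
        if counters is None:  # stands in for a failed AES decrypt / CRC check
            return "BAD_OTP"
        public_id = raw[:6]
        prev = self.last_seen.get(public_id)
        if prev is not None and counters <= prev:
            return "REPLAYED_OTP"
        self.last_seen[public_id] = counters
        return "OK"

def basic_auth_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic_auth(header: str):
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not Basic auth")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

class WebServer:
    """Basic-auth front end. Without cache_results it asks the validator on
    every request; with it, a success issues a session cookie that later
    requests may present instead of a fresh OTP."""

    def __init__(self, validator: YubiValidator, cache_results: bool):
        self.validator = validator
        self.cache_results = cache_results
        self.sessions = set()

    def handle(self, request: dict):
        """Return (status, cookie to set or None)."""
        if self.cache_results and request.get("cookie") in self.sessions:
            return 200, None
        _user, password = parse_basic_auth(request["authorization"])
        if self.validator.validate(password) != "OK":
            return 401, None  # surfaces as "password mismatched" in the module
        cookie = None
        if self.cache_results:
            cookie = secrets.token_urlsafe(16)
            self.sessions.add(cookie)
        return 200, cookie

def simulate(cache_results: bool):
    """Fetch index.html then index.php the way a browser does: the same
    Authorization header, hence the same OTP, goes out on both requests."""
    server = WebServer(YubiValidator(), cache_results)
    header = basic_auth_header("steven", OTP_1)
    statuses, cookie = [], None
    for _path in ("/test/user/index.html", "/test/user/index.php"):
        status, new_cookie = server.handle(
            {"authorization": header, "cookie": cookie})
        cookie = new_cookie or cookie
        statuses.append(status)
    return statuses

if __name__ == "__main__":
    print("every request hits RADIUS:", simulate(False))
    print("first success cached:     ", simulate(True))
```

`simulate(False)` returns `[200, 401]`: the second request replays the OTP and is refused. `simulate(True)` returns `[200, 200]`: the OTP is validated once and the cookie carries the session afterwards, which is also what Alan's advice to test with radclient isolates, since radclient sends each OTP exactly once.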