Configuring FreeRadius with LDAP and Google MFA

Quentin Rapin quentinrapin at gmail.com
Thu Oct 7 14:42:06 CEST 2021


 > 3.0.23+ includes a TOTP module, which is compatible with google
authenticator.

Great, I checked it out, the example is clear. As said in the
documentation, the module takes no configuration items. Does that mean
that it is only compatible with Google Authenticator and knows where
to find the file? I mean, it's not even required to indicate the path
to the .google_authenticator file.

>  So the user information wasn't found in LDAP.  This has nothing to do with OTP issues.

> Try using "ldapsearch", as documented in mods-available/ldap

> Once that works, use the same configuration in FreeRADIUS.

Just did that, it works well. I can retrieve the information. What's
strange is that LDAP authentication worked before I added the TOTP
config.

On Tue, 5 Oct 2021 at 17:06, Alan DeKok <aland at deployingradius.com> wrote:
>
> On Oct 5, 2021, at 3:25 AM, Quentin Rapin <quentinrapin at gmail.com> wrote:
> > I'm trying to set up a freeradius v.3.0.20 server using LDAP with MFA
> > (Google Authenticator).
>
>   3.0.23+ includes a TOTP module, which is compatible with google authenticator.
>
> > The LDAP part worked, however, since I added the MFA configuration, it
> > doesn't work anymore, it seems that the passwords are not even checked
> > against the LDAP database (Windows AD).
> > I followed this tutorial to get it working:
> > https://sysopstechnix.com/enable-2fa-on-freeradius-with-openldap-users/
>
>   That doesn't seem too bad.
>
> > Here is part of the logs :
> >
> > Ready to process requests
> > (0) Received Access-Request Id 67 from 127.0.0.1:46701 to
> > 127.0.0.1:1812 length 95
> > (0) User-Name = "my_user"
> > (0) User-Password = "Password831041"
>
>   That seems normal.
>
> > (0) policy filter_google_otp {
> > (0) if (&User-Password =~ /^(.*)([0-9]{6})$/) {
> > (0) if (&User-Password =~ /^(.*)([0-9]{6})$/) -> TRUE
> > (0) if (&User-Password =~ /^(.*)([0-9]{6})$/) {
> > (0) update request {
> > (0) EXPAND %{2}
> > (0) --> 831041
> > (0) &Google-Password := 831041
> > (0) EXPAND %{1}
> > (0) --> Password
> > (0) &User-Password := Password
>
>   That's good.
>
> > ...
> > rlm_ldap (ldap): Rebinding to URL
> > ldaps://DomainDnsZones.office.my.lan/DC=DomainDnsZones,DC=office,DC=my,DC=lan
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Bind successful
> > (0) ldap: User object found at DN "CN=test
> > ldap,OU=Network,OU=Level3,OU=Admins,OU=NEOXAN,OU=Management,OU=Accounts,DC=office,DC=my,DC=lan"
> > (0) ldap: Processing user attributes
> > (0) ldap: WARNING: No "known good" password added. Ensure the admin
> > user has permission to read the password attribute
> > (0) ldap: WARNING: PAP authentication will *NOT* work with Active
> > Directory (if that is what you were trying to configure)
> > rlm_ldap (ldap): Deleting connection (1) - Was referred to a different
> > LDAP server
>
>   So the user information wasn't found in LDAP.  This has nothing to do with OTP issues.
>
>   Try using "ldapsearch", as documented in mods-available/ldap
>
>   Once that works, use the same configuration in FreeRADIUS.
>
>   Alan DeKok.
>
>
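The password/OTP split that the quoted log shows (the filter_google_otp policy's `^(.*)([0-9]{6})$` regex) and the TOTP check that follows it, written out as a stand-alone Python example. This is an added illustration, not code from the thread, from FreeRADIUS or from its rlm_totp module: `split_password_otp` mirrors the unlang `%{1}`/`%{2}` expansions, and `hotp`/`totp`/`verify_totp` implement RFC 4226/6238 with the parameters Google Authenticator uses (HMAC-SHA1, 30-second step, 6 digits). `RFC_KEY` is the RFC 6238 reference key "12345678901234567890" in base32, chosen so the codes are checkable against the RFC's published vectors; the sample passwords and timestamps are constructed, and the LDAP bind itself is deliberately left out.

```python
import base64
import hashlib
import hmac
import re
import struct

# Same pattern the filter_google_otp policy in the thread applies to User-Password:
# a greedy prefix (the LDAP password) followed by exactly six trailing digits (the OTP).
OTP_SUFFIX_RE = re.compile(r"^(.*)([0-9]{6})$")


def split_password_otp(user_password):
    """Return (password, otp) like the unlang %{1} / %{2} expansions, or None when
    the value does not end in six digits (the policy then does not fire)."""
    m = OTP_SUFFIX_RE.match(user_password)
    if m is None:
        return None
    return m.group(1), m.group(2)


def _b32_key(secret_b32):
    # Authenticator secrets are usually unpadded base32; restore '=' padding for b32decode.
    s = secret_b32.strip().upper().replace(" ", "")
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    digest = hmac.new(_b32_key(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with the defaults Google Authenticator uses (SHA1, 30 s, 6 digits)."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32, submitted, unix_time, window=1, step=30):
    """Accept the code for the current step or up to `window` steps either side
    (clock drift). Constant-time comparison so the check does not leak matching digits."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + delta), submitted)
        for delta in range(-window, window + 1)
    )


def check_login(user_password, secret_b32, unix_time):
    """What the policy plus the TOTP step amount to: split, then verify the suffix.
    Returns (password_to_send_to_ldap, otp_ok); the LDAP bind is out of scope here."""
    parts = split_password_otp(user_password)
    if parts is None:
        return user_password, False
    password, otp = parts
    return password, verify_totp(secret_b32, otp, unix_time)


# Constructed input: the RFC 6238 reference key "12345678901234567890" as base32,
# so totp(RFC_KEY, 59) must give the RFC's own test vector 287082.
RFC_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(split_password_otp("Password831041"))      # ('Password', '831041'), as in the thread's log
    print(split_password_otp("pin123456789012"))     # greedy prefix: ('pin123456', '789012')
    print(split_password_otp("123456"))              # ('', '123456'): an empty LDAP password slips through
    print(check_login("Password" + totp(RFC_KEY, 59), RFC_KEY, 59))
    print(check_login("Password287082", RFC_KEY, 59 + 120))   # stale code, outside the window
```

Two things the regex policy cannot tell apart are worth keeping in mind: a user whose LDAP password itself ends in six digits and who forgets to append a code will have the tail of the real password stripped off and checked as an OTP, and a bare six-digit submission yields an empty LDAP password. Neither of those is what the quoted log shows; there the split worked (`&User-Password := Password`) and the failure is the LDAP module finding no "known good" password for the user, which is why Alan's advice is to get the lookup working with ldapsearch first.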


