Help to increment freeradius wait timeout in
Kamal Majaiti
kamal.majaiti at gmail.com
Fri Jul 28 10:28:49 UTC 2023
Problem:
Good morning. I am trying to perform 2FA after a correct validation with MSCHAP against Active Directory. The post-auth executes a script that sends an email with a link to confirm and authorize access; when the link is clicked, access is authorized based on the data. Meanwhile, the script waits in a while loop for the access to be confirmed, but FreeRADIUS doesn't wait and gives me the following error:
(0) Executing: /bin/bash /etc/freeradius/3.0/otp/enviar2FA.sh %{User-Name}:
(0) EXPAND %{User-Name}
(0) --> xxx
Child PID 17681 is taking too much time: forcing failure and killing child.
(0) ERROR: Failed to read from child output
Debug output:
(0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(0) mschap: --> --username=xxx
(0) mschap: mschap1: 76
(0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(0) mschap: --> --challenge=7698262ed349f8f8
(0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(0) mschap: --> --nt-response=d3ad349cc72bd9f1e9e835f73294102da06097b5f6158d4c
(0) mschap: Program returned code (0) and output 'NT_KEY: D0ACA7FDF078A8FEBD326F3E18523349'
(0) mschap: adding MS-CHAPv1 MPPE keys
(0) [mschap] = ok
(0) } # authenticate = ok
(0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(0) post-auth {
(0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
(0) update {
(0) No attributes updated for RHS &session-state:
(0) } # update = noop
(0) [exec] = noop
(0) update control {
(0) Session-Timeout := 7200
(0) Executing: /bin/bash /etc/freeradius/3.0/otp/enviar2FA.sh %{User-Name}:
(0) EXPAND %{User-Name}
(0) --> xxx
Child PID 17593 is taking too much time: forcing failure and killing child.
(0) ERROR: Failed to read from child output
(0) } # update control = fail
(0) } # post-auth = fail
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> xxx
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
Config section (where the timeout error occurs):

# Post-Authentication
#	Once we KNOW that the user has been authenticated, there
#	are additional steps we can take.
post-auth {
	if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
		update reply {
			&User-Name !* ANY
			Session-Timeout := 7200
		}
	}
	update {
		&reply: += &session-state:
	}
	-sql
	exec
	update control {
		Session-Timeout := 7200
		# Backtick xlat runs the script synchronously and waits for its stdout;
		# the child is killed when the exec timeout expires ("taking too much time").
		Auth-Type := `/bin/bash /etc/freeradius/3.0/otp/enviar2FA.sh %{User-Name}`
	}
	remove_reply_message_if_eap
	Post-Auth-Type REJECT {
		# log failed authentications in SQL, too.
		-sql
		attr_filter.access_reject
		# Insert EAP-Failure message if the request was
		# rejected by policy instead of because of an
		# authentication failure
		eap
		# Remove reply message if the response contains an
		# EAP-Message
		remove_reply_message_if_eap
	}
	#
	# Filter access challenges.
	#
	Post-Auth-Type Challenge {
		# remove_reply_message_if_eap
		# attr_filter.access_challenge.post-auth
	}
	Post-Auth-Type Client-Lost {
	}
	if (EAP-Key-Name && &reply:EAP-Session-Id) {
		update reply {
			&EAP-Key-Name := &reply:EAP-Session-Id
		}
	}
}
Regards, Kamal
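The script in the post above loops until the emailed link is clicked, so the server kills it when the exec timeout expires. Below is an added example (editor's code, not from the original post or from the FreeRADIUS project) of the same confirmation wait written with a hard deadline, so it always returns before that timeout and reports the outcome through its exit code, which rlm_exec maps to an rcode when `wait = yes` (0 = ok, 1 = reject). The spool directory, the `<token>.link` file standing in for the email, the `<token>.ok` marker the web side would create after validating a clicked link, and the `2fa.example.invalid` URL are all assumptions for the example, not FreeRADIUS conventions.

```shell
#!/bin/sh
# Added example (editor's), not code from the original post or from FreeRADIUS.
# Bounded 2FA confirmation wait for use from rlm_exec with wait = yes.
# Assumed layout (not a FreeRADIUS convention): one "<token>.link" file per
# pending request in $SPOOL, and a "<token>.ok" marker written by the web
# handler once the emailed link has been clicked and the token validated.

SPOOL="${SPOOL:-/tmp/radius-2fa-example}"   # assumed path for the example

# new_token: 32 hex characters from the kernel CSPRNG; the link must be unguessable.
new_token() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# wait_for_confirmation TOKEN DEADLINE_SECONDS
# Polls once per second for "$SPOOL/$TOKEN.ok". Returns 0 if it appears within
# the deadline, 1 otherwise. The marker is consumed so one click can only ever
# authorize one request.
wait_for_confirmation() {
    _token=$1
    _deadline=$2
    _marker="$SPOOL/$_token.ok"
    _elapsed=0
    while [ "$_elapsed" -lt "$_deadline" ]; do
        if [ -f "$_marker" ]; then
            rm -f -- "$_marker"
            return 0
        fi
        sleep 1
        _elapsed=$((_elapsed + 1))
    done
    return 1
}

# confirm_access USER DEADLINE_SECONDS
# Issues a per-request token, records the confirmation link (stand-in for the
# email), waits, and returns the code rlm_exec maps to an rcode: 0 = ok, 1 = reject.
# With output_pairs = reply, every stdout line is parsed as a reply attribute,
# so only attribute lines are printed.
confirm_access() {
    _user=$1
    _deadline=$2
    mkdir -p "$SPOOL"
    _tok=$(new_token)
    # Assumed confirmation endpoint; its handler would create "$SPOOL/$_tok.ok".
    printf '%s https://2fa.example.invalid/confirm?token=%s\n' "$_user" "$_tok" \
        > "$SPOOL/$_tok.link"
    if wait_for_confirmation "$_tok" "$_deadline"; then
        rm -f -- "$SPOOL/$_tok.link"
        printf 'Reply-Message = "2FA confirmed"\n'
        return 0
    fi
    rm -f -- "$SPOOL/$_tok.link"   # expired: nothing left for a late click to confirm
    printf 'Reply-Message = "2FA not confirmed within %s seconds"\n' "$_deadline"
    return 1
}

# Invoked by rlm_exec as "enviar2FA.sh %{User-Name}": default deadline of 8 s,
# chosen to stay under the exec module's default 10-second timeout.
if [ "$#" -ge 1 ]; then
    confirm_access "$1" "${2:-8}"
    exit $?
fi
```

To get the exit-code and reply-attribute handling, call the script through a named instance in mods-available/exec (`wait = yes`, `program = "/etc/freeradius/3.0/otp/enviar2FA.sh %{User-Name}"`, `output_pairs = reply`, `timeout = 10`) and list that instance in post-auth, rather than through the backtick expansion in `update control`, which only captures stdout as a string. The module's `timeout` can be raised, but a wait that outlives the NAS's own retransmit timer (a few seconds on most clients) gains nothing, because the NAS has already resent or abandoned the request by the time the reply arrives.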