FreeRadius TOTP authenticate fail passcode validation
João Miguel Regateiro
jmregateiro at gmail.com
Tue Jun 20 09:06:33 UTC 2023
Hello,
I am working on a TOTP authentication method setup with FreeRadius. For
starters I created the user “bob” on raddb/users and defined a password to
authenticate against the server
I have got it to work with just normal user and password but when I try to
configure the TOTP module and testing using radiusd -X it shows the
totp.authenticate the return fail. I have made sure that the date time is
the same UTC +00 on all the environments, and generate the TOTP token with
sha-1, 6 digits code and 30seconds time frame. [Generate token in base 32 =
JJBFGV2ZGNCFARKIKBFTGUCYKA====== ] and [Generate default token =
JBSWY3DPEHPK3PXP ]
This is the configuration file for sites-enable/default:
authorize{
#TOTP Authorize
if (User-Password !~ /^(.*)([0-9]{6})$/) {
reject
}
update request {
User-Password := "%{1}"
TOTP-Password := "%{2}"
}
#Example Use BOB
if (&User-Name == "bob") {
update control { TOTP-Secret :=
JJBFGV2ZGNCFARKIKBFTGUCYKA====== }
}
totp.authenticate
if (!ok) {
reject
}
pap
}
authenticate {
Auth-Type PAP {
pap
}
}
This is the configuration file of clients.conf :
Client network-device {
ipaddr = 192.168.1.0/24
secret = testing123
}
Note: I have test to send the TOTP-Secret via update control or update
request, and that gave me different output when call TOTP.authenticate
returns fail or noop .
Radius client test:
radtest -t pap bob password123456 192.168.1.10:1812 1812 testing123
output radiusd -X
Ready to process requests
(0) Received Access-Request Id 38 from 192.168.1.10:48110 to
192.168.1.10:1812 length 73
(0) User-Name = "bob"
(0) User-Password = "password"
(0) NAS-IP-Address = 192.168.1.10
(0) NAS-Port = 1812
(0) Message-Authenticator = 0x66c57ad78dea99a37b8edcf8c79ab46d
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) auth_log: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log: --> /var/log/radius/radacct/
192.168.1.10/auth-detail-20230619
(0) auth_log:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.1.10/auth-detail-20230619
(0) auth_log: EXPAND %t
(0) auth_log: --> Mon Jun 19 16:05:09 2023
(0) [auth_log] = ok
(0) files: users: Matched entry bob at line 1
(0) files: EXPAND Hello %{User-Name} THE BUILDER :D
(0) files: --> Hello bob THE BUILDER :D
(0) [files] = ok
(0) if (User-Password !~ /^(.*)([0-9]{6})$/) {
(0) if (User-Password !~ /^(.*)([0-9]{6})$/) -> TRUE
(0) if (User-Password !~ /^(.*)([0-9]{6})$/) {
(0) [reject] = reject
(0) } # if (User-Password !~ /^(.*)([0-9]{6})$/) = reject
(0) } # authorize = reject
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> bob
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 38 from 192.168.1.10:1812 to 192.168.1.10:48110
length 47
(0) Reply-Message = "Hello bob THE BUILDER :D "
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 38 with timestamp +3 due to cleanup_delay
was reached
Ready to process requests
Please let me know if you can help me on this 🙂 Thank you!
Best regards,
Miguel
More information about the Freeradius-Users
mailing list