FreeRadius TOTP authenticate fail passcode validation

João Miguel Regateiro jmregateiro at gmail.com
Tue Jun 20 09:41:32 UTC 2023


I apologize, but the previous logs were incorrect: they came from a run
using just username + password. This is the output from radiusd -X when
using username + password + passcode:

Ready to process requests
(0) Received Access-Request Id 105 from 192.168.1.10:45091 to
192.168.1.10:1812 length 73
(0)   User-Name = "bob"
(0)   User-Password = "mypassword002434"
(0)   NAS-IP-Address = 192.168.1.10
(0)   NAS-Port = 1812
(0)   Message-Authenticator = 0x4877740bffa9041ce041994eb5764c90
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0) files: users: Matched entry bob at line 1
(0) files: EXPAND Hello %{User-Name} THE BUILDER :D
(0) files:    --> Hello bob THE BUILDER :D
(0)     [files] = ok
(0)     if (User-Password !~ /^(.*)([0-9]{6})$/) {
(0)     if (User-Password !~ /^(.*)([0-9]{6})$/)  -> FALSE
(0)     update request {
(0)       EXPAND %{1}
(0)          --> mypassword
(0)       User-Password := mypassword
(0)       EXPAND %{2}
(0)          --> 002434
(0)       TOTP-Password := 002434
(0)     } # update request = noop
(0)     if (&User-Name == "bob") {
(0)     if (&User-Name == "bob")  -> TRUE
(0)     if (&User-Name == "bob")  {
(0)       update control {
(0)         TOTP-Secret := JJBFGV2ZGNCFARKIKBFTGUCYKA======
(0)       } # update control = noop
(0)     } # if (&User-Name == "bob")  = noop
(0)     update reply {
(0)       reply-Message := TOTP-Password -> '002434'
(0)       No attributes updated for RHS TOTP-Secret
(0)       reply-Message := User-Password -> 'mypassword'
(0)     } # update reply = noop
(0)     [totp.authenticate] = fail
(0)   } # authorize = fail
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> bob
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 105 from 192.168.1.10:1812 to 192.168.1.10:45091
length 32
(0)   Reply-Message := "mypassword"
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 105 with timestamp +38 due to
cleanup_delay was reached
Ready to process requests

Thank you!

João Miguel Regateiro <jmregateiro at gmail.com> escreveu no dia terça,
20/06/2023 à(s) 10:06:

> Hello,
>
> I am working on a TOTP authentication method setup with FreeRADIUS. For
> starters I created the user “bob” in raddb/users and defined a password to
> authenticate against the server.
> I have got it to work with just a normal username and password, but when I try
> to configure the TOTP module and test it using radiusd -X, it shows
> totp.authenticate returning fail. I have made sure that the date/time is
> the same (UTC+00) on all the environments, and I generate the TOTP token with
> SHA-1, a 6-digit code and a 30-second time step. [Generated token in base32 =
> JJBFGV2ZGNCFARKIKBFTGUCYKA====== ] and [Generated default token =
> JBSWY3DPEHPK3PXP ]
>
> This is the configuration file for sites-enable/default:
>
> authorize{
>         #TOTP Authorize
>         if (User-Password !~ /^(.*)([0-9]{6})$/) {
>                 reject
>         }
>
>         update request {
>                 User-Password := "%{1}"
>                 TOTP-Password := "%{2}"
>         }
>         #Example Use BOB
>         if (&User-Name == "bob") {
>                 update control { TOTP-Secret :=
> JJBFGV2ZGNCFARKIKBFTGUCYKA====== }
>         }
>         totp.authenticate
>         if (!ok) {
>                 reject
>         }
>         pap
> }
>
> authenticate {
>         Auth-Type PAP {
>                 pap
>         }
> }
>
> This is the configuration file of clients.conf :
> Client network-device {
>         ipaddr          = 192.168.1.0/24
>         secret          = testing123
> }
>
> Note: I have tested sending the TOTP-Secret via update control and via update
> request, and that gave me different output when calling totp.authenticate:
> it returns fail or noop.
>
>
> Radius client test:
> radtest -t pap bob password123456 192.168.1.10:1812 1812 testing123
>
> output radiusd -X
>
> Ready to process requests
> (0) Received Access-Request Id 38 from 192.168.1.10:48110 to
> 192.168.1.10:1812 length 73
> (0)   User-Name = "bob"
> (0)   User-Password = "password"
> (0)   NAS-IP-Address = 192.168.1.10
> (0)   NAS-Port = 1812
> (0)   Message-Authenticator = 0x66c57ad78dea99a37b8edcf8c79ab46d
> (0) # Executing section authorize from file
> /etc/raddb/sites-enabled/default
> (0)   authorize {
> (0) auth_log: EXPAND
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> (0) auth_log:    --> /var/log/radius/radacct/
> 192.168.1.10/auth-detail-20230619
> (0) auth_log:
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/192.168.1.10/auth-detail-20230619
> (0) auth_log: EXPAND %t
> (0) auth_log:    --> Mon Jun 19 16:05:09 2023
> (0)     [auth_log] = ok
> (0) files: users: Matched entry bob at line 1
> (0) files: EXPAND Hello %{User-Name} THE BUILDER :D
> (0) files:    --> Hello bob THE BUILDER :D
> (0)     [files] = ok
> (0)     if (User-Password !~ /^(.*)([0-9]{6})$/) {
> (0)     if (User-Password !~ /^(.*)([0-9]{6})$/)  -> TRUE
> (0)     if (User-Password !~ /^(.*)([0-9]{6})$/)  {
> (0)       [reject] = reject
> (0)     } # if (User-Password !~ /^(.*)([0-9]{6})$/)  = reject
> (0)   } # authorize = reject
> (0) Using Post-Auth-Type Reject
> (0) # Executing group from file /etc/raddb/sites-enabled/default
> (0)   Post-Auth-Type REJECT {
> (0) attr_filter.access_reject: EXPAND %{User-Name}
> (0) attr_filter.access_reject:    --> bob
> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (0)     [attr_filter.access_reject] = updated
> (0)     [eap] = noop
> (0)     policy remove_reply_message_if_eap {
> (0)       if (&reply:EAP-Message && &reply:Reply-Message) {
> (0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (0)       else {
> (0)         [noop] = noop
> (0)       } # else = noop
> (0)     } # policy remove_reply_message_if_eap = noop
> (0)   } # Post-Auth-Type REJECT = updated
> (0) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (0) Sending delayed response
> (0) Sent Access-Reject Id 38 from 192.168.1.10:1812 to 192.168.1.10:48110
> length 47
> (0)   Reply-Message = "Hello bob THE BUILDER :D "
> Waking up in 3.9 seconds.
> (0) Cleaning up request packet ID 38 with timestamp +3 due to
> cleanup_delay was reached
> Ready to process requests
>
> Please let me know if you can help me with this 🙂 Thank you!
>
> Best regards,
> Miguel
>

