Apache Auth via User/OTP fails

Vogt, Andreas Andreas.Vogt at invenio.net
Mon Nov 27 12:38:57 UTC 2023 

Hello,

I try to authenticate via my Apache Webserver to my freeradius Server.
The Apache connects successful, and provides User/OneTimePassword to the freeradius.

Here I use the following Config:
Auth-Type OTP_OWA {
update control {
           SECRET := `/usr/bin/php /freeradius_scripts/getSecretFromDB.php --username=%{User-Name} `
LAST_USED_PIN := `/usr/bin/php /freeradius_scripts/get_last_used_pin.php --username=%{User-Name}`
PIN := `/bin/bash /freeradius_scripts/getPin %{control:SECRET}`
PIN_FROM_USER := %{User-Password}
ATTEMPTS := `/usr/bin/php /freeradius_scripts/get_attempts.php --username=%{User-Name}`
Auth-Type :=     `/usr/bin/php /freeradius_scripts/check_pin_dev_log.php --username=%{User-Name} --pin=%{control:PIN} --pin_from_user=%{User-Password} --last_used_pin=%{control:LAST_USED_PIN} --attempts=%{control:ATTEMPTS}`
                }
     }

Unfortunately I receive an REJECT from the freeradius:
{DEBUG Output}:
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Auth-Type OTP_OWA {
(0)     update control {
(0)       Executing: /usr/bin/php /freeradius_scripts/getSecretFromDB.php --username=%{User-Name} :
(0)       EXPAND --username=%{User-Name}
(0)          --> --username=USER.NAME
(0)       Program returned code (0) and output SECRET
(0)       SECRET := SECRET
(0)       Executing: /usr/bin/php /freeradius_scripts/get_last_used_pin.php --username=%{User-Name}:
(0)       EXPAND --username=%{User-Name}
(0)          --> --username= USER.NAME
(0)       Program returned code (0) and output 12346
(0)       LAST_USED_PIN := 12346
(0)       Executing: /bin/bash /freeradius_scripts/getPin %{control:SECRET}:
(0)       EXPAND %{control:SECRET}
(0)          --> SECRET
(0)       Program returned code (0) and output 12346
(0)       PIN := 12346
(0)       PIN_FROM_USER := %{User-Password}
(0)       Executing: /usr/bin/php /freeradius_scripts/get_attempts.php --username=%{User-Name}:
(0)       EXPAND --username=%{User-Name}
(0)          --> --username= USER.NAME
(0)       Program returned code (0) and output '0'
(0)       ATTEMPTS := 0
(0)       Executing: /usr/bin/php /freeradius_scripts/check_pin_dev_log.php --username=%{User-Name} --pin=%{control:PIN} --pin_from_user=%{User-Password} --last_used_pin=%{control:LAST_USED_PIN} --attempts=%{control:ATTEMPTS}:
(0)       EXPAND --username=%{User-Name}
(0)          --> --username= USER.NAME
(0)       EXPAND --pin=%{control:PIN}
(0)          --> --pin=12346
(0)       EXPAND --pin_from_user=%{User-Password}
(0)          --> --pin_from_user=12346
(0)       EXPAND --last_used_pin=%{control:LAST_USED_PIN}
(0)          --> --last_used_pin=64321
(0)       EXPAND --attempts=%{control:ATTEMPTS}
(0)          --> --attempts=0
(0)       Program returned code (0) and output 'Accept'
(0)       Auth_Type_LOG := Accept
(0)       Executing: /usr/bin/php /freeradius_scripts/check_pin_dev_log.php --username=%{User-Name} --pin=%{control:PIN} --pin_from_user=%{User-Password} --last_used_pin=%{control:LAST_USED_PIN} --attempts=%{control:ATTEMPTS}:
(0)       EXPAND --username=%{User-Name}
(0)          --> --username= USER.NAME
(0)       EXPAND --pin=%{control:PIN}
(0)          --> --pin=12346
(0)       EXPAND --pin_from_user=%{User-Password}
(0)          --> --pin_from_user=12346
(0)       EXPAND --last_used_pin=%{control:LAST_USED_PIN}
(0)          --> --last_used_pin=64321
(0)       EXPAND --attempts=%{control:ATTEMPTS}
(0)          --> --attempts=0
(0)       Program returned code (0) and output 'Accept'
(0)       Auth-Type := Accept
(0)     } # update control = noop
(0)     update reply {
(0)       Reply-Message := Accept
(0)     } # update reply = noop
(0)   } # Auth-Type OTP_OWA = noop
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0)     update control {
(0)       Executing: /usr/bin/php /freeradius_scripts/write_in_log_win.php --username=%{User-Name} --auth_type=%{control:Auth_Type_LOG} --ip=%{Calling-Station-Id} --reply=Reject:
(0)       EXPAND --username=%{User-Name}
(0)          --> --username= USER.NAME
(0)       EXPAND --auth_type=%{control:Auth_Type_LOG}
(0)          --> --auth_type=Accept
(0)       EXPAND --ip=%{Calling-Station-Id}
(0)          --> --ip=
(0)       Program returned code (0) and output 'Reject'
(0)       LOG_EINTRAG := Reject
(0)     } # update control = noop
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> USER.NAME
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.9 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 117 from 10.1.56.3:1812 to 10.1.56.167:1026 length 28

So my .php Script checks the OTP-PIN ans returns “Accept”, but the freeradius answers Accept-Reject… Why?

Thanks for any response 😉

Andreas

More information about the Freeradius-Users mailing list