Apache Auth via User/OTP fails
Matthew Newton
mcn at freeradius.org
Mon Nov 27 13:04:10 UTC 2023
On 27/11/2023 12:38, Vogt, Andreas wrote:
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0) Auth-Type OTP_OWA {
> (0) update control {
> (0) Executing: /usr/bin/php /freeradius_scripts/getSecretFromDB.php --username=%{User-Name} :
> (0) EXPAND --username=%{User-Name}
> (0) --> --username=USER.NAME
> (0) Program returned code (0) and output SECRET
> (0) SECRET := SECRET
> (0) Executing: /usr/bin/php /freeradius_scripts/get_last_used_pin.php --username=%{User-Name}:
> (0) EXPAND --username=%{User-Name}
> (0) --> --username= USER.NAME
> (0) Program returned code (0) and output 12346
> (0) LAST_USED_PIN := 12346
> (0) Executing: /bin/bash /freeradius_scripts/getPin %{control:SECRET}:
> (0) EXPAND %{control:SECRET}
> (0) --> SECRET
> (0) Program returned code (0) and output 12346
> (0) PIN := 12346
> (0) PIN_FROM_USER := %{User-Password}
> (0) Executing: /usr/bin/php /freeradius_scripts/get_attempts.php --username=%{User-Name}:
> (0) EXPAND --username=%{User-Name}
> (0) --> --username= USER.NAME
> (0) Program returned code (0) and output '0'
> (0) ATTEMPTS := 0
> (0) Executing: /usr/bin/php /freeradius_scripts/check_pin_dev_log.php --username=%{User-Name} --pin=%{control:PIN} --pin_from_user=%{User-Password} --last_used_pin=%{control:LAST_USED_PIN} --attempts=%{control:ATTEMPTS}:
> (0) EXPAND --username=%{User-Name}
> (0) --> --username= USER.NAME
> (0) EXPAND --pin=%{control:PIN}
> (0) --> --pin=12346
> (0) EXPAND --pin_from_user=%{User-Password}
> (0) --> --pin_from_user=12346
> (0) EXPAND --last_used_pin=%{control:LAST_USED_PIN}
> (0) --> --last_used_pin=64321
> (0) EXPAND --attempts=%{control:ATTEMPTS}
> (0) --> --attempts=0
> (0) Program returned code (0) and output 'Accept'
> (0) Auth_Type_LOG := Accept
> (0) Executing: /usr/bin/php /freeradius_scripts/check_pin_dev_log.php --username=%{User-Name} --pin=%{control:PIN} --pin_from_user=%{User-Password} --last_used_pin=%{control:LAST_USED_PIN} --attempts=%{control:ATTEMPTS}:
I hope this is only a toy server for playing around. Running that number
of external scripts must make this the most inefficient configuration
I've seen in years.
> (0) Program returned code (0) and output 'Accept'
> (0) Auth-Type := Accept
> (0) } # update control = noop
> (0) update reply {
> (0) Reply-Message := Accept
> (0) } # update reply = noop
> (0) } # Auth-Type OTP_OWA = noop
Your Auth-Type section is returning "noop", not "ok". It's too late to
set Auth-Type here - you do that in the authorize section.
> (0) Failed to authenticate the user
>
> So my .php script checks the OTP-PIN and returns “Accept”, but the freeradius answers Access-Reject… Why?
Return "ok" from the authenticate section. You can do that with an "if"
to test the response from the hundreds of scripts.
if (whatever) {
ok
}
--
Matthew
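Below is an added worked example of the two changes Matthew describes (select Auth-Type in authorize, then return "ok" explicitly from the Auth-Type section). It is not the poster's configuration and not part of FreeRADIUS itself; the script paths and attribute names (SECRET, LAST_USED_PIN, PIN, ATTEMPTS, Auth_Type_LOG) are taken from the debug output above, and it is assumed that those custom attributes are declared in a local dictionary file, which FreeRADIUS 3.0 requires before they can be used in an update block.

```unlang
# /etc/freeradius/3.0/sites-enabled/default (relevant sections only)
#
# Assumed: SECRET, LAST_USED_PIN, PIN, ATTEMPTS and Auth_Type_LOG are
# declared as string attributes in a local dictionary
# (e.g. /etc/freeradius/3.0/dictionary). Script paths are those from the
# debug output in the thread.

authorize {
    preprocess

    # Select the authentication method here, in authorize.
    # Setting Auth-Type inside the authenticate section is too late.
    if (&User-Name && &User-Password) {
        update control {
            &Auth-Type := OTP_OWA
        }
    }
}

authenticate {
    Auth-Type OTP_OWA {
        # Backtick expansion runs the program and stores its stdout in the
        # attribute; this is what produced the "Executing: ..." lines.
        update control {
            &SECRET        := `/usr/bin/php /freeradius_scripts/getSecretFromDB.php --username=%{User-Name}`
            &LAST_USED_PIN := `/usr/bin/php /freeradius_scripts/get_last_used_pin.php --username=%{User-Name}`
            &PIN           := `/bin/bash /freeradius_scripts/getPin %{control:SECRET}`
            &ATTEMPTS      := `/usr/bin/php /freeradius_scripts/get_attempts.php --username=%{User-Name}`
            &Auth_Type_LOG := `/usr/bin/php /freeradius_scripts/check_pin_dev_log.php --username=%{User-Name} --pin=%{control:PIN} --pin_from_user=%{User-Password} --last_used_pin=%{control:LAST_USED_PIN} --attempts=%{control:ATTEMPTS}`
        }

        # "update" always returns noop, and a section's return code is the
        # code of the last thing it ran. Without an explicit return code the
        # section ends as noop and the server sends Access-Reject, which is
        # exactly what the debug output shows. Test the script result and
        # return ok or reject.
        if (&control:Auth_Type_LOG == "Accept") {
            update reply {
                &Reply-Message := "Accept"
            }
            ok
        }
        else {
            update reply {
                &Reply-Message := "Reject"
            }
            reject
        }
    }
}
```

With this in place, `radiusd -X` should show `} # Auth-Type OTP_OWA = ok` instead of `= noop` for a correct PIN. Note also what the debug output already makes visible: the user's password is expanded into the command line of check_pin_dev_log.php, so it appears verbatim in the debug log and in the process list (`/proc/<pid>/cmdline`) while the script runs. If this setup is kept beyond a test server, passing the PIN to the script via stdin or an environment variable rather than argv avoids that exposure.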