LDAP + OTP

Jon Gerdes gerdesj at blueloop.net
Fri Jun 7 01:31:59 UTC 2024


Dear all

(FreeRADIUS 3.0.26 on Ubuntu 22.04)

I am trying to get an MFA setup working with an initial LDAP direct bind against Microsoft AD (MAD) and then a second
pass with the same username and an OTP.  I can get both the LDAP and OTP working fine individually.

I am using the wiki Howto: https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy as a model.  This howto
uses "State" to determine which Auth-Type it is at in the process.  At the end of the howto there is a section that
describes filtering out the State attribute for Pre-Proxy and I think this is where I am getting things wrong.

I'm not sure what "State" is.  I am unable to find docs about it but it is the only input difference I can see when
running "freeradius -fX" so I think I need to filter it out.  I'm not sure why I should filter it out either!

If attr_filter is what I should do to get this to work, I'd be grateful for some help.  I've also deviated from the
howto example by trying to decompose "challenge" into what it actually does:

update control {
    Response-Packet-Type := Access-Challenge
}

With the site-enabled config below, the debug logs show that the initial user/pass against LDAP works fine and State
gets set to 16 random chars.  Then it tries to do a second pass and I can see the username and password (which is now
the PIN for the OTP) passed through and so is the "State" that got set by stage one.  This second pass fails and when I
compare the logs against just the OTP method that works, "State" is the only additional input.

Cheers
Jon



# LDAP with direct bind as the user logging in - Active Directory
# then prompt for a PIN, and pass that to PrivacyIdea
# JG 04 Jun 2024

server active-directory {

    listen {
        type    = auth
        ipaddr  = 10.77.10.10
        port    = 1812
        clients = external
    }

    authorize {
        if (!State) {
            if (&User-Password) {
                update control {
                    Ldap-UserDN := "%{User-Name}@blueloop.net"
                    Auth-Type := AD
                }
            }
            else {
                reject
            }
        }
        else {
####        attr_filter.access_challenge ?  #################### I think this is where I am going wrong
            perl-privacyidea
            if (ok || updated) {
                update control {
                Auth-Type := Perl
                }
            }
        }
    }

    authenticate {
        Auth-Type AD {
            ldap
            if (ok) {
                update reply {
                    State := "%{randstr:aaaaaaaaaaaaaaaa}"
                    Reply-Message := "Please enter PIN"
                }
                update control {
                    Response-Packet-Type := Access-Challenge
                }
            }
        }
        Auth-Type Perl {
            perl-privacyidea
        }
    }
}
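As an added illustration (not code from the post above or from FreeRADIUS), the two-pass flow the config implements, modelled in Python: pass one has no State and binds the password against the directory, the server answers Access-Challenge carrying a fresh State, and pass two must echo that State unmodified alongside the OTP. The in-memory PENDING table, the TTL, and the `ldap_bind`/`otp_check` stand-ins for the LDAP bind and the privacyIDEA call are assumptions of this example, added to show why a second pass that has lost or altered its State cannot be tied back to the first.

```python
import os
import time
import hmac

# Constructed sample credentials standing in for AD and privacyIDEA (assumption).
USERS = {"jon": {"password": "ldap-pass", "otp": "123456"}}
PENDING = {}       # State value -> (username, time issued); assumed server-side store
STATE_TTL = 60     # seconds a challenge stays valid (assumption)

def ldap_bind(user, password):
    """Stand-in for the LDAP direct bind of pass one."""
    u = USERS.get(user)
    return u is not None and hmac.compare_digest(u["password"], password)

def otp_check(user, pin):
    """Stand-in for the privacyIDEA OTP/PIN check of pass two."""
    u = USERS.get(user)
    return u is not None and hmac.compare_digest(u["otp"], pin)

def handle(request):
    """Process one Access-Request (dict of attributes); return (code, reply attrs)."""
    user = request.get("User-Name")
    pw = request.get("User-Password", "")
    state = request.get("State")
    if state is None:
        # Pass one: no State yet, so this is the LDAP password check.
        if not ldap_bind(user, pw):
            return "Access-Reject", {}
        new_state = os.urandom(16).hex()          # 16 random bytes, hex-encoded
        PENDING[new_state] = (user, time.time())
        return "Access-Challenge", {"State": new_state,
                                    "Reply-Message": "Please enter PIN"}
    # Pass two: the client must echo the State we issued, for the same user,
    # within the TTL; a State that is missing, altered or replayed is rejected.
    entry = PENDING.pop(state, None)
    if entry is None or entry[0] != user or time.time() - entry[1] > STATE_TTL:
        return "Access-Reject", {}
    if otp_check(user, pw):
        return "Access-Accept", {}
    return "Access-Reject", {}
```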
