Problem with challenge response authentication with rlm_linotp2


lassi...@gmail.com

Aug 13, 2014, 2:08:02 AM
to lin...@googlegroups.com
Hello!

I installed linotp2 on top of a fresh Ubuntu 12.04 64-bit installation from Launchpad. Then I downloaded the rlm_linotp2 sources, created FreeRADIUS packages with make deb and installed the necessary ones. At this point I have a working installation of linotp2 with Apache. I added a useridresolver using LDAPS and added a couple of TOTP tokens. Everything works as expected; I can authenticate to the simplecheck URL.

What I really want is to have a challenge-response authentication where the first step would be against AD (LDAPS connection), then the server would send a challenge asking for (PIN+)OTP, and after that the user will be authenticated.
I found out that this is possible by setting a couple of policies.
Here's what I have atm:

[OTP_PIN_variants]
realm = MYREALM
action = otppin=1
client = 192.168.222.0/24
user = *
time = ""
active = True
scope = authentication
[DetailsOnValidation]
realm = MYREALM
active = True
client = 192.168.222.0/24
user = *
time = ""
action = detail_on_fail
scope = authorization
[ChallengeResponse]
realm = MYREALM
active = True
client = 192.168.222.0/24
user = *
time = ""
action = challenge_response=HMAC TOTP PW
scope = authentication

If I have understood this correctly, the two policies (OTP_PIN_variants and ChallengeResponse) are the ones needed to achieve what I want to do.

Okay, I tested it with a web browser, entering the URL: https://mylinotpinstallation.com/validate/check?user=USERNAME&pass=PASSWORD

I get this:
{
    "detail": {
        "transactionid": "587491502871",
        "message": "Please enter your otp value: ",
        "error": "challenge created"
    },
    "version": "LinOTP 2.7",
    "jsonrpc": "2.0",
    "result": {
        "status": true,
        "value": false
    },
    "id": 0
}

Okay, then I respond to challenge like this:
https://mylinotpinstallation.com/validate/check?user=USERNAME&pass=467350&transactionid=587491502871

And it is a success:
{
    "version": "LinOTP 2.7",
    "jsonrpc": "2.0",
    "result": {
        "status": true,
        "value": true
    },
    "id": 0
}

So it is working. Awesome!

Then to the problem. I have Sonicwall firewall(s) and I use the SSL-VPN feature. I have set up the authentication so that the firewall's RADIUS client forwards the username and password to FreeRADIUS, which is running on the same machine as linotp2. FreeRADIUS gets the username and password correctly, but the request gets rejected:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.222.35 port 2585, id=0, length=62
User-Name = "USERNAME"
User-Password = "PASSWORD"
NAS-IP-Address = 192.168.222.35
NAS-Port = 0
# Executing section authorize from file /etc/freeradius/sites-enabled/linotp
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "USERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 50
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = linotp2
# Executing group from file /etc/freeradius/sites-enabled/linotp
+- entering group authenticate {...}
rlm_linotp: getting client ip now.
got a IPv4 client address
found PW_PACKET_SRC_IP_ADDRESS
rlm_linotp: something
rlm_linotp: got client ip: 192.168.222.35.
rlm_linotp: Doing curl_easy_init
rlm_linotp: creating the URL.
entering createUrl4Post.
[0] user=USERNAME
[1] pass=PASSWORD
[2] client=192.168.222.35
allocating 57 chars
freeing escaped value for user
freeing escaped value for pass
freeing escaped value for client
rlm_linotp: LinOTPd on https://mylinotpinstallation.com/validate/check returned '{ "version": "LinOTP 2.7", "jsonrpc": "2.0", "result": { "status": true, "value": false }, "id": 0 }'
rlm_linotp: Rejecting fall-through 'USERNAME'
++[linotp2] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/linotp
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> USERNAME
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 0 to 192.168.222.35 port 2585
Waking up in 4.9 seconds.
Cleaning up request 0 ID 0 with timestamp +23
Ready to process requests.

Also I noticed that while my password is correct in the rad_recv line, it is not correct in the rlm_linotp line. I use dots and commas, and at least the comma is printed as %2C or ...? But I also tried with a password without special characters; that didn't help.

The linotp2 log doesn't show anything especially interesting other than this: [linotp.lib.token][finish_check_TokenList #1397] [__checkTokenList] user u'USERNAME'@u'MYREALM' failed to authenticate.

Thanks for your help!

- Lassi Kojo

lassi...@gmail.com

Aug 14, 2014, 3:43:11 AM
to lin...@googlegroups.com
I solved the problem with authentication; I had to add my server's public IP address to the policies also.

But I still cannot authenticate:

rlm_linotp: LinOTPd on https://mylinotpinstallation.com/validate/check returned '{ "version": "LinOTP 2.7.0.2", "jsonrpc": "2.0", "result": { "status": true, "value": true }, "id": 0 }'


rlm_linotp: Rejecting fall-through 'USERNAME'
++[linotp2] returns reject
Failed to authenticate the user.

So even though LinOTP2 authenticates the user properly and returns success, it is a reject?

- Lassi

Kay Winkler

Aug 14, 2014, 4:37:16 AM
to lin...@googlegroups.com
Hi Lassi,

the problem might be that rlm_linotp proves the existence of the user on the system (which then might be a fault on our side :-( )
But could you first check if this might be the case?

Best regards,

Kay
--
Kay Winkler (Software Development), http://www.lsexperts.de
LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt
Tel.: +49 6151 - 86086 262, Fax: 299, Mobile: +49 1515 4294 800
Registered office: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Managing Directors: Oliver Michel, Sven Walther

lassi...@gmail.com

Aug 14, 2014, 8:44:05 AM
to lin...@googlegroups.com, Kay.W...@lsexperts.de
Hello Kay!

Thank you for replying.

I'm not quite sure what you mean but I am 100% sure that the user exists in LDAP and is active. I have also tried with two other users, same results.

I also tried the Perl module to see if there is any difference but no:

Found Auth-Type = perl
# Executing group from file /etc/freeradius/sites-enabled/linotp
+- entering group authenticate {...}
rlm_perl: Config File /etc/linotp2/rlm_perl.ini found!
rlm_perl: Default URL https://mylinotpinstallation.com/validate/check
rlm_perl: RAD_REQUEST: User-Name = lassi.kojo
rlm_perl: RAD_REQUEST: User-Password = 9370773409
rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.222.116
rlm_perl: Auth-Type: perl
rlm_perl: Url: https://mylinotpinstallation.com/validate/check
rlm_perl: User: USERNAME
rlm_perl: urlparam client = 192.168.222.116
rlm_perl: urlparam pass = 9370773409
rlm_perl: urlparam realm = MYREALM
rlm_perl: urlparam user = USERNAME
rlm_perl: Content { "version": "LinOTP 2.7.0.2", "jsonrpc": "2.0", "result": { "status": true, "value": true }, "id": 0 }
rlm_perl: return RLM_MODULE_REJECT
rlm_perl: Added pair User-Name = USERNAME
rlm_perl: Added pair User-Password = 9370773409
rlm_perl: Added pair NAS-IP-Address = 192.168.222.116
rlm_perl: Added pair Reply-Message = LinOTP server denied access!
rlm_perl: Added pair Auth-Type = perl
++[perl] returns reject
Failed to authenticate the user.
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.1 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 0 to 192.168.222.116 port 56087
Reply-Message = "LinOTP server denied access!"

If you need anything else - logs or such - just let me know!

- Lassi

Kay Winkler

Aug 14, 2014, 8:47:10 AM
to lin...@googlegroups.com
Hi Lassi,

sorry for being unclear - I think the rlm_perl checks if the user exists on the local system - thus on your linotp server - which does not really make sense in every case :-(

So test it:
create a local user on your linotp system,
and if this goes well, you can patch the rlm_perl
and submit the patch to me ;-)

best regards,

Kay

lassi...@gmail.com

Aug 14, 2014, 9:06:47 AM
to lin...@googlegroups.com, Kay.W...@lsexperts.de
Hi Kay,

Created an account with the same credentials, no difference.

Thanks for looking into this!

- Lassi

Kay Winkler

Aug 14, 2014, 9:08:14 AM
to lin...@googlegroups.com
:-(

just guessing - have to look deeper - sorry

Kay Winkler

Aug 14, 2014, 9:18:29 AM
to lin...@googlegroups.com
Hi Lassi,

sorry for being blind - of course you have to use

https://authenticator.jmjping.fi/validate/simplecheck

As you can see in the headers it's checking

my $LIN_OK = ":-)";
my $LIN_REJECT = ":-(";
my $LIN_FAIL = ":-/";

So give it one more try ;-)

Best regards,

Kay
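The point of this reply, and of the two browser requests in the first post, is that the two LinOTP endpoints answer in different formats: /validate/check returns JSON (with a transactionid when a challenge is created), while /validate/simplecheck returns one of the three smileys the RADIUS module compares against. The example below is added here and is not code from LinOTP or rlm_linotp2; it maps both reply formats onto the three RADIUS outcomes and uses the replies quoted in the thread as constructed sample input. Feeding the JSON success reply to the simplecheck interpreter reproduces the reject Lassi saw.

```python
"""Interpret LinOTP /validate/check and /validate/simplecheck replies.

Added example, not part of the LinOTP project or rlm_linotp2. The
Outcome names are the three RADIUS packet types a NAS understands.
"""
import json
from enum import Enum
from typing import Optional, Tuple


class Outcome(Enum):
    ACCEPT = "Access-Accept"
    REJECT = "Access-Reject"
    CHALLENGE = "Access-Challenge"


# simplecheck answers: the smileys rlm_perl compares against.
SIMPLECHECK_MAP = {":-)": Outcome.ACCEPT, ":-(": Outcome.REJECT}


def interpret_simplecheck(body: str) -> Outcome:
    """':-/' (failure) and any unexpected body fail closed, i.e. reject."""
    return SIMPLECHECK_MAP.get(body.strip(), Outcome.REJECT)


def interpret_check(body: str) -> Tuple[Outcome, Optional[str]]:
    """Map a JSON /validate/check reply to (outcome, transactionid).

    A reply whose detail says 'challenge created' is not a failure: the
    NAS must send the OTP back together with the transactionid.
    """
    reply = json.loads(body)
    result = reply.get("result", {})
    if result.get("status") is not True:
        return Outcome.REJECT, None        # server-side error: fail closed
    if result.get("value") is True:
        return Outcome.ACCEPT, None
    detail = reply.get("detail") or {}
    txid = detail.get("transactionid")
    if txid and detail.get("error") == "challenge created":
        return Outcome.CHALLENGE, txid
    return Outcome.REJECT, None


# Replies quoted in the thread, constructed here as inline strings.
CHALLENGE_REPLY = ('{"detail": {"transactionid": "587491502871", '
                   '"message": "Please enter your otp value: ", '
                   '"error": "challenge created"}, "version": "LinOTP 2.7", '
                   '"jsonrpc": "2.0", "result": {"status": true, '
                   '"value": false}, "id": 0}')
SUCCESS_REPLY = ('{"version": "LinOTP 2.7", "jsonrpc": "2.0", '
                 '"result": {"status": true, "value": true}, "id": 0}')
```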

lassi...@gmail.com

Aug 14, 2014, 10:15:43 AM
to lin...@googlegroups.com, Kay.W...@lsexperts.de
Hi Kay,

Yes, you are correct. With simplecheck the Perl plugin works.
So I have to use simplecheck also with rlm_linotp2?
If so, can I achieve what I really want with simplecheck (authenticate with LDAP and if success then challenge asks for PIN)?

Also I really would like to know what is wrong with the original setup because I would like to use rlm_linotp2 over Perl plugin.

I'll harass you again tomorrow :^)

- Lassi

Kay Winkler

Aug 14, 2014, 10:55:35 AM
to lassi...@gmail.com, lin...@googlegroups.com
Hi Lassi,

simplecheck is to be used in all auth modules, so it should be fine
with your rlm_linotp2 module as well.


In case of challenge response you send

>> username + ldappass

ldappass is called, in the context of LinOTP, the PIN, which is the fixed part.
This requires you to have defined the otppin policy.

You will get a reply with a challenge, which is displayed to you.
Then you have to reply with

>> username + otp

otp is in the context of LinOTP the dynamic part, which will change per
request.

But first of all you have to activate for your token to support
challenge response.

In case you have problems with this, be nice and contact our support
;-) as these are the professional parts

sunil....@gmail.com

Mar 13, 2015, 12:40:06 PM
to lin...@googlegroups.com, lassi...@gmail.com, Kay.W...@lsexperts.de, kay.w...@lsexperts.de
Hi Kay / Lassi,

Can you please guide me on how to configure linotp for ldap password + otp value authentication?

I had configured linotp but it only accepts the otp value. I had even tried setting the policy otppin=1, but still validate/check and validate/simplecheck don't pass through; they only pass with the otp value.

Any help would be highly appreciated.

regards,
Sunil Nagmal

okke...@gmail.com

Jun 1, 2017, 5:17:21 PM
to LinOTP, lassi...@gmail.com, Kay.W...@lsexperts.de, kay.w...@lsexperts.de, sunil....@gmail.com
Hello Sunil.

Did you ever manage to get this to work? First LDAP and second OTP?

Thnx

On Friday, 13 March 2015 17:40:06 UTC+1, sunil....@gmail.com wrote:

ron.mc...@seedcx.com

Apr 9, 2020, 1:27:16 AM
to LinOTP
Was there ever a resolution on this issue? I'm trying to work through it today.

Thanks,

Ron

Ron McMillian

Apr 14, 2020, 4:08:44 PM
to LinOTP
I was able to get this working. I had a mismatch between the radius realm and the linotp realm names. Once I matched those up, RADIUS challenge worked.