LinOTP + freeRADIUS step by step: how to link?


Henry Dyck

Jun 16, 2014, 3:51:31 PM
to lin...@googlegroups.com


I'm trying to set up the 2.7 LinOTP as a VMware VM using stock Linux distribution packages.
Primary reason: the VM offered by LinOTP for download was raising the Heartbleed flag...

Goal: replacing the RSA SecureID server with LinOTP.
To be queried by a Cisco ASA firewall using RADIUS protocol.

Starting with Debian (since this is what the virtual appliance from LSE is built upon).
Picking version 7 (Wheezy). Downloading the DVD. Installing the basic configuration (adding SSH server).

The documentation is a bit uneven - needs cleanup with the move to 2.7 and open-sourcing.
1. Installing python packages (needed repository update)

2. Adding the linotp repo, importing gpg and installing LinOTP.
No Apache at this point. Trying to make work the most basic configuration.

deb http://linotp.org/apt/debian wheezy linotp
gpg --search-keys 913DFF12F86258E5
gpg --export 913DFF12F86258E5 | apt-key add -
apt-get update
apt-get install linotp
apt-get install linotp-useridresolver
apt-get install linotp-smsprovider
apt-get install linotp-adminclient
apt-get install libpam-linotp
apt-get install python-qrcode

3. Downloading the source of freeRADIUS 2.1.12.
And the master.zip file from GitHub (for rlm_linotp2)

Adding gcc and libraries for compilation.

Following the how-to 5.2 in the documentation (adding rlm_linotp2 to freeRADIUS). Compiling and installing.

4. Basic testing.

paster serve /etc/linotp2/linotp.ini
Browser connects to http://<IPaddress>/manage and allows creation of realms, tokens (Google Authenticator).
Also can assign those tokens to users.
By browsing to http://<IPaddress>/auth/index checking the username/OTPpassword (with PIN).
Everything works!

Basic freeRADIUS testing also confirms working fine (but this testing doesn't include linotp)

And this is where the simplicity ends.

I can't figure out (or find in the documentation) how to make freeRADIUS consult LinOTP when being queried.
I try authenticating to a Cisco ASA box using a username/OTP pair that is sent by the ASA to freeRADIUS.
The username/OTP pair worked on http://<IPaddress>/auth/index but doesn't pass the ASA.
I suspect something is missing in configuring freeRADIUS talking to linotp. But don't know what.

Any pointers would be appreciated.

James

Nov 24, 2015, 10:05:54 AM
to LinOTP
Hi,

I come back to this old thread because I got the same issue; I don't really find in the documentation how freeRADIUS consults LinOTP. My FreeRADIUS is working with a local user, and when testing my user on LinOTP at http://<IPaddress>/auth/index my user is authenticated.
When trying both I got :
rlm_perl: Added pair Reply-Message = LinOTP server denied access!
rlm_perl: Added pair Auth-Type = perl
++[perl] = reject
+} # group authenticate = reject
Failed to authenticate the user.
Delaying reject of request 0 for 1 seconds
Going to the next request

Any help will be appreciated.

Thanks,
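Both posts above reach the same point: the user authenticates at /auth/index, but the RADIUS path ends in "LinOTP server denied access!". A useful way to split the problem is to call LinOTP's /validate/check API directly, with no RADIUS in the loop: if that call is denied too, the issue is on the LinOTP side (realm, PIN, token assignment); if it is accepted, the freeRADIUS module wiring is what to look at. The script below is an added example written for this thread, not code from the original posts or from the LinOTP project; the base URL, realm name and CA file path it takes are assumptions you substitute for your own, and the sample JSON responses are constructed for offline use.

```python
"""Query LinOTP's /validate/check directly, bypassing RADIUS, to tell a
LinOTP-side rejection apart from a freeRADIUS wiring problem."""
import json
import ssl
import urllib.parse
import urllib.request
from typing import Optional


def parse_validate_response(body: str) -> bool:
    """Interpret the JSON document LinOTP returns from /validate/check.

    result.status false -> the request itself failed (e.g. unknown realm/user)
    result.value  true  -> PIN+OTP accepted; false -> denied
    Raises ValueError on error responses so that a caller never mistakes
    a server-side error for a successful check.
    """
    doc = json.loads(body)
    result = doc.get("result")
    if not isinstance(result, dict):
        raise ValueError("response has no 'result' object: %r" % body)
    if result.get("status") is not True:
        err = result.get("error") or {}
        raise ValueError("LinOTP error: %s" % err.get("message", "unknown"))
    return result.get("value") is True


def outcome(body: str) -> str:
    """Collapse a response into 'accept', 'deny' or 'error' for quick triage."""
    try:
        return "accept" if parse_validate_response(body) else "deny"
    except ValueError:
        return "error"


def check_otp(base_url: str, user: str, pin_plus_otp: str, realm: str = "",
              cafile: Optional[str] = None) -> bool:
    """POST user/pass(/realm) to <base_url>/validate/check; True on accept.

    cafile is the CA bundle used to verify the LinOTP server certificate
    (assumed path, supplied by the caller). Verification is never disabled
    here, because PIN and OTP travel in this request body.
    """
    params = {"user": user, "pass": pin_plus_otp}
    if realm:
        params["realm"] = realm
    data = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/validate/check", data=data)
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return parse_validate_response(resp.read().decode())


# Constructed sample responses (not captured from a real server) for offline use.
SAMPLE_ACCEPT = '{"jsonrpc": "2.0", "result": {"status": true, "value": true}, "id": 0}'
SAMPLE_DENY = '{"jsonrpc": "2.0", "result": {"status": true, "value": false}, "id": 0}'
SAMPLE_ERROR = '{"jsonrpc": "2.0", "result": {"status": false, "error": {"code": 410, "message": "no realm"}}, "id": 0}'
```

Run it against the real server as `check_otp("https://linotp.example", "alice", "<PIN><OTP>", realm="myrealm", cafile="/etc/ssl/certs/ca.pem")` (all assumed values); a `deny` for a pair that /auth/index accepts usually points at a realm or resolver mismatch between the two paths.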

Mirko Ahnert

Nov 27, 2015, 8:11:27 AM
to LinOTP
Hi James,

did you configure your setup according to our how-to at http://www.linotp.org/howtos/howto-radius.html ?

Best regards,

Mirko