Radius 2FA (LDAP + OTP)


Raoul

Sep 21, 2016, 9:36:10 AM
to privacyidea
Hi,

I am currently looking into privacyIDEA and trying to configure freeradius to get two-factor authentication working. The current configuration makes use of the rlm_perl module and privacyidea_radius.pm.

The applied policy in privacyIDEA is { "challenge_response": "totp", "otppin": "userstore" }. My current situation allows me to authenticate the client against the userstore, as I can see in the debug logs that I receive a transaction_id. Next the client has to enter the OTP pin, but this request seems to be wrong, as the transaction_id is missing.
The second request does not differ from the first one: the parameters for both are client, pass, realm and user, where in the first request the pass is my actual password and in the second request it is my pin. As far as I understood from the REST API, the transaction_id must be included in the second request.

Is there a fix for privacyidea_radius.pm somewhere, or did I make a wrong configuration in freeradius?

Many thanks,
Raoul

Cornelius Kölbel

Sep 21, 2016, 10:10:46 AM
to priva...@googlegroups.com
Hi,

what RADIUS client is issuing the requests?

You also need the logic in the RADIUS client!
The RADIUS client takes the transaction ID and adds this as State to
the next RADIUS request. If the RADIUS client does not do this, the
RADIUS server cannot know that this is a response to a challenge.
RADIUS is a stateless protocol.

You should not do challenge response, unless you are familiar with the
RADIUS protocol.

Kind regards
Cornelius
--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

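The two-leg exchange described above, as an added example that is not code from privacyIDEA, FreeRADIUS or the original post. Both the NAS and the RADIUS server are simulated in one process with hand-rolled RFC 2865 packet handling (User-Password hiding, Response Authenticator, State attribute). The shared secret, user name, first-factor password and OTP are constructed test values. The server treats every packet on its own: only a State attribute echoed from the Access-Challenge lets it know that the password field now carries the OTP, so a client that drops the State is rejected even with the right OTP.

```python
"""RADIUS Access-Challenge round trip (RFC 2865) with and without the State echo."""
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and the attribute types used here (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

SHARED_SECRET = b"testing123"  # constructed; NAS and server share it out of band


def encode_attrs(attrs):
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(pw, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext
    block), the first block keyed with the Request Authenticator."""
    pw = pw.ljust(-(-len(pw) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out += prev
    return out


def reveal_password(enc, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(enc), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(enc[i:i + 16], key))
        prev = enc[i:i + 16]
    return out.rstrip(b"\x00")


def build_request(ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def build_response(code, request, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    digest = hashlib.md5(header + request[4:20] + body + SHARED_SECRET).digest()
    return header + digest + body


def response_is_authentic(response, request_authenticator):
    """A NAS must verify this before acting on an Accept or Challenge."""
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + SHARED_SECRET).digest()
    return hmac.compare_digest(expected, response[4:20])


class OtpRadiusServer:
    """Judges each packet on its own; only an echoed State links leg two to leg one."""

    def __init__(self):
        # constructed users: (first-factor password, OTP that is currently valid)
        self.users = {b"raoul": (b"ldap-password", b"123456")}
        self.pending = {}  # State token -> user who passed the first factor

    def handle(self, pkt):
        attrs = dict(decode_attrs(pkt[20:]))
        user = attrs.get(USER_NAME)
        password = reveal_password(attrs[USER_PASSWORD], SHARED_SECRET, pkt[4:20])
        state = attrs.get(STATE)
        if state is not None:
            # Second leg: the State names the transaction, so the password field is the OTP.
            if user in self.users and self.pending.pop(state, None) == user \
                    and password == self.users[user][1]:
                return build_response(ACCESS_ACCEPT, pkt, [])
            return build_response(ACCESS_REJECT, pkt, [])
        # No State: this can only be a first-factor attempt, whatever the NAS intended.
        if user in self.users and password == self.users[user][0]:
            token = os.urandom(16)
            self.pending[token] = user
            return build_response(ACCESS_CHALLENGE, pkt,
                                  [(STATE, token), (REPLY_MESSAGE, b"please enter otp: ")])
        return build_response(ACCESS_REJECT, pkt, [])


def nas_login(server, user, password, otp, echo_state=True):
    """Two-leg login as a NAS performs it. echo_state=False models a client that
    drops the State, the failure mode from the thread. Returns the final code."""
    auth1 = os.urandom(16)
    first = build_request(1, auth1, [(USER_NAME, user),
                                     (USER_PASSWORD, hide_password(password, SHARED_SECRET, auth1))])
    reply = server.handle(first)
    if not response_is_authentic(reply, auth1):
        raise ValueError("bad Response Authenticator")
    if reply[0] != ACCESS_CHALLENGE:
        return reply[0]
    state = dict(decode_attrs(reply[20:]))[STATE]
    auth2 = os.urandom(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(otp, SHARED_SECRET, auth2))]
    if echo_state:
        attrs.append((STATE, state))  # this is what makes leg two a challenge response
    reply = server.handle(build_request(2, auth2, attrs))
    if not response_is_authentic(reply, auth2):
        raise ValueError("bad Response Authenticator")
    return reply[0]


if __name__ == "__main__":
    srv = OtpRadiusServer()
    print("State echoed:", nas_login(srv, b"raoul", b"ldap-password", b"123456"))
    print("State dropped:", nas_login(srv, b"raoul", b"ldap-password", b"123456", echo_state=False))
```

The dropped-State run shows exactly the symptom from the first post: the second packet looks like a fresh first-factor attempt whose "password" is the OTP, so it fails against the userstore. A real NAS also has to honour the server's transaction timeout, and the server side should expire entries in `pending`; both are left out to keep the exchange itself visible.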

Raoul

Sep 21, 2016, 10:25:50 AM
to privacyidea
Ok, now I understand. Currently I am using a perl script to do some testing. I should be able to modify this script, but is this kind of challenge supported by major vendors like Cisco, Fortinet or Palo Alto?

Regards,
Raoul

Cornelius Kölbel

Sep 21, 2016, 10:39:55 AM
to priva...@googlegroups.com
As I mentioned earlier, this is standard RADIUS chal/resp.
Kind regards
Cornelius

Raoul

Sep 22, 2016, 6:11:59 AM
to privacyidea
I started debugging this morning with a VPN server which works fine with Access-Challenge against an older Radius / OTP installation.

The problem seems to be that the Radius server does not add the attributes received from the rlm_perl module:

  rlm_perl: return RLM_MODULE_HANDLED
  (1)  perl : &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'raoul'
  (1)  perl : &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Sep 22 2016 12:01:57 CEST'
  (1)  perl : &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'password'
  (1)  perl : &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '192.168.1.1'
  (1)  perl : &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'please enter otp: '
  (1)  perl : &reply:Service-Type = $RAD_REPLY{'Service-Type'} -> 'Administrative-User'
  (1)  perl : &reply:Class = $RAD_REPLY{'Class'} -> '0x000000000000000000000000000000000000000000000000000000000000000'
  (1)  perl : &reply:State = $RAD_REPLY{'State'} -> '0000000000000000000'
  (1)  perl : &control:Response-Packet-Type = $RAD_CHECK{'Response-Packet-Type'} -> 'Access-Challenge'
  (1)  perl : &control:Ldap-UserDn = $RAD_CHECK{'Ldap-UserDn'} -> 'uid=raoul,ou=users,dc=example,dc=com'
  (1)  perl : &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
  (1)   [perl] = handled
  (1)  } # Auth-Type Perl = handled
  (1) Sending Access-Challenge packet to host 192.168.1.1 port 34786, id=196, length=0
  (1) Class = 0x000000000000000000000000000000000000000000000000000000000000000
  Sending Access-Challenge Id 196 from 192.168.1.1:1812 to 192.168.1.1:34786
  Class = 0x000000000000000000000000000000000000000000000000000000000000000
  (1) Finished request
  Waking up in 4.9 seconds.
  (1) Cleaning up request packet ID 196 with timestamp +24
  Ready to process requests

You can see that perl sends the Class and State attributes, but only the Class attribute is sent. My access_challenge attributes file allows State and Reply-Message to be sent:

DEFAULT
	EAP-Message =* ANY,
	State =* ANY,
	Message-Authenticator =* ANY,
	Reply-Message =* ANY,
	Proxy-State =* ANY,
	Session-Timeout =* ANY,
	Idle-Timeout =* ANY


Do you have a hint on how to get this working?


Regards,

Raoul


Raoul

Sep 26, 2016, 5:46:16 AM
to privacyidea
Looks like my authentication is working now, but there is still one error message printed to the console:

(0)  ERROR: perl : Failed to create pair reply:privacyIDEA-Serial = TOTP0000A123


Do you have an idea about this?

Cornelius Kölbel

Sep 26, 2016, 6:08:50 AM
to priva...@googlegroups.com
Hi Raoul,

can you please tell what the problem was?

The dictionary file is missing.

Kind regards
Cornelius


Raoul

Sep 26, 2016, 6:23:36 AM
to privacyidea
I got the documentation wrong: freeradius does not load all files from /usr/share/freeradius. I now include /usr/share/freeradius/dictionary.netknights and the attribute is sent to the client.

Cornelius Kölbel

Sep 26, 2016, 6:33:32 AM
to priva...@googlegroups.com
Oh no.
I meant your initial problem.
Kind regards
Cornelius


Raoul

Sep 26, 2016, 8:57:04 AM
to privacyidea
Oh, that one is not solved. Access-Challenge seems not to be possible with privacyidea. I will look into other solutions for this at some later point.

Raoul

Feb 2, 2017, 2:27:08 AM
to privacyidea
Putting my privacyIDEA test server back online and upgrading to 2.17 solved the issue with Access-Challenge / response.