help with vpn login to privacyIDEA radius

345 views
Skip to first unread message

Stephen Horvath

unread,
Feb 5, 2016, 4:35:44 AM2/5/16
to privacyidea
Hi,
I need some help getting this to work
I have a PrivacyIDEA server (2.9-1) with the radius module
My aim is to auth as follows
clientVPN (ipsec) -> Firewall (aaa enabled pointing to privacyIDEA server) using AD credentials

I have set up the following
PrivacyIDEA:
Radius module installed and freeradius running on the same server (all set up using the package manager)
I have an LDAP resolver (AD) which works and pulls my users successfully from a samba4 active directory server
I have a policy using otppin-userstore so it uses the AD password
I have a Realm using the LDAP resolver
I have a token (TOTP) mapped to an AD user

when running radtest using the AD username ADpassword-OTPpin all works great

My issue is I now need my vpn users to connect to the firewall/vpn endpoint and get authed in the same way

When connecting via VPN the request goes through to the privacyIDEA freeradius server but get's rejected.
I'm assuming it's because it's using MSCHAP.

Any help getting this scenario to work would be really helpful

Cornelius Kölbel

unread,
Feb 5, 2016, 4:52:13 AM2/5/16
to priva...@googlegroups.com
Hi Stephan,

connecting the application, in this scenario the VPN via RADIUS, is
often the interesting part.

Especially with a VPN and RADIUS there are often difficulties which I
solve in remote sessions with the customers.

1. MSCHAP is not supported by the RADIUS-Plugin. MSCHAP does not easily
work well with OTP.
2. Run freeradius in debug mode (-X)
3. Check the secrets.
4. Often VPN servers expect special attributes in the response to put
the users into certain groups.

Kind regards
Cornelius
> --
> Please read the blog post about getting help
> https://www.privacyidea.org/getting-help/.
>
> For professional services and consultancy regarding two factor
> authentication please visit
> https://netknights.it/en/leistungen/one-time-services/
>
> In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
> which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
> https://netknights.it/en/leistungen/service-level-agreements/
> ---
> You received this message because you are subscribed to the Google
> Groups "privacyidea" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to privacyidea...@googlegroups.com.
> To post to this group, send email to priva...@googlegroups.com.
> Visit this group at https://groups.google.com/group/privacyidea.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/privacyidea/58f3f108-8bb4-402f-9e2f-e816bab7525b%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


signature.asc

Stephen Horvath

unread,
Feb 5, 2016, 5:03:13 AM2/5/16
to Cornelius Kölbel, priva...@googlegroups.com
Thanks,
I was pretty excited to find privacyIDEA and it looked like it would do everything I wanted...
I only need to auth VPN access using OTP authing against an AD server.
Can you recommend a way of doing this another way?


Stephen Horvath
Director
( MCSE | CCNA | MTCNA | MTCRE )
---

Workshop IT:
5 Cowcross Street London EC1M 6DW
t: 020 7183 0498
Registered in England and Wales: 8366747

You received this message because you are subscribed to a topic in the Google Groups "privacyidea" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/privacyidea/sQxd_4To7Go/unsubscribe.
To unsubscribe from this group and all its topics, send an email to privacyidea...@googlegroups.com.

To post to this group, send email to priva...@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.

Cornelius Kölbel

unread,
Feb 5, 2016, 5:09:47 AM2/5/16
to priva...@googlegroups.com
Hi Stephen,

you can use RADIUS, but only with PAP. With plain normal RADIUS this
works like a charm.
Anyway, it might depend on your VPN server.

But you have the right setup:

* VPN-Server asks FreeRADIUS
* FreeRADIUS users rlm_perl/privacyidea to ask privacyIDEA.
* privacyIDEA finds user in AD
* privacyIDEA checks OTP value and responds to rlm_perl/FreeRADIUS

If you need detailed help on this, just drop me a note.

Kind regards
Cornelius
> https://groups.google.com/d/msgid/privacyidea/CAAyQAQR1VnFNixU_EmNGoWbVF1ceCTqXMgYCHGDNPYJg0PA4nA%40mail.gmail.com.
signature.asc

Stephen Horvath

unread,
Feb 5, 2016, 5:12:09 AM2/5/16
to Cornelius Kölbel, priva...@googlegroups.com
It does work using pap but aren't there security concerns using pap?


Stephen Horvath
Director
( MCSE | CCNA | MTCNA | MTCRE )
---

Workshop IT:
5 Cowcross Street London EC1M 6DW
t: 020 7183 0498
Registered in England and Wales: 8366747

Stephen Horvath

unread,
Feb 5, 2016, 5:16:24 AM2/5/16
to Cornelius Kölbel, priva...@googlegroups.com
I am able to auth with a freeradius server using ldap and mschapv2 which is a good solution but I wanted 2 factor auth hence the reason for looking into privacyIDEA.
Basically I have some users in the financial sector who want a 2-factor auth VPN. My options may be to go with something like RSA secureid or something similar but I'd really like to use something open source. Happy to pay. I'd rather contribute to open source than finance the tech giants.


Stephen Horvath
Director
( MCSE | CCNA | MTCNA | MTCRE )
---

Workshop IT:
5 Cowcross Street London EC1M 6DW
t: 020 7183 0498
Registered in England and Wales: 8366747

Stephen Horvath

unread,
Feb 5, 2016, 5:19:18 AM2/5/16
to Cornelius Kölbel, priva...@googlegroups.com
Am I right in my assumption though that using pap with ipsec shouldn't be a security issue as it's done within the ipsec tunnel?
If so then pap is the answer


Stephen Horvath
Director
( MCSE | CCNA | MTCNA | MTCRE )
---

Workshop IT:
5 Cowcross Street London EC1M 6DW
t: 020 7183 0498
Registered in England and Wales: 8366747

Cornelius Kölbel

unread,
Feb 5, 2016, 5:40:14 AM2/5/16
to priva...@googlegroups.com
The RADIUS protocol is plain text. Even MSCHAP transmits all other
information in plain text. You can get all information who is
successfully authenticating when.
So if you do not want to sniff anyone. Yes, use an encryption like a VPN
between the VPN and the RADIUS Server.
> +unsub...@googlegroups.com.
> +unsub...@googlegroups.com.
> +unsub...@googlegroups.com.
> +unsub...@googlegroups.com.
> To post to this group, send email to
> priva...@googlegroups.com.
> Visit this group at
> https://groups.google.com/group/privacyidea.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/privacyidea/1454666981.20654.123.camel%40puckel.
> For more options, visit
> https://groups.google.com/d/optout.
>
>
>
>
>
>
>
> --
> Please read the blog post about getting help
> https://www.privacyidea.org/getting-help/.
>
> For professional services and consultancy regarding two factor
> authentication please visit
> https://netknights.it/en/leistungen/one-time-services/
>
> In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
> which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
> https://netknights.it/en/leistungen/service-level-agreements/
> ---
> You received this message because you are subscribed to the Google
> Groups "privacyidea" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to privacyidea...@googlegroups.com.
> To post to this group, send email to priva...@googlegroups.com.
> Visit this group at https://groups.google.com/group/privacyidea.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/privacyidea/CAAyQAQSi5DOYFXvg75gDzcneS2vAiAsCgDjVukNxUFY_iasXig%40mail.gmail.com.
signature.asc

Cornelius Kölbel

unread,
Feb 5, 2016, 5:41:38 AM2/5/16
to priva...@googlegroups.com
Hi Stephan,

good to hear this.

There are always security concerns. Only others.

With using PAP the password transmitted over the wire is encrypted using
the RADIUS secret. This is why you should choose a good RADIUS secret
which is at least as long as the usual passwords.

With MSCHAPv2 the password is not transmitted. But the password hash is
used. Usually this is ok, since the password is also hashed in active
directory. This way you can use the password from active directory.

Now comes the problem and thus the other security concerns:
If you are authenticating with two factors like:

<AD-Password> + <OTP>

Using MSCHAPv2 is not possible, since you would have to store the
password encrypted - not hashed.
Then privacyIDEA would have to READ the password from AD, decrypt it to
generate

HASH( ADpassword + OTP)

since

HASH(ADpassword + OTP) != HASH(ADPassword) + HASH(OTP)

But you DO NOT WANT to store the password in an encrypted way.

OK, if you are using privacyIDEA OTP PIN (not the AD password) like

<OTP PIN> + <OTP>

then you have the same thing. privacyIDEA can save the OTP PINs (which
are also passwords) in an encrypted a.k.a. decryptable way.
You may think about it, if you like it at this point.

But even if we do so, there is another only small problem:

We do not know, which hash was calculated by the client side:
The user could have entered either PIN + OTPvalue1 or PIN + OTPvalue2
oder PIN+OTPvalue3...

So we do not know which of the many possible hashes the user had used.
So the protocol gets a bit more complicated (complicated not
impossible).
This could be implemented but it is simply not implemented at the moment
(Please again note: You would have to store the passwords decrypteable)

The next security concern is, that you really really do not want to use
RSA SecurID ;-)
I do not elaborate on this ;-)

So the questions are:
* Do you want a really strong 2nd factor or only a weak one.
* Would you want to use AD-Password or OTP-PIN (which is also a
password)
* Are you more concerned about someone stealing the RADIUS Secret,
sniffing your network and getting the OTP PIN or about backdoors,
delivery chains of preseeded proprietary tokens etc. etc.

As mentioned, yes it is a security concern. But as always it is your
decision which risks you are willing to take and I can only point out
some details.

Finally:

If your VPN supports a two step authentication like
* first authenticating against one RADIUS and
* then against another

you can do it like:

1. Authenticate with AD-Password via MSCHAPv2 against NPS
2. Authenticate with OTP via PAP against FreeRADIUS

But then again a security concern: Some customers do not like their
users to use their LDAP password in the wild! Since the risk of shoulder
surfing (either by human eye or camera) when entering the AD password
could be seen as higher.

I hope I gave you some input on making up your mind.
Anyway: If you are really into MSCHAPv2 we can also talk about this.

I am looking forward to your response.
> +unsub...@googlegroups.com.
> +unsub...@googlegroups.com.
> +unsub...@googlegroups.com.
> +unsub...@googlegroups.com.
> To post to this group, send email to
> priva...@googlegroups.com.
> Visit this group at
> https://groups.google.com/group/privacyidea.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/privacyidea/1454666981.20654.123.camel%40puckel.
> For more options, visit
> https://groups.google.com/d/optout.
>
>
>
>
>
> --
> Please read the blog post about getting help
> https://www.privacyidea.org/getting-help/.
>
> For professional services and consultancy regarding two factor
> authentication please visit
> https://netknights.it/en/leistungen/one-time-services/
>
> In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
> which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
> https://netknights.it/en/leistungen/service-level-agreements/
> ---
> You received this message because you are subscribed to the Google
> Groups "privacyidea" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to privacyidea...@googlegroups.com.
> To post to this group, send email to priva...@googlegroups.com.
> Visit this group at https://groups.google.com/group/privacyidea.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/privacyidea/CAAyQAQSg2ZnUsyE%
> 3DBy4m22Wh1PdZ_JetcGuH8b9F6Mck-6s-ug%40mail.gmail.com.
signature.asc

Stephen Horvath

unread,
Feb 5, 2016, 5:49:00 AM2/5/16
to Cornelius Kölbel, priva...@googlegroups.com
Hi,
I'm not concerned about security between AD, radius server. They are in a secure environment and (for now) we have no PCI requirement.
I just want to offer the end user 2-factor auth for remote client vpn and it must be secure of course.
They currently use IPSEC client to firewall -> freeradius server using ldap and ,mschap authing against active directory (samba4)
However, their clients are not happy with this and want them to use 2-factor auth. They really want the OTP feature added in.
If using IPSEC with a shared secret then using PAP to auth the user either using a pin or their AD password in addition to the OTP is as secure as what they are using with the added bonus of using a OTP then I'm happy to go ahead and use this.


Stephen Horvath
Director
( MCSE | CCNA | MTCNA | MTCRE )
---

Workshop IT:
5 Cowcross Street London EC1M 6DW
t: 020 7183 0498
Registered in England and Wales: 8366747

To unsubscribe from this group and all its topics, send an email to privacyidea...@googlegroups.com.

To post to this group, send email to priva...@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.

Cornelius Kölbel

unread,
Feb 5, 2016, 6:01:16 AM2/5/16
to privacyidea
Go for it! :-)
signature.asc
Reply all
Reply to author
Forward
0 new messages