How to pass the new Radius-Attributes to my VPN-Server with RB 1.2.4


Alexander Prinz

Mar 11, 2016, 9:34:09 AM3/11/16
to RCDevs Security Solutions - Technical
Hello,

I have updated to the latest version and now OpenOTP does not forward my Reply Data to my VPN server anymore.
What I have already done is to add the reply_attributes to the openotp.conf (but I don't know what to write behind it: reply_attributes=????????)
because the old parameter data_attribute = "Class" does not exist in 1.2.4 anymore.

Here are the radiusd debug outputs before and after the Update:

Before:
rlm_openotp: Sending openotpNormalLogin request
rlm_openotp: OpenOTP Authentication succeeded
rlm_openotp: Reply message: Authentication success
rlm_openotp: Reply Data: Admins
rlm_openotp: Sending Access-Accept
++[openotp] = ok
+} # group authenticate = ok
Login OK: [xxx\000xxx] (from client any port 0)
  WARNING: Empty post-auth section.  Using default return values.
Sending Access-Accept of id 178 to 10.10.1.2 port 34781
        Reply-Message = "Authentication success"
        Class = "Admins"
Finished request 0.


After:
rlm_openotp: Sending openotpNormalLogin request
rlm_openotp: OpenOTP Authentication succeeded
rlm_openotp: Reply message: Authentication success
rlm_openotp: Reply Data: Admins
rlm_openotp: Invalid Reply Data (value-pairs parse failed)
rlm_openotp: Sending Access-Accept
++[openotp] = ok
+} # group authenticate = ok
Login OK: [xxx\000xxx] (from client any port 0)
  WARNING: Empty post-auth section.  Using default return values.
Sending Access-Accept of id 157 to 10.50.1.2 port 39637
        Reply-Message = "Authentication success"
Finished request 0.

Regards, Alexander.

Colin

Mar 12, 2016, 1:45:29 PM3/12/16
to RCDevs Security Solutions - Technical
What version did you upgrade from?
There were some substantial changes made in later versions of Radius Bridge.
I had to do the following:
- Remove my openotp.conf file and replace it with the latest that came with radius bridge (rename openotp.conf.default to openotp.conf)
- Remove radiusd.conf and replace with radiusd.conf.default
- Don't touch attributes in openotp.conf, instead add them to the "RADIUS Attributes" section under "OpenOTP" application settings on either the group (suggested) or the user.

Here's what I get back when I authenticate:

Enter password: ********
Result: Challenge
Session: 64653434653565666231366163373138
Enter your TOKEN one-time password: 724074
Result: Success
Reply-Message: "Authentication success"
Cisco-AVPair: "shell:priv-lvl=15"
Class: 0x61646d696e73

Administrators

Mar 12, 2016, 1:53:22 PM3/12/16
to RCDevs Security Solutions - Technical
Exactly: the RADIUS reply attributes mechanism was simplified in the latest version of OpenOTP & RB.
Now you only need to set "RADIUS Attributes" in the OpenOTP user or group settings.
And there is no additional configuration needed in the RB configurations.

Spyridon Gouliarmis (RCDevs)

Mar 23, 2016, 9:03:07 AM3/23/16
to RCDevs Security Solutions - Technical
Hello Alexander,

For your setup to work, I would expect something like data_is_vps=yes in openotp.conf and a reply data like Class="Admin". My guess is you've been using data_attribute=Class instead so you could just have a reply data of "Admin" before. What is your openotp.conf like? We can contact you privately if you're worried about leaking data.
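To make the difference between the two debug outputs concrete, here is an added Python example (my own illustration, not RCDevs or rlm_openotp code) that parses reply data as a FreeRADIUS-style value-pair list: a bare `Admins` fails the parse, while `Class="Admins"` (and a multi-attribute list like the one in Colin's output) succeeds. The regex, the `decode_hex_attr` helper and the sample strings are assumptions constructed for this example.

```python
import re

# Constructed grammar for 'Attr = "value", Attr2 = value' lists. This is an
# assumption about the value-pair format, not the rlm_openotp implementation.
PAIR_RE = re.compile(
    r'\s*([A-Za-z][\w-]*)\s*=\s*("(?:[^"\\]|\\.)*"|[^,]+?)\s*(?:,|$)'
)


def parse_value_pairs(data: str) -> dict:
    """Parse reply data written as RADIUS value-pairs into {attribute: value}.

    Raises ValueError when the string is not a value-pair list, which is the
    situation the debug log reports as
    "Invalid Reply Data (value-pairs parse failed)".
    """
    text = data.strip()
    if not text:
        raise ValueError("empty reply data")
    pairs = {}
    pos = 0
    while pos < len(text):
        match = PAIR_RE.match(text, pos)
        if match is None:
            raise ValueError(
                f"value-pairs parse failed at offset {pos}: {text[pos:]!r}"
            )
        name, value = match.group(1), match.group(2)
        if value.startswith('"'):
            # Strip the surrounding quotes and unescape embedded quotes.
            value = value[1:-1].replace('\\"', '"')
        pairs[name] = value.strip()
        pos = match.end()
    return pairs


def decode_hex_attr(value: str) -> str:
    """Decode an attribute printed as octets (0x...) back to text.

    The Class value 0x61646d696e73 shown by radclient decodes to 'admins'.
    """
    if value.lower().startswith("0x"):
        return bytes.fromhex(value[2:]).decode("ascii")
    return value


if __name__ == "__main__":
    # Old data_attribute=Class style: a bare value, no attribute name.
    try:
        parse_value_pairs("Admins")
    except ValueError as err:
        print("bare value rejected:", err)
    # Value-pair style expected with data_is_vps=yes.
    print(parse_value_pairs('Class = "Admins", Cisco-AVPair = "shell:priv-lvl=15"'))
    print(decode_hex_attr("0x61646d696e73"))
```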