Radius Proxy Client Policy not being applied


Max DiOrio

Feb 26, 2024, 2:02:00 AM
to RCDevs Security
Hi,

I have a Client Policy defined with the name Gateway.  In this policy, I specified some enforced settings:

OpenOTP.LoginMode=LDAPOTP
OpenOTP.OTPType=TOKEN
OpenOTP.ChallengeMode=No

My radiusd config is set:

client_attribute = "NAS-Identifier" 

In my Radius test client, I am passing the Nas-Identifier=Gatway, and that can be seen in the radius logs:

(7) Received Access-Request Id 9 from 10.85.128.22:53518 to 10.85.136.11:1812 length 75
(7)   User-Name = "a-username"
(7)   User-Password = "PasswordToken"
(7)   NAS-Identifier = "Gatway"
(7) # Executing section authorize from file /opt/radiusd/lib/radiusd.ini
(7)   authorize {
(7) eap: No EAP-Message, not doing EAP
(7)     [eap] = noop
(7) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(7) pap: WARNING: Authentication will fail unless a "known good" password is available
(7)     [pap] = noop
(7)     [openotp] = ok
(7)   } # authorize = ok
(7) Found Auth-Type = OTP
(7) # Executing group from file /opt/radiusd/lib/radiusd.ini
(7)   Auth-Type OTP {
rlm_openotp: Found client ID attribute with value "Gatway"
rlm_openotp: Found client IP attribute with value "10.85.128.22"
rlm_openotp: Sending openotpSimpleLogin request
rlm_openotp: OpenOTP authentication failed
rlm_openotp: Reply message: Invalid username or password
rlm_openotp: Sending Access-Reject
(7)     [openotp] = reject
(7)   } # Auth-Type OTP = reject
(7) Failed to authenticate the user
(7) Using Post-Auth-Type Reject
(7) Post-Auth-Type sub-section not found.  Ignoring.
(7) Login incorrect: [a-username] (from client Gateway port 0)
(7) Sent Access-Reject Id 9 from 10.85.136.11:1812 to 10.85.128.22:53518 length 50
(7)   Reply-Message := "Invalid username or password"
(7)   Error-Cause := 23460896
(7) Finished request

However, in the webadm.log file, it doesn't appear like it's actually using the policy.  You can see the following, which still has ChallengeMode=Yes.

Found 50 user settings: LoginMode=LDAPOTP,OTPType=TOKEN,ChallengeMode=Yes,ChallengeTimeout=90,OTPLength=6,OfflineExpire=30,MobileTimeout=30,EnableLogin=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,U2FPINMode=Discouraged,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,PrefetchExpire=10,LastOTPTime=300,ListChallengeMode=ShowID


What may I be missing here?

Thanks!

Benoît Jager (RCDevs)

Feb 26, 2024, 2:06:24 AM
to RCDevs Security
Hello,

It seems that you are missing an “e” in the sent client ID: Gatway instead of Gateway, so it is not matched by OpenOTP.
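The mismatch above is easy to miss by eye in a wall of debug output. The following is an added example (not code from the thread or from RCDevs) that parses radiusd/rlm_openotp debug lines, pulls out the client ID value that OpenOTP will use for Client Policy matching, and compares it against the list of policy names. It reports exact matches, case-only differences, near-misses such as a dropped letter, and requests that carried no client attribute at all. The log excerpt and the policy list (Gateway, VPN, Wifi) are constructed for the example; the script assumes OpenOTP compares the client ID to the policy name as an exact string, and it flags case-only differences separately because the thread does not say whether that comparison is case-sensitive.

```python
import re
import difflib

# Constructed sample: a condensed radiusd / rlm_openotp debug excerpt modelled on
# the thread. Request 7 sends the misspelt "Gatway", request 8 the correct name,
# request 9 sends no NAS-Identifier at all.
SAMPLE_LOG = """\
(7) Received Access-Request Id 9 from 10.85.128.22:53518 to 10.85.136.11:1812 length 75
(7)   User-Name = "a-username"
(7)   NAS-Identifier = "Gatway"
rlm_openotp: Found client ID attribute with value "Gatway"
rlm_openotp: Found client IP attribute with value "10.85.128.22"
(8) Received Access-Request Id 10 from 10.85.128.23:40000 to 10.85.136.11:1812 length 75
(8)   User-Name = "b-username"
(8)   NAS-Identifier = "Gateway"
rlm_openotp: Found client ID attribute with value "Gateway"
rlm_openotp: Found client IP attribute with value "10.85.128.23"
(9) Received Access-Request Id 11 from 10.85.128.24:40001 to 10.85.136.11:1812 length 60
(9)   User-Name = "c-username"
rlm_openotp: Found client IP attribute with value "10.85.128.24"
"""

# Hypothetical Client Policy names as defined in WebADM (assumption for the example).
CLIENT_POLICIES = ["Gateway", "VPN", "Wifi"]

REQUEST_RE = re.compile(r'^\((\d+)\) Received Access-Request')
CLIENT_ID_RE = re.compile(r'rlm_openotp: Found client ID attribute with value "([^"]*)"')
CLIENT_IP_RE = re.compile(r'rlm_openotp: Found client IP attribute with value "([^"]*)"')


def parse_requests(log_text):
    """Group the rlm_openotp lines under the radiusd request that precedes them.

    Returns a list of dicts with the request number, the client ID value that
    OpenOTP extracted (None if absent) and the client IP it saw.
    """
    requests = []
    current = None
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request": int(m.group(1)), "client_id": None, "client_ip": None}
            requests.append(current)
            continue
        if current is None:
            continue  # lines before the first request header are ignored
        m = CLIENT_ID_RE.search(line)
        if m:
            current["client_id"] = m.group(1)
            continue
        m = CLIENT_IP_RE.search(line)
        if m:
            current["client_ip"] = m.group(1)
    return requests


def check_policy_match(client_id, policies):
    """Classify a client ID against the configured policy names.

    Returns (status, detail) where status is one of:
      'match'   exact match, the policy will be applied
      'case'    same name but different case (assumed not to match)
      'near'    close to a policy name, typically a typo
      'missing' no client ID attribute was found in the request
      'unknown' nothing similar configured
    """
    if client_id is None:
        return "missing", None
    if client_id in policies:
        return "match", client_id
    lowered = {p.lower(): p for p in policies}
    if client_id.lower() in lowered:
        return "case", lowered[client_id.lower()]
    close = difflib.get_close_matches(client_id, policies, n=1, cutoff=0.8)
    if close:
        return "near", close[0]
    return "unknown", None


def audit(log_text, policies):
    """Return one (request, client_id, client_ip, status, detail) tuple per request."""
    results = []
    for req in parse_requests(log_text):
        status, detail = check_policy_match(req["client_id"], policies)
        results.append((req["request"], req["client_id"], req["client_ip"], status, detail))
    return results


if __name__ == "__main__":
    for req_no, cid, ip, status, detail in audit(SAMPLE_LOG, CLIENT_POLICIES):
        hint = f" (did you mean {detail!r}?)" if status in ("near", "case") else ""
        print(f"request {req_no} from {ip}: client ID {cid!r} -> {status}{hint}")
```

Run it against a real `radiusd -X` capture by reading the file into `audit()` in place of `SAMPLE_LOG`; a "missing" result usually means `client_attribute` in radiusd.ini names an attribute the NAS does not send, while "near" or "case" points at the kind of one-character slip diagnosed in this thread.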