Hi,

> On 14 Jul 2017, at 20.16, s.schw...@lumc.nl wrote:
>
> However once I do this, in my RADIUS server I receive the following error
> once I try to authenticate. I figured I'd test out LSA first, and once I have
> that working I'd work on getting OTPs working.
>
> Mon Jul 10 03:36:41 2017: DEBUG: Packet dump:
> *** Received from 172.16.0.3 port 55428 ....
> Code:       Access-Request
> Identifier: 2
> Authentic:  <212><215><195><163><28><225><128><240><145>U[<219><239>BdV
> Attributes:
>         Service-Type = Voice
>         User-Name = "domain\username"
>         Called-Station-Id = "UserAuthType:PW"
>         MS-Machine-Name = "hostname.something"
>         MS-Network-Access-Server-Type = Terminal-Server-Gateway
>         NAS-Port-Type = Virtual
>         Proxy-State = <254><128><0><0><0><0><0><0><228><28>lj<193>l@<170><0><0><0><2>
>
> Mon Jul 10 03:36:41 2017: DEBUG: Handling request with Handler 'Client-Identifier = From_NPS', Identifier 'Default'
> Mon Jul 10 03:36:41 2017: DEBUG: Deleting session for domain\username, 172.16.0.3,
> Mon Jul 10 03:36:41 2017: DEBUG: Handling with Radius::AuthLSA:
> Mon Jul 10 03:36:41 2017: DEBUG: AuthBy LSA result: REJECT, Authentication protocol Unknown not allowed by AuthenProto configuration parameter
> Mon Jul 10 03:36:41 2017: INFO: Access rejected for domain\username: Authentication protocol Unknown not allowed by AuthenProto configuration parameter
> Mon Jul 10 03:36:41 2017: DEBUG: Packet dump:
> *** Sending to 172.16.0.3 port 55428 ....
> Code:       Access-Reject
> Identifier: 2
> Authentic:  <168><196>1<151><190>*<174><132><177>*l<209>\NT~
> Attributes:
>         Reply-Message = "Request Denied"
>         Proxy-State = <254><128><0><0><0><0><0><0><228><28>lj<193>l@<170><0><0><0><2>
>
>
> I tried the following handler for LSA auth:
>
> <Handler Client-Identifier = From_NPS>
>         Identifier Default
>         <AuthBy LSA>
>                 Domain domainname
>                 UsernameMatchesWithoutRealm
>         </AuthBy>
>         AuthLog Logfile_Dev
>         AcctLogFileName %L/Dev_detail_%Y-%m-%d.log
> </Handler>
>
> Any pointers would be appreciated.
>
> It should be possible, since for example this guide shows how to do it with
> WikiD:
> http://www.techworld.com/tutorial/security/configuring-nps-2012-for-two-factor-authentication-3223170/.
> But I'd rather use 1 product instead of various products to achieve the same
> result.
>
> We do actually have Azure MFA which can be used for this, but I actually
> don't want to use it for this scenario.
>

As the Access-Request does not contain any attribute carrying a password or a
challenge-response, you will need to add the following configuration options
within AuthBy LSA:

AuthenProto Unknown
NoCheckPassword

http://www.open.com.au/radiator/ref/AuthenProto.html#AuthenProto
http://www.open.com.au/radiator/ref/NoCheckPassword.html#NoCheckPassword

E.g.

<AuthBy LSA>
        ...
        # Allow access requests without a password (required for Radiator 4.18 and later)
        AuthenProto Unknown
        # Do not try to check user's password
        NoCheckPassword
</AuthBy>

BR
-- 
Tuure Vartiainen <varti...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

_______________________________________________
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
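Added example, not part of this thread and not Radiator code: a small Python checker that reads the kind of DEBUG "Packet dump:" block quoted above and reports which credential attribute, if any, the Access-Request carries. It makes concrete what the reply says about the request from the Terminal Services Gateway: there is no User-Password, CHAP-Password, MS-CHAP-Response, MS-CHAP2-Response or EAP-Message attribute, so the request is a "no credential" request. The attribute-to-protocol mapping uses those standard RADIUS attribute names; the protocol labels are generic (only "Unknown" is taken from the page) and are not assumed to match Radiator's AuthenProto keywords one for one. The dump in the block is a constructed copy of the one in the thread, with the Authentic and Proxy-State lines left out.

```python
# Added example (not Radiator code): classify a Radiator DEBUG packet dump by the
# credential it carries. SAMPLE_DUMP is a constructed copy of the dump in this thread.

# Standard RADIUS attributes that carry a credential, and the protocol each implies.
# The labels are generic; mapping them to Radiator AuthenProto keywords is an assumption.
CREDENTIAL_ATTRS = {
    "User-Password": "PAP",
    "CHAP-Password": "CHAP",
    "MS-CHAP-Response": "MSCHAP",
    "MS-CHAP2-Response": "MSCHAPV2",
    "EAP-Message": "EAP",
}

SAMPLE_DUMP = """\
Mon Jul 10 03:36:41 2017: DEBUG: Packet dump:
*** Received from 172.16.0.3 port 55428 ....
Code:       Access-Request
Identifier: 2
Attributes:
        Service-Type = Voice
        User-Name = "domain\\username"
        Called-Station-Id = "UserAuthType:PW"
        MS-Machine-Name = "hostname.something"
        MS-Network-Access-Server-Type = Terminal-Server-Gateway
        NAS-Port-Type = Virtual
"""


def parse_packet_dump(dump):
    """Return (code, attrs) for one Radiator 'Packet dump:' block.

    attrs maps attribute name -> list of values, since an attribute may repeat.
    Quotes around string values are stripped; binary values stay as printed.
    """
    code = None
    attrs = {}
    in_attrs = False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("Code:"):
            code = line.split(":", 1)[1].strip()
        elif line.startswith("Attributes:"):
            in_attrs = True
        elif in_attrs and " = " in line:
            name, value = line.split(" = ", 1)
            attrs.setdefault(name.strip(), []).append(value.strip().strip('"'))
    return code, attrs


def credential_protocol(attrs):
    """Name the protocol implied by the first credential attribute present,
    or 'Unknown' when the request carries neither a password nor a challenge-response."""
    for attr, proto in CREDENTIAL_ATTRS.items():
        if attr in attrs:
            return proto
    return "Unknown"


def triage(dump):
    """Summarise one dump: who is asking, what credential (if any) came with it,
    and whether the AuthBy would need the no-password settings from the reply."""
    code, attrs = parse_packet_dump(dump)
    proto = credential_protocol(attrs)
    return {
        "code": code,
        "user": attrs.get("User-Name", [None])[0],
        "protocol": proto,
        "credential_present": proto != "Unknown",
        # With no credential in the packet, AuthBy LSA needs 'AuthenProto Unknown'
        # plus 'NoCheckPassword', i.e. Radiator performs no password check at all.
        "needs_nocheckpassword": proto == "Unknown",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

When the checker reports "Unknown", that is exactly the case the reply addresses: once NoCheckPassword is set, Radiator verifies nothing about the password, and whether the user gets in depends entirely on the NPS / TS Gateway having authenticated the user before proxying. Keeping that AuthBy inside a Handler bound to the gateway client, as the Client-Identifier = From_NPS handler in the thread already does, limits which client can reach the no-password path.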