Hello Hugh,

It seems better (no crashes) with version 4.21, but it is still not working.

Library versions are

ii  libdbi-perl                     1.631-3+b1

libdbd-oracle-perl-11.2.0.4     1.74-2

I attach the configuration file, where there is an option to authenticate in LDAP (which works) or TOTP.

I plan to combine the two, but only after simple OTP authentication is working.

I launch:

radpwtst -s 127.0.0.1 -secret FakeKey -auth_port 1812 -acct_port 1813 -nas_ip_address 1.1.4.6 -user [email protected] -password '123456'

And in the log file we see:

Tue Jul 31 10:29:24 2018: DEBUG: Handling request with Handler 'NAS-IP-Address= /1.1.4.6/', Identifier ''
Tue Jul 31 10:29:24 2018: DEBUG:  Deleting session for [email protected], 1.1.4.6, 1234
Tue Jul 31 10:29:24 2018: DEBUG: Connecting to 'DBI:Oracle:db105.dbc Connection id: 0-00000'
Tue Jul 31 10:29:25 2018: DEBUG: do query to 'DBI:Oracle:db105.dbc Connection id: 0-00000': 'delete from RADONLINE where NASIDENTIFIER='1.1.4.6' and NASPORT=01234':
Tue Jul 31 10:29:25 2018: DEBUG: Handling with Radius::AuthLDAP2:
Tue Jul 31 10:29:25 2018: INFO: Connecting to ldap.cineca.it:389
Tue Jul 31 10:29:25 2018: INFO: Connected to ldap.cineca.it:389
Tue Jul 31 10:29:25 2018: INFO: Attempting to bind to LDAP server ldap.cineca.it:389
Tue Jul 31 10:29:25 2018: DEBUG: LDAP got result with filter (&([email protected])(vpnactive=1)(mmactive=1)) for DN [email protected],employeeNumber=removed,ou=people,o=cineca,c=it
Tue Jul 31 10:29:25 2018: DEBUG: LDAP got vpnGroup: DSET
Tue Jul 31 10:29:25 2018: DEBUG: LDAP got userPassword: removed
Tue Jul 31 10:29:25 2018: DEBUG: Radius::AuthLDAP2 looks for match with [email protected] [[email protected]]
Tue Jul 31 10:29:25 2018: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password: [email protected] [[email protected]]
Tue Jul 31 10:29:25 2018: DEBUG: AuthBy LDAP2 result: REJECT, Bad Encrypted password
Tue Jul 31 10:29:25 2018: DEBUG: Handling with Radius::AuthSQLTOTP:
Tue Jul 31 10:29:25 2018: DEBUG: Radius::AuthSQLTOTP looks for match with [email protected] [[email protected]]
Tue Jul 31 10:29:25 2018: DEBUG: Query to 'DBI:Oracle:db105.dbc Connection id: 0-00000': 'select secret, active, pin, digits, bad_logins, accessed, last_timestep, algorithm, timestep, timestep_origin from totpkeys where username='[email protected]'':
Tue Jul 31 10:29:25 2018: DEBUG: do query to 'DBI:Oracle:db105.dbc Connection id: 0-00000': 'update totpkeys set accessed=sysdate, bad_logins=12, last_timestep=0 where username='[email protected]''':
Tue Jul 31 10:29:25 2018: ERR: do failed for 'update totpkeys set accessed=sysdate, bad_logins=12, last_timestep=0 where username='[email protected]''': ORA-01756: quoted string not properly terminated (DBD ERROR: OCIStmtPrepare)
Tue Jul 31 10:29:25 2018: DEBUG: Connecting to 'DBI:Oracle:db105.dbc Connection id: 0-00000'
Tue Jul 31 10:29:25 2018: DEBUG: do query to 'DBI:Oracle:db105.dbc Connection id: 0-00000': 'update totpkeys set accessed=sysdate, bad_logins=12, last_timestep=0 where username='[email protected]''':
Tue Jul 31 10:29:25 2018: ERR: do failed for 'update totpkeys set accessed=sysdate, bad_logins=12, last_timestep=0 where username='[email protected]''': ORA-01756: quoted string not properly terminated (DBD ERROR: OCIStmtPrepare)
Tue Jul 31 10:29:25 2018: DEBUG: Radius::AuthSQLTOTP IGNORE: Database update failed: [email protected] [[email protected]]
Tue Jul 31 10:29:25 2018: DEBUG: AuthBy SQLTOTP result: IGNORE, Database update failed
Tue Jul 31 10:29:25 2018: DEBUG: Access ignored for [email protected]: Database update failed
Tue Jul 31 10:29:29 2018: DEBUG: Packet dump:

Then we see a successful accounting.

Thank you in advance and best regards.


On 31/07/2018 08:15, Hugh Irvine wrote:
Hello Denis -

The first thing to do is upgrade to the latest Radiator 4.21 and test again to 
verify that there is still a problem.

After that, we need to see a copy of your configuration file together with a 
complete trace 4 debug showing what is happening.

It would also be useful to know what versions of PERL modules you are using for 
DBI, DBD-Oracle, etc.

regards

Hugh


On 31 Jul 2018, at 00:43, Denis PAVANI <[email protected]> wrote:

Hello,

I am trying to setup totp authentication using google authenticator.

We use Oracle as a backend DB, which is perfectly working for accounting. When 
using totp, I got errors, an accounting failure and then radiator crashes (test 
instance, Radiator 4.16)

Last line in the log is

Mon Jul 30 15:33:26 2018: DEBUG: Query to 'DBI:Oracle:db105.dbc': 'select 
secret, active, pin, digits, bad_logins, accessed, last_timestep, timestep, 
algorithm, timestep_origin from totpkeys where username='user'':

The same query done on commandline using sqlplus works.

Could you share any suggestion?

Best regards.

--

*******************************************************************
Ing. Denis Pavani

DSET - Gruppo Tecnologie
CINECA
via Raffaello Sanzio 4 20090 SEGRATE MI
Tel: +39 02 26995.348
skype: d.pavani.at.cineca

“In my experience there is no such thing as luck.” – Obi-Wan Kenobi

*******************************************************************

_______________________________________________
radiator mailing list
[email protected]
http://lists.open.com.au/mailman/listinfo/radiator

--

Hugh Irvine
[email protected]

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc.
Full source on Unix, Linux, Windows, macOS, Solaris, VMS, NetWare etc.



LogDir          /var/log/radius
DbDir           /etc/radiator
LogFile      %L/radius.log
Trace           5
AuthPort        1812
AcctPort        1813
DictionaryFile  /etc/radiator/dictionary

<Client DEFAULT>
        Secret secret
        DupInterval 0
</Client>

<SessionDatabase SQL>
        DBSource        DBI:Oracle:db105.dbc
        DBUsername      noc
        DBAuth  password
 </SessionDatabase>

<Handler Acct-Status-Type=/(Stop|Start)/>
   <AuthBy SQL>
        DBSource        DBI:Oracle:db105.dbc
        DBUsername      noc
        DBAuth  password
        # You may want to tailor these for your ACCOUNTING table
        # You can add your own columns to store whatever you like
        AccountingTable ACCOUNTING%Y
        AcctColumnDef   USERNAME,User-Name
        AcctColumnDef   TIME_STAMP,Timestamp,formatted-date,to_date('%e %m %Y %H:%M','DD MM YYYY hh24:mi')
        AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
        AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
        AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
        AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
        AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
        AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
        AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
        AcctColumnDef   NASIDENTIFIER,Called-Station-Id
        AcctColumnDef   NASPORT,NAS-Port,integer
        AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address

        # You can arrange to log accounting to a file if the
        # SQL insert fails with AcctFailedLogFileName
        # That way you could recover from a broken SQL
        # server
        AcctFailedLogFileName %L/missedaccounting
   </AuthBy>
</Handler>

# VPN anyconnect

<Handler NAS-IP-Address= /1.1.4.6/>
        AuthByPolicy ContinueWhileReject

        <AuthBy LDAP2>
                NoDefault
                Version         3
                Host            ldap.cineca.it
                AuthDN          cn=radius,ou=system-user,o=cineca,c=it
                AuthPassword    RadiatoreNonTermosifone
                BaseDN          o=CINECA,c=IT
                #ServerChecksPassword
                UsernameAttr    mail
                EncryptedPasswordAttr userPassword
                SearchFilter    (&(mail=%n)(vpnactive=1)(mmactive=1))
                AuthAttrDef     vpngroup,Class,reply
                #AuthAttrDef    departmentnumber,pool,request
                #AddToReply     cisco-avpair="ipsec:addr-pool=%{pool}",cisco-avpair="ipsec:dns-servers=130.186.1.53 130.186.84.244"
        </AuthBy>

        # For debugging and testing
        #<AuthBy FILE>
        #        Filename /etc/radiator/users.vpn
        #</AuthBy>

        <AuthBy SQLTOTP>
                # Authenticate access to the TOTP token database.
                # These need to match the values used when creating the TOTP token database.
                DBSource        DBI:Oracle:db105.dbc
                DBUsername      noc
                DBAuth          password

                # %0 is the user name, which Radiator substitutes already quoted
                # (the trace shows username='[email protected]'), so the template
                # must not add quotes of its own.
                AuthSelect select secret, active, pin, digits, bad_logins, accessed, last_timestep, algorithm, timestep, timestep_origin from totpkeys where username=%0

                # UpdateQuery is an SQL query that updates the TOTP data in the
                # SQL database after a successful authentication.
                # It will be passed the
                #  bad login count in %0
                #  the username in %1
                #  the last_timestep in %2
                # The default works with the sample database schema provided
                # in goodies/totp.sql.
                # %1 arrives already quoted, like %0 in AuthSelect. A stray quote
                # after %1 renders as username='...'' and is what Oracle reports
                # as ORA-01756 (quoted string not properly terminated) in the trace.
                UpdateQuery update totpkeys set accessed=sysdate, bad_logins=%0, last_timestep=%2 where username=%1

                # If Require2Factor is set, then the user must provide their
                # static password as a prefix to their TOTP one-time password.
                # The correct static password is retrieved from the 4th field
                # returned by AuthSelect.
                # If this flag is not set, but the user provides a static
                # password prefix, then the static password will be checked anyway.
                #Require2Factor 1

                # DefaultDigits specifies the number of TOTP digits to use if
                # the user record does not define digits. Defaults to 6.
                DefaultDigits 6

                # MaxBadLogins specifies how many consecutive bad PINs or bad
                # TOTP codes will be tolerated in the last BadLoginWindow seconds.
                # If more than MaxBadLogins bad authentication attempts (according
                # to field 5 from AuthSelect) occur and the last one is within the
                # last BadLoginWindow seconds (according to field 6 from
                # AuthSelect), the authentication attempt will be rejected. The
                # user must wait at least BadLoginWindow seconds before
                # attempting to authenticate again.
                # MaxBadLogins defaults to 10.
                # BadLoginWindow defaults to 10 seconds.
                # MaxBadLogins 10
                # BadLoginWindow 10

                # DelayWindow is the maximum number of timeslots of time
                # difference that can be permitted between the client and
                # server. Defaults to 1 (the value recommended by the TOTP
                # specification).
                # DelayWindow 1

                # TimeStep is the size of the time step in seconds. Defaults to
                # 30 seconds (the value recommended by the TOTP specification).
                # TimeStep 30

                # TimeStepOrigin is the Unix epoch time of the first time step.
                # Defaults to 0 seconds (Jan 1, 1970), the value recommended by
                # the TOTP specification.
                # TimeStepOrigin 0

                # You can also support EAP-OTP and/or EAP-GTC, besides PAP
                EAPType OTP GTC
                #EAPType GTC OTP
        </AuthBy>
</Handler>
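The ORA-01756 in the trace comes from the UpdateQuery template: Radiator substitutes %1 already quoted, and the trailing quote after it in the posted config yields username='...'' , a literal that never closes. The following is an added example, not Radiator's code or anything from the thread: it mimics the placeholder expansion (the quoting rule, wrap in single quotes and double embedded quotes, is this example's assumption; the trace only shows that the user name arrives quoted and the integers do not) and then lexes the rendered statement for an unterminated literal, so a template can be checked before radiusd is restarted. The sample arguments are constructed to match the counts seen in the trace.

```python
import re


def sql_quote(value: str) -> str:
    """Assumed quoting rule: wrap in single quotes, double any embedded quote."""
    return "'" + value.replace("'", "''") + "'"


def render_query(template: str, args: dict) -> str:
    """Expand %0, %1, ... placeholders: str values are quoted, int values spliced raw,
    matching what the thread's trace shows for username vs bad_logins/last_timestep."""
    def repl(match):
        value = args[int(match.group(1))]
        return str(value) if isinstance(value, int) else sql_quote(value)
    return re.sub(r"%(\d+)", repl, template)


def quotes_balanced(sql: str) -> bool:
    """Lexically walk the statement. A ' opens a string literal; inside a literal
    '' is an escaped quote. Ending the statement inside a literal is exactly the
    condition Oracle reports as ORA-01756."""
    in_literal = False
    i = 0
    while i < len(sql):
        if sql[i] == "'":
            if in_literal and i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2          # escaped quote, stay inside the literal
                continue
            in_literal = not in_literal
        i += 1
    return not in_literal


def check_template(template: str, args: dict) -> tuple:
    """Return (rendered_sql, balanced) for one template and one set of arguments."""
    rendered = render_query(template, args)
    return rendered, quotes_balanced(rendered)


# The UpdateQuery as posted (trailing quote after %1) and the corrected one.
BROKEN_UPDATE = ("update totpkeys set accessed=sysdate, bad_logins=%0, "
                 "last_timestep=%2 where username=%1'")
FIXED_UPDATE = ("update totpkeys set accessed=sysdate, bad_logins=%0, "
                "last_timestep=%2 where username=%1")
# Constructed arguments; the counts mirror the trace (bad_logins=12, last_timestep=0).
SAMPLE_ARGS = {0: 12, 1: "[email protected]", 2: 0}


def lint_thread_queries() -> dict:
    """Render both templates and report whether each one is well formed."""
    return {
        "broken": check_template(BROKEN_UPDATE, SAMPLE_ARGS),
        "fixed": check_template(FIXED_UPDATE, SAMPLE_ARGS),
        # A user name with an embedded quote still renders as one valid literal.
        "quoted_name": check_template("select 1 from totpkeys where username=%0",
                                      {0: "o'brien"}),
    }


if __name__ == "__main__":
    for name, (sql, ok) in lint_thread_queries().items():
        print(f"{name:12} balanced={ok}  {sql}")
```

The same walk can be pointed at any AuthSelect, UpdateQuery or AcctSQLStatement template in the config; what it cannot tell you is how a given Radiator release quotes each placeholder, so check the rendered statement in a trace 4 log against what the checker produced.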
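The comments in the AuthBy SQLTOTP clause above describe the verification policy (DefaultDigits, MaxBadLogins with BadLoginWindow, DelayWindow, TimeStep, TimeStepOrigin, the optional static PIN prefix) and the three values handed to UpdateQuery. The following is an added example of that policy in Python, written for this page; it is not Radiator's implementation and does not claim to match its internals. Assumptions: the totpkeys.secret column holds the base32 string Google Authenticator is provisioned with, accessed is treated as a Unix epoch integer rather than an Oracle date, and a code whose time step is not newer than last_timestep is refused as a replay (a common defence, not something the thread states Radiator does). The sample row is constructed from the RFC 6238 test secret.

```python
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass
class Policy:
    """The AuthBy SQLTOTP knobs, with the defaults the config comments give."""
    default_digits: int = 6
    max_bad_logins: int = 10
    bad_login_window: int = 10      # seconds
    delay_window: int = 1           # time steps tolerated either side of now
    time_step: int = 30             # seconds
    time_step_origin: int = 0       # Unix epoch
    require_2factor: bool = False


def hotp(secret: bytes, counter: int, digits: int, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(record: dict, presented: str, now: int, policy: Policy):
    """Check the PAP password against one totpkeys row.

    Returns (result, reason, updated_row); updated_row carries what UpdateQuery
    receives: bad_logins (%0), username (%1) and last_timestep (%2)."""
    row = dict(record)
    row["accessed"] = now
    digits = record.get("digits") or policy.default_digits
    step = record.get("timestep") or policy.time_step
    origin = policy.time_step_origin if record.get("timestep_origin") is None else record["timestep_origin"]
    algorithm = record.get("algorithm") or "SHA1"

    def fail(reason: str):
        row["bad_logins"] = record["bad_logins"] + 1
        return "REJECT", reason, row

    if not record["active"]:
        return "REJECT", "token not active", row
    # Lockout: more than MaxBadLogins failures and the last one inside BadLoginWindow.
    if (record["bad_logins"] > policy.max_bad_logins
            and now - record["accessed"] < policy.bad_login_window):
        return fail("too many bad logins; wait BadLoginWindow seconds")

    # Static PIN prefix: required by Require2Factor, checked anyway if the user sent one.
    pin = record.get("pin") or ""
    if policy.require_2factor or len(presented) > digits:
        prefix, code = presented[:-digits], presented[-digits:]
        if not hmac.compare_digest(prefix.encode(), pin.encode()):
            return fail("bad static password")
    else:
        code = presented
    if not (code.isdigit() and len(code) == digits):
        return fail("malformed OTP")

    secret = base64.b32decode(record["secret"], casefold=True)  # assumed base32 storage
    current = (now - origin) // step
    for delta in range(-policy.delay_window, policy.delay_window + 1):
        t = current + delta
        if t < 0 or t <= record["last_timestep"]:
            continue                      # assumed replay defence: never accept an old step
        if hmac.compare_digest(hotp(secret, t, digits, algorithm), code):
            row["bad_logins"] = 0
            row["last_timestep"] = t
            return "ACCEPT", "", row
    return fail("bad TOTP code")


# Constructed row: the RFC 6238 test secret "12345678901234567890", base32 encoded.
SAMPLE_ROW = {
    "username": "[email protected]", "secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    "active": 1, "pin": "1234", "digits": None, "bad_logins": 0, "accessed": 0,
    "last_timestep": 0, "algorithm": "SHA1", "timestep": None, "timestep_origin": None,
}

if __name__ == "__main__":
    result, reason, row = verify_totp(SAMPLE_ROW, "287082", now=59, policy=Policy())
    print(result, reason or "ok", "bad_logins=%d last_timestep=%d" % (row["bad_logins"], row["last_timestep"]))
```

Two points worth checking in a real deployment follow from this: the lockout counter only protects the account if UpdateQuery actually runs, which the trace above shows it was not, and DelayWindow 1 already tolerates a full step of clock skew in each direction, so widening it buys little and triples the codes an attacker may guess per step.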
