On 10.1.2022 14.50, Sagar Malam wrote:
Thanks for the help. I worked as expected after doing corrections. I
would like to have EAP support as well. Can you help me with enabling
that ?
Please see below a modifed version of the previous configuration.
Changes are:
- Add new global parameter that tells EAP to use State attribute
- Fix 'Identifier' spelling in AuthBy OTP
- Move State attribute to into the step where it's actually needed
- New Handler that takes care of EAP by converting EAP-GTC to PAP
- Updated <Handler State=auth-otp> to check that State ends with 'auth-otp'
- Leave EAPType enabled only within AuthBy that processes EAP
- ConsumePassword is set to empty to clear the password before OTP
Things to note: EAP-GTC is supported by converting it to PAP and then
doing the same steps that plain PAP would do. Some extra work is needed
to take care of State attribute that EAP also uses to track its state.
With EAP the message payload is not encrypted unless the EAP method
itself does this. EAP-GTC does not. You can configure the following to
avoid exposing the static password to Radiator DEBUG level logging (the
parameter allows multiple attribute names too)
PacketDumpOmitAttributes EAP-Message,User-Password
Care is also needed when EAP-GTC is transferred without secure tunneling
(EAP-TTLS, PEAP, IPsec, VPN or other method).
PEAP and other, typically Wi-Fi, methods are not supported by the
configuration. I took a look at the current Laptop and Wireless EAP
clients but the PEAP/EAP-GTC or EAP-TTLS/EAP-GTC still seems to be rare.
OTPs also make frequent Wi-Fi (re)connects a bit troublesome to use.
Here's the updated configuration. Please let us know how it goes.
EAP_UseState 1
<AuthBy OTP>
Identifier otp-authby
PasswordPattern 99999
# Return undef from ChallengeHook to force reject if State
# already ends with 'auth-otp'. Now it will send a new SMS
# when empty string is entered by the end user.
ChallengeHook sub {my ($self, $user, $p, $context) = @_;\
$context->{otp_password} = $self->generate_password();\
system('/usr/src/send_sms.sh','NNNNNNNNN',$context->{otp_password});\
$p->{rp}->add_attr('State', 'auth-otp') \
unless $p->get_attr('State') =~ m/auth-otp\z/s; \
return "OTP sent";}
VerifyHook sub {my ($self, $user, $submitted_pw, $p, $context) = @_;\
return $context->{otp_password} eq $submitted_pw ;}
</AuthBy>
<Handler ExistsInRequest=EAP-Message>
<AuthBy FILE>
EAPType GTC
Filename /dev/null
EAP_GTC_PAP_Convert
</AuthBy>
# EAP adds State. It's permissible to add more,
# such as AuthBy OTP State value, to the end.
PostProcessingHook sub { my $rp = ${$_[1]}; \
my @states = $rp->get_attr('State'); return if @states != 2; \
$rp->delete_attr('State'); \
$rp->add_attr('State', join('', reverse @states)); }
</Handler>
<Handler State=/auth-otp\z/>
AuthBy otp-authby
</Handler>
<Handler>
AuthByPolicy ContinueWhileAccept
<AuthBy LDAP2>
Host 192.168.0.45
AuthDN CN=XXXXXX ,OU=ServiceAccounts,DC=XXXXX,DC=XXXXX,DC=com
AuthPassword XXXXX
BaseDN DC=XXXXXX,DC=XXXXX,DC=com
ServerChecksPassword
UsernameAttr sAMAccountName
AuthAttrDef logonHours,MS-Login-Hours,check
ConsumePassword
</AuthBy>
AuthBy otp-authby
</Handler>
On Fri, Jan 7, 2022 at 5:52 PM Heikki Vatiainen <[email protected]
<mailto:[email protected]>> wrote:
On 6.1.2022 14.31, Sagar Malam wrote:
> Thanks for the help. I tried the approach with authby OTP that you
> suggested but once Authby LDAP2 is processed , Authby OTP is not
getting
> executed instead Access-Accept is sent to client.
Thanks for the log and config. It seems I made a typo in my previous
reply:
> Config File :
>
> <AuthBy OTP>
> Identifer otp-authby
This should be 'Identifier'. One 'i' is missing. When this happens
there
are error and warning level log messages because of this and missing
reference from <Handler>. Remember to check the startup log messages
too
when troubleshooting.
> EAPType One-Time-Password,Generic-Token
I'd also remove EAPType parameters for now. If you need to support EAP,
then it should be tested separately to see that the processing works
with EAP and see what updates might be needed.
Note that there's also EAPType in AuthBy LDAP2 clause below.
> <Handler>
> AuthByPolicy ContinueWhileAccept
> <AuthBy LDAP2>
> Host 192.168.0.45
> EAPType One-Time-Password,Generic-Token
> AuthDN CN=XXXXXX ,OU=ServiceAccounts,DC=XXXXX,DC=XXXXX,DC=com
> AuthPassword XXXXX
> BaseDN DC=XXXXXX,DC=XXXXX,DC=com
> ServerChecksPassword
> UsernameAttr sAMAccountName
> AuthAttrDef logonHours,MS-Login-Hours,check
> ConsumePassword ,
Change this to 'ConsumePassword'. That is, let it empty the password
completely. In some cases both static and one-time password are sent
together and need to split, but not this time.
https://files.radiatorsoftware.com/radiator/ref/ConsumePassword.html
<https://files.radiatorsoftware.com/radiator/ref/ConsumePassword.html>
> </AuthBy>
> AuthBy otp-authby
> </Handler>
>
> Error Log : https://paste-bin.xyz/30722
<https://paste-bin.xyz/30722> <https://paste-bin.xyz/30722
<https://paste-bin.xyz/30722>>
>
> [root@radiator goodies]# /opt/radiator/radiator/radpwtst -noacct
> -password '' -user XXXXX -password XXXX
> sending Access-Request
> OK
Use '-trace 4' with rdpwtst to see in detail what it sends and
receives.
With multi-round authentication, also add '-interactive' flag to tell
radpwtst that more than a single request is needed.
Thanks,
Heikki
--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com <http://radiatorsoftware.com> for
Radiator AAA server software
--
Thanks & Regards,
Sagar Malam
Project Leader | Ecosmob Technologies Pvt. Ltd.
(+91)9601533171 | www.ecosmob.com
<http://www.google.com/url?q=http%3A%2F%2Fwww.hodusoft.com&sa=D&sntz=1&usg=AFQjCNHXhIaelhkmhqcPU8D1lt3QoYpm2w>
Skype: sagar.ecosmob
*Disclaimer*
In addition to generic Disclaimer which you have agreed on our website,
any views or opinions presented in this email are solely those of the
originator and do not necessarily represent those of the Company or its
sister concerns. Any liability (in negligence, contract or otherwise)
arising from any third party taking any action, or refraining from
taking any action on the basis of any of the information contained in
this email is hereby excluded.
*Confidentiality*
This communication (including any attachment/s) is intended only for the
use of the addressee(s) and contains information that is PRIVILEGED AND
CONFIDENTIAL. Unauthorized reading, dissemination, distribution, or
copying of this communication is prohibited. Please inform originator if
you have received it in error.
*Caution for viruses, malware etc.*
This communication, including any attachments, may not be free of
viruses, trojans, similar or new contaminants/malware, interceptions or
interference, and may not be compatible with your systems. You shall
carry out virus/malware scanning on your own before opening any
attachment to this e-mail. The sender of this e-mail and Company
including its sister concerns shall not be liable for any damage that
may incur to you as a result of viruses, incompleteness of this message,
a delay in receipt of this message or any other computer problems.
--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator
