Re: EAP-TLS works but not PEAP/EAP-TLS
On Tue, Sep 17, 2013 at 07:54:12AM +0100, John Carter wrote:
> I've got a Windows 7 machine attempting to connect to FreeRADIUS 2.2.0. EAP-TLS with a client certificate works fine, but with PEAP/EAP-TLS it doesn't.

Hi. Make fragment_size in modules/inner-eap smaller than fragment_size in eap.conf. I've got 1200 in inner-eap and 1400 in eap.conf.

cheers
mk

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
ldap xlat, limiting number of returned items to 1
Hi. I'm assigning profiles from ldap to User-Profile and I have a corner case where a user can actually have multiple profiles, which returns more than one record and nothing gets assigned to User-Profile. Is there a way to specify sizelimit for an ldap lookup to 1?

thanks
Martin
Re: EAP-Peap-MSchapv2 proxy from innertunnel
On Thu, Aug 29, 2013 at 01:35:25PM +, Robert Roll wrote:
> I'm getting an EAP error response from the other server about it not liking the id number
>
> Supplicant sent unmatched EAP response packet identifier

EAP Response identifier sent by the client has to match EAP Request identifier sent by the server, which would be ISE. Can you see the EAP-Message AVPs sent and received by freeradius? Identifier is the second byte.

mk
Re: EAP-Peap-MSchapv2 proxy from innertunnel
On Thu, Aug 29, 2013 at 02:56:44PM +, Robert Roll wrote:
> I guess I assumed the id: in the TCP dump below was the EAP Response Identifier maybe not ? Is there a different EAP response identifier ?

That is the id of the radius packet. EAP lives inside radius packet AVPs called EAP-Message. You can see the AVPs when you run tcpdump -vv. What is worth noting is that radius Access-Request carries EAP-Response from the client to the server and Access-Challenge carries EAP-Request from the server to the client.

mk
Re: how to limit the repeating ldap lookups
On Wed, Aug 28, 2013 at 10:10:32AM +0400, Iliya Peregoudov wrote:
> On 28.08.2013 9:48, Olivier Beytrison wrote:
> > On 28.08.2013 00:20, Martin Kraus wrote:
> > > Hi. I'm using groups to authorize users and pull radius profiles for the users. My config is similar to what the default freeradius configuration offers.
>
> Why not just call rlm_ldap from inner-tunnel post-auth section? This will ensure it is called only once and only if inner-tunnel authentication succeeds.

I used to use mschapv2 for authentication so I had to look up passwords in the authorize section. I'm not sure what would happen if I moved the lookups to post-auth so I'll need to set up some testing environment for it.

mk
Re: how to limit the repeating ldap lookups
On Wed, Aug 28, 2013 at 07:48:38AM +0200, Olivier Beytrison wrote:
> server inner-tunnel {
>     authorize {
>         eap
>         # stop processing authorize on eap identity or mschap success/fail
>         if ((EAP-Type == 1) || (EAP-Message[0] =~ /^0x02..00061a..$/)) {
>             noop
>         } else {
>             # rest of config goes here
>         }
>     }
> }

The hack I'm currently using for EAP-TLS based on rfc 5216:

# EAP-Message - byte 0 = 2 for EAP-Response
#               byte 1 = Identifier
#               byte 2-3 = EAP-Message Length including header (for EAP-TLS minimum 6 bytes)
#               byte 4 = EAP-Type, EAP-TLS = 0x0d (13)
#               byte 5 = FLAGS (L,M,[SR],R,R,R,R,R)
#               byte 6-9 = TLS message length (optional if Flag L set)
#               byte 10+ = TLS data
# Empty EAP-Messages are used to acknowledge EAP-Request fragments or are the last message
# the client sends at the end of TLS handshake signaling the server has been authenticated
#
# We would like to do ldap lookups only on the last empty EAP-Message - not really possible
# But we can skip first few empty messages based on the Identifier field if the client
# starts at 0x01. If not then we'll have to match all the empty EAP-Messages ^0x02..00060d00$
# EAP-Response identifier is copied from the EAP-Request, so the starting point is determined
# by NAS asking for EAP-Identity.
#
# usually 0x01 is the EAP-Identity, 0x02 is NACK to our offered PEAP, 0x03 is the client_hello,
# 0x04-0x06 are the EAP-Response that ack server side of the handshake so we skip the first 6
# EAP-Response packets from the client. This is a heuristic, might not work
if ((EAP-Type == EAP-TLS) && (EAP-Message !~ /^0x02([1-9a-f].|0[7-9a-f])00060d00$/)) {
    default = return
}

mk
Re: how to limit the repeating ldap lookups
On Wed, Aug 28, 2013 at 03:42:08PM +0100, Arran Cudbard-Bell wrote:
> Fine, yes, also TLS. But in the wonderful world of Microsoft supplicants PEAP usually specifies PEAP with an MSCHAPv2 inner?

Windows 7 supports PEAP+TLS. Unlike Network Manager on linux distributions.

> and wow did they get rid of the 802.1X profile configuration GUI interface in OSX 10.8? That sucks.

Nope. That profile configuration is still required.

mk
Re: how to limit the repeating ldap lookups
On Wed, Aug 28, 2013 at 02:49:32PM +0100, Arran Cudbard-Bell wrote:
> Does anyone have a configuration which gets it down to a single LDAP query for PEAP?

The following is for EAP-TTLS/EAP-TLS and PEAP/EAP-TLS on my setup.

# When EAP-TLS runs in EAP-TTLS tunnel the id starts at 0x00 and we skip the NACK so we want
# to skip only up to 0x04
# When EAP-TLS runs in PEAP the identifiers don't reset so we need to weed out more messages
if ((EAP-Type == EAP-TLS) && (outer.request:EAP-Type == EAP-TTLS) && (EAP-Message !~ /^0x02([1-9a-f].|0[5-9a-f])00060d00$/)) {
    default = return
}
elsif ((EAP-Type == EAP-TLS) && (outer.request:EAP-Type == PEAP) && (EAP-Message !~ /^0x02([1-9a-f].|0[d-f])00060d00$/)) {
    default = return
}

I found that if I nest ifs then default = return won't skip the authorize section and putting the tests on multiple lines doesn't work so it is this ugly:-)

However this really isn't foolproof. I think the identifier is first set by NAS as it sends eap request for identity so if that starts at something weird then this will be totally off. I don't know if any rfc requires the identifier to start at 0. Then it depends on the size of the information that server is sending to the client. That depends on the number of certificates and MTU and fragment size and who knows what else. In my setup with MTU 1500 it fits in 3 Access-Challenge packets and so far it holds. I've checked wpasupplicant and mac osx and there haven't been any problems so far though so I'm going to stick with it.

I'll investigate the possibility of using ldap lookups in post-auth but that means no mschapv2 or any other password based auth.

mk
Re: how to limit the repeating ldap lookups
On Wed, Aug 28, 2013 at 03:46:53PM +0100, Arran Cudbard-Bell wrote:
> OK. Just wondering if you could really get it down to a single lookup, IIRC you needed the 'known good' NT-Password data for a couple of rounds of MSCHAPv2?

with

if ((EAP-Type == Identity) || (EAP-Type == NAK) || (EAP-Message =~ /^0x02..00061a..$/)) {
    default = return
}

The only lookup happens on the pass just above the ^EAP-TLS message. Each ^Authorize: line is one Access-Request. The others are Identity, NAK or empty EAP-Response 0x02..00061a..

Authorize: User=test EAP-Type=Identity Packet-Type=Access-Request Proxy= VIRT=default
Authorize: User=test EAP-Type=Identity Packet-Type=Access-Request Proxy=LOCAL VIRT=inner-tunnel
Authorize: User=test EAP-Type=NAK Packet-Type=Access-Request Proxy=LOCAL VIRT=inner-tunnel
Authorize: User=test EAP-Type=MS-CHAP-V2 Packet-Type=Access-Request Proxy=LOCAL VIRT=inner-tunnel
EAP-TLS: User=test EAP-Type=MS-CHAP-V2 outer.EAP-Type=PEAP EAP-Message=0x0209004... Packet-Type=Access-Request Proxy=LOCAL VIRT=inner-tunnel
Authorize: User=test EAP-Type=MS-CHAP-V2 Packet-Type=Access-Request Proxy=LOCAL VIRT=inner-tunnel
Post-Auth: User=test EAP-Type=MS-CHAP-V2 EAP-Message=0x030a0004 Packet-Type=Access-Accept, VIRT=inner-tunnel
Post-Auth: User=test EAP-Type=PEAP EAP-Message=0x030b0004 Packet-Type=Access-Accept, VIRT=default
Post-Auth: User=test EAP-Type=PEAP EAP-Message=0x030b0004 Packet-Type=Access-Accept, VIRT=default

mk
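As an added example (not code from this thread or from FreeRADIUS), here is a small decoder for the EAP-Message values quoted above, with the three skip heuristics from this thread (Identity/NAK, the 6-byte MS-CHAP-V2 result ack matched by ^0x02..00061a..$, and empty EAP-TLS acks filtered by identifier threshold 0x07/0x05/0x0d) written out as plain functions so they can be checked against captured values. The field layout follows RFC 3748 and RFC 5216 as the comments in the thread describe it; the hex samples are constructed.

```python
"""Decode FreeRADIUS EAP-Message values (hex as printed by radiusd -X or
linelog, e.g. 0x020700060d00) and reproduce this thread's LDAP-skip heuristics.

Layout (RFC 3748; EAP-TLS type data per RFC 5216), as the thread describes:
  byte 0    code: 1 Request, 2 Response, 3 Success, 4 Failure
  byte 1    identifier (a Response copies the Request's identifier)
  byte 2-3  length of the whole EAP packet including this header
  byte 4    EAP-Type: 1 Identity, 3 NAK, 13 EAP-TLS, 26 MS-CHAP-V2
  byte 5+   type data; for EAP-TLS the flags byte, then optional length/data
"""
from dataclasses import dataclass
from typing import Optional

EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_NAK = 3
EAP_TYPE_TLS = 13
EAP_TYPE_MSCHAPV2 = 26

# Identifier below which empty EAP-TLS acks are still skipped, from the thread:
# plain EAP-TLS 0x07, EAP-TLS inside EAP-TTLS 0x05, EAP-TLS inside PEAP 0x0d.
TLS_ACK_ID_THRESHOLD = {None: 0x07, "EAP-TTLS": 0x05, "PEAP": 0x0d}


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]  # None for Success/Failure, which have no type byte
    type_data: bytes         # everything after the type byte


def parse_eap_message(hexstr: str) -> EapPacket:
    """Parse one EAP-Message value; rejects truncated or multi-AVP fragments."""
    h = hexstr[2:] if hexstr[:2].lower() == "0x" else hexstr
    raw = bytes.fromhex(h)
    if len(raw) < 4:
        raise ValueError("EAP header is at least 4 bytes")
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    eap_type = raw[4] if length >= 5 else None
    return EapPacket(raw[0], raw[1], length, eap_type, raw[5:])


def build_eap_response(identifier: int, eap_type: int, type_data: bytes) -> str:
    """Inverse of parse_eap_message; used here to construct sample values."""
    length = 5 + len(type_data)
    raw = bytes([EAP_RESPONSE, identifier]) + length.to_bytes(2, "big")
    return "0x" + (raw + bytes([eap_type]) + type_data).hex()


def is_empty_tls_ack(pkt: EapPacket) -> bool:
    """0x02<id>00060d00: EAP-Response/EAP-TLS, flags 0, no TLS data. The client
    sends this to ack a server fragment or as the last handshake message."""
    return (pkt.code == EAP_RESPONSE and pkt.eap_type == EAP_TYPE_TLS
            and pkt.length == 6 and pkt.type_data == b"\x00")


def is_mschapv2_result_ack(pkt: EapPacket) -> bool:
    """0x02<id>00061a<opcode>: the 6-byte MS-CHAP-V2 response carrying only a
    Success/Failure opcode, which the thread's /^0x02..00061a..$/ matches."""
    return (pkt.code == EAP_RESPONSE and pkt.eap_type == EAP_TYPE_MSCHAPV2
            and pkt.length == 6)


def skip_ldap_lookup(hexstr: str, outer_type: Optional[str] = None) -> bool:
    """True when the thread's unlang would hit 'default = return' before the
    ldap module for this EAP-Response. outer_type is outer.request:EAP-Type."""
    pkt = parse_eap_message(hexstr)
    if pkt.code != EAP_RESPONSE:
        return False  # not a client response, the thread's checks do not apply
    if pkt.eap_type in (EAP_TYPE_IDENTITY, EAP_TYPE_NAK):
        return True
    if pkt.eap_type == EAP_TYPE_MSCHAPV2:
        return is_mschapv2_result_ack(pkt)
    if pkt.eap_type == EAP_TYPE_TLS:
        # Only late, empty acks (identifier at or past the threshold) get through.
        threshold = TLS_ACK_ID_THRESHOLD.get(outer_type, 0x07)
        return not (is_empty_tls_ack(pkt) and pkt.identifier >= threshold)
    return False


if __name__ == "__main__":
    # Constructed sample values in the notation the debug output uses.
    samples = [("0x020100060d00", None), ("0x020700060d00", None),
               ("0x020c00060d00", "PEAP"), ("0x020d00060d00", "PEAP"),
               ("0x020a00061a03", "PEAP"), (build_eap_response(1, 1, b"test"), None)]
    for hexstr, outer in samples:
        p = parse_eap_message(hexstr)
        print(f"{hexstr} id={p.identifier} type={p.eap_type} "
              f"skip_ldap={skip_ldap_lookup(hexstr, outer)}")
```

The length check also catches the truncated value 0x0209004... in the linelog output above, which is a good reason to log EAP-Message in full when debugging this.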
Re: EAP logging
On Thu, Aug 29, 2013 at 10:39:50AM +1200, Andrej wrote:
> On 28 August 2013 18:49, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
>
> Thanks Alan,
>
> > Your reference is wrong/unknown which means that there's a noop. This means no operation which means no fticks output
>
> This brings me back to my earlier question: what values are available where, and when, via which mechanism? I think I still don't fully understand how modules hang together, how I pass information from e.g. an EAP request into line-log, or, looking at sites-enabled/eap-inner-tunnel, how I tell f_ticks (or linelog, or any other modules for that matter) which values I'd like to work with.

Everything becomes an attribute or a variable and the definitions are mostly at /usr/share/freeradius/dictionary.freeradius.internal and you can also define your own attributes in /etc/freeradius/dictionary. I use this to get time in a format similar to syslog by having a variable My-Local-Time and calling an exec module with date command and assigning the result to this variable which I can then reference in my linelog.

The only way I found how to get what I need is to define a linelog, write there the variables I hope will have what I'm looking for and call that linelog from some part of the server configuration and just run my clients against it and see what happens.

For the username you can use outer.request:User-Name in the inner-tunnel which should reference the outer tunnel User-Name. User-Name in the inner-tunnel should be the inner EAP username. Also the attribute named Inner-Tunnel-User-Name might have the inner EAP username but that might be defined only in the post-auth section of the default server.

mk
Re: how to limit the repeating ldap lookups
On Tue, Aug 27, 2013 at 05:20:32PM -0400, Alan DeKok wrote:
> Again, look at the debug log to see what's happening. *WHY* are you doing LDAP lookups at all? Can you not delay them?

Hi. I'm using groups to authorize users and pull radius profiles for the users. My config is similar to what the default freeradius configuration offers.

> And rlm_cache should help a lot, too.

I'm stuck with 2.1.10 on ubuntu:-( Anyway I managed to filter out most of the redundant ldap lookups. The only thing I'm stuck with are lookups during TLS negotiation either in the default server for EAP-TLS or in the inner-tunnel server for EAP-TTLS/EAP-TLS. The handshake takes 8 access-requests and the only way I can see to filter it out is to somehow find out if the EAP-Message AVPs contain something to tell me whether it's about to be done or not.

For EAP-TTLS and PEAP the eap module in authorize section returns ok which jumps out of the authorize section so the eap module in the authentication section can process it. But for EAP-TLS it returns handled so the whole authorize section gets parsed.

mk
how to limit the repeating ldap lookups
Hi. Is it possible to limit the repeating ldap lookups that happen during mschap and tls negotiations? Like having an attribute that I could test for which would tell me that the negotiation is completed?

thanks
martin
Re: how to limit the repeating ldap lookups
On Mon, Aug 26, 2013 at 02:45:29PM +0100, Arran Cudbard-Bell wrote:
> > Is it possible to limit the repeating ldap lookups that happen during mschap and tls negotiations? Like having an attribute that I could test for which would tell me that the negotiation is completed?
>
> If you list the ldap module after the eap module in the default configuration then the default config already does this. You may also want to consider using the rlm_cache module.

I'm using TTLS+TLS. I can see that the eap { ok = return } automagically skips to the authentication section but the first two access-requests in the session cause it to return updated status so the ldap lookups are executed. I assume there isn't much I can do about that, right?

I then have a separate problem with the inner-tunnel where the inner-eap never returns ok in the authorization section so it keeps on doing the ldap lookups. In the session I have it did 9 separate passes which together with the outer tunnel is 11 ldap passes which in my case is more than 30 ldap lookups for a single user login. There are also these warnings in inner-tunnel

WARNING: !!
WARNING: !! EAP session for state 0xfa098d01f80a8033 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!

but the inner tls session seems to be still progressing fine since the last warning is right before the last access-request which results in the access-accept for the user.

Is there something I can do about the 9 lookups in the inner-tunnel server? I'll have a look at the rlm_cache as well but I'm just curious as to why it is happening.

thanks
Martin
Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
On Wed, Aug 21, 2013 at 11:45:11PM +0100, Matthew Newton wrote:
> If that's all you're doing, forget about PEAP and just go for straight EAP-TLS. All PEAP really gives you on top is the SoH support, and may cause problems with other non-Windows clients. EAP-TLS should work on more devices.

I'm still hoping I'll be able to use the outer and inner TLS for privacy reasons and because right now the radius configuration is doing what I want and merging default and inner-tunnel servers would make the configuration even uglier than it already is:-)

> Some devices you'll be stuck with PEAP/MSCHAPv2 though (or TTLS/MSCHAPv2). I'm pretty sure there are some phones that can't do EAP-TLS.
>
> You do realise that EAP-TLS is certificate based, not user/password? So you need a full certificate management system to go with it as well to issue certs to your users. You can't get user-based auth with EAP-TLS by doing PEAP/EAP-TLS - it's still certificate (machine auth) only.

Yes, all our users have a certificate issued for our internal wifi so that's not a problem. I'm actually hoping to phase out passwords for network logons.

> My advice would be to stick with PEAP/EAP-MSCHAPv2 and use deployment tools to get the devices configured correctly.

We don't have control over the client devices. We just have to hope that the users know what to do and what their devices are doing. The main problem is that I'm currently not allowed to go on with a migration to 802.1x until the mschap problem is solved.

mk
Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
On Wed, Aug 21, 2013 at 01:28:08PM +0100, Matthew Newton wrote:
> On Wed, Aug 21, 2013 at 01:17:02PM +0200, Martin Kraus wrote:
> > I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer TLS tunnel is established:
>
> On the assumption that your certificates are OK... Have you updated the fragment_size so that the outer is larger than the inner? I did a write-up on getting this to work (see http://q.asd.me.uk/pet ) - fragment_size was the biggest gotcha IIRC.

And that solved the problem:-) I had the fragment size the same in both configs, now it's working just like the EAP-TTLS/EAP-TLS. Thank you so much.

Martin
debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
Hi. I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer TLS tunnel is established:

WARNING: !!
WARNING: !! EAP session for state 0x992158e5992955e0 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!

and then later on

rlm_eap: No EAP session matching the State variable.
[inner-eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request

I've read the instructions but none of that seems to apply to my situation. There is TLV result - failure in the supplicant log but I don't have a clue if that is a cause or an effect of the error in freeradius.

Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAP-PEAP: received 37 bytes encrypted data for Phase 2
Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAP-PEAP: Decrypted Phase 2 EAP - hexdump(len=5): 01 07 00 05 01
Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAP-PEAP: received Phase 2: code=1 identifier=7 length=5
Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAP-PEAP: Phase 2 Request: type=1
Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAP-PEAP: Encrypting Phase 2 data - hexdump(len=18): [REMOVED]
Aug 21 12:22:34 localhost wpa_supplicant[19681]: SSL: 90 bytes left to be sent out (of total 90 bytes)
Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAP: method process - ignore=FALSE methodState=MAY_CONT decision=FAIL
Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAP: EAP entering state SEND_RESPONSE
Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAP: EAP entering state IDLE
Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAPOL: SUPP_BE entering state RESPONSE
Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAPOL: txSuppRsp
Aug 21 12:22:34 localhost wpa_supplicant[19681]: TX EAPOL: dst=00:24:14:3a:95:d0
Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAPOL: SUPP_BE entering state RECEIVE
Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAPOL: startWhen -- 0
Aug 21 12:22:46 localhost wpa_supplicant[19681]: EAP-TLV: TLV Result - Failure
Aug 21 12:22:47 localhost wpa_supplicant[19681]: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed

Thanks for any help
Martin
Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
On Wed, Aug 21, 2013 at 01:13:57PM +0100, Phil Mayers wrote:
> On 21/08/2013 12:17, Martin Kraus wrote:
> > Hi. I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer
>
> Is this really what you mean? TTLS outer and TLS inner, versus PEAP outer and TLS inner? Because the latter is unlikely to work; it's not a supported combo per the PEAP spec.

Well, looking at man wpa_supplicant I can see EAP-PEAP/TLS so I assumed that this is an equivalent of EAP-TTLS/TLS. Also from my google searches it might be possible that windows supports PEAP/TLS as well as PEAP/MSCHAPV2 and that's the main reason I'm trying to get it to work because there is no EAP-TTLS/TLS support in windows.

There is a concern in our organization with security of PEAP/MSCHAPV2 over Eduroam because we don't really trust supplicants in windows, macs and various phones to do the right thing (windows phone doesn't check the radius certificate for example).

I'll paste the full debug tomorrow when I'm back at the office.

Martin
Re: Authorization failed in cisco switch
On Mon, Jul 22, 2013 at 04:27:30PM +0200, Marco Aresu wrote:
> i am getting some problem with authorization in free radius
> i configured the users file as below :
>
> DEFAULT Auth-Type := System
>
> cisco Auth-Type := System
>         Service-Type = NAS-Prompt-User
>         cisco-avpair = shell:priv-lvl=15,

If all you want is enable mode after login then send just Service-Type := Administrative-User and don't send the cisco-avpair at all.

mk
Re: Authorization failed in cisco switch
On Tue, Jul 23, 2013 at 03:12:33PM +0200, Marco Aresu wrote:
> now i can logon into the switch but i can with all USERS. Where i can specify who can access to the switch? I add a row in the USERS file
>
> user Auth-Type := Reject
>
> but nothing change.

The first match wins in users file unless the entry also has Fall-Through := Yes so you need to have something like

username1 Service-Type := Administrative-User
username2 Service-Type := Administrative-User
DEFAULT Auth-Type := Reject

mk
Re: Dynamic vlan assignment
On Fri, Jul 19, 2013 at 06:03:31PM +0200, Dario Palmisano wrote:
> • RADIUS-assigned VLANs are not supported when you enable multiple BSSIDs.
>
> So it seems not to be related to the IOS version, is it? Is there any way to overcome this somehow, if not...

Do you actually need multiple bssids?

mk
Re: Dynamic vlan assignment
On Fri, Jul 19, 2013 at 04:20:51PM +0200, Dario Palmisano wrote:
> > is this a 'fat/autonomous' AP? if so, then only latest firmware can handle multiple VLANS per 802.1X SSID with multiple BSSIDs present.
>
> This could be the problem, I found something in the Cisco documentation but was unsure the problem could be this. The accesspoint is running

If you have mbssid configured on the AP then user cannot be switched to a different vlan than the one bound to the ssid this user is connected to. Can you actually check if/how the user is associated on the AP?

show dot11 associations

shows the associated clients and

show dot11 associations <mac address>

shows the specific client detail information including the vlan.

mk
Re: pulling dn for User-Profile from ldap
On Thu, Jul 04, 2013 at 07:05:09PM +0100, Arran Cudbard-Bell wrote:
> Don't try and use the users file for complex stuff like this. In your profile objects add an attribute for preferredNetwork. Use ldap xlat to search in the directory for a profile object with a preferredNetwork attribute which matches the stripped path of the username, specify DN as the attribute to retrieve. Something like:
>
> authorize {
>     update control {
>         User-Profile := %{ldap:ldap:///base dn?DN?sub?preferredNetwork=%{your_preferred_network_attr}}
>     }
>
>     if (!control:User-Profile) {
>         reject # or whatever you want to do for this case
>     }
>
>     ldap
> }

Hi. Thanks for the pointers. I actually needed to search for group membership as well as the group name:

User-Profile := %{ldap-main:ldap:///ou=groups,dc=wuji,dc=cz?seeAlso?sub?(&(cn=%{Preferred-Network})(uniqueMember=%{control:Ldap-UserDn}))}

This checks whether the current user is a member of the group he/she sent as preferred and returns the pointer to the group radius profile. I'm of course hitting a problem with eap where it complains that the eap identity is different from the User-Name, because I'm changing User-Name in hints file but I'll work around it somehow.

thanks again
Martin
pulling dn for User-Profile from ldap
Hi. I'd like to give users an option to specify which network to connect to using something like

helpdesk\username@realm
admins\username@realm

I was thinking of stripping the network part in hints and saving it in a variable, say Preferred-Network, and then match on it in users

DEFAULT Ldap-Group=%{Preferred-Network}
        User-Profile := %{Profile-DN}

Profile-DN would be matched to seeAlso in ldap.attr and seeAlso would be an attribute containing dn of the radius profile to be used for this group. However when I set it up I didn't see ldap module returning Profile-DN and I couldn't match against it. I guess I'm using the ldap module wrong but I'm not able to figure it out.

thanks for any pointers
martin
ldap module, which objects return check and reply items
Hi. Out of curiosity, which objects does the ldap module check for checkitems and replyitems? Only the object that identifies the user and the object pointed to by User-Profile? I mapped a seeAlso attribute in ldap.attrmap but I don't see it being pulled from a group object the user is matched against.

thanks
mk
multiple ldap instances, which instance is used for searching?
Hi. I had to create 3 instances for the ldap module. One is the default

ldap {
}

and then I got two named

ldap ldap-eduroam {
}

ldap ldap-netdefault {
}

I'm using the two named for doing attribute pulling in post-proxy. Now my setup stopped working because suddenly ldap-eduroam was checking for groups when matching Ldap-Group. I was under the impression that when not specified with ldap-eduroam-Ldap-Group the default ldap entry would be used. I had to instantiate the ldap modules in a special order

instantiate {
    ldap-eduroam
    ldap-netdefault
    ldap
}

so the ldap instance would take over again. Is this an expected behaviour? Will this solution hold or should I name the ldap instance as well and use the name-Ldap-Group everywhere?

thanks
mk
Re: freeradius using pam_oath doesn't return otp challenge
On Sun, Jun 16, 2013 at 01:15:06PM -0400, Alan DeKok wrote:
> Martin Kraus wrote:
> > Yes I did that before posting. However the only thing that would allow something like a standard password plus otp is using google authenticator with the forward password option through rlm_pam again. I was looking for other options just to look at it from a different angle that might perhaps turn out better.
>
> Using PAM is the wrong approach. PAM is an abstraction layer around back-end authentication systems. FreeRADIUS can connect directly to all authentication systems. So using PAM is redundant, and often just adds problems.

Ok. However I still don't see how I would go about setting it up. I thought I can call only a single authentication module in freeradius. When one succeeds the authentication section terminates. Also the only support for oath in freeradius are the oath toolkit and google authenticator PAM modules.

Could you please point me in the right direction?

thanks
martin
Re: freeradius using pam_oath doesn't return otp challenge
On Sun, Jun 16, 2013 at 10:46:51AM +0100, Phil Mayers wrote:
> There are various ways of doing OTP with FreeRADIUS. Read the docs/wiki and sample configs, and search the archives of the list.

Yes I did that before posting. However the only thing that would allow something like a standard password plus otp is using google authenticator with the forward password option through rlm_pam again. I was looking for other options just to look at it from a different angle that might perhaps turn out better.

thanks
mk
freeradius using pam_oath doesn't return otp challenge
Hi. I'd like to have freeradius authenticate users using their password (for simplicity I'm using /etc/shadow now) and TOTP through liboath. I was hoping to use freeradius to centralize this. PAM looked like the easiest way. I'm using freeradius 2.1.12 from debian wheezy. PAM configuration is simple:

auth required pam_unix.so nullok_secure
auth requisite pam_oath.so usersfile=/etc/users.oath debug

On the testing machine running freeradius this works great for su:

root|lex[pam.d]# su
Password:
[pam_oath.c:parse_cfg(118)] called.
[pam_oath.c:parse_cfg(119)] flags 0 argc 3
[pam_oath.c:parse_cfg(121)] argv[0]=usersfile=/etc/users.oath
[pam_oath.c:parse_cfg(121)] argv[1]=window=1
[pam_oath.c:parse_cfg(121)] argv[2]=debug
[pam_oath.c:parse_cfg(122)] debug=1
[pam_oath.c:parse_cfg(123)] alwaysok=0
[pam_oath.c:parse_cfg(124)] try_first_pass=0
[pam_oath.c:parse_cfg(125)] use_first_pass=0
[pam_oath.c:parse_cfg(126)] usersfile=/etc/users.oath
[pam_oath.c:parse_cfg(127)] digits=0
[pam_oath.c:parse_cfg(128)] window=1
[pam_oath.c:pam_sm_authenticate(157)] get user returned: root
One-time password (OATH) for `root':

After entering the password the pam_oath module sends the challenge for OTP and then it authenticates me. SSH works well as well. However when I run freeradius I never get the challenge:

pam_pass: using pamauth string radiusd for pam.conf lookup
[pam_oath.c:parse_cfg(118)] called.
[pam_oath.c:parse_cfg(119)] flags 0 argc 3
[pam_oath.c:parse_cfg(121)] argv[0]=usersfile=/etc/users.oath
[pam_oath.c:parse_cfg(121)] argv[1]=window=1
[pam_oath.c:parse_cfg(121)] argv[2]=debug
[pam_oath.c:parse_cfg(122)] debug=1
[pam_oath.c:parse_cfg(123)] alwaysok=0
[pam_oath.c:parse_cfg(124)] try_first_pass=0
[pam_oath.c:parse_cfg(125)] use_first_pass=0
[pam_oath.c:parse_cfg(126)] usersfile=/etc/users.oath
[pam_oath.c:parse_cfg(127)] digits=0
[pam_oath.c:parse_cfg(128)] window=1
[pam_oath.c:pam_sm_authenticate(157)] get user returned: root
[pam_oath.c:pam_sm_authenticate(232)] conv returned: karel
[pam_oath.c:pam_sm_authenticate(248)] OTP too short: karel
[pam_oath.c:pam_sm_authenticate(322)] done. [Authentication failure]
pam_pass: function pam_authenticate FAILED for root. Reason: Authentication failure

It seems it gets passed the first password even though neither try_first_pass nor use_first_pass are set for the pam_oath module. It looks like freeradius passes it the User-Password attribute. Is this a problem in freeradius or the pam stack or am I doing something wrong? I was expecting to get a radius access-challenge proxying the pam_oath challenge similar to how ssh takes care of this. Is there a way to get this setup working? I'd like to use the ldap passwords for users so I'm trying to avoid plaintext secrets in oath configuration. So far it seems I cannot use more than one authentication method in freeradius so pam or some custom module seem like the only two options.

thanks for pointers
Martin