[RADIATOR] Authby LDAP and Authby OTP

2015-12-20 Thread Joe Honnold
Good day.

I am working on a project for sending users OTPs to gain access.  I would like 
to have users authenticate to AD and once accepted use AuthBy OTP to generate a 
token and send it to the user via SMS.   The user would then enter the OTP and 
gain access.
I have done a bit of research and found a config that I am using as a base.  
http://www.van-sluis.nl/?p=345
The AuthBy LDAP2 in my config is working as expected but the AuthBy OTP is not. 
It is a bit confusing at this point as I am unsure how to debug the AuthBy OTP 
failure to find the exact issue.

My expectation is that if the AuthBy OTP was working right a one-time password 
would be generated and sent to the user's mobile number found in AD.

Any ideas where to start with this one?

Cleaned radius.cfg file

# radius.cfg - Niels van Sluis
#
# Example Radiator configuration file.
#
# * retrieve mobile number from Directory Server.
# * generate and send One-Time Password to mobile number.
# * authenticate One-Time Password.
#
# The <Client>, <AuthBy> and <Handler> container tags were stripped when
# this post was archived; they are restored below from the module names
# and the Handler shown in the log output. The original Client name did
# not survive, so DEFAULT is used here.

LogDir /var/log/radius
DbDir /etc/radiator
# Use a lower trace level in production systems:
Trace 7

AuthPort 1812
AcctPort 1813

<Client DEFAULT>
	Secret REDACTED
	Identifier juni-sslvpn
</Client>

# Radiator talks to Microsoft AD.
# Try to find mobile number only.
<AuthBy LDAP2>
	Debug 255
	Identifier SSLVPN_LDAP
	NoDefault
	Host 1.1.50.80 1.1.50.82
	Port 3268
	BaseDN
	AuthDN cn=SVC_REDACTED, OU=REDACTED, DC=REDACTED, DC=REDACTED, DC=REDACTED
	AuthPassword REDACTED
	Timeout 2
	UsernameAttr sAMAccountName
	PasswordAttr
	ServerChecksPassword
	HoldServerConnection
	FailureBackoffTime 0
	# Get attribute that contains the mobile number.
	AuthAttrDef MobileNumber

	# We don't do authentication. Authentication is done by OTP.
	#NoCheckPassword

	# Some code to put the mobile number into memory, so it can be used
	# by OTP. Hook arguments: $_[0] the AuthBy, $_[1] the user name,
	# $_[2] the request, $_[3] the User object, $_[4] the Net::LDAP::Entry
	# for the matched user, $_[5] the reply. Net::LDAP::Entry reads
	# attributes with get_value(), and the context helper lives in the
	# Radius::Context package (the posted text had ->get() and
	# ::Context::get, which do not resolve).
	PostSearchHook sub {\
		use Radius::Context;\
		my $user = $_[1];\
		my $attr = ($_[4]->get_value('MobileNumber'))[0];\
		my $context = Radius::Context::get("otp:$user", 120);\
		$context->{mobile_number} = $attr;\
	}
</AuthBy>

# Authenticate based on One-Time Password sent to user by SMS.
<AuthBy OTP>
	Identifier SSLVPN_OTP
	EAPType One-Time-Password,Generic-Token
	# The list form of system() hands the number and the password to the
	# script as separate arguments, so no shell ever parses them.
	ChallengeHook sub {my ($self, $user, $p, $context) = @_;\
		$context->{otp_password} = $self->generate_password();\
		system('/etc/radiator/otp/sendsms.php', $user, $context->{mobile_number},\
		       $context->{otp_password});\
		return "Enter One-Time Password";\
	}
</AuthBy>

<AuthBy GROUP>
	Identifier Check-LDAP-and-OTP
	AuthByPolicy ContinueWhileAccept
	AuthBy SSLVPN_LDAP
	AuthBy SSLVPN_OTP
</AuthBy>

<Handler Client-Identifier=juni-sslvpn>
	RejectHasReason
	AuthBy Check-LDAP-and-OTP
</Handler>

Cleaned log output

Sun Dec 20 20:55:03 2015: DEBUG: Packet dump:
*** Received from 1.1.100.8 port 48711 

Packet length = 60
01 f9 00 3c 44 f6 a0 c6 d9 45 84 6b 77 b0 3b bd
6f 7c a6 a6 01 0a 48 6f 6e 6e 6f 6c 64 4a 02 12
38 0e 00 f6 b2 17 6f 3b e0 62 22 b9 36 35 f7 bd
06 06 00 00 00 01 04 06 a7 64 64 08
Code:   Access-Request
Identifier: 249
Authentic:  D<246><160><198><217>E<132>kw<176>;<189>o|<166><166>
Attributes:
User-Name = "ADUSER"
User-Password = 8<14><0><246><178><23>o;<224>b"<185>65<247><189>
Service-Type = Login-User
NAS-IP-Address = 1.1.100.8

Sun Dec 20 20:55:03 2015: DEBUG: Handling request with Handler 
'Client-Identifier = juni-sslvpn', Identifier ''
Sun Dec 20 20:55:03 2015: DEBUG:  Deleting session for ADUSER, 1.1.100.8,
Sun Dec 20 20:55:03 2015: DEBUG: Handling with Radius::AuthGROUP: 
Check-LDAP-and-OTP
Sun Dec 20 20:55:03 2015: DEBUG: Handling with Radius::AuthLDAP2: SSLVPN_LDAP
Sun Dec 20 20:55:03 2015: INFO: Connecting to 1.1.50.80:3268 1.1.50.82:3268
Sun Dec 20 20:55:03 2015: INFO: Connected to 1.1.50.80:3268
Sun Dec 20 20:55:03 2015: INFO: Attempting to bind to LDAP server 1.1.50.80:3268
Sun Dec 20 20:55:03 2015: DEBUG: LDAP got result for CN=AD 
User,OU=REDACTED,OU=REDACTED,DC=REDACTED,DC=REDACTED,DC=REDACTED
Sun Dec 20 20:55:03 2015: DEBUG: Radius::AuthLDAP2 looks for match with ADUSER 
[ADUSER]
Sun Dec 20 20:55:03 2015: DEBUG: Radius::AuthLDAP2 ACCEPT: : ADUSER [ADUSER]
Sun Dec 20 20:55:03 2015: DEBUG: Radius::AuthGROUP:Check-LDAP-and-OTP 
SSLVPN_LDAP result: ACCEPT,
Sun Dec 20 20:55:03 2015: DEBUG: Handling with Radius::AuthOTP: SSLVPN_OTP
Sun Dec 20 20:55:03 2015: DEBUG: Radius::AuthOTP looks for match with ADUSER 
[ADUSER]
Sun Dec 20 20:55:03 2015: DEBUG: Radius::AuthOTP REJECT: OTP Authentication 
failed: (): ADUSER [ADUSER]
Sun Dec 20 20:55:03 2015: DEBUG: Radius::AuthGROUP:Check-LDAP-and-OTP 
SSLVPN_OTP result: REJECT, OTP Authentication failed: ()
Sun Dec 20 20:55:03 2015: DEBUG: AuthBy GROUP result: REJECT, OTP 
Authentication failed: ()
Sun Dec 20 20:55:03 2015: INFO: Access rejected for ADUSER: OTP Authentication 
failed: ()
Sun Dec 20 20:55:03 2015: DEBUG: Packet dump:
*** Sending to 1.1.100.8 port 48711 

Packet length = 51
03 f9 00 33 67 f2 b5 1f 1c 13 63 fc 25 ff d3 79
a5 80 

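The two-round exchange the post expects from AuthBy OTP, as an added Python example that is not part of the thread and not Radiator code: the NAS sends the AD password in round one, the server verifies it, sends the one-time password out of band and answers with an Access-Challenge carrying the prompt and a State attribute; in round two the NAS sends the OTP together with that State. The shared secret (SECRET), the directory contents (DIRECTORY), the mobile number and the SMS delivery (sent_sms in place of sendsms.php) are constructed stand-ins, and the function and class names are the example's own.

```python
"""Two-round RADIUS PAP exchange for an SMS one-time password. Added example,
not Radiator code or the poster's config; DIRECTORY, SECRET and sent_sms are
constructed stand-ins for AD, the NAS shared secret and sendsms.php."""
import hashlib
import hmac
import os
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
SECRET = b"constructed-shared-secret"                   # stands in for the redacted Secret
DIRECTORY = {b"ADUSER": (b"ad-password", "+15550100")}  # user -> (AD password, mobile), constructed

def encode_attrs(attrs):
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i + 2 <= len(data) and 2 <= data[i + 1] <= len(data) - i:   # stop at a malformed TLV
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def pap_encrypt(password, secret, req_auth):
    """RFC 2865 5.2: null-pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    pw = password or b"\x00"
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def pap_decrypt(cipher, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def make_request(ident, secret, user, password, extra=()):
    """NAS side: fresh random Request Authenticator, PAP-obfuscated User-Password."""
    req_auth = os.urandom(16)
    body = encode_attrs([(USER_NAME, user), (USER_PASSWORD, pap_encrypt(password, secret, req_auth))] + list(extra))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def build_response(code, request, attrs, secret):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, request[1], 20 + len(body))
    return hdr + hashlib.md5(hdr + request[4:20] + body + secret).digest() + body

def exchange(server, req):
    """NAS side: deliver the request and verify the reply really came from the secret holder."""
    resp = server.handle(req)
    expected = hashlib.md5(resp[:4] + req[4:20] + resp[20:] + server.secret).digest()
    if not hmac.compare_digest(resp[4:20], expected):
        raise ValueError("bad Response Authenticator")
    return resp

class OtpServer:
    def __init__(self, secret, directory):
        self.secret, self.directory = secret, directory
        self.contexts = {}   # State value -> (user, otp): the pending challenge
        self.sent_sms = []   # (mobile, otp) pairs that sendsms.php would have delivered

    def handle(self, request):
        code, ident, length = struct.unpack("!BBH", request[:4])
        if code != ACCESS_REQUEST or length != len(request):
            return build_response(ACCESS_REJECT, request, [], self.secret)
        attrs = dict(decode_attrs(request[20:]))
        user = attrs.get(USER_NAME, b"")
        password = pap_decrypt(attrs.get(USER_PASSWORD, b""), self.secret, request[4:20])
        state = attrs.get(STATE)
        if state is None:   # round 1: User-Password holds the AD password (ServerChecksPassword)
            entry = self.directory.get(user)
            if entry is None or not hmac.compare_digest(entry[0], password):
                return build_response(ACCESS_REJECT, request, [], self.secret)
            otp, state = "%06d" % secrets.randbelow(10 ** 6), secrets.token_bytes(16)
            self.contexts[state] = (user, otp.encode())
            self.sent_sms.append((entry[1], otp))
            return build_response(ACCESS_CHALLENGE, request,
                                  [(REPLY_MESSAGE, b"Enter One-Time Password"), (STATE, state)], self.secret)
        ctx = self.contexts.pop(state, None)   # round 2: pop() makes every challenge single-use
        if ctx and ctx[0] == user and hmac.compare_digest(ctx[1], password):
            return build_response(ACCESS_ACCEPT, request, [], self.secret)
        return build_response(ACCESS_REJECT, request, [], self.secret)

def run_flow(server, user, ad_password, otp_override=None):
    """Drive both rounds as the NAS would; returns (codes seen, last request sent)."""
    req = make_request(1, server.secret, user, ad_password)
    resp = exchange(server, req)
    if resp[0] != ACCESS_CHALLENGE:
        return [resp[0]], req
    state = dict(decode_attrs(resp[20:]))[STATE]
    otp = server.sent_sms[-1][1].encode() if otp_override is None else otp_override
    req = make_request(2, server.secret, user, otp, [(STATE, state)])
    return [resp[0], exchange(server, req)[0]], req
```

Two details carry the security weight. The NAS recomputes the Response Authenticator before trusting any reply, which is what stops a forged Access-Accept from anyone without the shared secret. The server pops the State entry on the second round, so a captured round-two request replayed later is rejected even though the OTP in it was once valid. Radiator keeps the equivalent per-user state in Radius::Context under the "otp:$user" key that the posted PostSearchHook writes to, rather than in the State attribute; the log in the post shows the OTP step answering the very first request with a REJECT rather than a CHALLENGE, which is the point at which to compare what that context contains with what AuthBy OTP expects.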
Re: [RADIATOR] AuthBy LDAP2 to AD

2015-12-20 Thread Hartmaier Alexander
@Heikki: could you add a section in the AuthBy LDAP2 which covers the 
topic Microsoft Active Directory?


Thanks, Alex

On 2015-12-20 07:47, Joe Honnold wrote:
Got it all sorted.  Thanks for the pointers.  Here is what my working 
config for AD looks like.


Foreground
LogStdout
LogDir /var/log/radius
DbDir /etc/radiator
# Use a lower trace level in production systems:
Trace 4
#
AuthPort 1645
AcctPort 1646

# Container tags restored; they were stripped when the post was archived.
<Client DEFAULT>
	Secret IMNOTTELLLING
</Client>

<Handler>
	<AuthBy LDAP2>
		Debug 255
		NoDefault
		Host 10.0.50.80 10.0.50.82
		# Microsoft AD also listens on port 3268, and
		# requests received on that port are reported to be
		# more compliant with standard LDAP, so you may want to use:
		Port 3268
		AuthDN cn=ADAccount, OU=Unit3, DC=MS, DC=DOMAIN, DC=COM
		AuthPassword PLAINTEXTPASSWORD
		# Global Catalog searches on 3268 take an empty BaseDN.
		BaseDN
		PasswordAttr
		ServerChecksPassword
		UsernameAttr sAMAccountName
		HoldServerConnection
		FailureBackoffTime 0
		AuthAttrDef MobileNumber,Callback-Number,request
	</AuthBy>
</Handler>




On Dec 17, 2015, at 9:06 AM, Hartmaier Alexander wrote:


Hi,
sadly HoldServerConnection doesn't work for Active Directory for us.
Not sure if that's the source of your problem though.
If you search the Global Catalog (3268 for LDAP and 3269 for LDAPS) 
you can't specify a BaseDN, leave it empty!

Just
BaseDN

Best regards, Alex

On 2015-12-15 18:18, Joe Honnold wrote:

Hi.

I am working towards a config that does AD authentication with the 
addition of OTP.  I have started the AD config and have hit an issue 
that I can not seem to get around.

The log file states:

Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 REJECT: Bad
Encrypted password: UserJ [UserJ]

I have completed some research via the docs and internet searching 
but nothing has pointed me in the right direction yet.
Any input towards a resolution would be appreciated as I need this 
to work prior to adding the OTP settings to the config.


radius.cfg file
==
# ad-ldap.cfg
#
# Example Radiator configuration file for authenticating from
# Active Directory via LDAP2, possibly from a Unix host.
#
# This very simple file will allow you to get started with
# a simple LDAP authentication system from AD.
#
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
#
# You should consider this file to be a starting point only
# $Id: ad-ldap.cfg,v 1.4 2015/06/02 19:37:27 hvn Exp $
#
# Container tags restored; they were stripped when the post was archived.

Foreground
LogStdout
LogDir /var/log/radius
DbDir /etc/radiator
# Use a lower trace level in production systems:
Trace 4
#
AuthPort 1645
AcctPort 1646

# You will probably want to add other Clients to suit your site.
<Client DEFAULT>
	Secret IMNOTTELLLING
</Client>

# Authenticates users in the Organisational Unit called 'csx users'
# The user name coming from the NAS must match the sAMAccountName
# attribute of a user in that OU. Users that are not in 'csx users'
# will not be able to log in.
<Handler>
	<AuthBy LDAP2>
		Debug 255
		NoDefault
		Host 10.0.50.80 10.0.50.82
		# Microsoft AD also listens on port 3268, and
		# requests received on that port are reported to be
		# more compliant with standard LDAP, so you may want to use:
		Port 3268
		AuthDN cn=ADAccount, OU=Unit3, DC=MS, DC=DOMAIN, DC=COM
		AuthPassword PLAINTEXTPASSWORD
		BaseDN DC=MS, DC=DOMAIN, DC=com
		ServerChecksPassword
		UsernameAttr sAMAccountName
		HoldServerConnection
		FailureBackoffTime 0
		AuthAttrDef logonHours,MS-Login-Hours,check
	</AuthBy>
</Handler>

==

Cleansed log dump
==
Tue Dec 15 10:34:24 2015: DEBUG: Packet dump:
*** Received from 10.0.100.8 port 58652 
Code:   Access-Request
Identifier: 188
Authentic:  <220><190><27><254>r<234><233>@<187>CR<161><231>C<241><4>
Attributes:
User-Name = "UserJ"
User-Password = <214><134>.<29><11>4<137><178><135>z<148>B<31>ivJ
Service-Type = Login-User
NAS-IP-Address = 10.0.100.8

Tue Dec 15 10:34:24 2015: DEBUG: Handling request with Handler '', 
Identifier ''
Tue Dec 15 10:34:24 2015: DEBUG:  Deleting session for UserJ, 
10.0.100.8,

Tue Dec 15 10:34:24 2015: DEBUG: Handling with Radius::AuthLDAP2:
Tue Dec 15 10:34:24 2015: INFO: Connecting to 10.0.50.80:3268 
10.0.50.82:3268

Tue Dec 15 10:34:24 2015: INFO: Connected to 10.0.50.80:3268
Tue Dec 15 10:34:24 2015: INFO: Attempting to bind to LDAP server 
10.0.50.80:3268
Tue Dec 15 10:34:24 2015: DEBUG: LDAP got result for CN=Joe 
User,OU=Unit1,OU=Unit2,DC=ms,DC=domain,DC=com
Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 looks for match 
with UserJ [UserJ]
Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 REJECT: Bad 
Encrypted password: UserJ [UserJ]
Tue Dec 15 10:34:24 2015: DEBUG: AuthBy LDAP2 result: REJECT, Bad 
Encrypted password
Tue Dec 15 10:34:24 2015: INFO: Access rejected for UserJ: Bad 
Encrypted password

Tue Dec 15 10:34:24 2015: DEBUG: Packet dump:
*** Sending to 10.0.100.8 port 58652 
Code:   Access-Reject
Identifier: 188
Authentic:  T<143>B*<10><203><165><29>6I<4>0<129><234><251>9
Attributes:
Reply-Message = "Request Denied"

Tue Dec 15 10:34:29 2015: DEBUG: Packet dump:
*** Received from 10.0.100.8 port 58652 
Code: