Hi,

> On 14 Jul 2017, at 20.16, s.schw...@lumc.nl wrote:
>    
> However, once I do this, in my RADIUS server I receive the following error 
> once I try to authenticate. I figured I'd test out LSA first, and once I have 
> that working I'd work on getting OTPs working.
>  
> Mon Jul 10 03:36:41 2017: DEBUG: Packet dump:
> *** Received from 172.16.0.3 port 55428 ....
> Code:       Access-Request
> Identifier: 2
> Authentic:  <212><215><195><163><28><225><128><240><145>U[<219><239>BdV
> Attributes:
>                 Service-Type = Voice
>                 User-Name = "domain\username"
>                 Called-Station-Id = "UserAuthType:PW"
>                 MS-Machine-Name = "hostname.something"
>                 MS-Network-Access-Server-Type = Terminal-Server-Gateway
>                 NAS-Port-Type = Virtual
>                 Proxy-State = 
> <254><128><0><0><0><0><0><0><228><28>lj<193>l@<170><0><0><0><2>
>  
> Mon Jul 10 03:36:41 2017: DEBUG: Handling request with Handler 
> 'Client-Identifier = From_NPS', Identifier 'Default'
> Mon Jul 10 03:36:41 2017: DEBUG:  Deleting session for domain\username, 
> 172.16.0.3,
> Mon Jul 10 03:36:41 2017: DEBUG: Handling with Radius::AuthLSA:
> Mon Jul 10 03:36:41 2017: DEBUG: AuthBy LSA result: REJECT, Authentication 
> protocol Unknown not allowed by AuthenProto configuration parameter
> Mon Jul 10 03:36:41 2017: INFO: Access rejected for domain\username: 
> Authentication protocol Unknown not allowed by AuthenProto configuration 
> parameter
> Mon Jul 10 03:36:41 2017: DEBUG: Packet dump:
> *** Sending to 172.16.0.3 port 55428 ....
> Code:       Access-Reject
> Identifier: 2
> Authentic:  <168><196>1<151><190>*<174><132><177>*l<209>\NT~
> Attributes:
>                 Reply-Message = "Request Denied"
>                 Proxy-State = 
> <254><128><0><0><0><0><0><0><228><28>lj<193>l@<170><0><0><0><2>
>  
>  
> I tried the following handler for LSA auth:
> <Handler Client-Identifier = From_NPS>
>     Identifier Default
>     <AuthBy LSA>
>         Domain domainname
>         UsernameMatchesWithoutRealm
>     </AuthBy>
>     AuthLog         Logfile_Dev
>     AcctLogFileName %L/Dev_detail_%Y-%m-%d.log
> </Handler>
>  
> Any pointers would be appreciated.
> It should be possible, since for example this guide shows how to do it with 
> WiKID: 
> http://www.techworld.com/tutorial/security/configuring-nps-2012-for-two-factor-authentication-3223170/.
> But I'd rather use one product instead of several products to achieve the same 
> result.
>  
> We do actually have Azure MFA which can be used for this, but I actually 
> don’t want to use it for this scenario.
>  

As the Access-Request does not contain any attribute carrying a password or a 
challenge-response, you will need to add the following configuration options 
within AuthBy LSA:

AuthenProto Unknown
NoCheckPassword

http://www.open.com.au/radiator/ref/AuthenProto.html#AuthenProto
http://www.open.com.au/radiator/ref/NoCheckPassword.html#NoCheckPassword

E.g.

<AuthBy LSA>
    ...

    # Allow access requests without a password (required for Radiator 4.18 and later)
    AuthenProto Unknown

    # Do not try to check the user's password
    NoCheckPassword
</AuthBy>


BR
-- 
Tuure Vartiainen <varti...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

_______________________________________________
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
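The reply above comes down to one check: AuthenProto decides, from the attributes present in the Access-Request, which authentication protocol the request uses, and a request with no password or challenge-response attribute at all is classified as "Unknown" and rejected unless Unknown is allowed. The Python below is an added example for this thread, not Radiator code and not something posted by either list member. It parses a Radiator DEBUG packet dump, classifies the request the same way, and predicts the verdict for a given AuthenProto list (the list is a parameter; no default is assumed). The attribute-to-protocol table is my own assumption based on standard RADIUS and Microsoft dictionary attribute names, and both sample dumps are constructed, the first from the request quoted in the thread.

```python
"""Classify the authentication protocol a RADIUS Access-Request carries and
predict Radiator's AuthenProto verdict from a DEBUG packet dump.

Added example for this thread, not code from Radiator or the mailing list.
Attribute names are the standard RADIUS / Microsoft dictionary names (my
assumption); the sample dumps are constructed (the first from the request
quoted in the thread, timestamps removed).
"""
import re

# Attributes whose presence tells you which protocol the request uses.
AUTH_ATTRIBUTES = {
    "User-Password": "PAP",
    "CHAP-Password": "CHAP",
    "MS-CHAP-Response": "MSCHAP",
    "MS-CHAP2-Response": "MSCHAPV2",
    "EAP-Message": "EAP",
}

# Constructed sample 1: the NPS request quoted in the thread. It carries no
# password or challenge-response attribute at all.
NPS_DUMP = r"""
Code:       Access-Request
Identifier: 2
Authentic:  <212><215><195><163><28><225><128><240><145>U[<219><239>BdV
Attributes:
                Service-Type = Voice
                User-Name = "domain\username"
                Called-Station-Id = "UserAuthType:PW"
                MS-Machine-Name = "hostname.something"
                MS-Network-Access-Server-Type = Terminal-Server-Gateway
                NAS-Port-Type = Virtual
                Proxy-State =
<254><128><0><0><0><0><0><0><228><28>lj<193>l@<170><0><0><0><2>
"""

# Constructed sample 2: an ordinary PAP request for contrast (value redacted).
PAP_DUMP = r"""
Code:       Access-Request
Identifier: 7
Attributes:
                User-Name = "someone"
                User-Password = "<encrypted, redacted>"
                NAS-Port-Type = Virtual
"""

ATTR_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*)$")


def parse_packet_dump(dump):
    """Return (code, attrs) for one Radiator 'Packet dump'.

    attrs maps attribute name -> list of values, because RADIUS permits
    repeated attributes (several EAP-Message fragments, for instance). Inside
    the Attributes section, a line that is not 'Name = value' is appended to
    the previous value: Radiator wraps long binary values such as Proxy-State
    onto the following line, as the quoted dump shows.
    """
    code, attrs, last, in_attrs = None, {}, None, False
    for line in dump.splitlines():
        if not in_attrs:
            if line.startswith("Code:"):
                code = line.split(":", 1)[1].strip()
            elif line.startswith("Attributes:"):
                in_attrs = True
            continue
        m = ATTR_RE.match(line)
        if m:
            last = m.group(1)
            attrs.setdefault(last, []).append(m.group(2).strip())
        elif last is not None and line.strip():
            attrs[last][-1] += line.strip()  # wrapped binary continuation
    return code, attrs


def detect_auth_protocol(attrs):
    """Name the protocol, or 'Unknown' when no password or challenge-response
    attribute is present, which is what Radiator logs as
    'Authentication protocol Unknown'."""
    for attr, proto in AUTH_ATTRIBUTES.items():
        if attr in attrs:
            return proto
    return "Unknown"


def evaluate(dump, authen_proto):
    """Predict whether the AuthBy's AuthenProto list lets this request proceed
    to the actual authentication step. authen_proto is the configured list,
    e.g. ["PAP", "MSCHAPV2"] or, for the NPS case, ["Unknown"]."""
    code, attrs = parse_packet_dump(dump)
    if code != "Access-Request":
        raise ValueError("not an Access-Request: %r" % code)
    proto = detect_auth_protocol(attrs)
    user = attrs.get("User-Name", [""])[0].strip('"')
    return {"user": user, "protocol": proto, "allowed": proto in authen_proto}


if __name__ == "__main__":
    for name, dump in (("NPS", NPS_DUMP), ("PAP", PAP_DUMP)):
        for allowed in (["PAP", "CHAP", "MSCHAP", "MSCHAPV2", "EAP"], ["Unknown"]):
            r = evaluate(dump, allowed)
            verdict = "proceeds to AuthBy" if r["allowed"] else "REJECT"
            print("%s %-28s -> %-9s %s" % (name, ",".join(allowed), r["protocol"], verdict))
```

Run directly, the quoted NPS request classifies as Unknown and is rejected under any AuthenProto list that omits Unknown, while the PAP request is rejected under `["Unknown"]` alone. One point worth keeping in view when adopting the fix: with NoCheckPassword the AuthBy verifies no credential at all, so the Handler that carries it should be selected only for the NPS client, as the thread's `Client-Identifier = From_NPS` handler already does, so that no other RADIUS client can reach a path that checks no password.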
