Help with vpn login to privacyIDEA radius

Hi,
I need some help getting this to work
I have a PrivacyIDEA server (2.9-1) with the radius module
My aim is to auth as follows
clientVPN (ipsec) -> Firewall (aaa enabled pointing to privacyIDEA server)
using AD credentials

I have set up the following
PrivacyIDEA:
Radius module installed and freeradius running on the same server (all set
up using the package manager)
I have an LDAP resolver (AD) which works and pulls my users successfully
from a samba4 active directory server
I have a policy using otppin-userstore so it uses the AD password
I have a Realm using the LDAP resolver
I have a token (TOTP) mapped to an AD user

when running radtest using the AD username ADpassword-OTPpin all works great

My issue is I now need my vpn users to connect to the firewall/vpn endpoint
and get authed in the same way

When connecting via VPN the request goes through to the privacyIDEA
freeradius server but get’s rejected.
I’m assuming it’s because it’s using MSCHAP.

Any help getting this scenario to work would be really helpful

The RADIUS protocol is plain text. Even MSCHAP transmits all other
information in plain text. You can get all information who is
successfully authenticating when.
So if you do not want to sniff anyone. Yes, use an encryption like a VPN
between the VPN and the RADIUS Server.Am Freitag, den 05.02.2016, 10:18 +0000 schrieb Stephen Horvath:

Am I right in my assumption though that using pap with ipsec shouldn’t
be a security issue as it’s done within the ipsec tunnel?
If so then pap is the answer

Stephen Horvath
Director

( MCSE | CCNA | MTCNA | MTCRE )

Workshop IT:
5 Cowcross Street London EC1M 6DW

t: 020 7183 0498
e: stephen@workshopit.co.uk
w: www.workshopit.co.uk
Registered in England and Wales: 8366747

On 5 February 2016 at 10:16, Stephen Horvath stephen@workshopit.co.uk wrote:
I am able to auth with a freeradius server using ldap and
mschapv2 which is a good solution but I wanted 2 factor auth
hence the reason for looking into privacyIDEA.
Basically I have some users in the financial sector who want a
2-factor auth VPN. My options may be to go with something like
RSA secureid or something similar but I’d really like to use
something open source. Happy to pay. I’d rather contribute to
open source than finance the tech giants.

    Stephen Horvath
    Director
    
    ( MCSE | CCNA | MTCNA | MTCRE )
    ---
    
    
    Workshop IT:
    5 Cowcross Street London EC1M 6DW
    
    t: 020 7183 0498
    e: stephen@workshopit.co.uk
    w: www.workshopit.co.uk
    Registered in England and Wales: 8366747
    
    On 5 February 2016 at 10:11, Stephen Horvath <stephen@workshopit.co.uk> wrote:
            It does work using pap but aren't there security
            concerns using pap?
            
            
            
            Stephen Horvath
            Director
            
            ( MCSE | CCNA | MTCNA | MTCRE )
            ---
            
            
            Workshop IT:
            5 Cowcross Street London EC1M 6DW
            
            t: 020 7183 0498
            e: stephen@workshopit.co.uk
            w: www.workshopit.co.uk
            Registered in England and Wales: 8366747
            
            On 5 February 2016 at 10:09, Cornelius Kölbel <@cornelinux> wrote:
                    Hi Stephen,
                    
                    you can use RADIUS, but only with PAP. With
                    plain normal RADIUS this
                    works like a charm.
                    Anyway, it might depend on your VPN server.
                    
                    But you have the right setup:
                    
                    * VPN-Server asks FreeRADIUS
                    * FreeRADIUS users rlm_perl/privacyidea to ask
                    privacyIDEA.
                    * privacyIDEA finds user in AD
                    * privacyIDEA checks OTP value and responds to
                    rlm_perl/FreeRADIUS
                    
                    If you need detailed help on this, just drop
                    me a note.
                    
                    Kind regards
                    Cornelius
                    
                    
                    Am Freitag, den 05.02.2016, 10:02 +0000
                    schrieb Stephen Horvath:
                    > Thanks,
                    > I was pretty excited to find privacyIDEA and
                    it looked like it would
                    > do everything I wanted...
                    > I only need to auth VPN access using OTP
                    authing against an AD server.
                    > Can you recommend a way of doing this
                    another way?
                    >
                    >
                    >
                    > Stephen Horvath
                    > Director
                    >
                    > ( MCSE | CCNA | MTCNA | MTCRE )
                    > ---
                    >
                    >
                    > Workshop IT:
                    > 5 Cowcross Street London EC1M 6DW
                    >
                    > t: 020 7183 0498
                    > e: stephen@workshopit.co.uk
                    > w: www.workshopit.co.uk
                    > Registered in England and Wales: 8366747
                    >
                    > On 5 February 2016 at 09:52, Cornelius Kölbel <@cornelinux> wrote:
                    >         Hi Stephan,
                    >
                    >         connecting the application, in this
                    scenario the VPN via
                    >         RADIUS, is
                    >         often the interesting part.
                    >
                    >         Especially with a VPN and RADIUS
                    there are often difficulties
                    >         which I
                    >         solve in remote sessions with the
                    customers.
                    >
                    >         1. MSCHAP is not supported by the
                    RADIUS-Plugin. MSCHAP does
                    >         not easily
                    >         work well with OTP.
                    >         2. Run freeradius in debug mode (-X)
                    >         3. Check the secrets.
                    >         4. Often VPN servers expect special
                    attributes in the response
                    >         to put
                    >         the users into certain groups.
                    >
                    >         Kind regards
                    >         Cornelius
                    >
                    >         Am Freitag, den 05.02.2016, 01:35
                    -0800 schrieb Stephen
                    >         Horvath:
                    >         > Hi,
                    >         > I need some help getting this to
                    work
                    >         > I have a PrivacyIDEA server
                    (2.9-1) with the radius module
                    >         > My aim is to auth as follows
                    >         > clientVPN (ipsec) -> Firewall (aaa
                    enabled pointing to
                    >         privacyIDEA
                    >         > server) using AD credentials
                    >         >
                    >         >
                    >         > I have set up the following
                    >         > PrivacyIDEA:
                    >         > Radius module installed and
                    freeradius running on the same
                    >         server (all
                    >         > set up using the package manager)
                    >         > I have an LDAP resolver (AD) which
                    works and pulls my users
                    >         > successfully from a samba4 active
                    directory server
                    >         > I have a policy using
                    otppin-userstore so it uses the AD
                    >         password
                    >         > I have a Realm using the LDAP
                    resolver
                    >         > I have a token (TOTP) mapped to an
                    AD user
                    >         >
                    >         >
                    >         > when running radtest using the AD
                    username ADpassword-OTPpin
                    >         all works
                    >         > great
                    >         >
                    >         >
                    >         > My issue is I now need my vpn
                    users to connect to the
                    >         firewall/vpn
                    >         > endpoint and get authed in the
                    same way
                    >         >
                    >         >
                    >         > When connecting via VPN the
                    request goes through to the
                    >         privacyIDEA
                    >         > freeradius server but get's
                    rejected.
                    >         > I'm assuming it's because it's
                    using MSCHAP.
                    >         >
                    >         >
                    >         > Any help getting this scenario to
                    work would be really
                    >         helpful
                    >         >
                    >         >
                    >         > --
                    >         > Please read the blog post about
                    getting help
                    >         >
                    https://www.privacyidea.org/getting-help/.
                    >         >
                    >         > For professional services and
                    consultancy regarding two
                    >         factor
                    >         > authentication please visit
                    >         >
                    https://netknights.it/en/leistungen/one-time-services/
                    >         >
                    >         > In an enterprise environment you
                    should get a SERVICE LEVEL
                    >         AGREEMENT
                    >         > which suites your needs for
                    SECURITY, AVAILABILITY and
                    >         LIABILITY:
                    >         >
                    >
                     https://netknights.it/en/leistungen/service-level-agreements/
                    >         > ---
                    >         > You received this message because
                    you are subscribed to the
                    >         Google
                    >         > Groups "privacyidea" group.
                    >         > To unsubscribe from this group and
                    stop receiving emails
                    >         from it, send
                    >         > an email to privacyidea
                    +unsubscribe@googlegroups.com.
                    >         > To post to this group, send email
                    to
                    >         privacyidea@googlegroups.com.
                    >         > Visit this group at
                    >
                     https://groups.google.com/group/privacyidea.
                    >         > To view this discussion on the web
                    visit
                    >         >
                    >
                     https://groups.google.com/d/msgid/privacyidea/58f3f108-8bb4-402f-9e2f-e816bab7525b%40googlegroups.com.
                    >         > For more options, visit
                    https://groups.google.com/d/optout.
                    >
                    >         --
                    >         Cornelius Kölbel
                    >         @cornelinux
                    >         +49 151 2960 1417
                    >
                    >         NetKnights GmbH
                    >         http://www.netknights.it
                    >         Landgraf-Karl-Str. 19, 34131 Kassel,
                    Germany
                    >         Tel: +49 561 3166797, Fax: +49 561
                    3166798
                    >
                    >         Amtsgericht Kassel, HRB 16405
                    >         Geschäftsführer: Cornelius Kölbel
                    >
                    >
                    >         --
                    >         Please read the blog post about
                    getting help
                    >
                     https://www.privacyidea.org/getting-help/.
                    >
                    >         For professional services and
                    consultancy regarding two factor
                    >         authentication please visit
                    >
                     https://netknights.it/en/leistungen/one-time-services/
                    >
                    >         In an enterprise environment you
                    should get a SERVICE LEVEL
                    >         AGREEMENT which suites your needs
                    for SECURITY, AVAILABILITY
                    >         and LIABILITY:
                    >
                     https://netknights.it/en/leistungen/service-level-agreements/
                    >         ---
                    >         You received this message because
                    you are subscribed to a
                    >         topic in the Google Groups
                    "privacyidea" group.
                    >         To unsubscribe from this topic,
                    visit
                    >
                     https://groups.google.com/d/topic/privacyidea/sQxd_4To7Go/unsubscribe.
                    >         To unsubscribe from this group and
                    all its topics, send an
                    >         email to privacyidea
                    +unsubscribe@googlegroups.com.
                    >         To post to this group, send email to
                    >         privacyidea@googlegroups.com.
                    >         Visit this group at
                    >
                     https://groups.google.com/group/privacyidea.
                    >         To view this discussion on the web
                    visit
                    >
                     https://groups.google.com/d/msgid/privacyidea/1454665927.20654.119.camel%40puckel.
                    >         For more options, visit
                    https://groups.google.com/d/optout.
                    >
                    >
                    > --
                    > Please read the blog post about getting help
                    > https://www.privacyidea.org/getting-help/.
                    >
                    > For professional services and consultancy
                    regarding two factor
                    > authentication please visit
                    >
                    https://netknights.it/en/leistungen/one-time-services/
                    >
                    > In an enterprise environment you should get
                    a SERVICE LEVEL AGREEMENT
                    > which suites your needs for SECURITY,
                    AVAILABILITY and LIABILITY:
                    >
                    https://netknights.it/en/leistungen/service-level-agreements/
                    > ---
                    > You received this message because you are
                    subscribed to the Google
                    > Groups "privacyidea" group.
                    > To unsubscribe from this group and stop
                    receiving emails from it, send
                    > an email to privacyidea
                    +unsubscribe@googlegroups.com.
                    > To post to this group, send email to
                    privacyidea@googlegroups.com.
                    > Visit this group at
                    https://groups.google.com/group/privacyidea.
                    > To view this discussion on the web visit
                    
                    >
                    https://groups.google.com/d/msgid/privacyidea/CAAyQAQR1VnFNixU_EmNGoWbVF1ceCTqXMgYCHGDNPYJg0PA4nA%40mail.gmail.com.
                    > For more options, visit
                    https://groups.google.com/d/optout.
                    
                    --
                    Cornelius Kölbel
                    @cornelinux
                    +49 151 2960 1417
                    
                    NetKnights GmbH
                    http://www.netknights.it
                    Landgraf-Karl-Str. 19, 34131 Kassel, Germany
                    Tel: +49 561 3166797, Fax: +49 561 3166798
                    
                    Amtsgericht Kassel, HRB 16405
                    Geschäftsführer: Cornelius Kölbel
                    
                    
                    --
                    Please read the blog post about getting help
                    https://www.privacyidea.org/getting-help/.
                    
                    For professional services and consultancy
                    regarding two factor authentication please
                    visit
                    https://netknights.it/en/leistungen/one-time-services/
                    
                    In an enterprise environment you should get a
                    SERVICE LEVEL AGREEMENT which suites your
                    needs for SECURITY, AVAILABILITY and
                    LIABILITY:
                    https://netknights.it/en/leistungen/service-level-agreements/
                    ---
                    You received this message because you are
                    subscribed to a topic in the Google Groups
                    "privacyidea" group.
                    To unsubscribe from this topic, visit
                    https://groups.google.com/d/topic/privacyidea/sQxd_4To7Go/unsubscribe.
                    To unsubscribe from this group and all its
                    topics, send an email to privacyidea
                    +unsubscribe@googlegroups.com.
                    To post to this group, send email to
                    privacyidea@googlegroups.com.
                    Visit this group at
                    https://groups.google.com/group/privacyidea.
                    To view this discussion on the web visit
                    https://groups.google.com/d/msgid/privacyidea/1454666981.20654.123.camel%40puckel.
                    For more options, visit
                    https://groups.google.com/d/optout.


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/CAAyQAQSi5DOYFXvg75gDzcneS2vAiAsCgDjVukNxUFY_iasXig%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

Am I right in my assumption though that using pap with ipsec shouldn’t be a
security issue as it’s done within the ipsec tunnel?
If so then pap is the answer

Stephen Horvath
Director
( MCSE | CCNA | MTCNA | MTCRE )—

Workshop IT:
5 Cowcross Street London EC1M 6DW
*t: *020 7183 0498
*e: *@Stephen_Horvath
w: www.workshopit.co.uk
Registered in England and Wales: 8366747

On 5 February 2016 at 10:16, Stephen Horvath <@Stephen_Horvath> wrote:

I am able to auth with a freeradius server using ldap and mschapv2 which
is a good solution but I wanted 2 factor auth hence the reason for looking
into privacyIDEA.
Basically I have some users in the financial sector who want a 2-factor
auth VPN. My options may be to go with something like RSA secureid or
something similar but I’d really like to use something open source. Happy
to pay. I’d rather contribute to open source than finance the tech giants.

Stephen Horvath
Director
( MCSE | CCNA | MTCNA | MTCRE )

Workshop IT:
5 Cowcross Street London EC1M 6DW
*t: *020 7183 0498
*e: *@Stephen_Horvath
w: www.workshopit.co.uk
Registered in England and Wales: 8366747

On 5 February 2016 at 10:11, Stephen Horvath <@Stephen_Horvath> wrote:

It does work using pap but aren’t there security concerns using pap?

Stephen Horvath
Director
( MCSE | CCNA | MTCNA | MTCRE )

Workshop IT:
5 Cowcross Street London EC1M 6DW
*t: *020 7183 0498
*e: *@Stephen_Horvath
w: www.workshopit.co.uk
Registered in England and Wales: 8366747

On 5 February 2016 at 10:09, Cornelius Kölbel < cornelius.koelbel@netknights.it> wrote:

Hi Stephen,

you can use RADIUS, but only with PAP. With plain normal RADIUS this
works like a charm.
Anyway, it might depend on your VPN server.

But you have the right setup:

  • VPN-Server asks FreeRADIUS
  • FreeRADIUS users rlm_perl/privacyidea to ask privacyIDEA.
  • privacyIDEA finds user in AD
  • privacyIDEA checks OTP value and responds to rlm_perl/FreeRADIUS

If you need detailed help on this, just drop me a note.

Kind regards
Cornelius

Am Freitag, den 05.02.2016, 10:02 +0000 schrieb Stephen Horvath:

Thanks,
I was pretty excited to find privacyIDEA and it looked like it would
do everything I wanted…
I only need to auth VPN access using OTP authing against an AD server.
Can you recommend a way of doing this another way?

Stephen Horvath
Director

( MCSE | CCNA | MTCNA | MTCRE )

Workshop IT:
5 Cowcross Street London EC1M 6DW

t: 020 7183 0498
e: @Stephen_Horvath
w: www.workshopit.co.uk
Registered in England and Wales: 8366747

On 5 February 2016 at 09:52, Cornelius Kölbel cornelius.koelbel@netknights.it wrote:
Hi Stephan,

    connecting the application, in this scenario the VPN via
    RADIUS, is
    often the interesting part.

    Especially with a VPN and RADIUS there are often difficulties
    which I
    solve in remote sessions with the customers.

    1. MSCHAP is not supported by the RADIUS-Plugin. MSCHAP does
    not easily
    work well with OTP.
    2. Run freeradius in debug mode (-X)
    3. Check the secrets.
    4. Often VPN servers expect special attributes in the response
    to put
    the users into certain groups.

    Kind regards
    Cornelius

    Am Freitag, den 05.02.2016, 01:35 -0800 schrieb Stephen
    Horvath:
    > Hi,
    > I need some help getting this to work
    > I have a PrivacyIDEA server (2.9-1) with the radius module
    > My aim is to auth as follows
    > clientVPN (ipsec) -> Firewall (aaa enabled pointing to
    privacyIDEA
    > server) using AD credentials
    >
    >
    > I have set up the following
    > PrivacyIDEA:
    > Radius module installed and freeradius running on the same
    server (all
    > set up using the package manager)
    > I have an LDAP resolver (AD) which works and pulls my users
    > successfully from a samba4 active directory server
    > I have a policy using otppin-userstore so it uses the AD
    password
    > I have a Realm using the LDAP resolver
    > I have a token (TOTP) mapped to an AD user
    >
    >
    > when running radtest using the AD username ADpassword-OTPpin
    all works
    > great
    >
    >
    > My issue is I now need my vpn users to connect to the
    firewall/vpn
    > endpoint and get authed in the same way
    >
    >
    > When connecting via VPN the request goes through to the
    privacyIDEA
    > freeradius server but get's rejected.
    > I'm assuming it's because it's using MSCHAP.
    >
    >
    > Any help getting this scenario to work would be really
    helpful
    >
    >
    > --
    > Please read the blog post about getting help
    > https://www.privacyidea.org/getting-help/.
    >
    > For professional services and consultancy regarding two
    factor
    > authentication please visit
    > https://netknights.it/en/leistungen/one-time-services/
    >
    > In an enterprise environment you should get a SERVICE LEVEL
    AGREEMENT
    > which suites your needs for SECURITY, AVAILABILITY and
    LIABILITY:
    >
    https://netknights.it/en/leistungen/service-level-agreements/
    > ---
    > You received this message because you are subscribed to the
    Google
    > Groups "privacyidea" group.
    > To unsubscribe from this group and stop receiving emails
    from it, send
    > an email to privacyidea+unsubscribe@googlegroups.com.
    > To post to this group, send email to
    privacyidea@googlegroups.com.
    > Visit this group at
    https://groups.google.com/group/privacyidea.
    > To view this discussion on the web visit
    >

https://groups.google.com/d/msgid/privacyidea/58f3f108-8bb4-402f-9e2f-e816bab7525b%40googlegroups.com
.

    > For more options, visit https://groups.google.com/d/optout.

    --
    Cornelius Kölbel
    cornelius.koelbel@netknights.it
    +49 151 2960 1417

    NetKnights GmbH
    http://www.netknights.it
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany
    Tel: +49 561 3166797, Fax: +49 561 3166798

    Amtsgericht Kassel, HRB 16405
    Geschäftsführer: Cornelius Kölbel


    --
    Please read the blog post about getting help
    https://www.privacyidea.org/getting-help/.

    For professional services and consultancy regarding two factor
    authentication please visit
    https://netknights.it/en/leistungen/one-time-services/

    In an enterprise environment you should get a SERVICE LEVEL
    AGREEMENT which suites your needs for SECURITY, AVAILABILITY
    and LIABILITY:
    https://netknights.it/en/leistungen/service-level-agreements/
    ---
    You received this message because you are subscribed to a
    topic in the Google Groups "privacyidea" group.
    To unsubscribe from this topic, visit

https://groups.google.com/d/topic/privacyidea/sQxd_4To7Go/unsubscribe.

    To unsubscribe from this group and all its topics, send an
    email to privacyidea+unsubscribe@googlegroups.com.
    To post to this group, send email to
    privacyidea@googlegroups.com.
    Visit this group at
    https://groups.google.com/group/privacyidea.
    To view this discussion on the web visit

https://groups.google.com/d/msgid/privacyidea/1454665927.20654.119.camel%40puckel
.

    For more options, visit https://groups.google.com/d/optout.


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit

https://groups.google.com/d/msgid/privacyidea/CAAyQAQR1VnFNixU_EmNGoWbVF1ceCTqXMgYCHGDNPYJg0PA4nA%40mail.gmail.com
.

For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
cornelius.koelbel@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to a topic in the
Google Groups “privacyidea” group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/privacyidea/sQxd_4To7Go/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/1454666981.20654.123.camel%40puckel
.
For more options, visit https://groups.google.com/d/optout.

I am able to auth with a freeradius server using ldap and mschapv2 which is
a good solution but I wanted 2 factor auth hence the reason for looking
into privacyIDEA.
Basically I have some users in the financial sector who want a 2-factor
auth VPN. My options may be to go with something like RSA secureid or
something similar but I’d really like to use something open source. Happy
to pay. I’d rather contribute to open source than finance the tech giants.

Stephen Horvath
Director
( MCSE | CCNA | MTCNA | MTCRE )—

Workshop IT:
5 Cowcross Street London EC1M 6DW
*t: *020 7183 0498
*e: *@Stephen_Horvath
w: www.workshopit.co.uk
Registered in England and Wales: 8366747

On 5 February 2016 at 10:11, Stephen Horvath <@Stephen_Horvath> wrote:

It does work using pap but aren’t there security concerns using pap?

Stephen Horvath
Director
( MCSE | CCNA | MTCNA | MTCRE )

Workshop IT:
5 Cowcross Street London EC1M 6DW
*t: *020 7183 0498
*e: *@Stephen_Horvath
w: www.workshopit.co.uk
Registered in England and Wales: 8366747

On 5 February 2016 at 10:09, Cornelius Kölbel < cornelius.koelbel@netknights.it> wrote:

Hi Stephen,

you can use RADIUS, but only with PAP. With plain normal RADIUS this
works like a charm.
Anyway, it might depend on your VPN server.

But you have the right setup:

  • VPN-Server asks FreeRADIUS
  • FreeRADIUS users rlm_perl/privacyidea to ask privacyIDEA.
  • privacyIDEA finds user in AD
  • privacyIDEA checks OTP value and responds to rlm_perl/FreeRADIUS

If you need detailed help on this, just drop me a note.

Kind regards
Cornelius

Am Freitag, den 05.02.2016, 10:02 +0000 schrieb Stephen Horvath:

Thanks,
I was pretty excited to find privacyIDEA and it looked like it would
do everything I wanted…
I only need to auth VPN access using OTP authing against an AD server.
Can you recommend a way of doing this another way?

Stephen Horvath
Director

( MCSE | CCNA | MTCNA | MTCRE )

Workshop IT:
5 Cowcross Street London EC1M 6DW

t: 020 7183 0498
e: @Stephen_Horvath
w: www.workshopit.co.uk
Registered in England and Wales: 8366747

On 5 February 2016 at 09:52, Cornelius Kölbel cornelius.koelbel@netknights.it wrote:
Hi Stephan,

    connecting the application, in this scenario the VPN via
    RADIUS, is
    often the interesting part.

    Especially with a VPN and RADIUS there are often difficulties
    which I
    solve in remote sessions with the customers.

    1. MSCHAP is not supported by the RADIUS-Plugin. MSCHAP does
    not easily
    work well with OTP.
    2. Run freeradius in debug mode (-X)
    3. Check the secrets.
    4. Often VPN servers expect special attributes in the response
    to put
    the users into certain groups.

    Kind regards
    Cornelius

    Am Freitag, den 05.02.2016, 01:35 -0800 schrieb Stephen
    Horvath:
    > Hi,
    > I need some help getting this to work
    > I have a PrivacyIDEA server (2.9-1) with the radius module
    > My aim is to auth as follows
    > clientVPN (ipsec) -> Firewall (aaa enabled pointing to
    privacyIDEA
    > server) using AD credentials
    >
    >
    > I have set up the following
    > PrivacyIDEA:
    > Radius module installed and freeradius running on the same
    server (all
    > set up using the package manager)
    > I have an LDAP resolver (AD) which works and pulls my users
    > successfully from a samba4 active directory server
    > I have a policy using otppin-userstore so it uses the AD
    password
    > I have a Realm using the LDAP resolver
    > I have a token (TOTP) mapped to an AD user
    >
    >
    > when running radtest using the AD username ADpassword-OTPpin
    all works
    > great
    >
    >
    > My issue is I now need my vpn users to connect to the
    firewall/vpn
    > endpoint and get authed in the same way
    >
    >
    > When connecting via VPN the request goes through to the
    privacyIDEA
    > freeradius server but get's rejected.
    > I'm assuming it's because it's using MSCHAP.
    >
    >
    > Any help getting this scenario to work would be really
    helpful
    >
    >
    > --
    > Please read the blog post about getting help
    > https://www.privacyidea.org/getting-help/.
    >
    > For professional services and consultancy regarding two
    factor
    > authentication please visit
    > https://netknights.it/en/leistungen/one-time-services/
    >
    > In an enterprise environment you should get a SERVICE LEVEL
    AGREEMENT
    > which suites your needs for SECURITY, AVAILABILITY and
    LIABILITY:
    >
    https://netknights.it/en/leistungen/service-level-agreements/
    > ---
    > You received this message because you are subscribed to the
    Google
    > Groups "privacyidea" group.
    > To unsubscribe from this group and stop receiving emails
    from it, send
    > an email to privacyidea+unsubscribe@googlegroups.com.
    > To post to this group, send email to
    privacyidea@googlegroups.com.
    > Visit this group at
    https://groups.google.com/group/privacyidea.
    > To view this discussion on the web visit
    >

https://groups.google.com/d/msgid/privacyidea/58f3f108-8bb4-402f-9e2f-e816bab7525b%40googlegroups.com
.

    > For more options, visit https://groups.google.com/d/optout.

    --
    Cornelius Kölbel
    cornelius.koelbel@netknights.it
    +49 151 2960 1417

    NetKnights GmbH
    http://www.netknights.it
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany
    Tel: +49 561 3166797, Fax: +49 561 3166798

    Amtsgericht Kassel, HRB 16405
    Geschäftsführer: Cornelius Kölbel


    --
    Please read the blog post about getting help
    https://www.privacyidea.org/getting-help/.

    For professional services and consultancy regarding two factor
    authentication please visit
    https://netknights.it/en/leistungen/one-time-services/

    In an enterprise environment you should get a SERVICE LEVEL
    AGREEMENT which suites your needs for SECURITY, AVAILABILITY
    and LIABILITY:
    https://netknights.it/en/leistungen/service-level-agreements/
    ---
    You received this message because you are subscribed to a
    topic in the Google Groups "privacyidea" group.
    To unsubscribe from this topic, visit

https://groups.google.com/d/topic/privacyidea/sQxd_4To7Go/unsubscribe.

    To unsubscribe from this group and all its topics, send an
    email to privacyidea+unsubscribe@googlegroups.com.
    To post to this group, send email to
    privacyidea@googlegroups.com.
    Visit this group at
    https://groups.google.com/group/privacyidea.
    To view this discussion on the web visit

https://groups.google.com/d/msgid/privacyidea/1454665927.20654.119.camel%40puckel
.

    For more options, visit https://groups.google.com/d/optout.


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit

https://groups.google.com/d/msgid/privacyidea/CAAyQAQR1VnFNixU_EmNGoWbVF1ceCTqXMgYCHGDNPYJg0PA4nA%40mail.gmail.com
.

For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
cornelius.koelbel@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to a topic in the
Google Groups “privacyidea” group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/privacyidea/sQxd_4To7Go/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/1454666981.20654.123.camel%40puckel
.
For more options, visit https://groups.google.com/d/optout.

It does work using pap but aren’t there security concerns using pap?

Stephen Horvath
Director
( MCSE | CCNA | MTCNA | MTCRE )—

Workshop IT:
5 Cowcross Street London EC1M 6DW
*t: *020 7183 0498
*e: *@Stephen_Horvath
w: www.workshopit.co.uk
Registered in England and Wales: 8366747

On 5 February 2016 at 10:09, Cornelius Kölbel < cornelius.koelbel@netknights.it> wrote:

Hi Stephen,

you can use RADIUS, but only with PAP. With plain normal RADIUS this
works like a charm.
Anyway, it might depend on your VPN server.

But you have the right setup:

  • VPN-Server asks FreeRADIUS
  • FreeRADIUS users rlm_perl/privacyidea to ask privacyIDEA.
  • privacyIDEA finds user in AD
  • privacyIDEA checks OTP value and responds to rlm_perl/FreeRADIUS

If you need detailed help on this, just drop me a note.

Kind regards
Cornelius

Am Freitag, den 05.02.2016, 10:02 +0000 schrieb Stephen Horvath:

Thanks,
I was pretty excited to find privacyIDEA and it looked like it would
do everything I wanted…
I only need to auth VPN access using OTP authing against an AD server.
Can you recommend a way of doing this another way?

Stephen Horvath
Director

( MCSE | CCNA | MTCNA | MTCRE )

Workshop IT:
5 Cowcross Street London EC1M 6DW

t: 020 7183 0498
e: @Stephen_Horvath
w: www.workshopit.co.uk
Registered in England and Wales: 8366747

On 5 February 2016 at 09:52, Cornelius Kölbel cornelius.koelbel@netknights.it wrote:
Hi Stephan,

    connecting the application, in this scenario the VPN via
    RADIUS, is
    often the interesting part.

    Especially with a VPN and RADIUS there are often difficulties
    which I
    solve in remote sessions with the customers.

    1. MSCHAP is not supported by the RADIUS-Plugin. MSCHAP does
    not easily
    work well with OTP.
    2. Run freeradius in debug mode (-X)
    3. Check the secrets.
    4. Often VPN servers expect special attributes in the response
    to put
    the users into certain groups.

    Kind regards
    Cornelius

    Am Freitag, den 05.02.2016, 01:35 -0800 schrieb Stephen
    Horvath:
    > Hi,
    > I need some help getting this to work
    > I have a PrivacyIDEA server (2.9-1) with the radius module
    > My aim is to auth as follows
    > clientVPN (ipsec) -> Firewall (aaa enabled pointing to
    privacyIDEA
    > server) using AD credentials
    >
    >
    > I have set up the following
    > PrivacyIDEA:
    > Radius module installed and freeradius running on the same
    server (all
    > set up using the package manager)
    > I have an LDAP resolver (AD) which works and pulls my users
    > successfully from a samba4 active directory server
    > I have a policy using otppin-userstore so it uses the AD
    password
    > I have a Realm using the LDAP resolver
    > I have a token (TOTP) mapped to an AD user
    >
    >
    > when running radtest using the AD username ADpassword-OTPpin
    all works
    > great
    >
    >
    > My issue is I now need my vpn users to connect to the
    firewall/vpn
    > endpoint and get authed in the same way
    >
    >
    > When connecting via VPN the request goes through to the
    privacyIDEA
    > freeradius server but get's rejected.
    > I'm assuming it's because it's using MSCHAP.
    >
    >
    > Any help getting this scenario to work would be really
    helpful
    >
    >
    > --
    > Please read the blog post about getting help
    > https://www.privacyidea.org/getting-help/.
    >
    > For professional services and consultancy regarding two
    factor
    > authentication please visit
    > https://netknights.it/en/leistungen/one-time-services/
    >
    > In an enterprise environment you should get a SERVICE LEVEL
    AGREEMENT
    > which suites your needs for SECURITY, AVAILABILITY and
    LIABILITY:
    >
    https://netknights.it/en/leistungen/service-level-agreements/
    > ---
    > You received this message because you are subscribed to the
    Google
    > Groups "privacyidea" group.
    > To unsubscribe from this group and stop receiving emails
    from it, send
    > an email to privacyidea+unsubscribe@googlegroups.com.
    > To post to this group, send email to
    privacyidea@googlegroups.com.
    > Visit this group at
    https://groups.google.com/group/privacyidea.
    > To view this discussion on the web visit
    >

https://groups.google.com/d/msgid/privacyidea/58f3f108-8bb4-402f-9e2f-e816bab7525b%40googlegroups.com
.

    > For more options, visit https://groups.google.com/d/optout.

    --
    Cornelius Kölbel
    cornelius.koelbel@netknights.it
    +49 151 2960 1417

    NetKnights GmbH
    http://www.netknights.it
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany
    Tel: +49 561 3166797, Fax: +49 561 3166798

    Amtsgericht Kassel, HRB 16405
    Geschäftsführer: Cornelius Kölbel


    --
    Please read the blog post about getting help
    https://www.privacyidea.org/getting-help/.

    For professional services and consultancy regarding two factor
    authentication please visit
    https://netknights.it/en/leistungen/one-time-services/

    In an enterprise environment you should get a SERVICE LEVEL
    AGREEMENT which suites your needs for SECURITY, AVAILABILITY
    and LIABILITY:
    https://netknights.it/en/leistungen/service-level-agreements/
    ---
    You received this message because you are subscribed to a
    topic in the Google Groups "privacyidea" group.
    To unsubscribe from this topic, visit

https://groups.google.com/d/topic/privacyidea/sQxd_4To7Go/unsubscribe.

    To unsubscribe from this group and all its topics, send an
    email to privacyidea+unsubscribe@googlegroups.com.
    To post to this group, send email to
    privacyidea@googlegroups.com.
    Visit this group at
    https://groups.google.com/group/privacyidea.
    To view this discussion on the web visit

https://groups.google.com/d/msgid/privacyidea/1454665927.20654.119.camel%40puckel
.

    For more options, visit https://groups.google.com/d/optout.


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit

https://groups.google.com/d/msgid/privacyidea/CAAyQAQR1VnFNixU_EmNGoWbVF1ceCTqXMgYCHGDNPYJg0PA4nA%40mail.gmail.com
.

For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
cornelius.koelbel@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to a topic in the
Google Groups “privacyidea” group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/privacyidea/sQxd_4To7Go/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/1454666981.20654.123.camel%40puckel
.
For more options, visit https://groups.google.com/d/optout.

Hi Stephan,

connecting the application, in this scenario the VPN via RADIUS, is
often the interesting part.

Especially with a VPN and RADIUS there are often difficulties which I
solve in remote sessions with the customers.

  1. MSCHAP is not supported by the RADIUS-Plugin. MSCHAP does not easily
    work well with OTP.
  2. Run freeradius in debug mode (-X)
  3. Check the secrets.
  4. Often VPN servers expect special attributes in the response to put
    the users into certain groups.

Kind regards
CorneliusAm Freitag, den 05.02.2016, 01:35 -0800 schrieb Stephen Horvath:

Hi,
I need some help getting this to work
I have a PrivacyIDEA server (2.9-1) with the radius module
My aim is to auth as follows
clientVPN (ipsec) -> Firewall (aaa enabled pointing to privacyIDEA
server) using AD credentials

I have set up the following
PrivacyIDEA:
Radius module installed and freeradius running on the same server (all
set up using the package manager)
I have an LDAP resolver (AD) which works and pulls my users
successfully from a samba4 active directory server
I have a policy using otppin-userstore so it uses the AD password
I have a Realm using the LDAP resolver
I have a token (TOTP) mapped to an AD user

when running radtest using the AD username ADpassword-OTPpin all works
great

My issue is I now need my vpn users to connect to the firewall/vpn
endpoint and get authed in the same way

When connecting via VPN the request goes through to the privacyIDEA
freeradius server but get’s rejected.
I’m assuming it’s because it’s using MSCHAP.

Any help getting this scenario to work would be really helpful


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/58f3f108-8bb4-402f-9e2f-e816bab7525b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

Thanks,
I was pretty excited to find privacyIDEA and it looked like it would do
everything I wanted…
I only need to auth VPN access using OTP authing against an AD server.
Can you recommend a way of doing this another way?

Stephen Horvath
Director
( MCSE | CCNA | MTCNA | MTCRE )—

Workshop IT:
5 Cowcross Street London EC1M 6DW
*t: *020 7183 0498
*e: *@Stephen_Horvath
w: www.workshopit.co.uk
Registered in England and Wales: 8366747

On 5 February 2016 at 09:52, Cornelius Kölbel < cornelius.koelbel@netknights.it> wrote:

Hi Stephan,

connecting the application, in this scenario the VPN via RADIUS, is
often the interesting part.

Especially with a VPN and RADIUS there are often difficulties which I
solve in remote sessions with the customers.

  1. MSCHAP is not supported by the RADIUS-Plugin. MSCHAP does not easily
    work well with OTP.
  2. Run freeradius in debug mode (-X)
  3. Check the secrets.
  4. Often VPN servers expect special attributes in the response to put
    the users into certain groups.

Kind regards
Cornelius

Am Freitag, den 05.02.2016, 01:35 -0800 schrieb Stephen Horvath:

Hi,
I need some help getting this to work
I have a PrivacyIDEA server (2.9-1) with the radius module
My aim is to auth as follows
clientVPN (ipsec) -> Firewall (aaa enabled pointing to privacyIDEA
server) using AD credentials

I have set up the following
PrivacyIDEA:
Radius module installed and freeradius running on the same server (all
set up using the package manager)
I have an LDAP resolver (AD) which works and pulls my users
successfully from a samba4 active directory server
I have a policy using otppin-userstore so it uses the AD password
I have a Realm using the LDAP resolver
I have a token (TOTP) mapped to an AD user

when running radtest using the AD username ADpassword-OTPpin all works
great

My issue is I now need my vpn users to connect to the firewall/vpn
endpoint and get authed in the same way

When connecting via VPN the request goes through to the privacyIDEA
freeradius server but get’s rejected.
I’m assuming it’s because it’s using MSCHAP.

Any help getting this scenario to work would be really helpful


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit

https://groups.google.com/d/msgid/privacyidea/58f3f108-8bb4-402f-9e2f-e816bab7525b%40googlegroups.com
.

For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
cornelius.koelbel@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to a topic in the
Google Groups “privacyidea” group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/privacyidea/sQxd_4To7Go/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/1454665927.20654.119.camel%40puckel
.
For more options, visit https://groups.google.com/d/optout.

Hi,
I’m not concerned about security between AD, radius server. They are in a
secure environment and (for now) we have no PCI requirement.
I just want to offer the end user 2-factor auth for remote client vpn and
it must be secure of course.
They currently use IPSEC client to firewall -> freeradius server using ldap
and ,mschap authing against active directory (samba4)
However, their clients are not happy with this and want them to use
2-factor auth. They really want the OTP feature added in.
If using IPSEC with a shared secret then using PAP to auth the user either
using a pin or their AD password in addition to the OTP is as secure as
what they are using with the added bonus of using a OTP then I’m happy to
go ahead and use this.

Stephen Horvath
Director
( MCSE | CCNA | MTCNA | MTCRE )—

Workshop IT:
5 Cowcross Street London EC1M 6DW
*t: *020 7183 0498
*e: *@Stephen_Horvath
w: www.workshopit.co.uk
Registered in England and Wales: 8366747

On 5 February 2016 at 10:40, Cornelius Kölbel < cornelius.koelbel@netknights.it> wrote:

The RADIUS protocol is plain text. Even MSCHAP transmits all other
information in plain text. You can get all information who is
successfully authenticating when.
So if you do not want to sniff anyone. Yes, use an encryption like a VPN
between the VPN and the RADIUS Server.

Am Freitag, den 05.02.2016, 10:18 +0000 schrieb Stephen Horvath:

Am I right in my assumption though that using pap with ipsec shouldn’t
be a security issue as it’s done within the ipsec tunnel?
If so then pap is the answer

Stephen Horvath
Director

( MCSE | CCNA | MTCNA | MTCRE )

Workshop IT:
5 Cowcross Street London EC1M 6DW

t: 020 7183 0498
e: @Stephen_Horvath
w: www.workshopit.co.uk
Registered in England and Wales: 8366747

On 5 February 2016 at 10:16, Stephen Horvath <@Stephen_Horvath> wrote:
I am able to auth with a freeradius server using ldap and
mschapv2 which is a good solution but I wanted 2 factor auth
hence the reason for looking into privacyIDEA.
Basically I have some users in the financial sector who want a
2-factor auth VPN. My options may be to go with something like
RSA secureid or something similar but I’d really like to use
something open source. Happy to pay. I’d rather contribute to
open source than finance the tech giants.

    Stephen Horvath
    Director

    ( MCSE | CCNA | MTCNA | MTCRE )
    ---


    Workshop IT:
    5 Cowcross Street London EC1M 6DW

    t: 020 7183 0498
    e: @Stephen_Horvath
    w: www.workshopit.co.uk
    Registered in England and Wales: 8366747

    On 5 February 2016 at 10:11, Stephen Horvath <@Stephen_Horvath> wrote:
            It does work using pap but aren't there security
            concerns using pap?



            Stephen Horvath
            Director

            ( MCSE | CCNA | MTCNA | MTCRE )
            ---


            Workshop IT:
            5 Cowcross Street London EC1M 6DW

            t: 020 7183 0498
            e: @Stephen_Horvath
            w: www.workshopit.co.uk
            Registered in England and Wales: 8366747

            On 5 February 2016 at 10:09, Cornelius Kölbel <cornelius.koelbel@netknights.it> wrote:
                    Hi Stephen,

                    you can use RADIUS, but only with PAP. With
                    plain normal RADIUS this
                    works like a charm.
                    Anyway, it might depend on your VPN server.

                    But you have the right setup:

                    * VPN-Server asks FreeRADIUS
                    * FreeRADIUS users rlm_perl/privacyidea to ask
                    privacyIDEA.
                    * privacyIDEA finds user in AD
                    * privacyIDEA checks OTP value and responds to
                    rlm_perl/FreeRADIUS

                    If you need detailed help on this, just drop
                    me a note.

                    Kind regards
                    Cornelius


                    Am Freitag, den 05.02.2016, 10:02 +0000
                    schrieb Stephen Horvath:
                    > Thanks,
                    > I was pretty excited to find privacyIDEA and
                    it looked like it would
                    > do everything I wanted...
                    > I only need to auth VPN access using OTP
                    authing against an AD server.
                    > Can you recommend a way of doing this
                    another way?
                    >
                    >
                    >
                    > Stephen Horvath
                    > Director
                    >
                    > ( MCSE | CCNA | MTCNA | MTCRE )
                    > ---
                    >
                    >
                    > Workshop IT:
                    > 5 Cowcross Street London EC1M 6DW
                    >
                    > t: 020 7183 0498
                    > e: @Stephen_Horvath
                    > w: www.workshopit.co.uk
                    > Registered in England and Wales: 8366747
                    >
                    > On 5 February 2016 at 09:52, Cornelius Kölbel <cornelius.koelbel@netknights.it> wrote:
                    >         Hi Stephan,
                    >
                    >         connecting the application, in this
                    scenario the VPN via
                    >         RADIUS, is
                    >         often the interesting part.
                    >
                    >         Especially with a VPN and RADIUS
                    there are often difficulties
                    >         which I
                    >         solve in remote sessions with the
                    customers.
                    >
                    >         1. MSCHAP is not supported by the
                    RADIUS-Plugin. MSCHAP does
                    >         not easily
                    >         work well with OTP.
                    >         2. Run freeradius in debug mode (-X)
                    >         3. Check the secrets.
                    >         4. Often VPN servers expect special
                    attributes in the response
                    >         to put
                    >         the users into certain groups.
                    >
                    >         Kind regards
                    >         Cornelius
                    >
                    >         Am Freitag, den 05.02.2016, 01:35
                    -0800 schrieb Stephen
                    >         Horvath:
                    >         > Hi,
                    >         > I need some help getting this to
                    work
                    >         > I have a PrivacyIDEA server
                    (2.9-1) with the radius module
                    >         > My aim is to auth as follows
                    >         > clientVPN (ipsec) -> Firewall (aaa
                    enabled pointing to
                    >         privacyIDEA
                    >         > server) using AD credentials
                    >         >
                    >         >
                    >         > I have set up the following
                    >         > PrivacyIDEA:
                    >         > Radius module installed and
                    freeradius running on the same
                    >         server (all
                    >         > set up using the package manager)
                    >         > I have an LDAP resolver (AD) which
                    works and pulls my users
                    >         > successfully from a samba4 active
                    directory server
                    >         > I have a policy using
                    otppin-userstore so it uses the AD
                    >         password
                    >         > I have a Realm using the LDAP
                    resolver
                    >         > I have a token (TOTP) mapped to an
                    AD user
                    >         >
                    >         >
                    >         > when running radtest using the AD
                    username ADpassword-OTPpin
                    >         all works
                    >         > great
                    >         >
                    >         >
                    >         > My issue is I now need my vpn
                    users to connect to the
                    >         firewall/vpn
                    >         > endpoint and get authed in the
                    same way
                    >         >
                    >         >
                    >         > When connecting via VPN the
                    request goes through to the
                    >         privacyIDEA
                    >         > freeradius server but get's
                    rejected.
                    >         > I'm assuming it's because it's
                    using MSCHAP.
                    >         >
                    >         >
                    >         > Any help getting this scenario to
                    work would be really
                    >         helpful
                    >         >
                    >         >
                    >         > --
                    >         > Please read the blog post about
                    getting help
                    >         >
                    https://www.privacyidea.org/getting-help/.
                    >         >
                    >         > For professional services and
                    consultancy regarding two
                    >         factor
                    >         > authentication please visit
                    >         >

https://netknights.it/en/leistungen/one-time-services/

                    >         >
                    >         > In an enterprise environment you
                    should get a SERVICE LEVEL
                    >         AGREEMENT
                    >         > which suites your needs for
                    SECURITY, AVAILABILITY and
                    >         LIABILITY:
                    >         >
                    >

https://netknights.it/en/leistungen/service-level-agreements/

                    >         > ---
                    >         > You received this message because
                    you are subscribed to the
                    >         Google
                    >         > Groups "privacyidea" group.
                    >         > To unsubscribe from this group and
                    stop receiving emails
                    >         from it, send
                    >         > an email to privacyidea
                    +unsubscribe@googlegroups.com.
                    >         > To post to this group, send email
                    to
                    >         privacyidea@googlegroups.com.
                    >         > Visit this group at
                    >
                     https://groups.google.com/group/privacyidea.
                    >         > To view this discussion on the web
                    visit
                    >         >
                    >

https://groups.google.com/d/msgid/privacyidea/58f3f108-8bb4-402f-9e2f-e816bab7525b%40googlegroups.com
.

                    >         > For more options, visit
                    https://groups.google.com/d/optout.
                    >
                    >         --
                    >         Cornelius Kölbel
                    >         cornelius.koelbel@netknights.it
                    >         +49 151 2960 1417
                    >
                    >         NetKnights GmbH
                    >         http://www.netknights.it
                    >         Landgraf-Karl-Str. 19, 34131 Kassel,
                    Germany
                    >         Tel: +49 561 3166797, Fax: +49 561
                    3166798
                    >
                    >         Amtsgericht Kassel, HRB 16405
                    >         Geschäftsführer: Cornelius Kölbel
                    >
                    >
                    >         --
                    >         Please read the blog post about
                    getting help
                    >
                     https://www.privacyidea.org/getting-help/.
                    >
                    >         For professional services and
                    consultancy regarding two factor
                    >         authentication please visit
                    >

https://netknights.it/en/leistungen/one-time-services/

                    >
                    >         In an enterprise environment you
                    should get a SERVICE LEVEL
                    >         AGREEMENT which suites your needs
                    for SECURITY, AVAILABILITY
                    >         and LIABILITY:
                    >

https://netknights.it/en/leistungen/service-level-agreements/

                    >         ---
                    >         You received this message because
                    you are subscribed to a
                    >         topic in the Google Groups
                    "privacyidea" group.
                    >         To unsubscribe from this topic,
                    visit
                    >

https://groups.google.com/d/topic/privacyidea/sQxd_4To7Go/unsubscribe.

                    >         To unsubscribe from this group and
                    all its topics, send an
                    >         email to privacyidea
                    +unsubscribe@googlegroups.com.
                    >         To post to this group, send email to
                    >         privacyidea@googlegroups.com.
                    >         Visit this group at
                    >
                     https://groups.google.com/group/privacyidea.
                    >         To view this discussion on the web
                    visit
                    >

https://groups.google.com/d/msgid/privacyidea/1454665927.20654.119.camel%40puckel
.

                    >         For more options, visit
                    https://groups.google.com/d/optout.
                    >
                    >
                    > --
                    > Please read the blog post about getting help
                    > https://www.privacyidea.org/getting-help/.
                    >
                    > For professional services and consultancy
                    regarding two factor
                    > authentication please visit
                    >

https://netknights.it/en/leistungen/one-time-services/

                    >
                    > In an enterprise environment you should get
                    a SERVICE LEVEL AGREEMENT
                    > which suites your needs for SECURITY,
                    AVAILABILITY and LIABILITY:
                    >

https://netknights.it/en/leistungen/service-level-agreements/

                    > ---
                    > You received this message because you are
                    subscribed to the Google
                    > Groups "privacyidea" group.
                    > To unsubscribe from this group and stop
                    receiving emails from it, send
                    > an email to privacyidea
                    +unsubscribe@googlegroups.com.
                    > To post to this group, send email to
                    privacyidea@googlegroups.com.
                    > Visit this group at
                    https://groups.google.com/group/privacyidea.
                    > To view this discussion on the web visit

                    >

https://groups.google.com/d/msgid/privacyidea/CAAyQAQR1VnFNixU_EmNGoWbVF1ceCTqXMgYCHGDNPYJg0PA4nA%40mail.gmail.com
.

                    > For more options, visit
                    https://groups.google.com/d/optout.

                    --
                    Cornelius Kölbel
                    cornelius.koelbel@netknights.it
                    +49 151 2960 1417

                    NetKnights GmbH
                    http://www.netknights.it
                    Landgraf-Karl-Str. 19, 34131 Kassel, Germany
                    Tel: +49 561 3166797, Fax: +49 561 3166798

                    Amtsgericht Kassel, HRB 16405
                    Geschäftsführer: Cornelius Kölbel


                    --
                    Please read the blog post about getting help
                    https://www.privacyidea.org/getting-help/.

                    For professional services and consultancy
                    regarding two factor authentication please
                    visit

https://netknights.it/en/leistungen/one-time-services/

                    In an enterprise environment you should get a
                    SERVICE LEVEL AGREEMENT which suites your
                    needs for SECURITY, AVAILABILITY and
                    LIABILITY:

https://netknights.it/en/leistungen/service-level-agreements/

                    ---
                    You received this message because you are
                    subscribed to a topic in the Google Groups
                    "privacyidea" group.
                    To unsubscribe from this topic, visit

https://groups.google.com/d/topic/privacyidea/sQxd_4To7Go/unsubscribe.

                    To unsubscribe from this group and all its
                    topics, send an email to privacyidea
                    +unsubscribe@googlegroups.com.
                    To post to this group, send email to
                    privacyidea@googlegroups.com.
                    Visit this group at
                    https://groups.google.com/group/privacyidea.
                    To view this discussion on the web visit

https://groups.google.com/d/msgid/privacyidea/1454666981.20654.123.camel%40puckel
.

                    For more options, visit
                    https://groups.google.com/d/optout.


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit

https://groups.google.com/d/msgid/privacyidea/CAAyQAQSi5DOYFXvg75gDzcneS2vAiAsCgDjVukNxUFY_iasXig%40mail.gmail.com
.

For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
cornelius.koelbel@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to a topic in the
Google Groups “privacyidea” group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/privacyidea/sQxd_4To7Go/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/1454668808.20654.146.camel%40puckel
.
For more options, visit https://groups.google.com/d/optout.

Hi Stephan,

good to hear this.

There are always security concerns. Only others.

With using PAP the password transmitted over the wire is encrypted using
the RADIUS secret. This is why you should choose a good RADIUS secret
which is at least as long as the usual passwords.

With MSCHAPv2 the password is not transmitted. But the password hash is
used. Usually this is ok, since the password is also hashed in active
directory. This way you can use the password from active directory.

Now comes the problem and thus the other security concerns:
If you are authenticating with two factors like:

    <AD-Password> + <OTP>

Using MSCHAPv2 is not possible, since you would have to store the
password encrypted - not hashed.
Then privacyIDEA would have to READ the password from AD, decrypt it to
generate

    HASH( ADpassword + OTP)

since

    HASH(ADpassword + OTP) != HASH(ADPassword) + HASH(OTP)

But you DO NOT WANT to store the password in an encrypted way.

OK, if you are using privacyIDEA OTP PIN (not the AD password) like

    <OTP PIN> + <OTP>

then you have the same thing. privacyIDEA can save the OTP PINs (which
are also passwords) in an encrypted a.k.a. decryptable way.
You may think about it, if you like it at this point.

But even if we do so, there is another only small problem:

We do not know, which hash was calculated by the client side:
The user could have entered either PIN + OTPvalue1 or PIN + OTPvalue2
oder PIN+OTPvalue3…

So we do not know which of the many possible hashes the user had used.
So the protocol gets a bit more complicated (complicated not
impossible).
This could be implemented but it is simply not implemented at the moment
(Please again note: You would have to store the passwords decrypteable)

The next security concern is, that you really really do not want to use
RSA SecurID :wink:
I do not elaborate on this :wink:

So the questions are:

  • Do you want a really strong 2nd factor or only a weak one.
  • Would you want to use AD-Password or OTP-PIN (which is also a
    password)
  • Are you more concerned about someone stealing the RADIUS Secret,
    sniffing your network and getting the OTP PIN or about backdoors,
    delivery chains of preseeded proprietary tokens etc. etc.

As mentioned, yes it is a security concern. But as always it is your
decision which risks you are willing to take and I can only point out
some details.

Finally:

If your VPN supports a two step authentication like

  • first authenticating against one RADIUS and
  • then against another

you can do it like:

  1. Authenticate with AD-Password via MSCHAPv2 against NPS
  2. Authenticate with OTP via PAP against FreeRADIUS

But then again a security concern: Some customers do not like their
users to use their LDAP password in the wild! Since the risk of shoulder
surfing (either by human eye or camera) when entering the AD password
could be seen as higher.

I hope I gave you some input on making up your mind.
Anyway: If you are really into MSCHAPv2 we can also talk about this.

I am looking forward to your response.

Kind regards
CorneliusAm Freitag, den 05.02.2016, 10:16 +0000 schrieb Stephen Horvath:

I am able to auth with a freeradius server using ldap and mschapv2
which is a good solution but I wanted 2 factor auth hence the reason
for looking into privacyIDEA.
Basically I have some users in the financial sector who want a
2-factor auth VPN. My options may be to go with something like RSA
secureid or something similar but I’d really like to use something
open source. Happy to pay. I’d rather contribute to open source than
finance the tech giants.

Stephen Horvath
Director

( MCSE | CCNA | MTCNA | MTCRE )

Workshop IT:
5 Cowcross Street London EC1M 6DW

t: 020 7183 0498
e: stephen@workshopit.co.uk
w: www.workshopit.co.uk
Registered in England and Wales: 8366747

On 5 February 2016 at 10:11, Stephen Horvath stephen@workshopit.co.uk wrote:
It does work using pap but aren’t there security concerns
using pap?

    Stephen Horvath
    Director
    
    ( MCSE | CCNA | MTCNA | MTCRE )
    ---
    
    
    Workshop IT:
    5 Cowcross Street London EC1M 6DW
    
    t: 020 7183 0498
    e: stephen@workshopit.co.uk
    w: www.workshopit.co.uk
    Registered in England and Wales: 8366747
    
    On 5 February 2016 at 10:09, Cornelius Kölbel <@cornelinux> wrote:
            Hi Stephen,
            
            you can use RADIUS, but only with PAP. With plain
            normal RADIUS this
            works like a charm.
            Anyway, it might depend on your VPN server.
            
            But you have the right setup:
            
            * VPN-Server asks FreeRADIUS
            * FreeRADIUS users rlm_perl/privacyidea to ask
            privacyIDEA.
            * privacyIDEA finds user in AD
            * privacyIDEA checks OTP value and responds to
            rlm_perl/FreeRADIUS
            
            If you need detailed help on this, just drop me a
            note.
            
            Kind regards
            Cornelius
            
            
            Am Freitag, den 05.02.2016, 10:02 +0000 schrieb
            Stephen Horvath:
            > Thanks,
            > I was pretty excited to find privacyIDEA and it
            looked like it would
            > do everything I wanted...
            > I only need to auth VPN access using OTP authing
            against an AD server.
            > Can you recommend a way of doing this another way?
            >
            >
            >
            > Stephen Horvath
            > Director
            >
            > ( MCSE | CCNA | MTCNA | MTCRE )
            > ---
            >
            >
            > Workshop IT:
            > 5 Cowcross Street London EC1M 6DW
            >
            > t: 020 7183 0498
            > e: stephen@workshopit.co.uk
            > w: www.workshopit.co.uk
            > Registered in England and Wales: 8366747
            >
            > On 5 February 2016 at 09:52, Cornelius Kölbel <@cornelinux> wrote:
            >         Hi Stephan,
            >
            >         connecting the application, in this scenario
            the VPN via
            >         RADIUS, is
            >         often the interesting part.
            >
            >         Especially with a VPN and RADIUS there are
            often difficulties
            >         which I
            >         solve in remote sessions with the customers.
            >
            >         1. MSCHAP is not supported by the
            RADIUS-Plugin. MSCHAP does
            >         not easily
            >         work well with OTP.
            >         2. Run freeradius in debug mode (-X)
            >         3. Check the secrets.
            >         4. Often VPN servers expect special
            attributes in the response
            >         to put
            >         the users into certain groups.
            >
            >         Kind regards
            >         Cornelius
            >
            >         Am Freitag, den 05.02.2016, 01:35 -0800
            schrieb Stephen
            >         Horvath:
            >         > Hi,
            >         > I need some help getting this to work
            >         > I have a PrivacyIDEA server (2.9-1) with
            the radius module
            >         > My aim is to auth as follows
            >         > clientVPN (ipsec) -> Firewall (aaa enabled
            pointing to
            >         privacyIDEA
            >         > server) using AD credentials
            >         >
            >         >
            >         > I have set up the following
            >         > PrivacyIDEA:
            >         > Radius module installed and freeradius
            running on the same
            >         server (all
            >         > set up using the package manager)
            >         > I have an LDAP resolver (AD) which works
            and pulls my users
            >         > successfully from a samba4 active
            directory server
            >         > I have a policy using otppin-userstore so
            it uses the AD
            >         password
            >         > I have a Realm using the LDAP resolver
            >         > I have a token (TOTP) mapped to an AD user
            >         >
            >         >
            >         > when running radtest using the AD username
            ADpassword-OTPpin
            >         all works
            >         > great
            >         >
            >         >
            >         > My issue is I now need my vpn users to
            connect to the
            >         firewall/vpn
            >         > endpoint and get authed in the same way
            >         >
            >         >
            >         > When connecting via VPN the request goes
            through to the
            >         privacyIDEA
            >         > freeradius server but get's rejected.
            >         > I'm assuming it's because it's using
            MSCHAP.
            >         >
            >         >
            >         > Any help getting this scenario to work
            would be really
            >         helpful
            >         >
            >         >
            >         > --
            >         > Please read the blog post about getting
            help
            >         > https://www.privacyidea.org/getting-help/.
            >         >
            >         > For professional services and consultancy
            regarding two
            >         factor
            >         > authentication please visit
            >         >
            https://netknights.it/en/leistungen/one-time-services/
            >         >
            >         > In an enterprise environment you should
            get a SERVICE LEVEL
            >         AGREEMENT
            >         > which suites your needs for SECURITY,
            AVAILABILITY and
            >         LIABILITY:
            >         >
            >
             https://netknights.it/en/leistungen/service-level-agreements/
            >         > ---
            >         > You received this message because you are
            subscribed to the
            >         Google
            >         > Groups "privacyidea" group.
            >         > To unsubscribe from this group and stop
            receiving emails
            >         from it, send
            >         > an email to privacyidea
            +unsubscribe@googlegroups.com.
            >         > To post to this group, send email to
            >         privacyidea@googlegroups.com.
            >         > Visit this group at
            >         https://groups.google.com/group/privacyidea.
            >         > To view this discussion on the web visit
            >         >
            >
             https://groups.google.com/d/msgid/privacyidea/58f3f108-8bb4-402f-9e2f-e816bab7525b%40googlegroups.com.
            >         > For more options, visit
            https://groups.google.com/d/optout.
            >
            >         --
            >         Cornelius Kölbel
            >         @cornelinux
            >         +49 151 2960 1417
            >
            >         NetKnights GmbH
            >         http://www.netknights.it
            >         Landgraf-Karl-Str. 19, 34131 Kassel, Germany
            >         Tel: +49 561 3166797, Fax: +49 561 3166798
            >
            >         Amtsgericht Kassel, HRB 16405
            >         Geschäftsführer: Cornelius Kölbel
            >
            >
            >         --
            >         Please read the blog post about getting help
            >         https://www.privacyidea.org/getting-help/.
            >
            >         For professional services and consultancy
            regarding two factor
            >         authentication please visit
            >
             https://netknights.it/en/leistungen/one-time-services/
            >
            >         In an enterprise environment you should get
            a SERVICE LEVEL
            >         AGREEMENT which suites your needs for
            SECURITY, AVAILABILITY
            >         and LIABILITY:
            >
             https://netknights.it/en/leistungen/service-level-agreements/
            >         ---
            >         You received this message because you are
            subscribed to a
            >         topic in the Google Groups "privacyidea"
            group.
            >         To unsubscribe from this topic, visit
            >
             https://groups.google.com/d/topic/privacyidea/sQxd_4To7Go/unsubscribe.
            >         To unsubscribe from this group and all its
            topics, send an
            >         email to privacyidea
            +unsubscribe@googlegroups.com.
            >         To post to this group, send email to
            >         privacyidea@googlegroups.com.
            >         Visit this group at
            >         https://groups.google.com/group/privacyidea.
            >         To view this discussion on the web visit
            >
             https://groups.google.com/d/msgid/privacyidea/1454665927.20654.119.camel%40puckel.
            >         For more options, visit
            https://groups.google.com/d/optout.
            >
            >
            > --
            > Please read the blog post about getting help
            > https://www.privacyidea.org/getting-help/.
            >
            > For professional services and consultancy regarding
            two factor
            > authentication please visit
            >
            https://netknights.it/en/leistungen/one-time-services/
            >
            > In an enterprise environment you should get a
            SERVICE LEVEL AGREEMENT
            > which suites your needs for SECURITY, AVAILABILITY
            and LIABILITY:
            >
            https://netknights.it/en/leistungen/service-level-agreements/
            > ---
            > You received this message because you are subscribed
            to the Google
            > Groups "privacyidea" group.
            > To unsubscribe from this group and stop receiving
            emails from it, send
            > an email to privacyidea
            +unsubscribe@googlegroups.com.
            > To post to this group, send email to
            privacyidea@googlegroups.com.
            > Visit this group at
            https://groups.google.com/group/privacyidea.
            > To view this discussion on the web visit
            
            >
            https://groups.google.com/d/msgid/privacyidea/CAAyQAQR1VnFNixU_EmNGoWbVF1ceCTqXMgYCHGDNPYJg0PA4nA%40mail.gmail.com.
            > For more options, visit
            https://groups.google.com/d/optout.
            
            --
            Cornelius Kölbel
            @cornelinux
            +49 151 2960 1417
            
            NetKnights GmbH
            http://www.netknights.it
            Landgraf-Karl-Str. 19, 34131 Kassel, Germany
            Tel: +49 561 3166797, Fax: +49 561 3166798
            
            Amtsgericht Kassel, HRB 16405
            Geschäftsführer: Cornelius Kölbel
            
            
            --
            Please read the blog post about getting help
            https://www.privacyidea.org/getting-help/.
            
            For professional services and consultancy regarding
            two factor authentication please visit
            https://netknights.it/en/leistungen/one-time-services/
            
            In an enterprise environment you should get a SERVICE
            LEVEL AGREEMENT which suites your needs for SECURITY,
            AVAILABILITY and LIABILITY:
            https://netknights.it/en/leistungen/service-level-agreements/
            ---
            You received this message because you are subscribed
            to a topic in the Google Groups "privacyidea" group.
            To unsubscribe from this topic, visit
            https://groups.google.com/d/topic/privacyidea/sQxd_4To7Go/unsubscribe.
            To unsubscribe from this group and all its topics,
            send an email to privacyidea
            +unsubscribe@googlegroups.com.
            To post to this group, send email to
            privacyidea@googlegroups.com.
            Visit this group at
            https://groups.google.com/group/privacyidea.
            To view this discussion on the web visit
            https://groups.google.com/d/msgid/privacyidea/1454666981.20654.123.camel%40puckel.
            For more options, visit
            https://groups.google.com/d/optout.


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/CAAyQAQSg2ZnUsyE%
3DBy4m22Wh1PdZ_JetcGuH8b9F6Mck-6s-ug%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

Go for it! :-)Am Freitag, den 05.02.2016, 10:48 +0000 schrieb Stephen Horvath:

Hi,
I’m not concerned about security between AD, radius server. They are
in a secure environment and (for now) we have no PCI requirement.
I just want to offer the end user 2-factor auth for remote client vpn
and it must be secure of course.
They currently use IPSEC client to firewall -> freeradius server using
ldap and ,mschap authing against active directory (samba4)
However, their clients are not happy with this and want them to use
2-factor auth. They really want the OTP feature added in.
If using IPSEC with a shared secret then using PAP to auth the user
either using a pin or their AD password in addition to the OTP is as
secure as what they are using with the added bonus of using a OTP then
I’m happy to go ahead and use this.

Stephen Horvath
Director

( MCSE | CCNA | MTCNA | MTCRE )

Workshop IT:
5 Cowcross Street London EC1M 6DW

t: 020 7183 0498
e: stephen@workshopit.co.uk
w: www.workshopit.co.uk
Registered in England and Wales: 8366747

On 5 February 2016 at 10:40, Cornelius Kölbel <@cornelinux> wrote:
The RADIUS protocol is plain text. Even MSCHAP transmits all
other
information in plain text. You can get all information who is
successfully authenticating when.
So if you do not want to sniff anyone. Yes, use an encryption
like a VPN
between the VPN and the RADIUS Server.

    Am Freitag, den 05.02.2016, 10:18 +0000 schrieb Stephen
    Horvath:
    > Am I right in my assumption though that using pap with ipsec
    shouldn't
    > be a security issue as it's done within the ipsec tunnel?
    > If so then pap is the answer
    >
    >
    >
    > Stephen Horvath
    > Director
    >
    > ( MCSE | CCNA | MTCNA | MTCRE )
    > ---
    >
    >
    > Workshop IT:
    > 5 Cowcross Street London EC1M 6DW
    >
    > t: 020 7183 0498
    > e: stephen@workshopit.co.uk
    > w: www.workshopit.co.uk
    > Registered in England and Wales: 8366747
    >
    > On 5 February 2016 at 10:16, Stephen Horvath <stephen@workshopit.co.uk> wrote:
    >         I am able to auth with a freeradius server using
    ldap and
    >         mschapv2 which is a good solution but I wanted 2
    factor auth
    >         hence the reason for looking into privacyIDEA.
    >         Basically I have some users in the financial sector
    who want a
    >         2-factor auth VPN. My options may be to go with
    something like
    >         RSA secureid or something similar but I'd really
    like to use
    >         something open source. Happy to pay. I'd rather
    contribute to
    >         open source than finance the tech giants.
    >
    >
    >
    >         Stephen Horvath
    >         Director
    >
    >         ( MCSE | CCNA | MTCNA | MTCRE )
    >         ---
    >
    >
    >         Workshop IT:
    >         5 Cowcross Street London EC1M 6DW
    >
    >         t: 020 7183 0498
    >         e: stephen@workshopit.co.uk
    >         w: www.workshopit.co.uk
    >         Registered in England and Wales: 8366747
    >
    >         On 5 February 2016 at 10:11, Stephen Horvath <stephen@workshopit.co.uk> wrote:
    >                 It does work using pap but aren't there
    security
    >                 concerns using pap?
    >
    >
    >
    >                 Stephen Horvath
    >                 Director
    >
    >                 ( MCSE | CCNA | MTCNA | MTCRE )
    >                 ---
    >
    >
    >                 Workshop IT:
    >                 5 Cowcross Street London EC1M 6DW
    >
    >                 t: 020 7183 0498
    >                 e: stephen@workshopit.co.uk
    >                 w: www.workshopit.co.uk
    >                 Registered in England and Wales: 8366747
    >
    >                 On 5 February 2016 at 10:09, Cornelius Kölbel <@cornelinux> wrote:
    >                         Hi Stephen,
    >
    >                         you can use RADIUS, but only with
    PAP. With
    >                         plain normal RADIUS this
    >                         works like a charm.
    >                         Anyway, it might depend on your VPN
    server.
    >
    >                         But you have the right setup:
    >
    >                         * VPN-Server asks FreeRADIUS
    >                         * FreeRADIUS users
    rlm_perl/privacyidea to ask
    >                         privacyIDEA.
    >                         * privacyIDEA finds user in AD
    >                         * privacyIDEA checks OTP value and
    responds to
    >                         rlm_perl/FreeRADIUS
    >
    >                         If you need detailed help on this,
    just drop
    >                         me a note.
    >
    >                         Kind regards
    >                         Cornelius
    >
    >
    >                         Am Freitag, den 05.02.2016, 10:02
    +0000
    >                         schrieb Stephen Horvath:
    >                         > Thanks,
    >                         > I was pretty excited to find
    privacyIDEA and
    >                         it looked like it would
    >                         > do everything I wanted...
    >                         > I only need to auth VPN access
    using OTP
    >                         authing against an AD server.
    >                         > Can you recommend a way of doing
    this
    >                         another way?
    >                         >
    >                         >
    >                         >
    >                         > Stephen Horvath
    >                         > Director
    >                         >
    >                         > ( MCSE | CCNA | MTCNA | MTCRE )
    >                         > ---
    >                         >
    >                         >
    >                         > Workshop IT:
    >                         > 5 Cowcross Street London EC1M 6DW
    >                         >
    >                         > t: 020 7183 0498
    >                         > e: stephen@workshopit.co.uk
    >                         > w: www.workshopit.co.uk
    >                         > Registered in England and Wales:
    8366747
    >                         >
    >                         > On 5 February 2016 at 09:52, Cornelius Kölbel <@cornelinux> wrote:
    >                         >         Hi Stephan,
    >                         >
    >                         >         connecting the
    application, in this
    >                         scenario the VPN via
    >                         >         RADIUS, is
    >                         >         often the interesting
    part.
    >                         >
    >                         >         Especially with a VPN and
    RADIUS
    >                         there are often difficulties
    >                         >         which I
    >                         >         solve in remote sessions
    with the
    >                         customers.
    >                         >
    >                         >         1. MSCHAP is not supported
    by the
    >                         RADIUS-Plugin. MSCHAP does
    >                         >         not easily
    >                         >         work well with OTP.
    >                         >         2. Run freeradius in debug
    mode (-X)
    >                         >         3. Check the secrets.
    >                         >         4. Often VPN servers
    expect special
    >                         attributes in the response
    >                         >         to put
    >                         >         the users into certain
    groups.
    >                         >
    >                         >         Kind regards
    >                         >         Cornelius
    >                         >
    >                         >         Am Freitag, den
    05.02.2016, 01:35
    >                         -0800 schrieb Stephen
    >                         >         Horvath:
    >                         >         > Hi,
    >                         >         > I need some help getting
    this to
    >                         work
    >                         >         > I have a PrivacyIDEA
    server
    >                         (2.9-1) with the radius module
    >                         >         > My aim is to auth as
    follows
    >                         >         > clientVPN (ipsec) ->
    Firewall (aaa
    >                         enabled pointing to
    >                         >         privacyIDEA
    >                         >         > server) using AD
    credentials
    >                         >         >
    >                         >         >
    >                         >         > I have set up the
    following
    >                         >         > PrivacyIDEA:
    >                         >         > Radius module installed
    and
    >                         freeradius running on the same
    >                         >         server (all
    >                         >         > set up using the package
    manager)
    >                         >         > I have an LDAP resolver
    (AD) which
    >                         works and pulls my users
    >                         >         > successfully from a
    samba4 active
    >                         directory server
    >                         >         > I have a policy using
    >                         otppin-userstore so it uses the AD
    >                         >         password
    >                         >         > I have a Realm using the
    LDAP
    >                         resolver
    >                         >         > I have a token (TOTP)
    mapped to an
    >                         AD user
    >                         >         >
    >                         >         >
    >                         >         > when running radtest
    using the AD
    >                         username ADpassword-OTPpin
    >                         >         all works
    >                         >         > great
    >                         >         >
    >                         >         >
    >                         >         > My issue is I now need
    my vpn
    >                         users to connect to the
    >                         >         firewall/vpn
    >                         >         > endpoint and get authed
    in the
    >                         same way
    >                         >         >
    >                         >         >
    >                         >         > When connecting via VPN
    the
    >                         request goes through to the
    >                         >         privacyIDEA
    >                         >         > freeradius server but
    get's
    >                         rejected.
    >                         >         > I'm assuming it's
    because it's
    >                         using MSCHAP.
    >                         >         >
    >                         >         >
    >                         >         > Any help getting this
    scenario to
    >                         work would be really
    >                         >         helpful
    >                         >         >
    >                         >         >
    >                         >         > --
    >                         >         > Please read the blog
    post about
    >                         getting help
    >                         >         >
    >
     https://www.privacyidea.org/getting-help/.
    >                         >         >
    >                         >         > For professional
    services and
    >                         consultancy regarding two
    >                         >         factor
    >                         >         > authentication please
    visit
    >                         >         >
    >
     https://netknights.it/en/leistungen/one-time-services/
    >                         >         >
    >                         >         > In an enterprise
    environment you
    >                         should get a SERVICE LEVEL
    >                         >         AGREEMENT
    >                         >         > which suites your needs
    for
    >                         SECURITY, AVAILABILITY and
    >                         >         LIABILITY:
    >                         >         >
    >                         >
    >
    https://netknights.it/en/leistungen/service-level-agreements/
    >                         >         > ---
    >                         >         > You received this
    message because
    >                         you are subscribed to the
    >                         >         Google
    >                         >         > Groups "privacyidea"
    group.
    >                         >         > To unsubscribe from this
    group and
    >                         stop receiving emails
    >                         >         from it, send
    >                         >         > an email to privacyidea
    >                         +unsubscribe@googlegroups.com.
    >                         >         > To post to this group,
    send email
    >                         to
    >                         >
     privacyidea@googlegroups.com.
    >                         >         > Visit this group at
    >                         >
    >
    https://groups.google.com/group/privacyidea.
    >                         >         > To view this discussion
    on the web
    >                         visit
    >                         >         >
    >                         >
    >
    https://groups.google.com/d/msgid/privacyidea/58f3f108-8bb4-402f-9e2f-e816bab7525b%40googlegroups.com.
    >                         >         > For more options, visit
    >                         https://groups.google.com/d/optout.
    >                         >
    >                         >         --
    >                         >         Cornelius Kölbel
    >                         >
     @cornelinux
    >                         >         +49 151 2960 1417
    >                         >
    >                         >         NetKnights GmbH
    >                         >         http://www.netknights.it
    >                         >         Landgraf-Karl-Str. 19,
    34131 Kassel,
    >                         Germany
    >                         >         Tel: +49 561 3166797, Fax:
    +49 561
    >                         3166798
    >                         >
    >                         >         Amtsgericht Kassel, HRB
    16405
    >                         >         Geschäftsführer: Cornelius
    Kölbel
    >                         >
    >                         >
    >                         >         --
    >                         >         Please read the blog post
    about
    >                         getting help
    >                         >
    >
    https://www.privacyidea.org/getting-help/.
    >                         >
    >                         >         For professional services
    and
    >                         consultancy regarding two factor
    >                         >         authentication please
    visit
    >                         >
    >
    https://netknights.it/en/leistungen/one-time-services/
    >                         >
    >                         >         In an enterprise
    environment you
    >                         should get a SERVICE LEVEL
    >                         >         AGREEMENT which suites
    your needs
    >                         for SECURITY, AVAILABILITY
    >                         >         and LIABILITY:
    >                         >
    >
    https://netknights.it/en/leistungen/service-level-agreements/
    >                         >         ---
    >                         >         You received this message
    because
    >                         you are subscribed to a
    >                         >         topic in the Google Groups
    >                         "privacyidea" group.
    >                         >         To unsubscribe from this
    topic,
    >                         visit
    >                         >
    >
    https://groups.google.com/d/topic/privacyidea/sQxd_4To7Go/unsubscribe.
    >                         >         To unsubscribe from this
    group and
    >                         all its topics, send an
    >                         >         email to privacyidea
    >                         +unsubscribe@googlegroups.com.
    >                         >         To post to this group,
    send email to
    >                         >
     privacyidea@googlegroups.com.
    >                         >         Visit this group at
    >                         >
    >
    https://groups.google.com/group/privacyidea.
    >                         >         To view this discussion on
    the web
    >                         visit
    >                         >
    >
    https://groups.google.com/d/msgid/privacyidea/1454665927.20654.119.camel%40puckel.
    >                         >         For more options, visit
    >                         https://groups.google.com/d/optout.
    >                         >
    >                         >
    >                         > --
    >                         > Please read the blog post about
    getting help
    >                         >
    https://www.privacyidea.org/getting-help/.
    >                         >
    >                         > For professional services and
    consultancy
    >                         regarding two factor
    >                         > authentication please visit
    >                         >
    >
     https://netknights.it/en/leistungen/one-time-services/
    >                         >
    >                         > In an enterprise environment you
    should get
    >                         a SERVICE LEVEL AGREEMENT
    >                         > which suites your needs for
    SECURITY,
    >                         AVAILABILITY and LIABILITY:
    >                         >
    >
     https://netknights.it/en/leistungen/service-level-agreements/
    >                         > ---
    >                         > You received this message because
    you are
    >                         subscribed to the Google
    >                         > Groups "privacyidea" group.
    >                         > To unsubscribe from this group and
    stop
    >                         receiving emails from it, send
    >                         > an email to privacyidea
    >                         +unsubscribe@googlegroups.com.
    >                         > To post to this group, send email
    to
    >                         privacyidea@googlegroups.com.
    >                         > Visit this group at
    >
     https://groups.google.com/group/privacyidea.
    >                         > To view this discussion on the web
    visit
    >
    >                         >
    >
     https://groups.google.com/d/msgid/privacyidea/CAAyQAQR1VnFNixU_EmNGoWbVF1ceCTqXMgYCHGDNPYJg0PA4nA%40mail.gmail.com.
    >                         > For more options, visit
    >                         https://groups.google.com/d/optout.
    >
    >                         --
    >                         Cornelius Kölbel
    >                         @cornelinux
    >                         +49 151 2960 1417
    >
    >                         NetKnights GmbH
    >                         http://www.netknights.it
    >                         Landgraf-Karl-Str. 19, 34131 Kassel,
    Germany
    >                         Tel: +49 561 3166797, Fax: +49 561
    3166798
    >
    >                         Amtsgericht Kassel, HRB 16405
    >                         Geschäftsführer: Cornelius Kölbel
    >
    >
    >                         --
    >                         Please read the blog post about
    getting help
    >
     https://www.privacyidea.org/getting-help/.
    >
    >                         For professional services and
    consultancy
    >                         regarding two factor authentication
    please
    >                         visit
    >
     https://netknights.it/en/leistungen/one-time-services/
    >
    >                         In an enterprise environment you
    should get a
    >                         SERVICE LEVEL AGREEMENT which suites
    your
    >                         needs for SECURITY, AVAILABILITY and
    >                         LIABILITY:
    >
     https://netknights.it/en/leistungen/service-level-agreements/
    >                         ---
    >                         You received this message because
    you are
    >                         subscribed to a topic in the Google
    Groups
    >                         "privacyidea" group.
    >                         To unsubscribe from this topic,
    visit
    >
     https://groups.google.com/d/topic/privacyidea/sQxd_4To7Go/unsubscribe.
    >                         To unsubscribe from this group and
    all its
    >                         topics, send an email to privacyidea
    >                         +unsubscribe@googlegroups.com.
    >                         To post to this group, send email to
    >                         privacyidea@googlegroups.com.
    >                         Visit this group at
    >
     https://groups.google.com/group/privacyidea.
    >                         To view this discussion on the web
    visit
    >
     https://groups.google.com/d/msgid/privacyidea/1454666981.20654.123.camel%40puckel.
    >                         For more options, visit
    >                         https://groups.google.com/d/optout.
    >
    >
    >
    >
    >
    >
    >
    > --
    > Please read the blog post about getting help
    > https://www.privacyidea.org/getting-help/.
    >
    > For professional services and consultancy regarding two
    factor
    > authentication please visit
    > https://netknights.it/en/leistungen/one-time-services/
    >
    > In an enterprise environment you should get a SERVICE LEVEL
    AGREEMENT
    > which suites your needs for SECURITY, AVAILABILITY and
    LIABILITY:
    >
    https://netknights.it/en/leistungen/service-level-agreements/
    > ---
    > You received this message because you are subscribed to the
    Google
    > Groups "privacyidea" group.
    > To unsubscribe from this group and stop receiving emails
    from it, send
    > an email to privacyidea+unsubscribe@googlegroups.com.
    > To post to this group, send email to
    privacyidea@googlegroups.com.
    > Visit this group at
    https://groups.google.com/group/privacyidea.
    > To view this discussion on the web visit
    
    >
    https://groups.google.com/d/msgid/privacyidea/CAAyQAQSi5DOYFXvg75gDzcneS2vAiAsCgDjVukNxUFY_iasXig%40mail.gmail.com.
    > For more options, visit https://groups.google.com/d/optout.
    
    --
    Cornelius Kölbel
    @cornelinux
    +49 151 2960 1417
    
    NetKnights GmbH
    http://www.netknights.it
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany
    Tel: +49 561 3166797, Fax: +49 561 3166798
    
    Amtsgericht Kassel, HRB 16405
    Geschäftsführer: Cornelius Kölbel
    
    
    --
    Please read the blog post about getting help
    https://www.privacyidea.org/getting-help/.
    
    For professional services and consultancy regarding two factor
    authentication please visit
    https://netknights.it/en/leistungen/one-time-services/
    
    In an enterprise environment you should get a SERVICE LEVEL
    AGREEMENT which suites your needs for SECURITY, AVAILABILITY
    and LIABILITY:
    https://netknights.it/en/leistungen/service-level-agreements/
    ---
    You received this message because you are subscribed to a
    topic in the Google Groups "privacyidea" group.
    To unsubscribe from this topic, visit
    https://groups.google.com/d/topic/privacyidea/sQxd_4To7Go/unsubscribe.
    To unsubscribe from this group and all its topics, send an
    email to privacyidea+unsubscribe@googlegroups.com.
    To post to this group, send email to
    privacyidea@googlegroups.com.
    Visit this group at
    https://groups.google.com/group/privacyidea.
    To view this discussion on the web visit
    https://groups.google.com/d/msgid/privacyidea/1454668808.20654.146.camel%40puckel.
    For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

Hi Stephen,

you can use RADIUS, but only with PAP. With plain normal RADIUS this
works like a charm.
Anyway, it might depend on your VPN server.

But you have the right setup:

  • VPN-Server asks FreeRADIUS
  • FreeRADIUS users rlm_perl/privacyidea to ask privacyIDEA.
  • privacyIDEA finds user in AD
  • privacyIDEA checks OTP value and responds to rlm_perl/FreeRADIUS

If you need detailed help on this, just drop me a note.

Kind regards
CorneliusAm Freitag, den 05.02.2016, 10:02 +0000 schrieb Stephen Horvath:

Thanks,
I was pretty excited to find privacyIDEA and it looked like it would
do everything I wanted…
I only need to auth VPN access using OTP authing against an AD server.
Can you recommend a way of doing this another way?

Stephen Horvath
Director

( MCSE | CCNA | MTCNA | MTCRE )

Workshop IT:
5 Cowcross Street London EC1M 6DW

t: 020 7183 0498
e: stephen@workshopit.co.uk
w: www.workshopit.co.uk
Registered in England and Wales: 8366747

On 5 February 2016 at 09:52, Cornelius Kölbel <@cornelinux> wrote:
Hi Stephan,

    connecting the application, in this scenario the VPN via
    RADIUS, is
    often the interesting part.
    
    Especially with a VPN and RADIUS there are often difficulties
    which I
    solve in remote sessions with the customers.
    
    1. MSCHAP is not supported by the RADIUS-Plugin. MSCHAP does
    not easily
    work well with OTP.
    2. Run freeradius in debug mode (-X)
    3. Check the secrets.
    4. Often VPN servers expect special attributes in the response
    to put
    the users into certain groups.
    
    Kind regards
    Cornelius
    
    Am Freitag, den 05.02.2016, 01:35 -0800 schrieb Stephen
    Horvath:
    > Hi,
    > I need some help getting this to work
    > I have a PrivacyIDEA server (2.9-1) with the radius module
    > My aim is to auth as follows
    > clientVPN (ipsec) -> Firewall (aaa enabled pointing to
    privacyIDEA
    > server) using AD credentials
    >
    >
    > I have set up the following
    > PrivacyIDEA:
    > Radius module installed and freeradius running on the same
    server (all
    > set up using the package manager)
    > I have an LDAP resolver (AD) which works and pulls my users
    > successfully from a samba4 active directory server
    > I have a policy using otppin-userstore so it uses the AD
    password
    > I have a Realm using the LDAP resolver
    > I have a token (TOTP) mapped to an AD user
    >
    >
    > when running radtest using the AD username ADpassword-OTPpin
    all works
    > great
    >
    >
    > My issue is I now need my vpn users to connect to the
    firewall/vpn
    > endpoint and get authed in the same way
    >
    >
    > When connecting via VPN the request goes through to the
    privacyIDEA
    > freeradius server but get's rejected.
    > I'm assuming it's because it's using MSCHAP.
    >
    >
    > Any help getting this scenario to work would be really
    helpful
    >
    >
    > --
    > Please read the blog post about getting help
    > https://www.privacyidea.org/getting-help/.
    >
    > For professional services and consultancy regarding two
    factor
    > authentication please visit
    > https://netknights.it/en/leistungen/one-time-services/
    >
    > In an enterprise environment you should get a SERVICE LEVEL
    AGREEMENT
    > which suites your needs for SECURITY, AVAILABILITY and
    LIABILITY:
    >
    https://netknights.it/en/leistungen/service-level-agreements/
    > ---
    > You received this message because you are subscribed to the
    Google
    > Groups "privacyidea" group.
    > To unsubscribe from this group and stop receiving emails
    from it, send
    > an email to privacyidea+unsubscribe@googlegroups.com.
    > To post to this group, send email to
    privacyidea@googlegroups.com.
    > Visit this group at
    https://groups.google.com/group/privacyidea.
    > To view this discussion on the web visit
    >
    https://groups.google.com/d/msgid/privacyidea/58f3f108-8bb4-402f-9e2f-e816bab7525b%40googlegroups.com.
    > For more options, visit https://groups.google.com/d/optout.
    
    --
    Cornelius Kölbel
    @cornelinux
    +49 151 2960 1417
    
    NetKnights GmbH
    http://www.netknights.it
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany
    Tel: +49 561 3166797, Fax: +49 561 3166798
    
    Amtsgericht Kassel, HRB 16405
    Geschäftsführer: Cornelius Kölbel
    
    
    --
    Please read the blog post about getting help
    https://www.privacyidea.org/getting-help/.
    
    For professional services and consultancy regarding two factor
    authentication please visit
    https://netknights.it/en/leistungen/one-time-services/
    
    In an enterprise environment you should get a SERVICE LEVEL
    AGREEMENT which suites your needs for SECURITY, AVAILABILITY
    and LIABILITY:
    https://netknights.it/en/leistungen/service-level-agreements/
    ---
    You received this message because you are subscribed to a
    topic in the Google Groups "privacyidea" group.
    To unsubscribe from this topic, visit
    https://groups.google.com/d/topic/privacyidea/sQxd_4To7Go/unsubscribe.
    To unsubscribe from this group and all its topics, send an
    email to privacyidea+unsubscribe@googlegroups.com.
    To post to this group, send email to
    privacyidea@googlegroups.com.
    Visit this group at
    https://groups.google.com/group/privacyidea.
    To view this discussion on the web visit
    https://groups.google.com/d/msgid/privacyidea/1454665927.20654.119.camel%40puckel.
    For more options, visit https://groups.google.com/d/optout.


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/CAAyQAQR1VnFNixU_EmNGoWbVF1ceCTqXMgYCHGDNPYJg0PA4nA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)