Help with VPN login to privacyIDEA RADIUS

Hi,
I need some help getting this to work.
I have a privacyIDEA server (2.9-1) with the RADIUS module.
My aim is to authenticate as follows:
VPN client (IPsec) -> Firewall (AAA enabled, pointing to the privacyIDEA server)
using AD credentials.

I have set up the following
privacyIDEA:
RADIUS module installed and FreeRADIUS running on the same server (all set
up using the package manager)
I have an LDAP resolver (AD) which works and pulls my users successfully
from a Samba4 Active Directory server
I have a policy using otppin-userstore so it uses the AD password
I have a realm using the LDAP resolver
I have a token (TOTP) mapped to an AD user

When running radtest using the AD username and ADpassword-OTPpin, all works great.

My issue is that I now need my VPN users to connect to the firewall/VPN endpoint
and get authenticated in the same way.

When connecting via VPN the request goes through to the privacyIDEA
FreeRADIUS server but gets rejected.
I'm assuming it's because it's using MSCHAP.

Any help getting this scenario to work would be really helpful.

The RADIUS protocol is plain text. Even MSCHAP transmits all other
information in plain text. You can get all the information about who is
successfully authenticating and when.
So if you do not want anyone to sniff this: yes, use encryption like a VPN
between the VPN server and the RADIUS server.

On Friday, 05.02.2016, 10:18 +0000, Stephen Horvath wrote:

Am I right in my assumption, though, that using PAP with IPsec shouldn't
be a security issue, as it's done within the IPsec tunnel?
If so, then PAP is the answer.

Stephen Horvath
Director

( MCSE | CCNA | MTCNA | MTCRE )

Workshop IT:
5 Cowcross Street London EC1M 6DW

t: 020 7183 0498
e: stephen@workshopit.co.uk
w: www.workshopit.co.uk
Registered in England and Wales: 8366747

On 5 February 2016 at 10:16, Stephen Horvath <stephen@workshopit.co.uk> wrote:
I am able to authenticate with a FreeRADIUS server using LDAP and
MSCHAPv2, which is a good solution, but I wanted two-factor auth,
hence the reason for looking into privacyIDEA.
Basically I have some users in the financial sector who want a
two-factor auth VPN. My options may be to go with something like
RSA SecurID or something similar, but I'd really like to use
something open source. Happy to pay. I'd rather contribute to
open source than finance the tech giants.

    On 5 February 2016 at 10:11, Stephen Horvath <stephen@workshopit.co.uk> wrote:
            It does work using PAP, but aren't there security
            concerns with using PAP?
            
            On 5 February 2016 at 10:09, Cornelius Kölbel <@cornelinux> wrote:
                    Hi Stephen,
                    
                    you can use RADIUS, but only with PAP. With plain
                    normal RADIUS this works like a charm.
                    Anyway, it might depend on your VPN server.
                    
                    But you have the right setup:
                    
                    * VPN server asks FreeRADIUS
                    * FreeRADIUS uses rlm_perl/privacyidea to ask privacyIDEA.
                    * privacyIDEA finds the user in AD
                    * privacyIDEA checks the OTP value and responds to rlm_perl/FreeRADIUS
                    
                    If you need detailed help on this, just drop
                    me a note.
                    
                    Kind regards
                    Cornelius
                    
                    
                    On Friday, 05.02.2016, 10:02 +0000, Stephen Horvath wrote:
                    > Thanks,
                    > I was pretty excited to find privacyIDEA and it looked like it would
                    > do everything I wanted...
                    > I only need to authenticate VPN access using OTP, authenticating against an AD server.
                    > Can you recommend another way of doing this?
                    >
                    > On 5 February 2016 at 09:52, Cornelius Kölbel <@cornelinux> wrote:
                    >         Hi Stephen,
                    >
                    >         connecting the application, in this scenario the VPN via RADIUS, is
                    >         often the interesting part.
                    >
                    >         Especially with a VPN and RADIUS there are often difficulties which I
                    >         solve in remote sessions with the customers.
                    >
                    >         1. MSCHAP is not supported by the RADIUS plugin. MSCHAP does not easily
                    >         work well with OTP.
                    >         2. Run FreeRADIUS in debug mode (-X).
                    >         3. Check the secrets.
                    >         4. Often VPN servers expect special attributes in the response to put
                    >         the users into certain groups.
                    >
                    >         Kind regards
                    >         Cornelius
                    >
                    >         On Friday, 05.02.2016, 01:35 -0800, Stephen Horvath wrote:
                    >         > --
                    >         > Please read the blog post about getting help
                    >         > https://www.privacyidea.org/getting-help/.
                    >         >
                    >         > For professional services and consultancy regarding two factor
                    >         > authentication please visit
                    >         > https://netknights.it/en/leistungen/one-time-services/
                    >         >
                    >         > In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
                    >         > which suits your needs for SECURITY, AVAILABILITY and LIABILITY:
                    >         > https://netknights.it/en/leistungen/service-level-agreements/
                    >         > ---
                    >         > You received this message because you are subscribed to the Google
                    >         > Groups "privacyidea" group.
                    >         > To unsubscribe from this group and stop receiving emails from it, send
                    >         > an email to privacyidea+unsubscribe@googlegroups.com.
                    >         > To post to this group, send email to privacyidea@googlegroups.com.
                    >         > Visit this group at https://groups.google.com/group/privacyidea.
                    >         > To view this discussion on the web visit
                    >         > https://groups.google.com/d/msgid/privacyidea/58f3f108-8bb4-402f-9e2f-e816bab7525b%40googlegroups.com.
                    >         > For more options, visit https://groups.google.com/d/optout.
                    >
                    >         --
                    >         Cornelius Kölbel
                    >         @cornelinux
                    >         +49 151 2960 1417
                    >
                    >         NetKnights GmbH
                    >         http://www.netknights.it
                    >         Landgraf-Karl-Str. 19, 34131 Kassel, Germany
                    >         Tel: +49 561 3166797, Fax: +49 561 3166798
                    >
                    >         Amtsgericht Kassel, HRB 16405
                    >         Geschäftsführer: Cornelius Kölbel
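The thread's closing point is that RADIUS itself travels in clear text: only the User-Password attribute is hidden, and only with the shared secret, so the user name, the NAS address and the fact that someone just authenticated are visible to anyone on the path between the VPN gateway and the RADIUS server. The Python below is an added example, not code from the original thread, from privacyIDEA or from FreeRADIUS. It builds a PAP Access-Request the way RFC 2865 describes it, shows that User-Name is readable on the wire, and shows that the hidden password (here the AD password with the TOTP value appended, as in the radtest run described at the top) is recovered by anyone who holds or guesses the shared secret, which is the reason for carrying RADIUS inside IPsec between the firewall and the RADIUS server. The user name `alice`, the password, the NAS address `192.0.2.10` and the secret `testing123` are constructed sample values; MSCHAPv2 is not modelled.

```python
"""RFC 2865 PAP Access-Request: only User-Password is hidden, and only by the
shared secret. All sample values below are constructed for this example."""
import hashlib
import os
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16,
    then XOR each 16-byte block with MD5(secret + previous ciphertext block),
    seeding 'previous block' with the Request Authenticator. This is
    obfuscation keyed by the shared secret, not encryption of the packet."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The inverse: anyone holding (or guessing) the shared secret and the
    sniffed Access-Request recovers the cleartext password. Trailing NUL
    padding is stripped, so a password that itself ends in NULs would lose them."""
    if len(hidden) % 16 or len(authenticator) != 16:
        raise ValueError("malformed User-Password or Request Authenticator")
    clear = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(prev, key))
    return clear.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, authenticator, secret, username, password, nas_ip):
    """Code(1) | Identifier | Length | Request Authenticator (16) | attributes."""
    attrs = (
        attribute(ATTR_USER_NAME, username.encode())
        + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
        + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    )
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """What a passive observer sees: every attribute except User-Password is cleartext."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def guess_secret(hidden: bytes, authenticator: bytes, candidates):
    """Offline check of candidate shared secrets against one sniffed request:
    the right one yields a printable password, wrong ones yield noise."""
    for candidate in candidates:
        clear = reveal_password(hidden, candidate, authenticator)
        if clear and all(32 <= b < 127 for b in clear):
            return candidate, clear
    return None


def demo() -> dict:
    secret = b"testing123"          # constructed; also FreeRADIUS's stock secret for localhost
    authenticator = os.urandom(16)  # a NAS picks a fresh random Request Authenticator
    # otppin=userstore: the AD password with the TOTP value appended, sent as one PAP password
    password = "ADpassword" + "123456"
    packet = build_access_request(7, authenticator, secret, "alice", password, "192.0.2.10")
    seen = parse_attributes(packet)
    assert seen[ATTR_USER_NAME] == b"alice"                 # who is logging in: cleartext
    assert seen[ATTR_USER_PASSWORD] != password.encode()    # looks random without the secret
    assert reveal_password(seen[ATTR_USER_PASSWORD], secret, authenticator) == password.encode()
    return seen


if __name__ == "__main__":
    for attr_type, value in demo().items():
        print(attr_type, value)
```

`guess_secret` is the offline step an attacker performs with a single captured Access-Request and a wordlist, which is why both the strength of the shared secret and an encrypted path between the NAS and the RADIUS server matter, independently of PAP versus MSCHAP.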
Am I right in my assumption though that using pap with ipsec shouldn’t be a
security issue as it’s done within the ipsec tunnel?
If so then pap is the answer

Stephen Horvath
Director
( MCSE | CCNA | MTCNA | MTCRE )—

Workshop IT:
5 Cowcross Street London EC1M 6DW
*t: *020 7183 0498
*e: *@Stephen_Horvath
w: www.workshopit.co.uk
Registered in England and Wales: 8366747

On 5 February 2016 at 10:16, Stephen Horvath <@Stephen_Horvath> wrote:

I am able to auth with a freeradius server using ldap and mschapv2 which
is a good solution but I wanted 2 factor auth hence the reason for looking
into privacyIDEA.
Basically I have some users in the financial sector who want a 2-factor
auth VPN. My options may be to go with something like RSA secureid or
something similar but I’d really like to use something open source. Happy
to pay. I’d rather contribute to open source than finance the tech giants.

Stephen Horvath
Director
( MCSE | CCNA | MTCNA | MTCRE )

Workshop IT:
5 Cowcross Street London EC1M 6DW
*t: *020 7183 0498
*e: *@Stephen_Horvath
w: www.workshopit.co.uk
Registered in England and Wales: 8366747

On 5 February 2016 at 10:11, Stephen Horvath <@Stephen_Horvath> wrote:

It does work using pap but aren’t there security concerns using pap?

Stephen Horvath
Director
( MCSE | CCNA | MTCNA | MTCRE )

Workshop IT:
5 Cowcross Street London EC1M 6DW
*t: *020 7183 0498
*e: *@Stephen_Horvath
w: www.workshopit.co.uk
Registered in England and Wales: 8366747

On 5 February 2016 at 10:09, Cornelius Kölbel < cornelius.koelbel@netknights.it> wrote:

Hi Stephen,

you can use RADIUS, but only with PAP. With plain normal RADIUS this
works like a charm.
Anyway, it might depend on your VPN server.

But you have the right setup:

  • VPN-Server asks FreeRADIUS
  • FreeRADIUS users rlm_perl/privacyidea to ask privacyIDEA.
  • privacyIDEA finds user in AD
  • privacyIDEA checks OTP value and responds to rlm_perl/FreeRADIUS

If you need detailed help on this, just drop me a note.

Kind regards
Cornelius

Am Freitag, den 05.02.2016, 10:02 +0000 schrieb Stephen Horvath:

Thanks,
I was pretty excited to find privacyIDEA and it looked like it would
do everything I wanted…
I only need to auth VPN access using OTP authing against an AD server.
Can you recommend a way of doing this another way?

Stephen Horvath
Director

( MCSE | CCNA | MTCNA | MTCRE )

Workshop IT:
5 Cowcross Street London EC1M 6DW

t: 020 7183 0498
e: @Stephen_Horvath
w: www.workshopit.co.uk
Registered in England and Wales: 8366747

On 5 February 2016 at 09:52, Cornelius Kölbel cornelius.koelbel@netknights.it wrote:
Hi Stephan,

    connecting the application, in this scenario the VPN via
    RADIUS, is
    often the interesting part.

    Especially with a VPN and RADIUS there are often difficulties
    which I
    solve in remote sessions with the customers.

    1. MSCHAP is not supported by the RADIUS-Plugin. MSCHAP does
    not easily
    work well with OTP.
    2. Run freeradius in debug mode (-X)
    3. Check the secrets.
    4. Often VPN servers expect special attributes in the response
    to put
    the users into certain groups.

    Kind regards
    Cornelius

    Am Freitag, den 05.02.2016, 01:35 -0800 schrieb Stephen
    Horvath:
    > Hi,
    > I need some help getting this to work
    > I have a PrivacyIDEA server (2.9-1) with the radius module
    > My aim is to auth as follows
    > clientVPN (ipsec) -> Firewall (aaa enabled pointing to
    privacyIDEA
    > server) using AD credentials
    >
    >
    > I have set up the following
    > PrivacyIDEA:
    > Radius module installed and freeradius running on the same
    server (all
    > set up using the package manager)
    > I have an LDAP resolver (AD) which works and pulls my users
    > successfully from a samba4 active directory server
    > I have a policy using otppin-userstore so it uses the AD
    password
    > I have a Realm using the LDAP resolver
    > I have a token (TOTP) mapped to an AD user
    >
    >
    > when running radtest using the AD username ADpassword-OTPpin
    all works
    > great
    >
    >
    > My issue is I now need my vpn users to connect to the
    firewall/vpn
    > endpoint and get authed in the same way
    >
    >
    > When connecting via VPN the request goes through to the
    privacyIDEA
    > freeradius server but get's rejected.
    > I'm assuming it's because it's using MSCHAP.
    >
    >
    > Any help getting this scenario to work would be really
    helpful
    >
    >
    > --
    > Please read the blog post about getting help
    > https://www.privacyidea.org/getting-help/.
    >
    > For professional services and consultancy regarding two
    factor
    > authentication please visit
    > https://netknights.it/en/leistungen/one-time-services/
    >
    > In an enterprise environment you should get a SERVICE LEVEL
    AGREEMENT
    > which suites your needs for SECURITY, AVAILABILITY and
    LIABILITY:
    >
    https://netknights.it/en/leistungen/service-level-agreements/
    > ---
    > You received this message because you are subscribed to the
    Google
    > Groups "privacyidea" group.
    > To unsubscribe from this group and stop receiving emails
    from it, send
    > an email to privacyidea+unsubscribe@googlegroups.com.
    > To post to this group, send email to
    privacyidea@googlegroups.com.
    > Visit this group at
    https://groups.google.com/group/privacyidea.
    > To view this discussion on the web visit
    >

https://groups.google.com/d/msgid/privacyidea/58f3f108-8bb4-402f-9e2f-e816bab7525b%40googlegroups.com
.

    > For more options, visit https://groups.google.com/d/optout.

    --
    Cornelius Kölbel
    cornelius.koelbel@netknights.it
    +49 151 2960 1417

    NetKnights GmbH
    http://www.netknights.it
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany
    Tel: +49 561 3166797, Fax: +49 561 3166798

    Amtsgericht Kassel, HRB 16405
    Geschäftsführer: Cornelius Kölbel


    --
    Please read the blog post about getting help
    https://www.privacyidea.org/getting-help/.

    For professional services and consultancy regarding two factor
    authentication please visit
    https://netknights.it/en/leistungen/one-time-services/

    In an enterprise environment you should get a SERVICE LEVEL
    AGREEMENT which suites your needs for SECURITY, AVAILABILITY
    and LIABILITY:
    https://netknights.it/en/leistungen/service-level-agreements/
    ---
    You received this message because you are subscribed to a
    topic in the Google Groups "privacyidea" group.
    To unsubscribe from this topic, visit

https://groups.google.com/d/topic/privacyidea/sQxd_4To7Go/unsubscribe.

    To unsubscribe from this group and all its topics, send an
    email to privacyidea+unsubscribe@googlegroups.com.
    To post to this group, send email to
    privacyidea@googlegroups.com.
    Visit this group at
    https://groups.google.com/group/privacyidea.
    To view this discussion on the web visit

https://groups.google.com/d/msgid/privacyidea/1454665927.20654.119.camel%40puckel
.

    For more options, visit https://groups.google.com/d/optout.


Please read the blog post about getting help
Getting help – privacyID3A.

For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - Verschlüsselung

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support Level

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit

https://groups.google.com/d/msgid/privacyidea/CAAyQAQR1VnFNixU_EmNGoWbVF1ceCTqXMgYCHGDNPYJg0PA4nA%40mail.gmail.com
.

For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
cornelius.koelbel@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


Please read the blog post about getting help
Getting help – privacyID3A.

For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - Verschlüsselung

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support Level

You received this message because you are subscribed to a topic in the
Google Groups “privacyidea” group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/privacyidea/sQxd_4To7Go/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/1454666981.20654.123.camel%40puckel
.
For more options, visit https://groups.google.com/d/optout.

I am able to auth with a freeradius server using ldap and mschapv2 which is
a good solution but I wanted 2 factor auth hence the reason for looking
into privacyIDEA.
Basically I have some users in the financial sector who want a 2-factor
auth VPN. My options may be to go with something like RSA secureid or
something similar but I’d really like to use something open source. Happy
to pay. I’d rather contribute to open source than finance the tech giants.

Stephen Horvath
Director
( MCSE | CCNA | MTCNA | MTCRE )—

Workshop IT:
5 Cowcross Street London EC1M 6DW
*t: *020 7183 0498
*e: *@Stephen_Horvath
w: www.workshopit.co.uk
Registered in England and Wales: 8366747

On 5 February 2016 at 10:11, Stephen Horvath <@Stephen_Horvath> wrote:

It does work using pap but aren’t there security concerns using pap?

Stephen Horvath
Director
( MCSE | CCNA | MTCNA | MTCRE )

Workshop IT:
5 Cowcross Street London EC1M 6DW
*t: *020 7183 0498
*e: *@Stephen_Horvath
w: www.workshopit.co.uk
Registered in England and Wales: 8366747

On 5 February 2016 at 10:09, Cornelius Kölbel < cornelius.koelbel@netknights.it> wrote:

Hi Stephen,

you can use RADIUS, but only with PAP. With plain normal RADIUS this
works like a charm.
Anyway, it might depend on your VPN server.

But you have the right setup:

  • VPN-Server asks FreeRADIUS
  • FreeRADIUS users rlm_perl/privacyidea to ask privacyIDEA.
  • privacyIDEA finds user in AD
  • privacyIDEA checks OTP value and responds to rlm_perl/FreeRADIUS

If you need detailed help on this, just drop me a note.

Kind regards
Cornelius

Am Freitag, den 05.02.2016, 10:02 +0000 schrieb Stephen Horvath:

Thanks,
I was pretty excited to find privacyIDEA and it looked like it would
do everything I wanted…
I only need to auth VPN access using OTP authing against an AD server.
Can you recommend a way of doing this another way?

Stephen Horvath
Director

( MCSE | CCNA | MTCNA | MTCRE )

Workshop IT:
5 Cowcross Street London EC1M 6DW

t: 020 7183 0498
e: @Stephen_Horvath
w: www.workshopit.co.uk
Registered in England and Wales: 8366747

On 5 February 2016 at 09:52, Cornelius Kölbel cornelius.koelbel@netknights.it wrote:
Hi Stephan,

    connecting the application, in this scenario the VPN via
    RADIUS, is
    often the interesting part.

    Especially with a VPN and RADIUS there are often difficulties
    which I
    solve in remote sessions with the customers.

    1. MSCHAP is not supported by the RADIUS-Plugin. MSCHAP does
    not easily
    work well with OTP.
    2. Run freeradius in debug mode (-X)
    3. Check the secrets.
    4. Often VPN servers expect special attributes in the response
    to put
    the users into certain groups.

    Kind regards
    Cornelius

    Am Freitag, den 05.02.2016, 01:35 -0800 schrieb Stephen Horvath:
    > Hi,
    > I need some help getting this to work
    > I have a PrivacyIDEA server (2.9-1) with the radius module
    > My aim is to auth as follows
    > clientVPN (ipsec) -> Firewall (aaa enabled pointing to privacyIDEA
    > server) using AD credentials
    >
    > I have set up the following
    > PrivacyIDEA:
    > Radius module installed and freeradius running on the same server (all
    > set up using the package manager)
    > I have an LDAP resolver (AD) which works and pulls my users
    > successfully from a samba4 active directory server
    > I have a policy using otppin-userstore so it uses the AD password
    > I have a Realm using the LDAP resolver
    > I have a token (TOTP) mapped to an AD user
    >
    > when running radtest using the AD username ADpassword-OTPpin all works
    > great
    >
    > My issue is I now need my vpn users to connect to the firewall/vpn
    > endpoint and get authed in the same way
    >
    > When connecting via VPN the request goes through to the privacyIDEA
    > freeradius server but gets rejected.
    > I'm assuming it's because it's using MSCHAP.
    >
    > Any help getting this scenario to work would be really helpful
    >
    > --
    > Please read the blog post about getting help
    > https://www.privacyidea.org/getting-help/.
    >
    > For professional services and consultancy regarding two factor
    > authentication please visit
    > https://netknights.it/en/leistungen/one-time-services/
    >
    > In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
    > which suits your needs for SECURITY, AVAILABILITY and LIABILITY:
    > https://netknights.it/en/leistungen/service-level-agreements/
    > ---
    > You received this message because you are subscribed to the Google
    > Groups "privacyidea" group.
    > To unsubscribe from this group and stop receiving emails from it, send
    > an email to privacyidea+unsubscribe@googlegroups.com.
    > To post to this group, send email to privacyidea@googlegroups.com.
    > Visit this group at https://groups.google.com/group/privacyidea.
    > To view this discussion on the web visit
    > https://groups.google.com/d/msgid/privacyidea/58f3f108-8bb4-402f-9e2f-e816bab7525b%40googlegroups.com.
    > For more options, visit https://groups.google.com/d/optout.

    --
    Cornelius Kölbel
    cornelius.koelbel@netknights.it
    +49 151 2960 1417

    NetKnights GmbH
    http://www.netknights.it
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany
    Tel: +49 561 3166797, Fax: +49 561 3166798

    Amtsgericht Kassel, HRB 16405
    Geschäftsführer: Cornelius Kölbel








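Added example (editor's addition; not code from this thread, from privacyIDEA or from FreeRADIUS) to make Cornelius's two points concrete: RADIUS sends everything except the password in clear, and PAP's User-Password is only obfuscated with the shared secret (RFC 2865 section 5.2), so the same secret that lets the RADIUS server recover "ADpassword+OTP" lets anyone with a capture of the VPN-to-RADIUS leg do the same, which is why that leg belongs inside IPsec. It also shows what checklist item 3 ("check the secrets") looks like on the wire: a mismatched secret yields garbage on the server side and an unverifiable Response Authenticator on the NAS side. The shared secret, user name, AD password, OTP value and the split rule "last six characters are the OTP" are all constructed or hypothetical; the exchange runs in-process with no network.

```python
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                           # RFC 2865 attribute types

def _xor_chain(data, secret, authenticator, decode):
    """RFC 2865 section 5.2: every 16-byte block is XORed with MD5(secret + previous
    hidden block); the first block uses the 16-byte Request Authenticator."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out += result
        prev = block if decode else result  # chain on the hidden (wire) block either way
    return bytes(out)

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side (the VPN server): obfuscation keyed only by the shared secret, not encryption."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    return _xor_chain(password + b"\x00" * (-len(password) % 16), secret, authenticator, False)

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS server side; anyone holding the secret plus a capture can do the same."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    return _xor_chain(hidden, secret, authenticator, True).rstrip(b"\x00")

def attr(kind: int, value: bytes) -> bytes:
    """One attribute TLV: Type, Length (including these 2 bytes), Value."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident: int, username: str, password: str, secret: bytes):
    """PAP Access-Request as the NAS sends it; returns (packet, request_authenticator)."""
    req_auth = secrets.token_bytes(16)  # fresh random Request Authenticator per request
    attrs = attr(USER_NAME, username.encode()) + attr(
        USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def parse_packet(packet: bytes) -> dict:
    """Parse header and attribute TLVs. No secret is needed: an on-path observer reads
    User-Name and every other attribute directly; only User-Password is hidden."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS Length field")
    attrs, pos = {}, 20
    while pos < length:
        kind, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[kind] = packet[pos + 2:pos + alen]
        pos += alen
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attrs": attrs}

def build_response(code: int, request: dict, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request["id"], 20 + len(attrs))
    return header + hashlib.md5(header + request["authenticator"] + attrs + secret).digest() + attrs

def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """NAS-side check that the reply came from a holder of the same secret (checklist item 3)."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)

def server_handle(packet: bytes, secret: bytes, user_store: dict, valid_otps: dict, otp_len=6):
    """Toy stand-in for FreeRADIUS + privacyIDEA with otppin=userstore: split the revealed
    password into <AD password><OTP> (hypothetical rule: last otp_len characters are the
    OTP), check both, answer Accept or Reject. Returns (response_packet, username)."""
    req = parse_packet(packet)
    user = req["attrs"].get(USER_NAME, b"").decode(errors="replace")
    clear = reveal_password(req["attrs"][USER_PASSWORD], secret, req["authenticator"])
    pin, otp = clear[:-otp_len], clear[-otp_len:]
    ok = (hmac.compare_digest(pin, user_store.get(user, b"\x00"))
          and hmac.compare_digest(otp, valid_otps.get(user, b"\x00")))
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, req, secret), user

def demo(secret: bytes = b"constructed-shared-secret") -> dict:
    """Round trip on constructed sample data: what the wire shows without the secret,
    what the server recovers with it, and how a wrong secret fails on both sides."""
    user_store = {"alice": b"Correct-Horse-7"}  # constructed AD password = the PIN
    valid_otps = {"alice": b"123456"}           # constructed TOTP value for this time step
    good, req_auth = build_access_request(7, "alice", "Correct-Horse-7123456", secret)
    bad, _ = build_access_request(8, "alice", "Correct-Horse-7999999", secret)
    seen = parse_packet(good)                   # observer view: no secret used
    hidden = seen["attrs"][USER_PASSWORD]
    accept, _ = server_handle(good, secret, user_store, valid_otps)
    reject, _ = server_handle(bad, secret, user_store, valid_otps)
    return {
        "username_visible_without_secret": seen["attrs"][USER_NAME].decode(),
        "password_recovered_with_secret": reveal_password(hidden, secret, req_auth),
        "wrong_secret_recovers_password": reveal_password(hidden, b"wrong", req_auth) == b"Correct-Horse-7123456",
        "accept_code": parse_packet(accept)["code"],
        "reject_code": parse_packet(reject)["code"],
        "accept_verifies": verify_response(accept, req_auth, secret),
        "accept_verifies_with_wrong_secret": verify_response(accept, req_auth, b"wrong"),
    }
```

Running `demo()` shows the user name readable from the packet without any secret, the full "ADpassword+OTP" string recovered by whoever holds the shared secret, and both the password reveal and the Response Authenticator check failing with a wrong secret. The MD5/XOR stream here is keyed by a static secret with no forward secrecy, which is the reason the thread's answer is "PAP, but only inside IPsec (or another encrypted tunnel) between the VPN server and FreeRADIUS".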




Hi,
I’m not concerned about security between AD, radius server. They are in a
secure environment and (for now) we have no PCI requirement.
I just want to offer the end user 2-factor auth for remote client vpn and
it must be secure of course.
They currently use IPSEC client to firewall → freeradius server using ldap
and mschap authing against active directory (samba4)
However, their clients are not happy with this and want them to use
2-factor auth. They really want the OTP feature added in.
If using IPSEC with a shared secret then using PAP to auth the user either
using a pin or their AD password in addition to the OTP is as secure as
what they are using with the added bonus of using a OTP then I’m happy to
go ahead and use this.


On 5 February 2016 at 10:40, Cornelius Kölbel <cornelius.koelbel@netknights.it> wrote:

The RADIUS protocol is plain text. Even MSCHAP transmits all other
information in plain text. You can get all information who is
successfully authenticating when.
So if you do not want to sniff anyone. Yes, use an encryption like a VPN
between the VPN and the RADIUS Server.

Am Freitag, den 05.02.2016, 10:18 +0000 schrieb Stephen Horvath:

Am I right in my assumption though that using pap with ipsec shouldn’t
be a security issue as it’s done within the ipsec tunnel?
If so then pap is the answer


On 5 February 2016 at 10:16, Stephen Horvath <@Stephen_Horvath> wrote:
I am able to auth with a freeradius server using ldap and
mschapv2 which is a good solution but I wanted 2 factor auth
hence the reason for looking into privacyIDEA.
Basically I have some users in the financial sector who want a
2-factor auth VPN. My options may be to go with something like
RSA secureid or something similar but I’d really like to use
something open source. Happy to pay. I’d rather contribute to
open source than finance the tech giants.

    Stephen Horvath
    Director

    ( MCSE | CCNA | MTCNA | MTCRE )
    ---


    Workshop IT:
    5 Cowcross Street London EC1M 6DW

    t: 020 7183 0498
    e: @Stephen_Horvath
    w: www.workshopit.co.uk
    Registered in England and Wales: 8366747

    On 5 February 2016 at 10:11, Stephen Horvath <@Stephen_Horvath> wrote:
            It does work using pap but aren't there security
            concerns using pap?



            Stephen Horvath
            Director

            ( MCSE | CCNA | MTCNA | MTCRE )
            ---


            Workshop IT:
            5 Cowcross Street London EC1M 6DW

            t: 020 7183 0498
            e: @Stephen_Horvath
            w: www.workshopit.co.uk
            Registered in England and Wales: 8366747

            On 5 February 2016 at 10:09, Cornelius Kölbel <cornelius.koelbel@netknights.it> wrote:
                    Hi Stephen,

                    you can use RADIUS, but only with PAP. With
                    plain normal RADIUS this
                    works like a charm.
                    Anyway, it might depend on your VPN server.

                    But you have the right setup:

                    * VPN-Server asks FreeRADIUS
                    * FreeRADIUS users rlm_perl/privacyidea to ask
                    privacyIDEA.
                    * privacyIDEA finds user in AD
                    * privacyIDEA checks OTP value and responds to
                    rlm_perl/FreeRADIUS

                    If you need detailed help on this, just drop
                    me a note.

                    Kind regards
                    Cornelius


                    Am Freitag, den 05.02.2016, 10:02 +0000
                    schrieb Stephen Horvath:
                    > Thanks,
                    > I was pretty excited to find privacyIDEA and
                    it looked like it would
                    > do everything I wanted...
                    > I only need to auth VPN access using OTP
                    authing against an AD server.
                    > Can you recommend a way of doing this
                    another way?
                    >
                    >
                    >
                    > Stephen Horvath
                    > Director
                    >
                    > ( MCSE | CCNA | MTCNA | MTCRE )
                    > ---
                    >
                    >
                    > Workshop IT:
                    > 5 Cowcross Street London EC1M 6DW
                    >
                    > t: 020 7183 0498
                    > e: @Stephen_Horvath
                    > w: www.workshopit.co.uk
                    > Registered in England and Wales: 8366747
                    >
                    > On 5 February 2016 at 09:52, Cornelius Kölbel <cornelius.koelbel@netknights.it> wrote:
                    >         Hi Stephan,
                    >
                    >         connecting the application, in this
                    scenario the VPN via
                    >         RADIUS, is
                    >         often the interesting part.
                    >
                    >         Especially with a VPN and RADIUS
                    there are often difficulties
                    >         which I
                    >         solve in remote sessions with the
                    customers.
                    >
                    >         1. MSCHAP is not supported by the
                    RADIUS-Plugin. MSCHAP does
                    >         not easily
                    >         work well with OTP.
                    >         2. Run freeradius in debug mode (-X)
                    >         3. Check the secrets.
                    >         4. Often VPN servers expect special
                    attributes in the response
                    >         to put
                    >         the users into certain groups.
                    >
                    >         Kind regards
                    >         Cornelius
                    >
                    >         Am Freitag, den 05.02.2016, 01:35
                    -0800 schrieb Stephen
                    >         Horvath:
                    >         > Hi,
                    >         > I need some help getting this to
                    work
                    >         > I have a PrivacyIDEA server
                    (2.9-1) with the radius module
                    >         > My aim is to auth as follows
                    >         > clientVPN (ipsec) -> Firewall (aaa
                    enabled pointing to
                    >         privacyIDEA
                    >         > server) using AD credentials
                    >         >
                    >         >
                    >         > I have set up the following
                    >         > PrivacyIDEA:
                    >         > Radius module installed and
                    freeradius running on the same
                    >         server (all
                    >         > set up using the package manager)
                    >         > I have an LDAP resolver (AD) which
                    works and pulls my users
                    >         > successfully from a samba4 active
                    directory server
                    >         > I have a policy using
                    otppin-userstore so it uses the AD
                    >         password
                    >         > I have a Realm using the LDAP
                    resolver
                    >         > I have a token (TOTP) mapped to an
                    AD user
                    >         >
                    >         >
                    >         > when running radtest using the AD
> > username ADpassword-OTPpin all works great
> >
> > My issue is I now need my vpn users to connect to the firewall/vpn
> > endpoint and get authed in the same way
> >
> > When connecting via VPN the request goes through to the privacyIDEA
> > freeradius server but gets rejected.
> > I'm assuming it's because it's using MSCHAP.
> >
> > Any help getting this scenario to work would be really helpful
> >
> > --
> > Please read the blog post about getting help
> > https://www.privacyidea.org/getting-help/.
> >
> > For professional services and consultancy regarding two factor
> > authentication please visit
> > One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - Verschlüsselung
> >
> > In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
> > which suits your needs for SECURITY, AVAILABILITY and LIABILITY:
> > privacyIDEA Support Level
> > ---
> > You received this message because you are subscribed to the Google
> > Groups "privacyidea" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> > an email to privacyidea+unsubscribe@googlegroups.com.
> > To post to this group, send email to privacyidea@googlegroups.com.
> > Visit this group at https://groups.google.com/group/privacyidea.
> > To view this discussion on the web visit
> > https://groups.google.com/d/msgid/privacyidea/58f3f108-8bb4-402f-9e2f-e816bab7525b%40googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
>
> --
> Cornelius Kölbel
> cornelius.koelbel@netknights.it
> +49 151 2960 1417
>
> NetKnights GmbH
> http://www.netknights.it
> Landgraf-Karl-Str. 19, 34131 Kassel, Germany
> Tel: +49 561 3166797, Fax: +49 561 3166798
>
> Amtsgericht Kassel, HRB 16405
> Geschäftsführer: Cornelius Kölbel

Hi Stephen,

good to hear this.

There are always security concerns. Only different ones.

With using PAP the password transmitted over the wire is encrypted using
the RADIUS secret. This is why you should choose a good RADIUS secret
which is at least as long as the usual passwords.

With MSCHAPv2 the password is not transmitted. But the password hash is
used. Usually this is ok, since the password is also hashed in active
directory. This way you can use the password from active directory.

Now comes the problem and thus the other security concerns:
If you are authenticating with two factors like:

    <AD-Password> + <OTP>

Using MSCHAPv2 is not possible, since you would have to store the
password encrypted - not hashed.
Then privacyIDEA would have to READ the password from AD and decrypt it
to generate

    HASH(ADpassword + OTP)

since

    HASH(ADpassword + OTP) != HASH(ADPassword) + HASH(OTP)

But you DO NOT WANT to store the password in an encrypted way.

OK, if you are using the privacyIDEA OTP PIN (not the AD password) like

    <OTP PIN> + <OTP>

then you have the same thing. privacyIDEA can save the OTP PINs (which
are also passwords) in an encrypted, a.k.a. decryptable, way.
You may think about it, if you like it at this point.

But even if we do so, there is another, only small, problem:

We do not know which hash was calculated by the client side:
The user could have entered either PIN + OTPvalue1 or PIN + OTPvalue2
or PIN + OTPvalue3…

So we do not know which of the many possible hashes the user had used.
So the protocol gets a bit more complicated (complicated, not
impossible).
This could be implemented, but it is simply not implemented at the moment.
(Please note again: you would have to store the passwords decryptable.)

The next security concern is that you really, really do not want to use
RSA SecurID ;-)
I do not elaborate on this ;-)

So the questions are:

  • Do you want a really strong 2nd factor or only a weak one?
  • Would you want to use the AD password or the OTP PIN (which is also a
    password)?
  • Are you more concerned about someone stealing the RADIUS secret,
    sniffing your network and getting the OTP PIN, or about backdoors,
    delivery chains of preseeded proprietary tokens etc. etc.?

As mentioned, yes, it is a security concern. But as always it is your
decision which risks you are willing to take, and I can only point out
some details.

Finally:

If your VPN supports a two step authentication like

  • first authenticating against one RADIUS and
  • then against another

you can do it like:

  1. Authenticate with AD-Password via MSCHAPv2 against NPS
  2. Authenticate with OTP via PAP against FreeRADIUS

But then again a security concern: Some customers do not like their
users to use their LDAP password in the wild! Since the risk of shoulder
surfing (either by human eye or camera) when entering the AD password
could be seen as higher.

I hope I gave you some input on making up your mind.
Anyway: If you are really into MSCHAPv2 we can also talk about this.

I am looking forward to your response.

Kind regards
Cornelius

On Friday, 05.02.2016, 10:16 +0000, Stephen Horvath wrote:

I am able to auth with a freeradius server using ldap and mschapv2
which is a good solution but I wanted 2 factor auth hence the reason
for looking into privacyIDEA.
Basically I have some users in the financial sector who want a
2-factor auth VPN. My options may be to go with something like RSA
secureid or something similar but I’d really like to use something
open source. Happy to pay. I’d rather contribute to open source than
finance the tech giants.

On 5 February 2016 at 10:11, Stephen Horvath stephen@workshopit.co.uk wrote:
It does work using pap but aren't there security concerns using pap?

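To make the hashing argument in Cornelius' reply concrete, here is an added example (written for this edit; it is not code from the privacyIDEA project or from anyone in the thread). It models a PAP check that splits `<PIN><OTP>` and verifies each half against stored material, next to a simplified challenge/response check standing in for MSCHAPv2 (HMAC-SHA256 in place of NT hash + DES, an assumption of the model) that can only succeed with a decryptable PIN and then has to try every OTP in the accepted window. The PIN "hunter2", the salt, the 16-byte challenge and the fixed clock are constructed values; the TOTP seed is the RFC 6238 test seed.

```python
import hashlib
import hmac
import struct

# Constructed demo values: the RFC 6238 test seed (not a real secret) and a
# fixed clock, so the results are reproducible.
OTP_DIGITS = 6
STEP = 30
RFC6238_SEED = b"12345678901234567890"


def totp(seed: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30 s counter, 6 digits."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"


def hash_pin(pin: str, salt: bytes) -> bytes:
    """One-way storage of the PIN / password, as AD or privacyIDEA keep it
    (iteration count kept low for the demo)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 20_000)


def otp_candidates(seed: bytes, now: int, window: int) -> list:
    """Every OTP value the server would accept around `now` (+/- window steps)."""
    return [totp(seed, now + k * STEP) for k in range(-window, window + 1)]


# ---- PAP: the server receives the cleartext "<PIN><OTP>" -------------------
def verify_pap(user_password: str, pin_hash: bytes, salt: bytes,
               seed: bytes, now: int, window: int = 1) -> bool:
    """Split the string, check the PIN against its one-way hash and the OTP
    against the TOTP window.  Nothing decryptable needs to be stored."""
    pin, otp = user_password[:-OTP_DIGITS], user_password[-OTP_DIGITS:]
    pin_ok = hmac.compare_digest(hash_pin(pin, salt), pin_hash)
    otp_ok = any(hmac.compare_digest(c, otp)
                 for c in otp_candidates(seed, now, window))
    return pin_ok and otp_ok


# ---- challenge/response: the server never receives the password -----------
def client_response(password: str, challenge: bytes) -> bytes:
    """Client side: prove knowledge of H(password) without sending it.
    Simplified stand-in for MSCHAPv2 (HMAC-SHA256 instead of NT hash + DES);
    the structure of the argument is the same."""
    pw_hash = hashlib.sha256(password.encode()).digest()
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


def verify_challenge_response(response: bytes, challenge: bytes, stored: dict,
                              seed: bytes, now: int, window: int = 1) -> tuple:
    """Server side.  Returns (accepted, candidates_tried).

    All the server can do is recompute client_response() for candidate
    cleartext passwords.  HASH(PIN + OTP) cannot be derived from HASH(PIN),
    so a one-way PIN hash gives it no candidate at all.  With a decryptable
    PIN it still does not know which OTP the user typed, so it has to try
    PIN + every OTP in the accepted window."""
    if "pin_clear" not in stored:
        return False, 0
    tried = 0
    for otp in otp_candidates(seed, now, window):
        tried += 1
        expected = client_response(stored["pin_clear"] + otp, challenge)
        if hmac.compare_digest(expected, response):
            return True, tried
    return False, tried


def demo() -> dict:
    """Constructed scenario: PIN "hunter2", RFC 6238 seed, clock 1111111109
    (an RFC test vector, OTP 081804), one constructed 16-byte challenge."""
    salt, now, pin = b"\x00" * 8, 1111111109, "hunter2"
    hashed_store = {"pin_hash": hash_pin(pin, salt), "salt": salt}
    typed = pin + totp(RFC6238_SEED, now)          # what the user enters

    pap_ok = verify_pap(typed, hashed_store["pin_hash"], salt, RFC6238_SEED, now)

    challenge = b"\x11" * 16
    response = client_response(typed, challenge)
    with_hash_only = verify_challenge_response(response, challenge,
                                               hashed_store, RFC6238_SEED, now)
    with_clear_pin = verify_challenge_response(response, challenge,
                                               {"pin_clear": pin},
                                               RFC6238_SEED, now)
    return {"pap": pap_ok,
            "challenge_response_hashed_pin": with_hash_only,
            "challenge_response_cleartext_pin": with_clear_pin}


if __name__ == "__main__":
    print(demo())
```
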
Go for it! :-)

On Friday, 05.02.2016, 10:48 +0000, Stephen Horvath wrote:

Hi,
I’m not concerned about security between AD, radius server. They are
in a secure environment and (for now) we have no PCI requirement.
I just want to offer the end user 2-factor auth for remote client vpn
and it must be secure of course.
They currently use IPSEC client to firewall → freeradius server using
ldap and mschap authing against active directory (samba4)
However, their clients are not happy with this and want them to use
2-factor auth. They really want the OTP feature added in.
If using IPSEC with a shared secret then using PAP to auth the user
either using a pin or their AD password in addition to the OTP is as
secure as what they are using, with the added bonus of using an OTP, then
I’m happy to go ahead and use this.

On 5 February 2016 at 10:40, Cornelius Kölbel <@cornelinux> wrote:
The RADIUS protocol is plain text. Even MSCHAP transmits all other
information in plain text. You can get all information who is
successfully authenticating when.
So if you do not want to sniff anyone. Yes, use an encryption like a VPN
between the VPN and the RADIUS Server.

    Am Freitag, den 05.02.2016, 10:18 +0000 schrieb Stephen
    Horvath:
    > Am I right in my assumption though that using pap with ipsec
    shouldn't
    > be a security issue as it's done within the ipsec tunnel?
    > If so then pap is the answer
    >
    >
    >
    > Stephen Horvath
    > Director
    >
    > ( MCSE | CCNA | MTCNA | MTCRE )
    > ---
    >
    >
    > Workshop IT:
    > 5 Cowcross Street London EC1M 6DW
    >
    > t: 020 7183 0498
    > e: stephen@workshopit.co.uk
    > w: www.workshopit.co.uk
    > Registered in England and Wales: 8366747
    >
    > On 5 February 2016 at 10:16, Stephen Horvath <stephen@workshopit.co.uk> wrote:
    >         I am able to auth with a freeradius server using
    ldap and
    >         mschapv2 which is a good solution but I wanted 2
    factor auth
    >         hence the reason for looking into privacyIDEA.
    >         Basically I have some users in the financial sector
    who want a
    >         2-factor auth VPN. My options may be to go with
    something like
    >         RSA secureid or something similar but I'd really
    like to use
    >         something open source. Happy to pay. I'd rather
    contribute to
    >         open source than finance the tech giants.
    >
    >
    >
    >         Stephen Horvath
    >         Director
    >
    >         ( MCSE | CCNA | MTCNA | MTCRE )
    >         ---
    >
    >
    >         Workshop IT:
    >         5 Cowcross Street London EC1M 6DW
    >
    >         t: 020 7183 0498
    >         e: stephen@workshopit.co.uk
    >         w: www.workshopit.co.uk
    >         Registered in England and Wales: 8366747
    >
    >         On 5 February 2016 at 10:11, Stephen Horvath <stephen@workshopit.co.uk> wrote:
    >                 It does work using pap but aren't there
    security
    >                 concerns using pap?


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


Hi Stephen,

you can use RADIUS, but only with PAP. With plain normal RADIUS this
works like a charm.
Anyway, it might depend on your VPN server.

But you have the right setup:

  • VPN-Server asks FreeRADIUS
  • FreeRADIUS uses rlm_perl/privacyidea to ask privacyIDEA.
  • privacyIDEA finds user in AD
  • privacyIDEA checks OTP value and responds to rlm_perl/FreeRADIUS

If you need detailed help on this, just drop me a note.

Kind regards
Cornelius

On Friday, 05.02.2016, 10:02 +0000, Stephen Horvath wrote:

Thanks,
I was pretty excited to find privacyIDEA and it looked like it would
do everything I wanted…
I only need to auth VPN access using OTP authing against an AD server.
Can you recommend a way of doing this another way?

Stephen Horvath
Director

( MCSE | CCNA | MTCNA | MTCRE )

Workshop IT:
5 Cowcross Street London EC1M 6DW

t: 020 7183 0498
e: stephen@workshopit.co.uk
w: www.workshopit.co.uk
Registered in England and Wales: 8366747

On 5 February 2016 at 09:52, Cornelius Kölbel <@cornelinux> wrote:
Hi Stephen,

    connecting the application, in this scenario the VPN via RADIUS, is
    often the interesting part.
    
    Especially with a VPN and RADIUS there are often difficulties which I
    solve in remote sessions with the customers.
    
    1. MSCHAP is not supported by the RADIUS-Plugin. MSCHAP does not easily
    work well with OTP.
    2. Run freeradius in debug mode (-X)
    3. Check the secrets.
    4. Often VPN servers expect special attributes in the response to put
    the users into certain groups.
    
    Kind regards
    Cornelius
    


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suits your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/CAAyQAQR1VnFNixU_EmNGoWbVF1ceCTqXMgYCHGDNPYJg0PA4nA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

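The chain Cornelius describes (VPN server -> FreeRADIUS -> rlm_perl/privacyidea -> privacyIDEA -> AD) and his checklist (PAP only, check the secrets, VPN servers expecting attributes in the reply), as an added Python example that is not privacyIDEA's or FreeRADIUS's code: it builds the RFC 2865 PAP Access-Request, recovers and splits the <AD password><OTP> string the way otppin=userstore requires, answers with an Access-Accept, and checks the Response Authenticator on the VPN-server side. The shared secret, NAS address, user store, OTP value and the Class attribute value are constructed assumptions; which attribute a given VPN server expects differs per product.

```python
"""RFC 2865 PAP exchange between a VPN server (NAS), FreeRADIUS and privacyIDEA.
Added example, not privacyIDEA or FreeRADIUS code; shared secret, NAS address,
user store and OTP value are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CLASS = 1, 2, 4, 25  # RFC 2865 types
USERSTORE = {"stephen": "S3cret-AD-pw"}   # constructed stand-in for AD
CURRENT_OTP = {"stephen": "492039"}       # constructed current TOTP value

def hide_password(secret, authenticator, password):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block), seeded
    with the Request Authenticator. Only the shared secret protects this."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(secret, authenticator, hidden):
    """Server side of hide_password; a wrong shared secret yields garbage."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_request(secret, ident, username, password, nas_ip, authenticator=None):
    """Access-Request as the VPN server sends it when configured for PAP."""
    auth = authenticator or os.urandom(16)
    attrs = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(secret, auth, password.encode())),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def build_response(secret, code, request, attrs):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def split_pin_otp(password, otp_len=6):
    """otppin=userstore: the user types <AD password><OTP>; privacyIDEA splits it,
    which needs the cleartext string PAP delivers and MS-CHAPv2 never does."""
    if len(password) <= otp_len or not password[-otp_len:].isdigit():
        return None
    return password[:-otp_len], password[-otp_len:]

def authenticate(secret, packet):
    """FreeRADIUS/privacyIDEA side: PIN against the user store, OTP against the
    token; the Accept carries a Class attribute (assumed) for VPN group mapping."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs = dict(decode_attrs(packet[20:length]))
    if code != ACCESS_REQUEST or USER_PASSWORD not in attrs:
        # MS-CHAPv2 requests carry MS-CHAP-Challenge/MS-CHAP2-Response instead
        # of User-Password, so there is no OTP string to check: reject.
        return build_response(secret, ACCESS_REJECT, packet, [])
    user = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
    pw = reveal_password(secret, packet[4:20], attrs[USER_PASSWORD])
    parts = split_pin_otp(pw.decode("utf-8", "replace"))
    if parts and USERSTORE.get(user) == parts[0] and CURRENT_OTP.get(user) == parts[1]:
        return build_response(secret, ACCESS_ACCEPT, packet, [(CLASS, b"vpn-users")])
    return build_response(secret, ACCESS_REJECT, packet, [])

def verify_response(secret, request, response):
    """NAS side: trust a reply only if its Response Authenticator checks out."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)

if __name__ == "__main__":
    req = build_request(b"testing123", 7, "stephen", "S3cret-AD-pw492039", "192.0.2.10")
    resp = authenticate(b"testing123", req)
    print("reply code", resp[0], "authentic", verify_response(b"testing123", req, resp))
```

A mismatched shared secret shows up exactly as checklist point 3 predicts: the recovered password is garbage, the request is rejected, and the reply no longer verifies on the NAS side.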