PrivacyIDEA Access-Challenge

Hi,
We’ve set up PrivacyIDEA in our environment using the Ubuntu packages. It works quite well with a policy requiring the user to provide the password followed by the token code through FreeRADIUS, i.e. a PAP + TOTP scenario. This works great.

Now we are setting up OpenConnect server (ocserv), which supports Access-Challenge style authentication in its clients out of the box (unlike e.g. OpenVPN).
So the way we want to have it done is:
The user authenticates using his AD username and normal password, then is challenged through RADIUS’ Access-Challenge for the TOTP token. This challenge comes up as a second pop-up for a password, but is titled appropriately.

Our policy currently is:
authentication { "challenge_response": "hotp totp", "otppin": "userstore" }

Radius config:

authorize {
    if ( NAS-IP-Address == "x.x.x.x" ) {
        update control {
            Auth-Type := Perl
        }
    }
}

This seems to be working, but unfortunately only partially.
The user is prompted for username and password; when that is sent, another pop-up (Access-Challenge) is issued for the TOTP token ("please enter otp: "). When just the token number is provided, RADIUS returns "wrong otp pin", because that is what it gets from PrivacyIDEA. The user can only authenticate when he/she provides the password in the form "AD password + TOTP token".
The interesting bit is that we are sure PrivacyIDEA does validate the first credentials (AD user + AD password) correctly when they are sent in the first request, because it behaves differently when you provide an incorrect password: in that case it simply says "wrong otp pin" rather than "please enter otp: ".

So the question is: is it possible to construct the policy in such a way that

  1. the RADIUS client sends username + password;
  2. the RADIUS server, through the Perl module, authenticates the user against PrivacyIDEA;
  3. PrivacyIDEA issues an Access-Challenge for the OTP token;
  4. the user gets prompted for the token and supplies JUST the token code;
  5. this code is sent to the RADIUS server, which passes it to PrivacyIDEA, which checks it against the user's stored token and, if all is OK, sends Access-Accept?

Here are the relevant RADIUS logs from when it doesn’t quite work:

Ready to process requests
(6) Received Access-Request Id 56 from 192.168.1.119:48865 to 192.168.1.115:1812 length 132
(6)   User-Name = "user1"
(6)   User-Password = "password1"
(6)   NAS-IP-Address = 192.168.1.119
(6)   Calling-Station-Id = "x.x.x.x"
(6)   Connect-Info = "Open AnyConnect VPN Agent v7.08"
(6)   Service-Type = Authenticate-Only
(6)   NAS-Port-Type = Async
(6)   NAS-Port = 31202
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6)   authorize {
(6)     policy filter_username {
(6)       if (&User-Name) {
(6)       if (&User-Name)  -> TRUE
(6)       if (&User-Name)  {
(6)         if (&User-Name =~ / /) {
(6)         if (&User-Name =~ / /)  -> FALSE
(6)         if (&User-Name =~ /@[^@]*@/ ) {
(6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)         if (&User-Name =~ /\.\./ ) {
(6)         if (&User-Name =~ /\.\./ )  -> FALSE
(6)         if (&User-Name =~ /\.$/)  {
(6)         if (&User-Name =~ /\.$/)   -> FALSE
(6)         if (&User-Name =~ /@\./)  {
(6)         if (&User-Name =~ /@\./)   -> FALSE
(6)       } # if (&User-Name)  = notfound
(6)     } # policy filter_username = notfound
(6)     [preprocess] = ok
(6)     [chap] = noop
(6)     [mschap] = noop
(6)     [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "user1", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)     [suffix] = noop
(6) eap: No EAP-Message, not doing EAP
(6)     [eap] = noop
(6) files: users: Matched entry DEFAULT at line 23
(6)     [files] = ok
rlm_ldap (ldap): Closing connection (8): Hit idle_timeout, was idle for 88 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Reserved connection (3)
(6) ldap: EXPAND (&(|(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})(mail=%{%{Stripped-User-Name}:-%{User-Name}}))(objectClass=person))
(6) ldap:    --> (&(|(sAMAccountname=user1)(mail=user1))(objectClass=person))
(6) ldap: Performing search in "OU=UNIT,DC=example,DC=com" with filter "(&(|(sAMAccountname=user1)(mail=user1))(objectClass=person))", scope "sub"
(6) ldap: Waiting for search result...
(6) ldap: User object found at DN "CN=Name Surname,OU=Users,DC=example,DC=com"
(6) ldap: Processing user attributes
(6) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(6) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (3)
Need 1 more connections to reach min connections (3)
rlm_ldap (ldap): Opening additional connection (10), 1 of 30 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ldap.example.com:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(6)     [ldap] = ok
(6)     [expiration] = noop
(6)     [logintime] = noop
(6) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(6) pap: WARNING: Authentication will fail unless a "known good" password is available
(6)     [pap] = noop
(6)     if ( NAS-IP-Address == "192.168.1.119" ) {
(6)     if ( NAS-IP-Address == "192.168.1.119" )  -> TRUE
(6)     if ( NAS-IP-Address == "192.168.1.119" )  {
(6)       update control {
(6)         Auth-Type := Perl
(6)       } # update control = noop
(6)     } # if ( NAS-IP-Address == "192.168.1.119" )  = noop
(6)   } # authorize = ok
(6) Found Auth-Type = Perl
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6)   Auth-Type Perl {
(6) perl:   $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Mar 22 2019 00:39:28 GMT'
(6) perl:   $RAD_REQUEST{'Connect-Info'} = &request:Connect-Info -> 'Open AnyConnect VPN Agent v7.08'
(6) perl:   $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'user1'
(6) perl:   $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'password1'
(6) perl:   $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '192.168.1.119'
(6) perl:   $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '31202'
(6) perl:   $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Authenticate-Only'
(6) perl:   $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> 'x.x.x.x'
(6) perl:   $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Async'
(6) perl:   $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Perl'
(6) perl:   $RAD_CHECK{'LDAP-UserDN'} = &control:LDAP-UserDN -> 'CN=Name Surname,OU=Users,DC=example,DC=com'
(6) perl:   $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Perl'
(6) perl:   $RAD_CONFIG{'LDAP-UserDN'} = &control:LDAP-UserDN -> 'CN=Name Surname,OU=Users,DC=example,DC=com'
rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
rlm_perl: Debugging config: true
rlm_perl: Default URL https://2fa.example.com/validate/check 
rlm_perl: Looking for config for auth-type Perl
rlm_perl: RAD_REQUEST: NAS-Port-Type = Async
rlm_perl: RAD_REQUEST: Service-Type = Authenticate-Only
rlm_perl: RAD_REQUEST: Calling-Station-Id = x.x.x.x
rlm_perl: RAD_REQUEST: User-Name = user1
rlm_perl: RAD_REQUEST: Event-Timestamp = Mar 22 2019 00:39:28 GMT
rlm_perl: RAD_REQUEST: User-Password = password1
rlm_perl: RAD_REQUEST: Connect-Info = Open AnyConnect VPN Agent v7.08
rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.1.119
rlm_perl: RAD_REQUEST: NAS-Port = 31202
rlm_perl: Auth-Type: Perl
rlm_perl: url: https://2fa.example.com/validate/check
rlm_perl: user sent to privacyidea: user1
rlm_perl: realm sent to privacyidea: 
rlm_perl: resolver sent to privacyidea: 
rlm_perl: client sent to privacyidea: 192.168.1.119
rlm_perl: state sent to privacyidea: 
rlm_perl: urlparam client = 192.168.1.119 
rlm_perl: urlparam pass = password1 
rlm_perl: urlparam user = user1 
rlm_perl: Request timeout: 10 
rlm_perl: Content {"jsonrpc": "2.0", "signature": "9218015338844245583945038983354146097677228821207865990352173165520742879467674515020256229772777885710907879312052737867238010397144999501863298525834574527556824334022738334267434950619748190946323852562199984009942541112116587928709587005853375227372114742188190367966398877595169325453076458835822257317544401355990031522274784403303085912177923178326363252640465651194993614428932200318478284033986378611766478781362508160582474595423495194442006458268545203462087983332999420649890448218347793645082484022530252373397995384605485099594933871514133392219789815359986894065624197452252536189055240973332617249384", "detail": {"multi_challenge": [{"attributes": null, "serial": "TOTP0040870B", "transaction_id": "06919129143853937197"}], "threadid": 139839663404800, "attributes": null, "message": "please enter otp: ", "serial": "TOTP0040870B", "transaction_id": "06919129143853937197"}, "versionnumber": "2.23.dev2", "version": "privacyIDEA 2.23.dev2", "result": {"status": true, "value": false}, "time": 1553215170.182349, "id": 1}
rlm_perl: privacyIDEA Result status is true!
rlm_perl: +++ Map: serial -> privacyIDEA-Serial
rlm_perl: return RLM_MODULE_HANDLED
(6) perl: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Async'
(6) perl: &request:Service-Type = $RAD_REQUEST{'Service-Type'} -> 'Authenticate-Only'
(6) perl: &request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> 'x.x.x.x'
(6) perl: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'user1'
(6) perl: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Mar 22 2019 00:39:28 GMT'
(6) perl: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'password1'
(6) perl: &request:Connect-Info = $RAD_REQUEST{'Connect-Info'} -> 'Open AnyConnect VPN Agent v7.08'
(6) perl: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '192.168.1.119'
(6) perl: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '31202'
(6) perl: &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'please enter otp: '
(6) perl: &reply:privacyIDEA-Serial = $RAD_REPLY{'privacyIDEA-Serial'} -> 'TOTP0040870B'
(6) perl: &reply:State = $RAD_REPLY{'State'} -> '06919129143853937197'
(6) perl: &control:LDAP-UserDN = $RAD_CHECK{'LDAP-UserDN'} -> 'CN=Name Surname,OU=Users,DC=example,DC=com'
(6) perl: &control:Response-Packet-Type = $RAD_CHECK{'Response-Packet-Type'} -> 'Access-Challenge'
(6) perl: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
(6)     [perl] = handled
(6)   } # Auth-Type Perl = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6)   Challenge { ... } # empty sub-section is ignored
(6) Sent Access-Challenge Id 56 from 192.168.1.115:1812 to 192.168.1.119:48865 length 0
(6)   Reply-Message = "please enter otp: "
(6)   privacyIDEA-Serial = "TOTP0040870B"
(6)   State = 0x3036393139313239313433383533393337313937
(6) Finished request
Waking up in 4.9 seconds.
(6) Cleaning up request packet ID 56 with timestamp +136
Ready to process requests
(7) Received Access-Request Id 121 from 192.168.1.119:54692 to 192.168.1.115:1812 length 116
(7)   User-Name = "user1"
(7)   User-Password = "828033"
(7)   NAS-IP-Address = 192.168.1.119
(7)   Calling-Station-Id = "x.x.x.x"
(7)   Connect-Info = "Open AnyConnect VPN Agent v7.08"
(7)   Service-Type = Authenticate-Only
(7)   NAS-Port-Type = Async
(7)   NAS-Port = 31202
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7)   authorize {
(7)     policy filter_username {
(7)       if (&User-Name) {
(7)       if (&User-Name)  -> TRUE
(7)       if (&User-Name)  {
(7)         if (&User-Name =~ / /) {
(7)         if (&User-Name =~ / /)  -> FALSE
(7)         if (&User-Name =~ /@[^@]*@/ ) {
(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)         if (&User-Name =~ /\.\./ ) {
(7)         if (&User-Name =~ /\.\./ )  -> FALSE
(7)         if (&User-Name =~ /\.$/)  {
(7)         if (&User-Name =~ /\.$/)   -> FALSE
(7)         if (&User-Name =~ /@\./)  {
(7)         if (&User-Name =~ /@\./)   -> FALSE
(7)       } # if (&User-Name)  = notfound
(7)     } # policy filter_username = notfound
(7)     [preprocess] = ok
(7)     [chap] = noop
(7)     [mschap] = noop
(7)     [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "user1", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)     [suffix] = noop
(7) eap: No EAP-Message, not doing EAP
(7)     [eap] = noop
(7) files: users: Matched entry DEFAULT at line 23
(7)     [files] = ok
rlm_ldap (ldap): Closing connection (9): Hit idle_timeout, was idle for 62 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Reserved connection (3)
(7) ldap: EXPAND (&(|(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})(mail=%{%{Stripped-User-Name}:-%{User-Name}}))(objectClass=person))
(7) ldap:    --> (&(|(sAMAccountname=user1)(mail=user1))(objectClass=person))
(7) ldap: Performing search in "OU=UNIT,DC=example,DC=com" with filter "(&(|(sAMAccountname=user1)(mail=user1))(objectClass=person))", scope "sub"
(7) ldap: Waiting for search result...
(7) ldap: User object found at DN "CN=Name Surname,OU=Users,DC=example,DC=com"
(7) ldap: Processing user attributes
(7) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(7) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (3)
Need 1 more connections to reach min connections (3)
rlm_ldap (ldap): Opening additional connection (11), 1 of 30 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ldap.example.com:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(7)     [ldap] = ok
(7)     [expiration] = noop
(7)     [logintime] = noop
(7) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(7) pap: WARNING: Authentication will fail unless a "known good" password is available
(7)     [pap] = noop
(7)     if ( NAS-IP-Address == "192.168.1.119" ) {
(7)     if ( NAS-IP-Address == "192.168.1.119" )  -> TRUE
(7)     if ( NAS-IP-Address == "192.168.1.119" )  {
(7)       update control {
(7)         Auth-Type := Perl
(7)       } # update control = noop
(7)     } # if ( NAS-IP-Address == "192.168.1.119" )  = noop
(7)   } # authorize = ok
(7) Found Auth-Type = Perl
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7)   Auth-Type Perl {
(7) perl:   $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Mar 22 2019 00:39:41 GMT'
(7) perl:   $RAD_REQUEST{'Connect-Info'} = &request:Connect-Info -> 'Open AnyConnect VPN Agent v7.08'
(7) perl:   $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'user1'
(7) perl:   $RAD_REQUEST{'User-Password'} = &request:User-Password -> '828033'
(7) perl:   $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '192.168.1.119'
(7) perl:   $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '31202'
(7) perl:   $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Authenticate-Only'
(7) perl:   $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> 'x.x.x.x'
(7) perl:   $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Async'
(7) perl:   $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Perl'
(7) perl:   $RAD_CHECK{'LDAP-UserDN'} = &control:LDAP-UserDN -> 'CN=Name Surname,OU=Users,DC=example,DC=com'
(7) perl:   $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Perl'
(7) perl:   $RAD_CONFIG{'LDAP-UserDN'} = &control:LDAP-UserDN -> 'CN=Name Surname,OU=Users,DC=example,DC=com'
rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
rlm_perl: Debugging config: true
rlm_perl: Default URL https://2fa.example.com/validate/check 
rlm_perl: Looking for config for auth-type Perl
rlm_perl: RAD_REQUEST: NAS-Port-Type = Async
rlm_perl: RAD_REQUEST: Service-Type = Authenticate-Only
rlm_perl: RAD_REQUEST: Calling-Station-Id = x.x.x.x
rlm_perl: RAD_REQUEST: User-Name = user1
rlm_perl: RAD_REQUEST: Event-Timestamp = Mar 22 2019 00:39:41 GMT
rlm_perl: RAD_REQUEST: User-Password = 828033
rlm_perl: RAD_REQUEST: Connect-Info = Open AnyConnect VPN Agent v7.08
rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.1.119
rlm_perl: RAD_REQUEST: NAS-Port = 31202
rlm_perl: Auth-Type: Perl
rlm_perl: url: https://2fa.example.com/validate/check
rlm_perl: user sent to privacyidea: user1
rlm_perl: realm sent to privacyidea: 
rlm_perl: resolver sent to privacyidea: 
rlm_perl: client sent to privacyidea: 192.168.1.119
rlm_perl: state sent to privacyidea: 
rlm_perl: urlparam client = 192.168.1.119 
rlm_perl: urlparam pass = 828033 
rlm_perl: urlparam user = user1 
rlm_perl: Request timeout: 10 
rlm_perl: Content {"jsonrpc": "2.0", "signature": "12729578281053959483997013887698580063654987213538027895923253792439488407852922375479344573437659958278099307274733118885913339806939812912997252275250328104555901188868698285509683743706206832971557431515012370841895610869815808354058010889231299085732838601706836871331305361822741568865057208579998330230815033043455781552061660624450790774640447056500571913778717524256327319830748577740971129381761322797175851435946377308004899916009449642076328680733573489584985807026591253659721498169862408988078017261178431440575416556989501292882377030334307218351419336537242610369683394051856354541167582755702646669512", "detail": {"message": "wrong otp pin", "threadid": 139839655012096}, "versionnumber": "2.23.dev2", "version": "privacyIDEA 2.23.dev2", "result": {"status": true, "value": false}, "time": 1553215182.440062, "id": 1}
rlm_perl: privacyIDEA Result status is true!
rlm_perl: privacyIDEA access denied
rlm_perl: return RLM_MODULE_REJECT
(7) perl: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Async'
(7) perl: &request:Service-Type = $RAD_REQUEST{'Service-Type'} -> 'Authenticate-Only'
(7) perl: &request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> 'x.x.x.x'
(7) perl: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'user1'
(7) perl: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Mar 22 2019 00:39:41 GMT'
(7) perl: &request:User-Password = $RAD_REQUEST{'User-Password'} -> '828033'
(7) perl: &request:Connect-Info = $RAD_REQUEST{'Connect-Info'} -> 'Open AnyConnect VPN Agent v7.08'
(7) perl: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '192.168.1.119'
(7) perl: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '31202'
(7) perl: &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'wrong otp pin'
(7) perl: &control:LDAP-UserDN = $RAD_CHECK{'LDAP-UserDN'} -> 'CN=Name Surname,OU=Users,DC=example,DC=com'
(7) perl: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
(7)     [perl] = reject
(7)   } # Auth-Type Perl = reject
(7) Failed to authenticate the user
(7) Login incorrect: [user1] (from client IO.example.com port 31202 cli x.x.x.x)
(7) Using Post-Auth-Type Reject
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7)   Post-Auth-Type REJECT {
(7) attr_filter.access_reject: EXPAND %{User-Name}
(7) attr_filter.access_reject:    --> user1
(7) attr_filter.access_reject: Matched entry DEFAULT at line 11
(7)     [attr_filter.access_reject] = updated
(7)     [eap] = noop
(7)     policy remove_reply_message_if_eap {
(7)       if (&reply:EAP-Message && &reply:Reply-Message) {
(7)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(7)       else {
(7)         [noop] = noop
(7)       } # else = noop
(7)     } # policy remove_reply_message_if_eap = noop
(7)   } # Post-Auth-Type REJECT = updated
(7) Delaying response for 1.000000 seconds
Waking up in 0.9 seconds.
(7) Sending delayed response
(7) Sent Access-Reject Id 121 from 192.168.1.115:1812 to 192.168.1.119:54692 length 35
(7)   Reply-Message = "wrong otp pin"
Waking up in 3.9 seconds.
(7) Cleaning up request packet ID 121 with timestamp +149
Ready to process requests
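
The two-leg exchange the question asks for, as an added example that is not part of the original post and not privacyIDEA or FreeRADIUS code. It models the observable behaviour of /validate/check under the policy above (challenge_response for TOTP, otppin=userstore, so the token PIN is the AD password), the State-to-transaction_id mapping the rlm_perl module performs, and a NAS that either echoes the State attribute back (as RFC 2865 section 5.24 requires) or drops it. The user store, token seed, transaction lifetime and the messages not visible in the logs above ("wrong otp value", "transaction not found", "matching 1 tokens") are assumptions of the model; the serial copies the one in the log.

```python
"""Model of the RADIUS Access-Challenge round trip between a NAS, the
privacyIDEA rlm_perl module and /validate/check. Added example, not
project code; fixtures are constructed and not real credentials."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple

USERSTORE = {"user1": "password1"}                              # otppin=userstore: PIN is the AD password
TOKENS = {"user1": ("TOTP0040870B", b"12345678901234567890")}  # serial, TOTP seed (assumed)
TRANSACTIONS = {}  # transaction_id -> (user, expiry); privacyIDEA keeps these server-side


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and a 30 s step, enough for the model."""
    mac = hmac.new(seed, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def validate_check(user: str, passw: str, transaction_id: Optional[str] = None,
                   now: Optional[int] = None) -> dict:
    """Mimic the result/detail JSON seen in the rlm_perl 'Content' log lines."""
    now = now if now is not None else int(time.time())
    serial, seed = TOKENS[user]
    otp_now = totp(seed, now)
    if transaction_id:
        # Second leg: the PIN was already verified, 'pass' is just the OTP.
        tx = TRANSACTIONS.pop(transaction_id, None)
        if tx is None or tx[0] != user or tx[1] < now:
            return {"result": {"status": True, "value": False},
                    "detail": {"message": "transaction not found"}}
        ok = hmac.compare_digest(passw.encode(), otp_now.encode())
        return {"result": {"status": True, "value": ok},
                "detail": {"message": "matching 1 tokens" if ok else "wrong otp value"}}
    # First leg (no transaction_id): 'pass' is the PIN alone, which opens a
    # challenge, or PIN+OTP concatenated, which authenticates in one go.
    pin = USERSTORE[user]
    if hmac.compare_digest(passw.encode(), pin.encode()):
        tid = str(secrets.randbelow(10 ** 20))          # assumed id format, like the log's 20 digits
        TRANSACTIONS[tid] = (user, now + 120)
        return {"result": {"status": True, "value": False},
                "detail": {"message": "please enter otp: ", "serial": serial, "transaction_id": tid}}
    if passw.startswith(pin) and hmac.compare_digest(passw[len(pin):].encode(), otp_now.encode()):
        return {"result": {"status": True, "value": True}, "detail": {"message": "matching 1 tokens"}}
    return {"result": {"status": True, "value": False}, "detail": {"message": "wrong otp pin"}}


def radius_auth(request: dict, now: Optional[int] = None) -> Tuple[str, dict]:
    """What the rlm_perl module does: State -> transaction_id on the way in,
    transaction_id -> State on the way out, and a packet type from the result."""
    tid = request["State"].decode() if request.get("State") else None
    resp = validate_check(request["User-Name"], request["User-Password"], tid, now)
    detail = resp["detail"]
    if resp["result"]["value"]:
        return "Access-Accept", {}
    if "transaction_id" in detail:
        return "Access-Challenge", {"Reply-Message": detail["message"],
                                    "State": detail["transaction_id"].encode()}
    return "Access-Reject", {"Reply-Message": detail["message"]}


def login(user: str, first_password: str, otp: str, nas_echoes_state: bool,
          now: Optional[int] = None) -> Tuple[str, Optional[str]]:
    """The NAS side of the exchange. Returns (final packet type, Reply-Message)."""
    code, attrs = radius_auth({"User-Name": user, "User-Password": first_password}, now)
    if code != "Access-Challenge":
        return code, attrs.get("Reply-Message")
    second = {"User-Name": user, "User-Password": otp}
    if nas_echoes_state:
        second["State"] = attrs["State"]  # RFC 2865 5.24: MUST be returned unmodified
    code, attrs = radius_auth(second, now)
    return code, attrs.get("Reply-Message")


if __name__ == "__main__":
    t = int(time.time())
    code = totp(TOKENS["user1"][1], t)
    print("State echoed:  ", login("user1", "password1", code, True, t))
    print("State dropped: ", login("user1", "password1", code, False, t))
    print("PIN+OTP in one:", login("user1", "password1" + code, code, True, t))
```

With State dropped, the second Access-Request reaches /validate/check with only "pass=828033" and no transaction_id, so the server treats the bare OTP as a first-leg PIN and answers "wrong otp pin", exactly what request (7) in the log shows; the PIN+OTP form succeeds because it never needs the challenge at all.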

Hi,

welcome to privacyIDEA.

Yes, this should work depending on the transaction_id.
See:

And obviously this works according to your logs:

Kind regards
Cornelius

Yeah, but for some reason it gets rejected unless I specify the actual user password + OTP token code:

rlm_perl: Default URL https://2fa.example.com/validate/check 
rlm_perl: Looking for config for auth-type Perl
rlm_perl: RAD_REQUEST: NAS-Port-Type = Async
rlm_perl: RAD_REQUEST: Service-Type = Authenticate-Only
rlm_perl: RAD_REQUEST: Calling-Station-Id = x.x.x.x
rlm_perl: RAD_REQUEST: User-Name = user1
rlm_perl: RAD_REQUEST: Event-Timestamp = Mar 22 2019 00:39:41 GMT
rlm_perl: RAD_REQUEST: User-Password = 828033
rlm_perl: RAD_REQUEST: Connect-Info = Open AnyConnect VPN Agent v7.08
rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.1.119
rlm_perl: RAD_REQUEST: NAS-Port = 31202
rlm_perl: Auth-Type: Perl
rlm_perl: url: https://2fa.example.com/validate/check
rlm_perl: user sent to privacyidea: user1
rlm_perl: realm sent to privacyidea: 
rlm_perl: resolver sent to privacyidea: 
rlm_perl: client sent to privacyidea: 192.168.1.119
rlm_perl: state sent to privacyidea: 
rlm_perl: urlparam client = 192.168.1.119 
rlm_perl: urlparam pass = 828033 
rlm_perl: urlparam user = user1 
rlm_perl: Request timeout: 10 
rlm_perl: Content {"jsonrpc": "2.0", "signature": "12729578281053959483997013887698580063654987213538027895923253792439488407852922375479344573437659958278099307274733118885913339806939812912997252275250328104555901188868698285509683743706206832971557431515012370841895610869815808354058010889231299085732838601706836871331305361822741568865057208579998330230815033043455781552061660624450790774640447056500571913778717524256327319830748577740971129381761322797175851435946377308004899916009449642076328680733573489584985807026591253659721498169862408988078017261178431440575416556989501292882377030334307218351419336537242610369683394051856354541167582755702646669512", "detail": {"message": "wrong otp pin", "threadid": 139839655012096}, "versionnumber": "2.23.dev2", "version": "privacyIDEA 2.23.dev2", "result": {"status": true, "value": false}, "time": 1553215182.440062, "id": 1}
rlm_perl: privacyIDEA Result status is true!
rlm_perl: privacyIDEA access denied
rlm_perl: return RLM_MODULE_REJECT
(7) perl: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Async'
(7) perl: &request:Service-Type = $RAD_REQUEST{'Service-Type'} -> 'Authenticate-Only'
(7) perl: &request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> 'x.x.x.x'
(7) perl: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'user1'
(7) perl: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Mar 22 2019 00:39:41 GMT'
(7) perl: &request:User-Password = $RAD_REQUEST{'User-Password'} -> '828033'
(7) perl: &request:Connect-Info = $RAD_REQUEST{'Connect-Info'} -> 'Open AnyConnect VPN Agent v7.08'
(7) perl: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '192.168.1.119'
(7) perl: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '31202'
(7) perl: &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'wrong otp pin'
(7) perl: &control:LDAP-UserDN = $RAD_CHECK{'LDAP-UserDN'} -> 'CN=Name Surname,OU=Users,DC=example,DC=com'
(7) perl: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
(7)     [perl] = reject
(7)   } # Auth-Type Perl = reject
(7) Failed to authenticate the user
(7) Login incorrect: [user1] (from client IO.example.com port 31202 cli x.x.x.x)

I’ll try enabling debugging in PrivacyIDEA and see if it shows anything more. Somehow I forgot that there was this option.

It looks as if, in the Access-Request that follows the Access-Challenge, the transaction_id/State is for some reason missing.

The RADIUS client (Open AnyConnect) should handle this.
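
A check for exactly this symptom, as an added example that is not part of the thread and not FreeRADIUS or privacyIDEA code: it reads radiusd -X style debug output, pairs each "(N) Sent Access-Challenge" with the "(N) Received Access-Request" it answers, and flags the next Access-Request from the same NAS and user if the State attribute is missing or altered. The sample log is constructed in the shape of the log in the question, with the State values shortened; the second round for "user2" from 192.168.1.120 is an assumed compliant client for contrast.

```python
"""Detect Access-Challenge rounds whose follow-up Access-Request drops or
alters the State attribute, from FreeRADIUS 'radiusd -X' output.
Added example, not project code; the sample log is constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

RECV = re.compile(r"^\((\d+)\) Received Access-Request Id \d+ from (\S+) to")
SENT = re.compile(r"^\((\d+)\) Sent (Access-\w+) Id \d+ from")
ATTR = re.compile(r"^\((\d+)\)\s+([\w-]+) = (.+)$")

SAMPLE_LOG = """\
(6) Received Access-Request Id 56 from 192.168.1.119:48865 to 192.168.1.115:1812 length 132
(6)   User-Name = "user1"
(6)   User-Password = "password1"
(6)   NAS-IP-Address = 192.168.1.119
(6) Sent Access-Challenge Id 56 from 192.168.1.115:1812 to 192.168.1.119:48865 length 0
(6)   Reply-Message = "please enter otp: "
(6)   State = 0x30363931
(7) Received Access-Request Id 121 from 192.168.1.119:54692 to 192.168.1.115:1812 length 116
(7)   User-Name = "user1"
(7)   User-Password = "828033"
(7)   NAS-IP-Address = 192.168.1.119
(7) Sent Access-Reject Id 121 from 192.168.1.115:1812 to 192.168.1.119:54692 length 35
(7)   Reply-Message = "wrong otp pin"
(8) Received Access-Request Id 9 from 192.168.1.120:40001 to 192.168.1.115:1812 length 132
(8)   User-Name = "user2"
(8)   User-Password = "password2"
(8) Sent Access-Challenge Id 9 from 192.168.1.115:1812 to 192.168.1.120:40001 length 0
(8)   State = 0x31323334
(9) Received Access-Request Id 10 from 192.168.1.120:40002 to 192.168.1.115:1812 length 116
(9)   User-Name = "user2"
(9)   User-Password = "123456"
(9)   State = 0x31323334
(9) Sent Access-Accept Id 10 from 192.168.1.115:1812 to 192.168.1.120:40002 length 20
""".splitlines()


@dataclass
class Packet:
    num: str            # FreeRADIUS request number, the '(6)' prefix in the log
    kind: str           # Access-Request, Access-Challenge, Access-Accept, Access-Reject
    attrs: dict = field(default_factory=dict)


def parse_debug_log(lines) -> List[Packet]:
    """Group the attribute lines that follow each Received/Sent header line."""
    packets, current = [], None
    for line in lines:
        if m := RECV.match(line):
            current = Packet(m.group(1), "Access-Request", {"_nas": m.group(2).split(":")[0]})
            packets.append(current)
        elif m := SENT.match(line):
            current = Packet(m.group(1), m.group(2))
            packets.append(current)
        elif (m := ATTR.match(line)) and current and m.group(1) == current.num:
            current.attrs[m.group(2)] = m.group(3).strip().strip('"')
    return packets


def find_state_drops(packets: List[Packet]) -> List[Tuple[str, str, str, str]]:
    """Return (challenge_num, followup_num, user, problem) for every broken round."""
    requests = {p.num: p for p in packets if p.kind == "Access-Request"}
    pending = {}   # (nas ip, user) -> (challenge request number, State as logged)
    findings = []
    for p in packets:
        if p.kind == "Access-Challenge" and "State" in p.attrs:
            req = requests.get(p.num)   # the reply shares the request number it answers
            if req:
                pending[(req.attrs["_nas"], req.attrs.get("User-Name"))] = (p.num, p.attrs["State"])
        elif p.kind == "Access-Request":
            key = (p.attrs["_nas"], p.attrs.get("User-Name"))
            if key in pending:
                cnum, expected = pending.pop(key)
                got = p.attrs.get("State")
                if got is None:
                    findings.append((cnum, p.num, key[1], "State missing"))
                elif got != expected:
                    findings.append((cnum, p.num, key[1], "State altered"))
    return findings


def check_sample() -> List[Tuple[str, str, str, str]]:
    return find_state_drops(parse_debug_log(SAMPLE_LOG))


if __name__ == "__main__":
    for cnum, rnum, user, problem in check_sample():
        print(f"challenge ({cnum}) -> request ({rnum}) for {user}: {problem}")
```

Run it against a real capture with parse_debug_log(open("radiusd.log")). A "State missing" finding on the second leg is the NAS's fault, not privacyIDEA's: without State the rlm_perl module has no transaction_id to send, so the server sees a fresh first-leg request carrying only the OTP.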

Hi,
Yeah I can see that.
I had a look in the OpenConnect source and it doesn’t support the State attribute.
Thanks for your help @cornelinux.

For anyone still searching for an answer on this question…

The necessary changes have been implemented in OpenConnect server (OpenConnect VPN server), so this now works out of the box.
