I started debugging this morning with a VPN server which handles Access-Challenge fine with an older RADIUS / OTP installation.
The problem seems to be that the RADIUS server does not add the attributes received from the rlm_perl module:
rlm_perl: return RLM_MODULE_HANDLED
(1) perl : &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'raoul'
(1) perl : &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Sep 22 2016 12:01:57 CEST'
(1) perl : &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'password'
(1) perl : &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '192.168.1.1'
(1) perl : &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'please enter otp: '
(1) perl : &reply:Service-Type = $RAD_REPLY{'Service-Type'} -> 'Administrative-User'
(1) perl : &reply:Class = $RAD_REPLY{'Class'} -> '0x000000000000000000000000000000000000000000000000000000000000000'
(1) perl : &reply:State = $RAD_REPLY{'State'} -> '0000000000000000000'
(1) perl : &control:Response-Packet-Type = $RAD_CHECK{'Response-Packet-Type'} -> 'Access-Challenge'
(1) perl : &control:Ldap-UserDn = $RAD_CHECK{'Ldap-UserDn'} -> 'uid=raoul,ou=users,dc=example,dc=com'
(1) perl : &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
(1) [perl] = handled
(1) } # Auth-Type Perl = handled
(1) Sending Access-Challenge packet to host 192.168.1.1 port 34786, id=196, length=0
(1) Class = 0x000000000000000000000000000000000000000000000000000000000000000
Sending Access-Challenge Id 196 from 192.168.1.1:1812 to 192.168.1.1:34786
Class = 0x000000000000000000000000000000000000000000000000000000000000000
(1) Finished request
Waking up in 4.9 seconds.
(1) Cleaning up request packet ID 196 with timestamp +24
Ready to process requests
You can see that perl sets the Class and State attributes, but only the Class attribute is sent. My access_challenge attributes file allows sending State and Reply-Message:
DEFAULT
EAP-Message =* ANY,
State =* ANY,
Message-Authenticator =* ANY,
Reply-Message =* ANY,
Proxy-State =* ANY,
Session-Timeout =* ANY,
Idle-Timeout =* ANY
Do you have a hint on how to get this working?
Regards,
Raoul

On Wednesday, September 21, 2016 at 4:39:55 PM UTC+2, Cornelius Kölbel wrote:
As I mentioned earlier, this is standard RADIUS chal/resp.
Kind regards
Cornelius
On Wednesday, 21.09.2016, 07:25 -0700, Raoul wrote:
Ok, now I understand. Currently I am using a perl script to do some testing. I should be able to modify this script, but is this kind of challenge supported by major vendors like Cisco, Fortinet or Palo Alto?
Regards,
Raoul
Hi,
what radius client is issuing the requests?
You also need the logic in the RADIUS client!
As the RADIUS client takes the transaction ID and adds this as state to the next RADIUS request. If the RADIUS client does not do this, the RADIUS server cannot know that this is a response to a challenge.
RADIUS is a stateless protocol.
You should not do challenge response unless you are familiar with the RADIUS protocol.
Kind regards
Cornelius
On Wednesday, 21.09.2016, 06:36 -0700, Raoul wrote:
Hi,
I am currently looking into privacyIDEA and am trying to configure freeradius to get 2 factor authentication working. The current configuration makes use of the rlm_perl module and privacyidea_radius.pm.
The applied policy in privacyIDEA is { "challenge_response": "totp", "otppin": "userstore" }. My current situation allows me to authenticate the client in the userstore, as I can see in the debug logs that I receive a transaction_id. Next the client has to enter the OTP pin, but this request seems to be wrong, as the transaction_id is missing.
The second request does not differ from the first one; the parameters are for both client, pass, realm and user, where in the first request the pass is my actual password and in the second request it is my pin. As far as I understood from the REST API, the transaction_id must be included in the second request.
Is there a fix for privacyidea_radius.pm somewhere or did I make a wrong configuration in freeradius?
Many thanks,
Raoul
--
Please read the blog post about getting help: Getting help - privacyID3A.
For professional services and consultancy regarding two factor authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - Verschlüsselung
In an enterprise environment you should get a SERVICE LEVEL AGREEMENT which suits your needs for SECURITY, AVAILABILITY and LIABILITY: privacyIDEA Support Level
--
Cornelius Kölbel
corneliu…@netknights.it
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
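For readers of this thread, an added example (not code from privacyIDEA, FreeRADIUS, or any poster here) that walks through the Access-Request / Access-Challenge / Access-Request exchange Cornelius describes. Both sides are simulated in one Python process: the server keeps open challenges keyed on the State attribute it issued, and the client either echoes State in its second request (works) or drops it, which reproduces the failure mode in the thread, where the server sees the OTP as a fresh first-leg password. Packet layout, User-Password hiding and the Response Authenticator follow RFC 2865. The shared secret `testing123`, user `raoul`, PIN `password` and OTP `123456` are constructed values, not anything from the thread's setup.

```python
"""RADIUS challenge/response (RFC 2865) simulated in-process. Added example, not
code from privacyIDEA, FreeRADIUS or this thread; shared secret, user database and
OTP are constructed. It shows why the NAS must echo State from the Access-Challenge
in its second Access-Request: State is the only link between OTP and challenge."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE, STATE = 1, 2, 4, 18, 24
SECRET = b"testing123"                           # constructed shared secret
USERS = {"raoul": (b"password", b"123456")}      # constructed: name -> (PIN, current OTP)

def encode(code, ident, authenticator, attrs):
    """Header (code, id, length, 16-byte authenticator) followed by attribute TLVs."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, i = [], 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[i + 2:i + l]))
        i += l
    return code, ident, pkt[4:20], attrs

def attr(attrs, t):
    return next((v for k, v in attrs if k == t), None)

def hide_password(password, request_auth):
    """RFC 2865 5.2: c(i) = p(i) XOR MD5(secret + c(i-1)), c(0) = Request Authenticator."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(SECRET + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(SECRET + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")

def reply(code, ident, request_auth, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    pkt = encode(code, ident, request_auth, attrs)
    return pkt[:4] + hashlib.md5(pkt[:4] + request_auth + pkt[20:] + SECRET).digest() + pkt[20:]

def recv_reply(pkt, request_auth):
    """NAS side: reject a reply whose Response Authenticator does not verify."""
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + SECRET).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        raise ValueError("response authenticator mismatch")
    return decode(pkt)

class Server:
    """The protocol is stateless; the server keeps open challenges keyed by State."""
    def __init__(self):
        self.pending = {}                        # State bytes -> user name

    def handle(self, pkt):
        code, ident, req_auth, attrs = decode(pkt)
        name, hidden, state = attr(attrs, USER_NAME), attr(attrs, USER_PASSWORD), attr(attrs, STATE)
        if code != ACCESS_REQUEST or name is None or hidden is None:
            return reply(ACCESS_REJECT, ident, req_auth, [])
        user, secret_in = name.decode(), reveal_password(hidden, req_auth)
        if state is None:                        # first leg: static PIN / password
            if user not in USERS or not hmac.compare_digest(USERS[user][0], secret_in):
                return reply(ACCESS_REJECT, ident, req_auth, [])
            state = os.urandom(16)               # opaque to the NAS, which must echo it back
            self.pending[state] = user
            return reply(ACCESS_CHALLENGE, ident, req_auth,
                         [(STATE, state), (REPLY_MESSAGE, b"please enter otp: ")])
        # second leg: State alone tells us this is the answer to an open challenge (single use)
        if self.pending.pop(state, None) == user and hmac.compare_digest(USERS[user][1], secret_in):
            return reply(ACCESS_ACCEPT, ident, req_auth, [])
        return reply(ACCESS_REJECT, ident, req_auth, [])

def authenticate(server, user, password, otp, echo_state=True):
    """NAS logic for both legs. echo_state=False reproduces the broken client from the
    thread: the OTP goes out without State, so the server checks it as a fresh first leg."""
    auth1 = os.urandom(16)
    first = [(USER_NAME, user.encode()), (USER_PASSWORD, hide_password(password.encode(), auth1)),
             (NAS_IP_ADDRESS, bytes([192, 168, 1, 1]))]
    code, _, _, attrs = recv_reply(server.handle(encode(ACCESS_REQUEST, 1, auth1, first)), auth1)
    if code != ACCESS_CHALLENGE:
        return code
    auth2 = os.urandom(16)
    second = [(USER_NAME, user.encode()), (USER_PASSWORD, hide_password(otp.encode(), auth2))]
    if echo_state:
        second.append((STATE, attr(attrs, STATE)))   # RFC 2865 5.24: State goes back unmodified
    return recv_reply(server.handle(encode(ACCESS_REQUEST, 2, auth2, second)), auth2)[0]
```

`authenticate(Server(), "raoul", "password", "123456")` returns ACCESS_ACCEPT; the same call with `echo_state=False` returns ACCESS_REJECT, because without State the server has no way to tell the OTP request from a new login and compares the OTP against the PIN. A State value is removed from `pending` on first use, so replaying the second request is rejected as well.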