Radius 2FA (LDAP + OTP)

Hi,

I am currently looking into privacyIDEA and am trying to configure freeradius to
get 2-factor authentication working. The current configuration makes use of
the rlm_perl module and privacyidea_radius.pm.

The applied policy in privacyIDEA is { "challenge_response": "totp",
"otppin": "userstore" }. My current situation allows me to authenticate the
client in the userstore, as I can see in the debug logs that I receive a
transaction_id. Next the client has to enter the OTP pin, but this request
seems to be wrong, as the transaction_id is missing.
The second request does not differ from the first one; the parameters are
for both client, pass, realm and user, where in the first request the pass
is my actual password and in the second request it is my pin. As far as I
understood from the REST API, the transaction_id must be included in the
second request.

Is there a fix for privacyidea_radius.pm somewhere or did I make a wrong
configuration in freeradius?

Many thanks,
Raoul

Ok, now I understand. Currently I am using a perl script to do some
testing. I should be able to modify this script, but is this kind of
challenge supported by major vendors like Cisco, Fortinet or Palo Alto?

Regards,
Raoul

On Wednesday, September 21, 2016 at 4:10:46 PM UTC+2, Cornelius Kölbel wrote:

Hi,

what radius client is issuing the requests?

You also need the logic in the RADIUS client!
The RADIUS client takes the transaction ID and adds it as state to
the next RADIUS request. If the RADIUS client does not do this, the
RADIUS server cannot know that this is a response to a challenge.
RADIUS is a stateless protocol.

You should not do challenge response, unless you are familiar with the
RADIUS protocol.

Kind regards
Cornelius

Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suits your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups "privacyidea" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/3c8e3f5f-a300-402f-b488-0dec0403b8fe%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel
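
The State round trip Cornelius describes above, as an added example that is not code from the thread or from privacyidea_radius.pm: the server turns the privacyIDEA transaction_id into an opaque RADIUS State attribute, the NAS must echo that State in its second Access-Request, and the server maps it back before calling privacyIDEA again. The privacyIDEA /validate/check call is a stub with a simplified response shape, the credentials and OTP are constructed values, and packets are plain dicts with no network involved.

```python
"""Added example, not code from the thread or from privacyidea_radius.pm.
Models the RADIUS challenge/response round trip: the server turns the
privacyIDEA transaction_id into a RADIUS State attribute, the NAS must echo
that State in its second Access-Request, and the server maps it back before
calling privacyIDEA again. The privacyIDEA /validate/check call is a stub
with a simplified response shape; packets are plain dicts, no network."""
import secrets

# Stand-in for the privacyIDEA userstore and TOTP check (constructed values).
USERSTORE = {"raoul": "password"}
PENDING = {}       # transaction_id -> (user, OTP the stub will accept)


def validate_check(user, password, transaction_id=None):
    """Stub for /validate/check. Without transaction_id the userstore
    password is checked and a challenge with a transaction_id comes back;
    with transaction_id the value is treated as the OTP for that challenge."""
    if transaction_id is None:
        if USERSTORE.get(user) != password:
            return {"value": False}
        tid = secrets.token_hex(8)
        PENDING[tid] = (user, "123456")   # constructed TOTP value for the demo
        return {"value": False, "transaction_id": tid,
                "message": "please enter otp: "}
    pending = PENDING.pop(transaction_id, None)  # single use
    return {"value": pending == (user, password)}


# RADIUS server side: State attribute <-> privacyIDEA transaction_id.
STATE_TABLE = {}   # State bytes -> transaction_id


def radius_server(request):
    """Handle one Access-Request (dict of attributes); return the reply."""
    user, password = request["User-Name"], request["User-Password"]
    state = request.get("State")
    if state is None:
        # First leg: no State, so this is a fresh login with the userstore password.
        res = validate_check(user, password)
        if "transaction_id" not in res:
            return {"Code": "Access-Reject"}
        new_state = secrets.token_bytes(16)          # opaque to the NAS
        STATE_TABLE[new_state] = res["transaction_id"]
        return {"Code": "Access-Challenge", "State": new_state,
                "Reply-Message": res["message"]}
    # Second leg: State identifies the challenge this request answers.
    tid = STATE_TABLE.pop(state, None)               # single use, no replay
    if tid is None:
        return {"Code": "Access-Reject"}             # unknown or stale State
    res = validate_check(user, password, transaction_id=tid)
    return {"Code": "Access-Accept" if res["value"] else "Access-Reject"}


# RADIUS client side (the NAS, or a test script standing in for it).
def nas_login(user, password, otp, copies_state=True):
    """Two-step login. copies_state=False models a client that does not
    echo the State attribute; the server then sees an unrelated first-leg
    request carrying the OTP as password and cannot attach a transaction_id."""
    reply = radius_server({"User-Name": user, "User-Password": password})
    if reply["Code"] != "Access-Challenge":
        return reply["Code"]
    second = {"User-Name": user, "User-Password": otp}
    if copies_state:
        second["State"] = reply["State"]             # the part the client must do
    return radius_server(second)["Code"]


if __name__ == "__main__":
    print("correct client:", nas_login("raoul", "password", "123456"))
    print("client that drops State:",
          nas_login("raoul", "password", "123456", copies_state=False))
```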

As I mentioned earlier, this is standard RADIUS chal/resp.
Kind regards
Cornelius

I started debugging this morning with a VPN server which works fine with
Access-Challenge against an older RADIUS / OTP installation.

The problem seems to be that the RADIUS server does not add the attributes
received from the rlm_perl module:

rlm_perl: return RLM_MODULE_HANDLED
(1) perl : &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'raoul'
(1) perl : &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Sep 22 2016 12:01:57 CEST'
(1) perl : &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'password'
(1) perl : &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '192.168.1.1'
(1) perl : &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'please enter otp: '
(1) perl : &reply:Service-Type = $RAD_REPLY{'Service-Type'} -> 'Administrative-User'
(1) perl : &reply:Class = $RAD_REPLY{'Class'} -> '0x000000000000000000000000000000000000000000000000000000000000000'
(1) perl : &reply:State = $RAD_REPLY{'State'} -> '0000000000000000000'
(1) perl : &control:Response-Packet-Type = $RAD_CHECK{'Response-Packet-Type'} -> 'Access-Challenge'
(1) perl : &control:Ldap-UserDn = $RAD_CHECK{'Ldap-UserDn'} -> 'uid=raoul,ou=users,dc=example,dc=com'
(1) perl : &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
(1) [perl] = handled
(1) } # Auth-Type Perl = handled
(1) Sending Access-Challenge packet to host 192.168.1.1 port 34786, id=196, length=0
(1) Class = 0x000000000000000000000000000000000000000000000000000000000000000
Sending Access-Challenge Id 196 from 192.168.1.1:1812 to 192.168.1.1:34786
Class = 0x000000000000000000000000000000000000000000000000000000000000000
(1) Finished request
Waking up in 4.9 seconds.
(1) Cleaning up request packet ID 196 with timestamp +24
Ready to process requests

You can see that perl sends the Class and State attributes, but only the Class
attribute is submitted. My access_challenge attributes file allows sending
State and Reply-Message:

DEFAULT
	EAP-Message =* ANY,
	State =* ANY,
	Message-Authenticator =* ANY,
	Reply-Message =* ANY,
	Proxy-State =* ANY,
	Session-Timeout =* ANY,
	Idle-Timeout =* ANY

Do you have a hint on how to get this working?

Regards,

Raoul
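
The log and the attrs file in the post above raise the question of which missing attributes the access_challenge filter can actually account for. The script below is an added example (not from the thread, FreeRADIUS or privacyIDEA): it parses a constructed copy of the debug output and of the filter file and classifies every reply attribute rlm_perl set as dropped by the filter, missing although the filter permits it, or sent although the filter does not list it (which means the filter is not applied to that packet at all, so it cannot be the cause).

```python
"""Added example (not code from the thread, FreeRADIUS or privacyIDEA):
audit a FreeRADIUS debug (-X) log to see which reply attributes set by
rlm_perl made it into the outgoing packet, and whether the attr_filter
access_challenge file explains each attribute that did not."""
import re

# Constructed sample: the rlm_perl reply lines and the outgoing packet from
# the thread's log, with wrapped values rejoined and the Class value shortened.
SAMPLE_LOG = """\
rlm_perl: return RLM_MODULE_HANDLED
(1) perl : &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'raoul'
(1) perl : &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'please enter otp: '
(1) perl : &reply:Service-Type = $RAD_REPLY{'Service-Type'} -> 'Administrative-User'
(1) perl : &reply:Class = $RAD_REPLY{'Class'} -> '0x0000000000000000'
(1) perl : &reply:State = $RAD_REPLY{'State'} -> '0000000000000000000'
(1) perl : &control:Response-Packet-Type = $RAD_CHECK{'Response-Packet-Type'} -> 'Access-Challenge'
(1) [perl] = handled
(1) } # Auth-Type Perl = handled
(1) Sending Access-Challenge packet to host 192.168.1.1 port 34786, id=196, length=0
(1)   Class = 0x0000000000000000
Sending Access-Challenge Id 196 from 192.168.1.1:1812 to 192.168.1.1:34786
  Class = 0x0000000000000000
(1) Finished request
"""

# Constructed copy of the access_challenge attrs file quoted in the thread.
SAMPLE_FILTER = """\
DEFAULT
\tEAP-Message =* ANY,
\tState =* ANY,
\tMessage-Authenticator =* ANY,
\tReply-Message =* ANY,
\tProxy-State =* ANY,
\tSession-Timeout =* ANY,
\tIdle-Timeout =* ANY
"""

REPLY_SET = re.compile(r"^\(\d+\)\s+perl : &reply:([\w-]+) = ")
PACKET_START = re.compile(r"^\(\d+\) Sending (Access-\w+) packet ")
PACKET_ATTR = re.compile(r"^\(\d+\)\s+([A-Za-z][\w-]*) = ")
FILTER_RULE = re.compile(r"^\s*([A-Za-z][\w-]*)\s*=\*\s*ANY,?\s*$")


def reply_attrs_set_by_perl(log):
    """Attribute names rlm_perl pushed into the reply list."""
    return {m.group(1) for m in map(REPLY_SET.match, log.splitlines()) if m}


def attrs_in_sent_packet(log):
    """(packet code, attribute names) of the first packet the server sends,
    read from the indented attribute listing that follows the Sending line."""
    lines = log.splitlines()
    for i, line in enumerate(lines):
        m = PACKET_START.match(line)
        if not m:
            continue
        sent = set()
        for following in lines[i + 1:]:
            a = PACKET_ATTR.match(following)
            if not a:
                break              # end of the attribute listing
            sent.add(a.group(1))
        return m.group(1), sent
    return None, set()


def filter_allowed_attrs(attrs_file):
    """Attribute names an attr_filter file passes through (=* ANY rules)."""
    return {m.group(1) for m in map(FILTER_RULE.match, attrs_file.splitlines()) if m}


def audit(log, attrs_file):
    """Classify every attribute rlm_perl set but the packet did not carry."""
    wanted = reply_attrs_set_by_perl(log)
    code, sent = attrs_in_sent_packet(log)
    allowed = filter_allowed_attrs(attrs_file)
    missing = wanted - sent
    return {
        "packet": code,
        "sent": sorted(sent),
        # missing and not permitted: the filter alone would explain these
        "dropped_by_filter": sorted(missing - allowed),
        # missing although permitted: the filter is not the cause, look at the
        # module, the dictionaries or the post-auth section instead
        "missing_despite_filter": sorted(missing & allowed),
        # sent although not permitted: the filter is not applied to this packet
        "sent_despite_filter": sorted(sent - allowed),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG, SAMPLE_FILTER).items():
        print(f"{key:24} {value}")
```

On the thread's log this reports State and Reply-Message as missing despite being permitted, and Class as sent although the filter does not list it, so the attrs file cannot be what is stripping State.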

Oh, that one is not solved. Access-Challenge seems not possible with
privacyIDEA. I will look into other solutions for this at some later point.

On Monday, September 26, 2016 at 12:33:32 PM UTC+2, Cornelius Kölbel wrote:

Oh no.
I meant your initial problem.
Kind regards
Cornelius

On Monday, 26.09.2016, 03:23 -0700, Raoul wrote:

I got the documentation wrong; freeradius does not load all files
from /usr/share/freeradius. I now include
/usr/share/freeradius/dictionary.netknights and the attribute is sent
to the client.

Hi Raoul,

can you please tell what the problem was?

The dictionary file is missing.

Kind regards
Cornelius

On Monday, 26.09.2016, 02:46 -0700, Raoul wrote:

Looks like my authentication is working now, but there is still one
error message printed to the console:
(0) ERROR: perl : Failed to create pair reply:privacyIDEA-Serial = TOTP0000A123

Do you have an idea about this?

I started debugging this morning with a VPN server which acts
fine

in Access-Challenge with an older Radius / OTP installation.

The problem seems that the Radius server does not add the
attributes received from rlm_perl module:

rlm_perl: return RLM_MODULE_HANDLED
(1) perl : &request:User-Name = $RAD_REQUEST{‘User-Name’}
->

‘raoul’
(1) perl : &request:Event-Timestamp = $RAD_REQUEST{‘Event-
Timestamp’} -> ‘Sep 22 2016 12:01:57 CEST’
(1) perl : &request:User-Password = $RAD_REQUEST{‘User-
Password’} -> ‘password’
(1) perl : &request:NAS-IP-Address = $RAD_REQUEST{‘NAS-IP-
Address’} -> ‘192.168.1.1’
(1) perl : &reply:Reply-Message = $RAD_REPLY{‘Reply-
Message’} ->

'please enter otp: '
(1) perl : &reply:Service-Type = $RAD_REPLY{‘Service-Type’}
->

‘Administrative-User’
(1) perl : &reply:Class = $RAD_REPLY{‘Class’} ->

‘0x000000000000000000000000000000000000000000000000000000000000000’

(1) perl : &reply:State = $RAD_REPLY{‘State’} ->
‘0000000000000000000’
(1) perl : &control:Response-Packet-Type =
$RAD_CHECK{'Response-

Packet-Type’} -> ‘Access-Challenge’
(1) perl : &control:Ldap-UserDn = $RAD_CHECK{‘Ldap-UserDn’}
->

‘uid=raoul,ou=users,dc=example,dc=com’
(1) perl : &control:Auth-Type = $RAD_CHECK{‘Auth-Type’} ->
‘Perl’
(1) [perl] = handled
(1) } # Auth-Type Perl = handled
(1) Sending Access-Challenge packet to host 192.168.1.1 port
34786, id=196, length=0
(1) Class =

0x000000000000000000000000000000000000000000000000000000000000000

Sending Access-Challenge Id 196 from 192.168.1.1:1812 to
192.168.1.1:34786
Class =

0x000000000000000000000000000000000000000000000000000000000000000

(1) Finished request
Waking up in 4.9 seconds.
(1) Cleaning up request packet ID 196 with timestamp +24
Ready to process requests

You can see that perl sends Class and State attributes, but
only

Class attribute is submitted. My access_challenge attributes
file

allows to send State and Reply-Message:

DEFAULT
EAP-Message =* ANY,
State =* ANY,
Message-Authenticator =* ANY,
Reply-Message =* ANY,
Proxy-State =* ANY,
Session-Timeout =* ANY,
Idle-Timeout =* ANY

Do you have a hint on how to get this working?

Regards,
Raoul

As I mentioned earlier, this is standard RADIUS chal/resp.
Kind regards
Cornelius

Am Mittwoch, den 21.09.2016, 07:25 -0700 schrieb Raoul:

Ok, now I understand. Currently I am using a perl script to
do

some

testing. I should be able to modify this script, but is
this

kind of

challenge supported by major vendors like Cisco, Fortinet
or

Palo

Alto?

Regards,
Raoul

Hi,

what radius client is issuing the requests?

You also need the logic in the RADIUS client!
As the RADIUS client takes the transaction ID and adds
this

as

state to
the next RADIUS request. If the RADIUS client does not
do

this,

the
RADIUS server can not know, that this is a response to
a

challenge.
RADIUS is a stateless protocol.

You should not do challenge response, unless you are
familiar

with

the
RADIUS protocol.

Kind regards
Cornelius

Am Mittwoch, den 21.09.2016, 06:36 -0700 schrieb
Raoul:

Hi,

I am currently looking into privacyIDEA and try to
configure

freeradius to get 2 factor authentication working. The
current

configuration makes use of the rlm_perl module and
privacyidea_radius.pm

The applied policy in privacyIDEA is {
“challenge_response”:

“totp”,

“otppin”: “userstore” }. My current situation allows
me

to

authenticate the client in the userstore as I can see
in

the

debug

logs that I receive a transaction_id. Next the client
has

to

enter

the OTP pin, but this request seems to be wrong, as
the

transaction_id is missing.
The second request does not differ from the first one,
the

parameters

are for both client, pass, realm and user where in the
first

request

the pass is my actual password and in the second
request it

is

my

pin. As what I understood from the REST API the
transaction_id

must

be included in the second request.

Is there a fix for privacyidea_radius.pm somewhere or
did I

made

a

wrong configuration in freeradius?

Many thanks,
Raoul


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding
two

factor

authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE
LEVEL

AGREEMENT

which suites your needs for SECURITY, AVAILABILITY
and

LIABILITY:

https://netknights.it/en/leistungen/service-level-agree
ment

s/


You received this message because you are subscribed
to

the

Google

Groups “privacyidea” group.
To unsubscribe from this group and stop receiving
emails

from

it,

send an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva…@googlegro
ups.

com.

Visit this group at https://groups.google.com/group/pri
vacy

idea.

To view this discussion on the web visit https://groups
.goo

gle.co

m/d/

msgid/privacyidea/3c8e3f5f-a300-402f-b488-
0dec0403b8fe%40googlegroups.com.
For more options, visit https://groups.google.com/d/opt
out.


Cornelius Kölbel
corneliu...@netknights.it <javascript:>
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

Hi Raoul,

can you please tell, what the problem was?

The dictionary file is missing.

Kind regards
CorneliusAm Montag, den 26.09.2016, 02:46 -0700 schrieb Raoul:

Looks like my authentication is working now, but there is still one
error message printed to the console:
(0) ERROR: perl : Failed to create pair reply:privacyIDEA-Serial =
TOTP0000A123

Do you have an idea about this?

I started debugging this morning with a VPN server which acts fine
in Access-Challenge with an older Radius / OTP installation.

The problem seems that the Radius server does not add the
attributes received from rlm_perl module:

rlm_perl: return RLM_MODULE_HANDLED
(1) perl : &request:User-Name = $RAD_REQUEST{‘User-Name’} ->
‘raoul’
(1) perl : &request:Event-Timestamp = $RAD_REQUEST{‘Event-
Timestamp’} -> ‘Sep 22 2016 12:01:57 CEST’
(1) perl : &request:User-Password = $RAD_REQUEST{‘User-
Password’} -> ‘password’
(1) perl : &request:NAS-IP-Address = $RAD_REQUEST{‘NAS-IP-
Address’} -> ‘192.168.1.1’
(1) perl : &reply:Reply-Message = $RAD_REPLY{‘Reply-Message’} ->
'please enter otp: ’
(1) perl : &reply:Service-Type = $RAD_REPLY{‘Service-Type’} ->
‘Administrative-User’
(1) perl : &reply:Class = $RAD_REPLY{‘Class’} ->
‘0x000000000000000000000000000000000000000000000000000000000000000’
(1) perl : &reply:State = $RAD_REPLY{‘State’} ->
‘0000000000000000000’
(1) perl : &control:Response-Packet-Type = $RAD_CHECK{‘Response-
Packet-Type’} -> ‘Access-Challenge’
(1) perl : &control:Ldap-UserDn = $RAD_CHECK{‘Ldap-UserDn’} ->
‘uid=raoul,ou=users,dc=example,dc=com’
(1) perl : &control:Auth-Type = $RAD_CHECK{‘Auth-Type’} ->
‘Perl’
(1) [perl] = handled
(1) } # Auth-Type Perl = handled
(1) Sending Access-Challenge packet to host 192.168.1.1 port
34786, id=196, length=0
(1) Class =
0x000000000000000000000000000000000000000000000000000000000000000
Sending Access-Challenge Id 196 from 192.168.1.1:1812 to
192.168.1.1:34786
Class =
0x000000000000000000000000000000000000000000000000000000000000000
(1) Finished request
Waking up in 4.9 seconds.
(1) Cleaning up request packet ID 196 with timestamp +24
Ready to process requests

You can see that perl sends Class and State attributes, but only
Class attribute is submitted. My access_challenge attributes file
allows to send State and Reply-Message:

DEFAULT
EAP-Message =* ANY,
State =* ANY,
Message-Authenticator =* ANY,
Reply-Message =* ANY,
Proxy-State =* ANY,
Session-Timeout =* ANY,
Idle-Timeout =* ANY

Do you have a hint on how to get this working?

Regards,
Raoul

As I mentioned earlier, this is standard RADIUS chal/resp.
Kind regards
Cornelius

Am Mittwoch, den 21.09.2016, 07:25 -0700 schrieb Raoul:

Ok, now I understand. Currently I am using a perl script to do
some
testing. I should be able to modify this script, but is this
kind of
challenge supported by major vendors like Cisco, Fortinet or
Palo
Alto?

Regards,
Raoul

Hi,

what radius client is issuing the requests?

You also need the logic in the RADIUS client!
As the RADIUS client takes the transaction ID and adds this
as

state to
the next RADIUS request. If the RADIUS client does not do
this,

the
RADIUS server can not know, that this is a response to a
challenge.
RADIUS is a stateless protocol.

You should not do challenge response, unless you are familiar
with

the
RADIUS protocol.

Kind regards
Cornelius

Am Mittwoch, den 21.09.2016, 06:36 -0700 schrieb Raoul:

Hi,

I am currently looking into privacyIDEA and try to
configure

freeradius to get 2 factor authentication working. The
current

configuration makes use of the rlm_perl module and
privacyidea_radius.pm

The applied policy in privacyIDEA is {
“challenge_response”:

“totp”,

“otppin”: “userstore” }. My current situation allows me
to

authenticate the client in the userstore as I can see in
the

debug

logs that I receive a transaction_id. Next the client has
to

enter

the OTP pin, but this request seems to be wrong, as the
transaction_id is missing.
The second request does not differ from the first one, the
parameters
are for both client, pass, realm and user where in the
first

request

the pass is my actual password and in the second request it
is

my

pin. As what I understood from the REST API the
transaction_id

must

be included in the second request.

Is there a fix for privacyidea_radius.pm somewhere or did I
made

a

wrong configuration in freeradius?

Many thanks,
Raoul


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two
factor

authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE
LEVEL

AGREEMENT

which suites your needs for SECURITY, AVAILABILITY and
LIABILITY:
https://netknights.it/en/leistungen/service-level-agreement
s/


You received this message because you are subscribed to
the

Google

Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails
from

it,

send an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva…@googlegroups.
com.

Visit this group at https://groups.google.com/group/privacy
idea.

To view this discussion on the web visit https://groups.goo
gle.co

m/d/

msgid/privacyidea/3c8e3f5f-a300-402f-b488-
0dec0403b8fe%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (819 Bytes)

Oh no.
I ment your initial problem.
Kind regards
CorneliusAm Montag, den 26.09.2016, 03:23 -0700 schrieb Raoul:

I got the documentation wrong, freeradius does not load all files
from /usr/share/freeradius. I include now
/usr/share/freeradius/dictionary.netknights and the attribute is sent
to the client.

Hi Raoul,

can you please tell, what the problem was?

The dictionary file is missing.

Kind regards
Cornelius

Am Montag, den 26.09.2016, 02:46 -0700 schrieb Raoul:

Looks like my authentication is working now, but there is still
one
error message printed to the console:
(0) ERROR: perl : Failed to create pair reply:privacyIDEA-Serial
=
TOTP0000A123

Do you have an idea about this?

I started debugging this morning with a VPN server which acts
fine

in Access-Challenge with an older Radius / OTP installation.

The problem seems that the Radius server does not add the
attributes received from rlm_perl module:

rlm_perl: return RLM_MODULE_HANDLED
(1) perl : &request:User-Name = $RAD_REQUEST{‘User-Name’}
->

‘raoul’
(1) perl : &request:Event-Timestamp = $RAD_REQUEST{‘Event-
Timestamp’} -> ‘Sep 22 2016 12:01:57 CEST’
(1) perl : &request:User-Password = $RAD_REQUEST{‘User-
Password’} -> ‘password’
(1) perl : &request:NAS-IP-Address = $RAD_REQUEST{‘NAS-IP-
Address’} -> ‘192.168.1.1’
(1) perl : &reply:Reply-Message = $RAD_REPLY{‘Reply-
Message’} ->

'please enter otp: ’
(1) perl : &reply:Service-Type = $RAD_REPLY{‘Service-Type’}
->

‘Administrative-User’
(1) perl : &reply:Class = $RAD_REPLY{‘Class’} ->

‘0x000000000000000000000000000000000000000000000000000000000000000’

(1) perl : &reply:State = $RAD_REPLY{‘State’} ->
‘0000000000000000000’
(1) perl : &control:Response-Packet-Type =
$RAD_CHECK{'Response-

Packet-Type’} -> ‘Access-Challenge’
(1) perl : &control:Ldap-UserDn = $RAD_CHECK{‘Ldap-UserDn’}
->

‘uid=raoul,ou=users,dc=example,dc=com’
(1) perl : &control:Auth-Type = $RAD_CHECK{‘Auth-Type’} ->
‘Perl’
(1) [perl] = handled
(1) } # Auth-Type Perl = handled
(1) Sending Access-Challenge packet to host 192.168.1.1 port
34786, id=196, length=0
(1) Class =

0x000000000000000000000000000000000000000000000000000000000000000

Sending Access-Challenge Id 196 from 192.168.1.1:1812 to
192.168.1.1:34786
Class =

0x000000000000000000000000000000000000000000000000000000000000000

(1) Finished request
Waking up in 4.9 seconds.
(1) Cleaning up request packet ID 196 with timestamp +24
Ready to process requests

You can see that perl sends Class and State attributes, but
only

Class attribute is submitted. My access_challenge attributes
file

allows to send State and Reply-Message:

DEFAULT
EAP-Message =* ANY,
State =* ANY,
Message-Authenticator =* ANY,
Reply-Message =* ANY,
Proxy-State =* ANY,
Session-Timeout =* ANY,
Idle-Timeout =* ANY

Do you have a hint on how to get this working?

Regards,
Raoul

As I mentioned earlier, this is standard RADIUS chal/resp.
Kind regards
Cornelius

Am Mittwoch, den 21.09.2016, 07:25 -0700 schrieb Raoul:

Ok, now I understand. Currently I am using a perl script to
do

some

testing. I should be able to modify this script, but is
this

kind of

challenge supported by major vendors like Cisco, Fortinet
or

Palo

Alto?

Regards,
Raoul

Hi,

what radius client is issuing the requests?

You also need the logic in the RADIUS client!
As the RADIUS client takes the transaction ID and adds
this

as

state to
the next RADIUS request. If the RADIUS client does not
do

this,

the
RADIUS server can not know, that this is a response to
a

challenge.
RADIUS is a stateless protocol.

You should not do challenge response, unless you are
familiar

with

the
RADIUS protocol.

Kind regards
Cornelius

Am Mittwoch, den 21.09.2016, 06:36 -0700 schrieb
Raoul:

Hi,

I am currently looking into privacyIDEA and try to
configure

freeradius to get 2 factor authentication working. The
current

configuration makes use of the rlm_perl module and
privacyidea_radius.pm

The applied policy in privacyIDEA is {
“challenge_response”:

“totp”,

“otppin”: “userstore” }. My current situation allows
me

to

authenticate the client in the userstore as I can see
in

the

debug

logs that I receive a transaction_id. Next the client
has

to

enter

the OTP pin, but this request seems to be wrong, as
the

transaction_id is missing.
The second request does not differ from the first one,
the

parameters

are for both client, pass, realm and user where in the
first

request

the pass is my actual password and in the second
request it

is

my

pin. As what I understood from the REST API the
transaction_id

must

be included in the second request.

Is there a fix for privacyidea_radius.pm somewhere or
did I

made

a

wrong configuration in freeradius?

Many thanks,
Raoul


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suits your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups "privacyidea" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/3c8e3f5f-a300-402f-b488-0dec0403b8fe%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


Looks like my authentication is working now, but there is still one error
message printed to the console:

(0) ERROR: perl : Failed to create pair reply:privacyIDEA-Serial = TOTP0000A123

Do you have an idea about this?

On Thursday, September 22, 2016 at 12:11:59 PM UTC+2, Raoul wrote:

I started debugging this morning with a VPN server which handles
Access-Challenge fine with an older RADIUS / OTP installation.

The problem seems to be that the RADIUS server does not add the attributes
received from the rlm_perl module:

rlm_perl: return RLM_MODULE_HANDLED
(1) perl : &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'raoul'
(1) perl : &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Sep 22 2016 12:01:57 CEST'
(1) perl : &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'password'
(1) perl : &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '192.168.1.1'
(1) perl : &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'please enter otp: '
(1) perl : &reply:Service-Type = $RAD_REPLY{'Service-Type'} -> 'Administrative-User'
(1) perl : &reply:Class = $RAD_REPLY{'Class'} -> '0x000000000000000000000000000000000000000000000000000000000000000'
(1) perl : &reply:State = $RAD_REPLY{'State'} -> '0000000000000000000'
(1) perl : &control:Response-Packet-Type = $RAD_CHECK{'Response-Packet-Type'} -> 'Access-Challenge'
(1) perl : &control:Ldap-UserDn = $RAD_CHECK{'Ldap-UserDn'} -> 'uid=raoul,ou=users,dc=example,dc=com'
(1) perl : &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
(1) [perl] = handled
(1) } # Auth-Type Perl = handled
(1) Sending Access-Challenge packet to host 192.168.1.1 port 34786, id=196, length=0
(1) Class = 0x000000000000000000000000000000000000000000000000000000000000000
Sending Access-Challenge Id 196 from 192.168.1.1:1812 to 192.168.1.1:34786
Class = 0x000000000000000000000000000000000000000000000000000000000000000
(1) Finished request
Waking up in 4.9 seconds.
(1) Cleaning up request packet ID 196 with timestamp +24
Ready to process requests

You can see that perl sends the Class and State attributes, but only the
Class attribute is submitted. My access_challenge attributes file allows
sending State and Reply-Message:

DEFAULT
	EAP-Message =* ANY,
	State =* ANY,
	Message-Authenticator =* ANY,
	Reply-Message =* ANY,
	Proxy-State =* ANY,
	Session-Timeout =* ANY,
	Idle-Timeout =* ANY

Do you have a hint on how to get this working?

Regards,

Raoul

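The exchange this thread is about, as an added example that is neither code from the thread nor from privacyidea_radius.pm: a Python model of both sides of RADIUS challenge/response, with a constructed stub standing in for privacyIDEA's /validate/check. It assumes the transaction_id travels verbatim in the State attribute; running the NAS once with and once without echoing State back reproduces the symptom from the first post (a second request with no transaction_id).

```python
# Added example, not code from the thread or from privacyidea_radius.pm.
# RADIUS is stateless: the only link between the two Access-Requests is the
# State attribute the NAS must copy from the Access-Challenge into its next
# request. The privacyIDEA backend below is a constructed stub of
# /validate/check; carrying transaction_id verbatim in State is an assumption.
import secrets

USERSTORE = {"raoul": "password"}   # constructed first factor (otppin=userstore)
VALID_OTP = {"raoul": "123456"}     # constructed TOTP value for the demo
_open_transactions = {}             # privacyIDEA-side state: transaction_id -> user


def validate_check(user, password, transaction_id=None):
    """Stub of privacyIDEA /validate/check with challenge_response=totp."""
    if transaction_id is None:
        # First step: the PIN is the userstore password; success opens a challenge.
        if USERSTORE.get(user) != password:
            return {"value": False}
        tid = secrets.token_hex(8)
        _open_transactions[tid] = user
        return {"value": False, "transaction_id": tid, "message": "please enter otp: "}
    # Second step: the OTP must answer an open transaction of this user.
    # pop() consumes the transaction, so a State value cannot be replayed.
    if _open_transactions.pop(transaction_id, None) != user:
        return {"value": False}
    return {"value": VALID_OTP.get(user) == password}


def handle_access_request(req):
    """Server side: what the rlm_perl module does with one Access-Request."""
    user, password = req["User-Name"], req["User-Password"]
    # State, if present, is the transaction_id echoed back by the NAS.
    tid = req["State"].decode() if "State" in req else None
    result = validate_check(user, password, tid)
    if result.get("transaction_id"):
        # Answer with Access-Challenge; State carries the transaction_id and
        # Reply-Message the prompt, as in the debug log above.
        return {"Code": "Access-Challenge",
                "State": result["transaction_id"].encode(),
                "Reply-Message": result["message"]}
    return {"Code": "Access-Accept" if result["value"] else "Access-Reject"}


def nas_login(user, password, otp, echo_state=True):
    """Client side: a NAS that understands Access-Challenge, or with
    echo_state=False one that ignores it. Returns the final packet code."""
    reply = handle_access_request({"User-Name": user, "User-Password": password})
    if reply["Code"] != "Access-Challenge":
        return reply["Code"]
    second = {"User-Name": user, "User-Password": otp}
    if echo_state:
        second["State"] = reply["State"]  # the step a naive test script misses
    return handle_access_request(second)["Code"]
```

Without the echoed State the server sees the OTP as a fresh first-factor attempt against the userstore and rejects it, which is exactly why the second request in the first post looked identical to the first one.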

I got the documentation wrong, freeradius does not load all files from
/usr/share/freeradius. I include now
/usr/share/freeradius/dictionary.netknights and the attribute is sent to
the client.

On Monday, September 26, 2016 at 12:08:50 PM UTC+2, Cornelius Kölbel wrote:

Hi Raoul,

can you please tell, what the problem was?

The dictionary file is missing.

Kind regards
Cornelius


Putting back online my test server with privacyIdea and upgraded to 2.17
solved the issue with access-challenge / response.

On Monday, September 26, 2016 at 2:57:04 PM UTC+2, Raoul wrote:

Oh, that one is not solved. Access-Challenge seems not possible with
privacyidea. I will look into other solutions for this at some later point.

On Monday, September 26, 2016 at 12:33:32 PM UTC+2, Cornelius Kölbel wrote:

Oh no.
I meant your initial problem.
Kind regards
Cornelius
