On 31.1.2022 14.40, Sagar Malam wrote:
I am trying to implement 2FA using LDAP2 and TOTP but i am facing issue
with *ConsumePassword *. I am using ":" to separate LDAP password and
TOTP but when Auth by LDAP receives the password ( PASS:TOTP PIN) , it
consume both parts of the password and hence LDAP auth fails.
Thanks for reporting this. It seems ConsumePassword does not currently
work as expected with ServerChecksPassword within AuthBy LDAP2. Briefly:
because the User-Password attribute is not compared against a value from
LDAP, it doesn't play well with ConsumePassword.
However, there's a possibility to do this with different steps. This is
how it was already possible before ConsumePassword helper.
I recommend also adding 'NoDefault' flag within AuthBy LDAP2 to suppress
DEFAULT user lookup. 'EncryptedPasswordAttr unicodePwd' should also be
removed because that LDAP attribute is write-only in AD.
<Handler>
AuthByPolicy ContinueWhileAccept
<AuthBy INTERNAL>
DefaultResult ACCEPT
AuthHook sub { my $p = $_[0]; \
my @parts = split(m/:/s, $p->decodedPassword(), 2);\
$p->{DecodedPassword} = $parts[0]; \
return ($main::ACCEPT);}
</AuthBy>
<AuthBy LDAP2>
# No need for ConsumePassword
</AuthBy>
# Decrypt User-Password again and use the 2nd part
<AuthBy INTERNAL>
DefaultResult ACCEPT
AuthHook sub { my $p = $_[0]; $p->{DecodedPassword} = undef; \
my @parts = split(m/:/s, $p->decodedPassword(), 2);\
$p->{DecodedPassword} = $parts[1]; \
return ($main::ACCEPT);}
</AuthBy>
<AuthBy SQLTOTP>
# No changes here
</AuthBY>
</Handler>
Please let us know how it goes.
Thanks,
Heikki
I am testing it using radpwtst like this :
[root@radiator goodies]# /opt/radiator/radiator/radpwtst -noacct -user
mike -password password:123344
sending Access-Request
Rejected: Request Denied
CFG :
<Handler>
AuthByPolicy ContinueWhileAccept
<AuthBy LDAP2>
ConsumePassword :
Host 192.168.0.45
AuthDN DC=com
AuthPassword XXXXXXX
BaseDN DC=com
ServerChecksPassword
EncryptedPasswordAttr unicodePwd
UsernameAttr sAMAccountName
ConsumePassword :
</AuthBy>
<AuthBy SQLTOTP>
DBSource dbi:mysql:radius
DBUsername mike
DBAuth test
AuthSelect select secret, active, pin, digits, bad_logins,
unix_timestamp(accessed), last_timestep, algorithm, timestep,
timestep_origin from totpkeys where username=?
AuthSelectParam %0
UpdateQuery update totpkeys set accessed=now(), bad_logins=?,
last_timestep=? where username=?
UpdateQueryParam %0
UpdateQueryParam %2
UpdateQueryParam %1
</AuthBy>
</Handler>
==================================
LOGS :
ccd9afa0 Mon Jan 31 07:25:29 2022 257280: DEBUG: AuthBy LDAP2 result:
REJECT, Bad Encrypted password
ccd9afa0 Mon Jan 31 07:25:29 2022 257662: INFO: Access rejected for
mike: Bad Encrypted password
ccd9afa0 Mon Jan 31 07:25:29 2022 258306: DEBUG: Packet dump:
ccd9afa0 *** Sending to 127.0.0.1 port 56705 ....
ccd9afa0 Code: Access-Reject
ccd9afa0 Identifier: 178
ccd9afa0 Authentic:
<173><187><218><177><232><218><9>Rj<235>f<202><165><204><190>'
ccd9afa0 Attributes:
ccd9afa0 Reply-Message = "Request Denied"
326fc0b0 Mon Jan 31 07:26:28 2022 066537: DEBUG: Packet dump:
326fc0b0 *** Received from 127.0.0.1 port 35953 ....
326fc0b0 Code: Access-Request
326fc0b0 Identifier: 131
326fc0b0 Authentic:
<8><237><192><14><185><143>]G<152><155><207><171>p<162>a<10>
326fc0b0 Attributes:
326fc0b0 User-Name = "mike"
326fc0b0 Service-Type = Framed-User
326fc0b0 NAS-IP-Address = 203.63.154.1
326fc0b0 NAS-Identifier = "203.63.154.1"
326fc0b0 NAS-Port = 1234
326fc0b0 Called-Station-Id = "123456789"
326fc0b0 Calling-Station-Id = "987654321"
326fc0b0 NAS-Port-Type = Async
326fc0b0 User-Password =
J<234><249><188><26>D<248>T<29>9<152><142><175><182>A<217>
326fc0b0 Mon Jan 31 07:26:28 2022 066918: DEBUG: Handling request with
Handler '', Identifier ''
326fc0b0 Mon Jan 31 07:26:28 2022 067174: DEBUG: SessINTERNAL: Deleting
session for mike, 203.63.154.1, 1234
326fc0b0 Mon Jan 31 07:26:28 2022 067326: DEBUG: Handling with
Radius::AuthLDAP2:
00000000 Mon Jan 31 07:26:28 2022 067596: INFO: AuthLDAP2 Connecting to
192.168.0.45 port 389
00000000 Mon Jan 31 07:26:28 2022 069773: INFO: AuthLDAP2 Connected to
192.168.0.45 port 389
00000000 Mon Jan 31 07:26:28 2022 069985: INFO: AuthLDAP2 Attempting to
bind to LDAP server 192.168.0.45 port 389
326fc0b0 Mon Jan 31 07:26:28 2022 074574: DEBUG: AuthLDAP2 Got result
with filter (sAMAccountName=mike) for DN CN=mike,DC=com
326fc0b0 Mon Jan 31 07:26:28 2022 097755: DEBUG: AuthLDAP2
ServerChecksPassword failed for CN=mike,DC=com
326fc0b0 Mon Jan 31 07:26:28 2022 098056: DEBUG: Radius::AuthLDAP2 looks
for match with 'mike' [mike]
326fc0b0 Mon Jan 31 07:26:28 2022 098497: DEBUG: Radius::AuthLDAP2
REJECT: Bad Encrypted password: 'mike' [mike]
00000000 Mon Jan 31 07:26:28 2022 098704: INFO: AuthLDAP2 Connecting to
192.168.0.45 port 389
00000000 Mon Jan 31 07:26:28 2022 099847: INFO: AuthLDAP2 Connected to
192.168.0.45 port 389
00000000 Mon Jan 31 07:26:28 2022 100137: INFO: AuthLDAP2 Attempting to
bind to LDAP server 192.168.0.45 port 389
326fc0b0 Mon Jan 31 07:26:28 2022 104783: DEBUG: AuthLDAP2 No entries
for 'DEFAULT' found in LDAP database with filter (sAMAccountName=DEFAULT)
326fc0b0 Mon Jan 31 07:26:28 2022 105113: DEBUG: AuthBy LDAP2 result:
REJECT, Bad Encrypted password
326fc0b0 Mon Jan 31 07:26:28 2022 105413: INFO: Access rejected for
mike: Bad Encrypted password
326fc0b0 Mon Jan 31 07:26:28 2022 105921: DEBUG: Packet dump:
326fc0b0 *** Sending to 127.0.0.1 port 35953 ....
326fc0b0 Code: Access-Reject
326fc0b0 Identifier: 131
326fc0b0 Authentic: y7<179><203>z<170>]<212>R<7><229><218><231>3D<215>
326fc0b0 Attributes:
326fc0b0 Reply-Message = "Request Denied"
Please help me troubleshoot this.
--
Thanks & Regards,
Sagar Malam
Project Leader | Ecosmob Technologies Pvt. Ltd.
(+91)9601533171 | www.ecosmob.com
<http://www.google.com/url?q=http%3A%2F%2Fwww.hodusoft.com&sa=D&sntz=1&usg=AFQjCNHXhIaelhkmhqcPU8D1lt3QoYpm2w>
Skype: sagar.ecosmob
*Disclaimer*
In addition to generic Disclaimer which you have agreed on our website,
any views or opinions presented in this email are solely those of the
originator and do not necessarily represent those of the Company or its
sister concerns. Any liability (in negligence, contract or otherwise)
arising from any third party taking any action, or refraining from
taking any action on the basis of any of the information contained in
this email is hereby excluded.
*Confidentiality*
This communication (including any attachment/s) is intended only for the
use of the addressee(s) and contains information that is PRIVILEGED AND
CONFIDENTIAL. Unauthorized reading, dissemination, distribution, or
copying of this communication is prohibited. Please inform originator if
you have received it in error.
*Caution for viruses, malware etc.*
This communication, including any attachments, may not be free of
viruses, trojans, similar or new contaminants/malware, interceptions or
interference, and may not be compatible with your systems. You shall
carry out virus/malware scanning on your own before opening any
attachment to this e-mail. The sender of this e-mail and Company
including its sister concerns shall not be liable for any damage that
may incur to you as a result of viruses, incompleteness of this message,
a delay in receipt of this message or any other computer problems.
_______________________________________________
radiator mailing list
radiator@lists.open.com.au
https://lists.open.com.au/mailman/listinfo/radiator
--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
_______________________________________________
radiator mailing list
radiator@lists.open.com.au
https://lists.open.com.au/mailman/listinfo/radiator