Hi Heikki and Mike,
I'm already using AuthBy OTP with my own ChallengeHook.
I've read RFC2865 yesterday but missed the State attribute, thanks for
the great pointer!

That's the working config I came up with:

<AuthLog FILE>
     Identifier tsa-otp-client-vpn

     Filename %L/tsa-otp-client-vpn.authlog
     LogSuccess 1
     LogFailure 1
     # log the Handler Identifier to be able to distinguish between AD and OTP auth failures
     SuccessFormat %l:%U:%{Request:Callback-Number}:%{Handler:Identifier}:OK
     FailureFormat %l:%U:%{Request:Callback-Number}:%{Handler:Identifier}:FAIL
</AuthLog>

<Handler Callback-Number=/.+/>
     Identifier otp_sms_challenge

     AuthByPolicy    ContinueUntilChallenge

     #StripFromRequest Password

     # clear the password to force AuthBy OTP to always generate an OTP
     PreAuthHook sub { \
         my $p = ${$_[0]}; \
         my $rp = ${$_[1]}; \
         $p->{DecodedPassword} = ''; \
     }
     AuthBy otp_sms
     #AddToReply State="otp-challenge"
</Handler>

<Handler Client-Identifier="tsa-tc-flod|localhost"
Request-Type="Access-Request" State="otp-challenge">
     Identifier tsa-otp-client-vpn-otp

     AuthLog tsa-otp-client-vpn
     # Show any rejection reason to the end user
     RejectHasReason

     AuthBy otp_sms
</Handler>

<Handler Client-Identifier="tsa-tc-flod|localhost"
Request-Type="Access-Request">
     Identifier tsa-otp-client-vpn-ad

     AuthByPolicy    ContinueUntilChallenge

     # Show any rejection reason to the end user
     RejectHasReason

     AuthLog tsa-otp-client-vpn

<AuthBy LDAP2>
         # Save time by never looking for a default
         NoDefault

         Host ip1 ip2 ip3
         Port 389
         Version 3

         # request timeout in seconds
         Timeout 2

         # don't try to reach the LDAP server for this many seconds after a failure
         FailureBackoffTime 0

         UsernameAttr samaccountname
         # don't check the password, just for phone number lookup
         #PasswordAttr
         ServerChecksPassword

         # store the user's mobile phone number in the Callback-Number RADIUS attribute
         AuthAttrDef mobile,Callback-Number,request
</AuthBy>

<AuthBy HANDLER>
         HandlerId otp_sms_challenge
</AuthBy>
</Handler>

I had to use AuthBy HANDLER for forcing AuthBy OTP to generate the token
by using PreAuthHook to delete the DecodedPassword.
As you see I've tried StripFromRequest Password which didn't work.
I was looking for a way to clear the password between the AuthBy LDAP
and AuthBy OTP.
Is there a way to do this?

Cheers, Alex

On 2012-01-17 21:12, Mike McCauley wrote:
> Hi Heikki,
>
> I wonder if he should also look at AuthBy OTP?
> Cheers.
>
> On Tuesday, January 17, 2012 09:39:27 PM Heikki Vatiainen wrote:
>> On 01/17/2012 08:13 PM, Alexander Hartmaier wrote:
>>
>> Hello Alexander,
>>
>>> I'm trying to implement a two factor auth where the user has to enter
>>> his Active Directory credentials.
>>> Radiator checks those against the AD, if successful creates an OTP and
>>> sends that to the mobile phone number fetched from the AD.
>> Add State attribute to the challenge at this point.
>>
>>> A challenge is returned to the NAS.
>> See this for how the NAS should react to a challenge.
>> http://tools.ietf.org/html/rfc2865#section-5.24
>>
>>> My problem is that I can't distinguish the initial request and the
>>> challenge response which should skip the AD auth because this time the
>>> password field holds the OTP response.
>> State should be echoed back in the challenge response unless the NAS is
>> badly broken.
>>
>>> By looking at the radius packets with tcpdump I couldn't find a
>>> difference in the radius attributes sent that let me write two different
>>> handlers.
>>>
>>> Ideas?
>> Try something like this. Note that I have used a fixed value for
>> challenge, but you could make it generic to protect against replay
>> attacks or some other information that might be useful for selecting the
>> correct handler for verifying the challenge.
>>
>> <Handler attribute=value,...,State=whatever>
>>     # Check challenge here
>> </Handler>
>>
>> <Handler attribute=value,...>
>>     # Generate OTP here and send challenge
>>     <AuthBy ...>
>>        # AD auth happens here
>>        AddToReply State=whatever
>>     </AuthBy>
>> </Handler>
>>
>>
>>
>> Please let us know how it goes.
>> Heikki
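To illustrate the dispatch the two Handlers above perform (no State: AD check, then Access-Challenge; State present: OTP check) together with Heikki's point about using a generic State instead of a fixed "otp-challenge", here is an added example in Python that is not part of the thread or of Radiator. The directory, the SMS capture and the helper names (check_ad_password, lookup_mobile, send_sms) are constructed stand-ins for the AuthBy LDAP2 lookup and the SMS delivery; the 120-second lifetime is an assumed value.

```python
import hmac
import secrets
import time

# Constructed in-memory store of pending challenges: State value -> session.
PENDING = {}
CHALLENGE_TTL = 120  # seconds an issued OTP stays valid (assumed value)

# Constructed directory: user -> (AD password, mobile number)
DIRECTORY = {"alex": ("ad-secret", "+43660000000")}
SENT_SMS = []  # stands in for the SMS gateway; messages are captured here

def check_ad_password(user, password):
    entry = DIRECTORY.get(user)
    return entry is not None and hmac.compare_digest(entry[0], password)

def lookup_mobile(user):
    return DIRECTORY[user][1]

def send_sms(number, text):
    SENT_SMS.append((number, text))

def handle_request(user, password, state=None, now=None):
    """Route an Access-Request like the two Handlers in the config.

    Returns (reply_code, reply_attributes). A request carrying a known State
    goes to the OTP-verification path; anything else goes to the AD path,
    which issues the challenge."""
    now = time.time() if now is None else now
    if state is not None:
        # Handler "tsa-otp-client-vpn-otp": the State selects the session.
        pending = PENDING.pop(state, None)  # one-time use, so a replayed State fails
        if pending is None or pending["user"] != user:
            return "Access-Reject", {"Reply-Message": "unknown or reused challenge"}
        if now > pending["expires"]:
            return "Access-Reject", {"Reply-Message": "challenge expired"}
        if not hmac.compare_digest(pending["otp"], password):
            return "Access-Reject", {"Reply-Message": "wrong OTP"}
        return "Access-Accept", {}
    # Handler "tsa-otp-client-vpn-ad": verify AD credentials, then challenge.
    if not check_ad_password(user, password):
        return "Access-Reject", {"Reply-Message": "AD authentication failed"}
    otp = f"{secrets.randbelow(10**6):06d}"
    new_state = secrets.token_urlsafe(16)  # unguessable, unlike a fixed "otp-challenge"
    PENDING[new_state] = {"user": user, "otp": otp, "expires": now + CHALLENGE_TTL}
    send_sms(lookup_mobile(user), f"Your VPN code is {otp}")
    return "Access-Challenge", {"State": new_state,
                                "Reply-Message": "Enter the code sent by SMS"}
```

Because the State is random and bound to one user, one OTP and one expiry, the verification Handler cannot be reached with a guessed or reused value, which the fixed string in the config would allow.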


_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator