Re: [RADIATOR] 2 Factor authentication via Authby LDAP2 and Authby OTP

2022-01-04 Thread Dubravko Penezic
Hi Sagar,

I must say I haven't heard of any standard RADIUS client that has the
ability to do 2FA in a correct way, and the RADIUS protocol doesn't support it
either.

However, we use the EAP-TTLS/PAP protocol, defined as part of the 802.1X standard,
on which we actually do 2FA, but using predefined methods.

In the first step, negotiation is done using TLS and a server certificate, and
in the second step authentication is done using RADIUS PAP authentication.

Please consider reading the RFCs connected to the RADIUS protocol and the
possibilities for authentication.

Keep in mind that RADIUS is mostly a network authentication protocol, and
it was not created to authenticate web services of any kind.

Regards,
Dubravko Penezic
Srce

On 1/4/22 11:15 AM, Sagar Malam wrote:
> Hello Everyone, 
> 
> I am new to radiator and perl. I would like to implement 2FA using AuthBy
> LDAP2 and AuthBy OTP but I am not able to find any examples for
> implementing the same over the internet. 
> 
> Please help me with this in any way you can. 
> -- 
> 
> Thanks & Regards,
> Sagar Malam
> Project Leader | Ecosmob Technologies Pvt. Ltd.
> (+91)9601533171 | www.ecosmob.com
> 
> Skype: sagar.ecosmob
> 
> *Disclaimer*
> In addition to generic Disclaimer which you have agreed on our website,
> any views or opinions presented in this email are solely those of the
> originator and do not necessarily represent those of the Company or its
> sister concerns. Any liability (in negligence, contract or otherwise)
> arising from any third party taking any action, or refraining from
> taking any action on the basis of any of the information contained in
> this email is hereby excluded.
> 
> *Confidentiality*
> This communication (including any attachment/s) is intended only for the
> use of the addressee(s) and contains information that is PRIVILEGED AND
> CONFIDENTIAL. Unauthorized reading, dissemination, distribution, or
> copying of this communication is prohibited. Please inform originator if
> you have received it in error.
> 
> *Caution for viruses, malware etc.*
> This communication, including any attachments, may not be free of
> viruses, trojans, similar or new contaminants/malware, interceptions or
> interference, and may not be compatible with your systems. You shall
> carry out virus/malware scanning on your own before opening any
> attachment to this e-mail. The sender of this e-mail and Company
> including its sister concerns shall not be liable for any damage that
> may incur to you as a result of viruses, incompleteness of this message,
> a delay in receipt of this message or any other computer problems. 
> 
> ___
> radiator mailing list
> radiator@lists.open.com.au
> https://lists.open.com.au/mailman/listinfo/radiator
> 
___
radiator mailing list
radiator@lists.open.com.au
https://lists.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] 2 Factor authentication via Authby LDAP2 and Authby OTP

2022-01-05 Thread Heikki Vatiainen

On 4.1.2022 12.15, Sagar Malam wrote:

> I am new to radiator and perl. I would like to implement 2FA using AuthBy
> LDAP2 and AuthBy OTP but I am not able to find any examples for
> implementing the same over the internet.


Please see goodies/duo.cfg together with goodies/otp.cfg

duo.cfg shows how to check the password against a file (it can be SQL, LDAP, 
etc. too) and then pass the request, if successful so far, to the second 
factor. In this case there's no Access-Challenge required, just one 
Access-Request followed by accept or reject, and it works with plain PAP 
and EAP-TTLS/PAP.


If you'd like to use AuthBy OTP, something like this could work:


# Note: the <AuthBy ...> and <Handler ...> clause tags were dropped by the
# list archive and are restored here from the surrounding discussion; the
# Handler match on State is the one the text describes.
<AuthBy OTP>
    Identifer otp-authby
    # Add to Access-Challenge State attribute with value 'auth-otp'
    # This is done in the ChallengeHook
</AuthBy>

<Handler State=auth-otp>
    AuthBy otp-authby
</Handler>

<Handler>
    AuthByPolicy ContinueWhileAccept
    <AuthBy LDAP2>
        ConsumePassword
    </AuthBy>
    AuthBy otp-authby
</Handler>

The user first logs in with their LDAP password. If successful, the password 
is cleared from the request and AuthBy OTP is called for the first time. 
This triggers ChallengeHook. Within the ChallengeHook, add a State 
attribute so that the subsequent Access-Accept, that now contains the 
one-time password, is caught by .


What the above requires is PAP and that the authentication client 
software the user has understands Radius Access-Challenge.


Using EAP-TTLS/PAP could also work. In this case the correct use of 
State attribute needs to be checked.


Note that the above is plain Radius where a RADIUS client sends requests 
to Radiator. If you'd need to have an integration to web services, that 
can be problematic as Dubravko wrote earlier.


Thanks,
Heikki

--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software

Re: [RADIATOR] 2 Factor authentication via Authby LDAP2 and Authby OTP

2022-01-06 Thread Sagar Malam
Hello Heikki,

Thanks for the help. I tried the approach with AuthBy OTP that you
suggested, but once AuthBy LDAP2 is processed, AuthBy OTP is not getting
executed; instead Access-Accept is sent to the client.


Config File :


# Note: the <AuthBy ...> and <Handler ...> clause tags were dropped by the
# list archive and are restored here from the surrounding discussion.
<AuthBy OTP>
    Identifer otp-authby
    EAPType One-Time-Password,Generic-Token
    PasswordPattern 9

    ChallengeHook sub {my ($self, $user, $p, $context) = @_;\
        $context->{otp_password} = $self->generate_password();\
        system('/usr/src/send_sms.sh','N',$context->{otp_password});\
        return "OTP sent";}

    AddToReply State="auth-otp"
    VerifyHook sub {my ($self, $user, $submitted_pw, $p, $context) = @_;\
        return $context->{otp_password} eq $submitted_pw ;}
</AuthBy>

<Handler State=auth-otp>
    AuthBy otp-authby
</Handler>

<Handler>
    AuthByPolicy ContinueWhileAccept
    <AuthBy LDAP2>
        Host            192.168.0.45
        EAPType         One-Time-Password,Generic-Token
        AuthDN          CN=XX ,OU=ServiceAccounts,DC=X,DC=X,DC=com
        AuthPassword    X
        BaseDN          DC=XX,DC=X,DC=com
        ServerChecksPassword
        UsernameAttr    sAMAccountName
        AuthAttrDef     logonHours,MS-Login-Hours,check
        ConsumePassword ,
    </AuthBy>
    AuthBy otp-authby
</Handler>
Error Log : https://paste-bin.xyz/30722

[root@radiator goodies]# /opt/radiator/radiator/radpwtst -noacct -password
'' -user X -password 
sending Access-Request
OK
[root@radiator goodies]#




On Wed, Jan 5, 2022 at 6:08 PM Heikki Vatiainen  wrote:

> On 4.1.2022 12.15, Sagar Malam wrote:
>
> > I am new to radiator and perl. I would like to implement 2FA using AuthBy
> > LDAP2 and AuthBy OTP but I am not able to find any examples for
> > implementing the same over the internet.
>
> Please see goodies/duo.cfg together with goodies/otp.cfg
>
> duo.cfg shows how to check password against a file, can be SQL, LDAP,
> etc. too, and then pass the request, if successful so far, to the second
> factor. In this case there's no Access-Challenge required, just one
> Access-Request followed by access or reject, and it works with plain PAP
> and EAP-TTLS/PAP.
>
> If you'd like to use AuthBy OTP, something like this could work:
>
> 
>  Identifer otp-authby
>  # Add to Access-Challenge State attribute with value 'auth-otp'
>  # This is done in the ChallengeHook
> 
>
> 
>  AuthBy otp-authby
> 
>
> 
>  AuthByPolicy ContinueWhileAccept
>  
>  ConsumePassword
>  
>  AuthBy otp-authby
> 
>
>
> The user first logs in with their LDAP password. If successful, password
> is cleared from the request and AuthBy OTP is called for the first time.
> This triggers ChallengeHook. Within the ChallengeHook, add State
> attribute so that the subsequent Access-Accept, that now contains the
> one-time-password, caught by .
>
> What the above requires is PAP and that the authentication client
> software the user has understands Radius Access-Challenge.
>
> Using EAP-TTLS/PAP could also work. In this case the correct use of
> State attribute needs to be checked.
>
> Note that the above is plain Radius where a RADIUS client sends requests
> to Radiator. If you'd need to have an integration to web services, that
> can be problematic as Dubravko wrote earlier.
>
> Thanks,
> Heikki
>
> --
> Heikki Vatiainen
> OSC, makers of Radiator
> Visit radiatorsoftware.com for Radiator AAA server software



-- 

Thanks & Regards,
Sagar Malam
Project Leader | Ecosmob Technologies Pvt. Ltd.
(+91)9601533171 | www.ecosmob.com

Skype: sagar.ecosmob


Re: [RADIATOR] 2 Factor authentication via Authby LDAP2 and Authby OTP

2022-01-07 Thread Heikki Vatiainen

On 6.1.2022 14.31, Sagar Malam wrote:

> Thanks for the help. I tried the approach with AuthBy OTP that you
> suggested, but once AuthBy LDAP2 is processed, AuthBy OTP is not getting
> executed; instead Access-Accept is sent to the client.


Thanks for the log and config. It seems I made a typo in my previous reply:


> Config File :
>
> <AuthBy OTP>
>     Identifer otp-authby

This should be 'Identifier'. One 'i' is missing. When this happens there 
are error and warning level log messages because of this and the missing 
reference from . Remember to check the startup log messages too 
when troubleshooting.



>     EAPType One-Time-Password,Generic-Token


I'd also remove EAPType parameters for now. If you need to support EAP, 
then it should be tested separately to see that the processing works 
with EAP and see what updates might be needed.


Note that there's also EAPType in AuthBy LDAP2 clause below.



> <Handler>
>     AuthByPolicy ContinueWhileAccept
>     <AuthBy LDAP2>
>         Host            192.168.0.45
>         EAPType         One-Time-Password,Generic-Token
>         AuthDN          CN=XX ,OU=ServiceAccounts,DC=X,DC=X,DC=com
>         AuthPassword    X
>         BaseDN          DC=XX,DC=X,DC=com
>         ServerChecksPassword
>         UsernameAttr    sAMAccountName
>         AuthAttrDef     logonHours,MS-Login-Hours,check
>         ConsumePassword ,


Change this to 'ConsumePassword'. That is, let it empty the password 
completely. In some cases both the static and the one-time password are sent 
together and need to be split, but not this time.


https://files.radiatorsoftware.com/radiator/ref/ConsumePassword.html


>     </AuthBy>
>     AuthBy otp-authby
> </Handler>
>
> Error Log : https://paste-bin.xyz/30722 
>
> [root@radiator goodies]# /opt/radiator/radiator/radpwtst -noacct 
> -password '' -user X -password 
>
> sending Access-Request
> OK


Use '-trace 4' with radpwtst to see in detail what it sends and receives. 
With multi-round authentication, also add the '-interactive' flag to tell 
radpwtst that more than a single request is needed.


Thanks,
Heikki

--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software

Re: [RADIATOR] 2 Factor authentication via Authby LDAP2 and Authby OTP

2022-01-10 Thread Sagar Malam
Hello Heikki,

Thanks for the help. It worked as expected after making the corrections. I
would like to have EAP support as well. Can you help me with enabling that?

On Fri, Jan 7, 2022 at 5:52 PM Heikki Vatiainen  wrote:

> On 6.1.2022 14.31, Sagar Malam wrote:
>
> > Thanks for the help. I tried the approach with AuthBy OTP that you
> > suggested, but once AuthBy LDAP2 is processed, AuthBy OTP is not getting
> > executed; instead Access-Accept is sent to the client.
>
> Thanks for the log and config. It seems I made a typo in my previous reply:
>
> > Config File :
> >
> > 
> >  Identifer otp-authby
>
> This should be 'Identifier'. One 'i' is missing. When this happens there
> are error and warning level log messages because of this and missing
> reference from . Remember to check the startup log messages too
> when troubleshooting.
>
> >  EAPType One-Time-Password,Generic-Token
>
> I'd also remove EAPType parameters for now. If you need to support EAP,
> then it should be tested separately to see that the processing works
> with EAP and see what updates might be needed.
>
> Note that there's also EAPType in AuthBy LDAP2 clause below.
>
> > 
> >  AuthByPolicy ContinueWhileAccept
> >  
> >   Host192.168.0.45
> >  EAPType One-Time-Password,Generic-Token
> >  AuthDN CN=XX ,OU=ServiceAccounts,DC=X,DC=X,DC=com
> >  AuthPasswordX
> >  BaseDNDC=XX,DC=X,DC=com
> >  ServerChecksPassword
> >  UsernameAttr sAMAccountName
> >  AuthAttrDef logonHours,MS-Login-Hours,check
> >  ConsumePassword ,
>
> Change this to 'ConsumePassword'. That is, let it empty the password
> completely. In some cases both static and one-time password are sent
> together and need to split, but not this time.
>
> https://files.radiatorsoftware.com/radiator/ref/ConsumePassword.html
>
>
> >  
> >  AuthBy otp-authby
> > 
> >
> > Error Log : https://paste-bin.xyz/30722 
> >
> > [root@radiator goodies]# /opt/radiator/radiator/radpwtst -noacct
> > -password '' -user X -password 
> > sending Access-Request
> > OK
>
> Use '-trace 4' with radpwtst to see in detail what it sends and receives.
> With multi-round authentication, also add the '-interactive' flag to tell
> radpwtst that more than a single request is needed.
>
> Thanks,
> Heikki
>
> --
> Heikki Vatiainen
> OSC, makers of Radiator
> Visit radiatorsoftware.com for Radiator AAA server software
>


-- 

Thanks & Regards,
Sagar Malam
Project Leader | Ecosmob Technologies Pvt. Ltd.
(+91)9601533171 | www.ecosmob.com

Skype: sagar.ecosmob


Re: [RADIATOR] 2 Factor authentication via Authby LDAP2 and Authby OTP

2022-01-12 Thread Heikki Vatiainen

On 10.1.2022 14.50, Sagar Malam wrote:

> Thanks for the help. It worked as expected after making the corrections. I
> would like to have EAP support as well. Can you help me with enabling
> that?


Please see below a modified version of the previous configuration. 
Changes are:

- Add new global parameter that tells EAP to use State attribute
- Fix 'Identifier' spelling in AuthBy OTP
- Move State attribute into the step where it's actually needed
- New Handler that takes care of EAP by converting EAP-GTC to PAP
- Updated  to check that State ends with 'auth-otp'
- Leave EAPType enabled only within AuthBy that processes EAP
- ConsumePassword is set to empty to clear the password before OTP

Things to note: EAP-GTC is supported by converting it to PAP and then 
doing the same steps that plain PAP would do. Some extra work is needed 
to take care of State attribute that EAP also uses to track its state.


With EAP the message payload is not encrypted unless the EAP method 
itself does this. EAP-GTC does not. You can configure the following to 
avoid exposing the static password to Radiator DEBUG level logging (the 
parameter allows multiple attribute names too):


  PacketDumpOmitAttributes EAP-Message,User-Password

Care is also needed when EAP-GTC is transferred without secure tunneling 
(EAP-TTLS, PEAP, IPsec, VPN or other method).


PEAP and other, typically Wi-Fi, methods are not supported by the 
configuration. I took a look at the current laptop and wireless EAP 
clients, but PEAP/EAP-GTC or EAP-TTLS/EAP-GTC still seem to be rare. 
OTPs also make frequent Wi-Fi (re)connects a bit troublesome to use.


Here's the updated configuration. Please let us know how it goes.


# Note: the <AuthBy ...> and <Handler ...> clause tags were dropped by the
# list archive and are restored here from the surrounding discussion. The
# EAP Handler's match criteria and its AuthBy FILE clause type are assumed.
EAP_UseState 1

<AuthBy OTP>
    Identifier otp-authby
    PasswordPattern 9

    # Return undef from ChallengeHook to force reject if State
    # already ends with 'auth-otp'. Now it will send a new SMS
    # when empty string is entered by the end user.
    ChallengeHook sub {my ($self, $user, $p, $context) = @_;\
        $context->{otp_password} = $self->generate_password();\
        system('/usr/src/send_sms.sh','N',$context->{otp_password});\
        $p->{rp}->add_attr('State', 'auth-otp') \
            unless $p->get_attr('State') =~ m/auth-otp\z/s; \
        return "OTP sent";}

    VerifyHook sub {my ($self, $user, $submitted_pw, $p, $context) = @_;\
        return $context->{otp_password} eq $submitted_pw ;}
</AuthBy>

<Handler EAP-Message=/.+/>
    <AuthBy FILE>
        EAPType GTC
        Filename /dev/null
        EAP_GTC_PAP_Convert
    </AuthBy>

    # EAP adds State. It's permissible to add more,
    # such as AuthBy OTP State value, to the end.
    PostProcessingHook sub { my $rp = ${$_[1]}; \
        my @states = $rp->get_attr('State'); return if @states != 2; \
        $rp->delete_attr('State'); \
        $rp->add_attr('State', join('', reverse @states)); }
</Handler>

<Handler State=/auth-otp$/>
    AuthBy otp-authby
</Handler>

<Handler>
    AuthByPolicy ContinueWhileAccept
    <AuthBy LDAP2>
        Host            192.168.0.45
        AuthDN          CN=XX ,OU=ServiceAccounts,DC=X,DC=X,DC=com
        AuthPassword    X
        BaseDN          DC=XX,DC=X,DC=com
        ServerChecksPassword
        UsernameAttr    sAMAccountName
        AuthAttrDef     logonHours,MS-Login-Hours,check
        ConsumePassword
    </AuthBy>
    AuthBy otp-authby
</Handler>


On Fri, Jan 7, 2022 at 5:52 PM Heikki Vatiainen > wrote:


On 6.1.2022 14.31, Sagar Malam wrote:

 > Thanks for the help. I tried the approach with AuthBy OTP that you
 > suggested, but once AuthBy LDAP2 is processed, AuthBy OTP is not getting
 > executed; instead Access-Accept is sent to the client.

Thanks for the log and config. It seems I made a typo in my previous
reply:

 > Config File :
 >
 > 
 >          Identifer otp-authby

This should be 'Identifier'. One 'i' is missing. When this happens
there
are error and warning level log messages because of this and missing
reference from . Remember to check the startup log messages
too
when troubleshooting.

 >      EAPType One-Time-Password,Generic-Token

I'd also remove EAPType parameters for now. If you need to support EAP,
then it should be tested separately to see that the processing works
with EAP and see what updates might be needed.

Note that there's also EAPType in AuthBy LDAP2 clause below.

 > 
 >      AuthByPolicy ContinueWhileAccept
 >      
 >   Host    192.168.0.45
 >      EAPType One-Time-Password,Generic-Token
 >      AuthDN CN=XX ,OU=ServiceAccounts,DC=X,DC=X,DC=com
 >      AuthPassword    X
 >      BaseDN        DC=XX,DC=X,DC=com
 >      ServerChecksPassword
 >      UsernameAttr sAMAccountName
 >      AuthAttrDef logonHours,MS-Login-Hours,check
 >      ConsumePassword ,

Change this to 'ConsumePassword'. That is, let it empty the password
completely. In some cases both static and one-time password are sent
together and need to split, but not thi

Re: [RADIATOR] 2 Factor authentication via Authby LDAP2 and Authby OTP

2022-01-12 Thread Heikki Vatiainen
A small update to the previous message to clarify the ChallengeHook a 
little.


On 10.1.2022 14.50, Sagar Malam wrote:

> Thanks for the help. It worked as expected after making the corrections. I
> would like to have EAP support as well. Can you help me with enabling
> that?


Please see below for a modified version of the previous configuration. 
Changes are:

- Add new global parameter that tells EAP to use State attribute
- Fix 'Identifier' spelling in AuthBy OTP
- Move State attribute into the step where it's actually needed
- New Handler that takes care of EAP by converting EAP-GTC to PAP
- Updated  to check that State ends with 'auth-otp'
- Leave EAPType enabled only within AuthBy that processes EAP
- ConsumePassword is set to empty to clear the password before OTP

Things to note: EAP-GTC is supported by converting it to PAP and then 
doing the same steps that plain PAP would do. Some extra work is needed 
to take care of State attribute that EAP also uses to track its state.


With EAP the message payload is not encrypted unless the EAP method 
itself does this. EAP-GTC does not. You can configure the following to 
avoid exposing the static password to Radiator DEBUG level logging (the 
parameter allows multiple attribute names too):


  PacketDumpOmitAttributes EAP-Message,User-Password

Care is also needed when EAP-GTC is transferred without secure tunneling 
(EAP-TTLS, PEAP, IPsec, VPN or other method).


PEAP and other, typically Wi-Fi, methods are not supported by the 
configuration. I took a look at the current laptop and wireless EAP 
clients, but PEAP/EAP-GTC or EAP-TTLS/EAP-GTC still seem to be rare. 
OTPs also make frequent Wi-Fi (re)connects a bit troublesome to use.


Here's the updated configuration. Please let us know how it goes.


# Note: the <AuthBy ...> and <Handler ...> clause tags were dropped by the
# list archive and are restored here from the surrounding discussion. The
# EAP Handler's match criteria and its AuthBy FILE clause type are assumed.
EAP_UseState 1

<AuthBy OTP>
    Identifier otp-authby
    PasswordPattern 9

    # Return undef from ChallengeHook to force reject if State
    # already ends with 'auth-otp'. Now it will send a new SMS
    # when empty string is entered by the end user.
    ChallengeHook sub {my ($self, $user, $p, $context) = @_;\
        $context->{otp_password} = $self->generate_password();\
        my $state = $p->get_attr('State'); \
        $p->{rp}->add_attr('State', 'auth-otp') \
            if !$state || $state !~ m/auth-otp\z/s; \
        system('/usr/src/send_sms.sh','N',$context->{otp_password});\
        return "OTP sent";}

    VerifyHook sub {my ($self, $user, $submitted_pw, $p, $context) = @_;\
        return $context->{otp_password} eq $submitted_pw ;}
</AuthBy>

<Handler EAP-Message=/.+/>
    <AuthBy FILE>
        EAPType GTC
        Filename /dev/null
        EAP_GTC_PAP_Convert
    </AuthBy>

    # EAP adds State. It's permissible to add more,
    # such as AuthBy OTP State value, to the end.
    PostProcessingHook sub { my $rp = ${$_[1]}; \
        my @states = $rp->get_attr('State'); return if @states != 2; \
        $rp->delete_attr('State'); \
        $rp->add_attr('State', join('', reverse @states)); }
</Handler>

<Handler State=/auth-otp$/>
    AuthBy otp-authby
</Handler>

<Handler>
    AuthByPolicy ContinueWhileAccept
    <AuthBy LDAP2>
        Host            192.168.0.45
        AuthDN          CN=XX ,OU=ServiceAccounts,DC=X,DC=X,DC=com
        AuthPassword    X
        BaseDN          DC=XX,DC=X,DC=com
        ServerChecksPassword
        UsernameAttr    sAMAccountName
        AuthAttrDef     logonHours,MS-Login-Hours,check
        ConsumePassword
    </AuthBy>
    AuthBy otp-authby
</Handler>


Thanks,
Heikki

--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
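To make the two-round exchange Heikki describes in his two messages concrete (static password checked, ConsumePassword, Access-Challenge carrying State=auth-otp, then the OTP round selected because State ends with 'auth-otp', and the PostProcessingHook that folds EAP's own State and 'auth-otp' into one value), here is an added Python simulation. It is not Radiator code and not from the thread: the directory contents, the user, the SMS outbox and the names `Radiator2FA`, `merge_states` and `run_exchange` are constructed for this example, and where the thread's ChallengeHook comment leaves the choice open (re-send or reject when an empty OTP is entered in the OTP round) it takes the reject option.

```python
"""Two-round RADIUS 2FA (static password, then SMS OTP) as a small simulation."""
import hmac
import secrets

STATE_MARKER = "auth-otp"   # the State value the thread's ChallengeHook adds
OTP_LENGTH = 9              # PasswordPattern 9 in the thread

# Constructed stand-in for the directory behind AuthBy LDAP2 (ServerChecksPassword).
LDAP_USERS = {"alice": "correct horse battery"}


def generate_otp(length=OTP_LENGTH):
    """Numeric one-time password; stands in for AuthBy OTP's generate_password."""
    return "".join(secrets.choice("0123456789") for _ in range(length))


def merge_states(states):
    """Stand-in for the thread's Handler PostProcessingHook: the inner AuthBy OTP
    adds 'auth-otp' first and the EAP layer appends its own State afterwards
    (assumed ordering), so reversing and joining yields one value that still
    ends with the marker and the State-suffix Handler keeps matching."""
    if len(states) != 2:
        return list(states)
    return ["".join(reversed(states))]


class Radiator2FA:
    """Models the Handler layout from the thread.

    Round 1 (State absent or not ending with 'auth-otp'): AuthBy LDAP2 checks the
    static password, ConsumePassword clears it, AuthBy OTP's ChallengeHook makes an
    OTP, hands it to the SMS sender and answers Access-Challenge with State=auth-otp.
    Round 2 (State ends with 'auth-otp'): AuthBy OTP's VerifyHook checks the OTP.
    """

    def __init__(self, users=LDAP_USERS):
        self.users = users
        self.pending = {}      # per-user OTP, like $context->{otp_password}
        self.sms_outbox = []   # (user, otp) pairs "sent"; stands in for send_sms.sh

    def ldap_check(self, user, password):
        expected = self.users.get(user)
        return expected is not None and hmac.compare_digest(expected, password)

    def challenge_hook(self, user, request):
        if request.get("State", "").endswith(STATE_MARKER):
            # Already in the OTP round: refuse to send a fresh SMS (reject).
            return None
        otp = generate_otp()
        self.pending[user] = otp
        self.sms_outbox.append((user, otp))
        return {"Code": "Access-Challenge", "State": STATE_MARKER,
                "Reply-Message": "OTP sent"}

    def verify_hook(self, user, submitted):
        otp = self.pending.pop(user, None)  # single use: a replayed OTP fails
        return otp is not None and hmac.compare_digest(otp, submitted)

    def handle(self, request):
        """Dispatch one Access-Request the way the two Handlers would."""
        user = request["User-Name"]
        password = request.get("User-Password", "")
        if request.get("State", "").endswith(STATE_MARKER):
            if password == "":                 # empty OTP -> ChallengeHook path
                reply = self.challenge_hook(user, request)
                return reply or {"Code": "Access-Reject"}
            ok = self.verify_hook(user, password)
            return {"Code": "Access-Accept" if ok else "Access-Reject"}
        # Default Handler: AuthByPolicy ContinueWhileAccept over LDAP2, then OTP
        if not self.ldap_check(user, password):
            return {"Code": "Access-Reject"}
        consumed = dict(request, **{"User-Password": ""})   # ConsumePassword
        reply = self.challenge_hook(user, consumed)
        return reply or {"Code": "Access-Reject"}


def run_exchange(server, user, password, otp_supplier):
    """Drive both rounds like 'radpwtst -interactive' would; otp_supplier gets the
    SMS outbox and returns what the user types. Returns the final reply code."""
    first = server.handle({"User-Name": user, "User-Password": password})
    if first["Code"] != "Access-Challenge":
        return first["Code"]
    second = server.handle({"User-Name": user,
                            "User-Password": otp_supplier(server.sms_outbox),
                            "State": first["State"]})
    return second["Code"]


if __name__ == "__main__":
    srv = Radiator2FA()
    print(run_exchange(srv, "alice", "correct horse battery", lambda box: box[-1][1]))
```

Two details are this example's choices rather than anything in the thread's hooks: the comparisons use `hmac.compare_digest` instead of a plain string `eq`, and a stored OTP is removed on first use so a captured code cannot be replayed. The `merge_states` ordering assumption is what makes the thread's `join('', reverse @states)` leave 'auth-otp' at the end.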

Re: [RADIATOR] 2 Factor authentication via Authby LDAP2 and Authby OTP

2022-01-16 Thread Sagar Malam
This works exactly as expected. Thanks a lot Heikki.

On Wed, Jan 12, 2022 at 11:32 PM Heikki Vatiainen  wrote:

> A small update to the previous message to clarify the ChallengeHook a
> little.
>
> On 10.1.2022 14.50, Sagar Malam wrote:
>
> > Thanks for the help. It worked as expected after making the corrections. I
> > would like to have EAP support as well. Can you help me with enabling
> > that?
>
> Please see below for a modified version of the previous configuration.
> Changes are:
> - Add new global parameter that tells EAP to use State attribute
> - Fix 'Identifier' spelling in AuthBy OTP
> - Move State attribute into the step where it's actually needed
> - New Handler that takes care of EAP by converting EAP-GTC to PAP
> - Updated  to check that State ends with 'auth-otp'
> - Leave EAPType enabled only within AuthBy that processes EAP
> - ConsumePassword is set to empty to clear the password before OTP
>
> Things to note: EAP-GTC is supported by converting it to PAP and then
> doing the same steps that plain PAP would do. Some extra work is needed
> to take care of State attribute that EAP also uses to track its state.
>
> With EAP the message payload is not encrypted unless the EAP method
> itself does this. EAP-GTC does not. You can configure the following to
> avoid exposing the static password to Radiator DEBUG level logging (the
> parameter allows multiple attribute names too)
>
>PacketDumpOmitAttributes EAP-Message,User-Password
>
> Care is also needed when EAP-GTC is transferred without secure tunneling
> (EAP-TTLS, PEAP, IPsec, VPN or other method).
>
> PEAP and other, typically Wi-Fi, methods are not supported by the
> configuration. I took a look at the current Laptop and Wireless EAP
> clients but the PEAP/EAP-GTC or EAP-TTLS/EAP-GTC still seems to be rare.
> OTPs also make frequent Wi-Fi (re)connects a bit troublesome to use.
>
> Here's the updated configuration. Please let us know how it goes.
>
>
> EAP_UseState 1
>
> 
>  Identifier otp-authby
>  PasswordPattern 9
>
>  # Return undef from ChallengeHook to force reject if State
>  # already ends with 'auth-otp'. Now it will send a new SMS
>  # when empty string is entered by the end user.
>  ChallengeHook sub {my ($self, $user, $p, $context) = @_;\
>  $context->{otp_password} = $self->generate_password();\
>  my $state = $p->get_attr('State'); \
>  $p->{rp}->add_attr('State', 'auth-otp') \
>  if !$state || $state !~ m/auth-otp\z/s; \
>
> system('/usr/src/send_sms.sh','N',$context->{otp_password});\
>  return "OTP sent";}
>
>  VerifyHook sub {my ($self, $user, $submitted_pw, $p, $context) = @_;\
>  return $context->{otp_password} eq $submitted_pw ;}
> 
>
> 
>   
>   EAPType GTC
>   Filename /dev/null
>   EAP_GTC_PAP_Convert
>   
>
>   # EAP adds State. It's permissible to add more,
>   # such as AuthBy OTP State value, to the end.
>   PostProcessingHook sub { my $rp = ${$_[1]}; \
>my @states = $rp->get_attr('State'); return if @states != 2; \
>$rp->delete_attr('State'); \
>$rp->add_attr('State', join('', reverse @states)); }
> 
>
> 
>  AuthBy otp-authby
> 
>
> 
>  AuthByPolicy ContinueWhileAccept
>  
>  Host192.168.0.45
>  AuthDN CN=XX ,OU=ServiceAccounts,DC=X,DC=X,DC=com
>  AuthPasswordX
>  BaseDNDC=XX,DC=X,DC=com
>  ServerChecksPassword
>  UsernameAttr sAMAccountName
>  AuthAttrDef logonHours,MS-Login-Hours,check
>  ConsumePassword
>  
>  AuthBy otp-authby
> 
>
>
> Thanks,
> Heikki
>
> --
> Heikki Vatiainen
> OSC, makers of Radiator
> Visit radiatorsoftware.com for Radiator AAA server software



-- 

Thanks & Regards,
Sagar Malam
Project Leader | Ecosmob Technologies Pvt. Ltd.
(+91)9601533171 | www.ecosmob.com

Skype: sagar.ecosmob


Re: [RADIATOR] 2 Factor authentication via Authby LDAP2 and Authby OTP

2022-01-17 Thread Sagar Malam
Hello Heikki,

I need one more bit of help. I would like to get a phone number from LDAP (AD)
and use it in a challenge hook to send an SMS to it.
I tried to set it in AuthBy LDAP2:
AuthAttrDef phoneNumber, request

But it is not working for me. Am I doing it the right way? Can you please
provide me with some direction on this?



On Mon, Jan 17, 2022 at 1:21 PM Sagar Malam  wrote:

> This works exactly as expected. Thanks a lot Heikki.
>
> On Wed, Jan 12, 2022 at 11:32 PM Heikki Vatiainen  wrote:
>
>> A small update to the previous message to clarify the ChallengeHook a
>> little.
>>
>> On 10.1.2022 14.50, Sagar Malam wrote:
>>
>> > Thanks for the help. It worked as expected after making the corrections. I
>> > would like to have EAP support as well. Can you help me with enabling
>> > that?
>>
>> Please see below for a modified version of the previous configuration.
>> Changes are:
>> - Add new global parameter that tells EAP to use State attribute
>> - Fix 'Identifier' spelling in AuthBy OTP
>> - Move State attribute into the step where it's actually needed
>> - New Handler that takes care of EAP by converting EAP-GTC to PAP
>> - Updated  to check that State ends with
>> 'auth-otp'
>> - Leave EAPType enabled only within AuthBy that processes EAP
>> - ConsumePassword is set to empty to clear the password before OTP
>>
>> Things to note: EAP-GTC is supported by converting it to PAP and then
>> doing the same steps that plain PAP would do. Some extra work is needed
>> to take care of State attribute that EAP also uses to track its state.
>>
>> With EAP the message payload is not encrypted unless the EAP method
>> itself does this. EAP-GTC does not. You can configure the following to
>> avoid exposing the static password to Radiator DEBUG level logging (the
>> parameter allows multiple attribute names too)
>>
>>PacketDumpOmitAttributes EAP-Message,User-Password
>>
>> Care is also needed when EAP-GTC is transferred without secure tunneling
>> (EAP-TTLS, PEAP, IPsec, VPN or other method).
>>
>> PEAP and other, typically Wi-Fi, methods are not supported by the
>> configuration. I took a look at the current Laptop and Wireless EAP
>> clients but the PEAP/EAP-GTC or EAP-TTLS/EAP-GTC still seems to be rare.
>> OTPs also make frequent Wi-Fi (re)connects a bit troublesome to use.
>>
>> Here's the updated configuration. Please let us know how it goes.
>>
>>
>> EAP_UseState 1
>>
>> 
>>  Identifier otp-authby
>>  PasswordPattern 9
>>
>>  # Return undef from ChallengeHook to force reject if State
>>  # already ends with 'auth-otp'. Now it will send a new SMS
>>  # when empty string is entered by the end user.
>>  ChallengeHook sub {my ($self, $user, $p, $context) = @_;\
>>  $context->{otp_password} = $self->generate_password();\
>>  my $state = $p->get_attr('State'); \
>>  $p->{rp}->add_attr('State', 'auth-otp') \
>>  if !$state || $state !~ m/auth-otp\z/s; \
>>
>> system('/usr/src/send_sms.sh','N',$context->{otp_password});\
>>  return "OTP sent";}
>>
>>  VerifyHook sub {my ($self, $user, $submitted_pw, $p, $context) = @_;\
>>  return $context->{otp_password} eq $submitted_pw ;}
>> 
>>
>> 
>>   
>>   EAPType GTC
>>   Filename /dev/null
>>   EAP_GTC_PAP_Convert
>>   
>>
>>   # EAP adds State. It's permissible to add more,
>>   # such as AuthBy OTP State value, to the end.
>>   PostProcessingHook sub { my $rp = ${$_[1]}; \
>>my @states = $rp->get_attr('State'); return if @states != 2; \
>>$rp->delete_attr('State'); \
>>$rp->add_attr('State', join('', reverse @states)); }
>> 
>>
>> 
>>  AuthBy otp-authby
>> 
>>
>> 
>>  AuthByPolicy ContinueWhileAccept
>>  
>>  Host192.168.0.45
>>  AuthDN CN=XX ,OU=ServiceAccounts,DC=X,DC=X,DC=com
>>  AuthPasswordX
>>  BaseDNDC=XX,DC=X,DC=com
>>  ServerChecksPassword
>>  UsernameAttr sAMAccountName
>>  AuthAttrDef logonHours,MS-Login-Hours,check
>>  ConsumePassword
>>  
>>  AuthBy otp-authby
>> 
>>
>>
>> Thanks,
>> Heikki
>>
>> --
>> Heikki Vatiainen
>> OSC, makers of Radiator
>> Visit radiatorsoftware.com for Radiator AAA server software
>
>
>
> --
>
> Thanks & Regards,
> Sagar Malam
> Project Leader | Ecosmob Technologies Pvt. Ltd.
> (+91)9601533171 | www.ecosmob.com
> 
> Skype: sagar.ecosmob
>


-- 

Thanks & Regards,
Sagar Malam
Project Leader | Ecosmob Technologies Pvt. Ltd.
(+91)9601533171 | www.ecosmob.com

Skype: sagar.ecos

Re: [RADIATOR] 2 Factor authentication via Authby LDAP2 and Authby OTP

2022-01-17 Thread Heikki Vatiainen

On 17.1.2022 10.11, Sagar Malam wrote:

> I need one more bit of help. I would like to get a phone number from LDAP (AD)
> and use it in a challenge hook to send an SMS to it.
>
> I tried to set it in AuthBy LDAP2:
> AuthAttrDef phoneNumber, request
>
> But it is not working for me. Am I doing it the right way? Can you
> please provide me with some direction on this?


Try this:

  AuthAttrDef phoneNumber, X-Phone-Number, request

For details, look for AuthAttrDef in the reference manual:
https://files.radiatorsoftware.com/radiator/ref.pdf

That adds the phoneNumber LDAP attribute value, if returned with the search 
results, to the request object as an attribute named 'X-Phone-Number'. You 
can then access it with %{Request:X-Phone-Number} or with the equivalent 
short form: %{X-Phone-Number}.


Attributes that start with 'X-' are not special. I've simply used an 
attribute name that is not present in the Radius dictionary. This avoids 
overwriting any real Radius attributes already present in the request. 
It also keeps the attribute internal because it cannot be proxied 
without a dictionary entry. This can be helpful with proxy configurations.


Thanks,
Heikki

--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
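As an added illustration of what the three-field AuthAttrDef with the 'request' type does, and why a name outside the dictionary stays internal to the server, here is a small Python model. It is not Radiator's own implementation of AuthAttrDef, special-character expansion or proxying: the dictionary subset, the LDAP entry, the phone number and the function names (`parse_auth_attr_def`, `apply_auth_attr_defs`, `expand`, `proxied_attrs`, `sms_target`) are constructed for this example.

```python
"""Model of 'AuthAttrDef ldapattr, radiusattr, request' and of what survives proxying."""
import re

# Constructed subset of a RADIUS dictionary: only these names can be encoded
# into a packet, so only these can leave the box when a request is proxied.
DICTIONARY = {"User-Name", "User-Password", "State", "Reply-Message",
              "Calling-Station-Id", "MS-Login-Hours"}

# Constructed AuthAttrDef lines in the 'ldapattr, radiusattr, type' form from the thread.
AUTH_ATTR_DEFS = [
    "phoneNumber, X-Phone-Number, request",
    "logonHours, MS-Login-Hours, check",
]


def parse_auth_attr_def(line):
    """Split 'ldapattr, radiusattr, type' into its three parts; the two-field
    form from the question ('phoneNumber, request') is rejected here."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 3 or parts[2] not in ("check", "reply", "request"):
        raise ValueError("malformed AuthAttrDef: %r" % line)
    return tuple(parts)


def apply_auth_attr_defs(entry, request, defs=AUTH_ATTR_DEFS):
    """Copy 'request'-type definitions from the LDAP entry into a copy of the
    request and collect 'check'-type ones separately. LDAP attributes are
    multi-valued; the first value is used. Attributes the search did not
    return are skipped rather than set to an empty value."""
    request = dict(request)
    check_items = {}
    for ldap_attr, radius_attr, kind in map(parse_auth_attr_def, defs):
        values = entry.get(ldap_attr) or []
        if not values:
            continue
        if kind == "request":
            request[radius_attr] = values[0]
        elif kind == "check":
            check_items[radius_attr] = values[0]
    return request, check_items


_SPECIAL = re.compile(r"%\{(?:Request:)?([A-Za-z0-9-]+)\}")


def expand(template, request):
    """Expand %{Name} and %{Request:Name} specials from the request attributes;
    a name that is absent expands to the empty string."""
    return _SPECIAL.sub(lambda m: request.get(m.group(1), ""), template)


def proxied_attrs(request, dictionary=DICTIONARY):
    """Attributes that would actually be encoded and forwarded to a proxy target."""
    return {k: v for k, v in request.items() if k in dictionary}


def sms_target(request):
    """ChallengeHook side: the number to send the OTP to, or None when the
    directory returned no phoneNumber (a hook should then reject, not send)."""
    return expand("%{X-Phone-Number}", request) or None


if __name__ == "__main__":
    entry = {"phoneNumber": ["+15550100"]}          # constructed LDAP entry
    req, checks = apply_auth_attr_defs(entry, {"User-Name": "alice"})
    print(sms_target(req), sorted(proxied_attrs(req)))
```

The point the model makes is the one in the reply: `X-Phone-Number` is readable inside hooks through `%{X-Phone-Number}`, but because it has no dictionary entry it never appears in `proxied_attrs`, and it cannot collide with a real attribute already in the request.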